mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-25 11:41:16 +07:00
57 lines
1.4 KiB
Markdown
57 lines
1.4 KiB
Markdown
# 6.3 pwn xdctf2015 pwn200
|
||
|
||
- [题目复现](#题目复现)
|
||
- [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析)
|
||
- [Exploit](#exploit)
|
||
- [参考资料](#参考资料)
|
||
|
||
|
||
## 题目复现
|
||
出题人在博客里贴出了源码,如下:
|
||
```C
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
|
||
void vuln()
|
||
{
|
||
char buf[100];
|
||
setbuf(stdin, buf);
|
||
read(0, buf, 256);
|
||
}
|
||
int main()
|
||
{
|
||
char buf[100] = "Welcome to XDCTF2015~!\n";
|
||
|
||
setbuf(stdout, buf);
|
||
write(1, buf, strlen(buf));
|
||
vuln();
|
||
return 0;
|
||
}
|
||
```
|
||
使用下面的语句编译:
|
||
```
|
||
$ gcc -m32 -fno-stack-protector -s pwn200.c
|
||
```
|
||
checksec 如下:
|
||
```
|
||
$ checksec -f a.out
|
||
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
||
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 1 a.out
|
||
```
|
||
在开启 ASLR 的情况下把程序运行起来:
|
||
```
|
||
$ socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
|
||
```
|
||
这题提供了二进制文件而没有提供 libc.so,而且也默认找不到,在章节 4.8 中我们提供了一种解法,这里我们讲解另一种。
|
||
|
||
|
||
## ret2dl-resolve 原理及题目解析
|
||
|
||
## Exploit
|
||
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_xdctf2015_pwn200)相应文件夹中:
|
||
|
||
|
||
## 参考资料
|
||
- [Return-to-dl-resolve](http://pwn4.fun/2016/11/09/Return-to-dl-resolve/)
|