CTF-All-In-One/doc/6.3_pwn_xdctf2015_pwn200.md
2017-11-16 15:38:39 +08:00

57 lines
1.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 6.3 pwn xdctf2015 pwn200
- [题目复现](#题目复现)
- [ret2dl-resolve 原理及题目解析](#ret2dlresolve-原理及题目解析)
- [Exploit](#exploit)
- [参考资料](#参考资料)
## 题目复现
出题人在博客里贴出了源码,如下:
```C
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void vuln()
{
char buf[100];
setbuf(stdin, buf);
read(0, buf, 256);
}
int main()
{
char buf[100] = "Welcome to XDCTF2015~!\n";
setbuf(stdout, buf);
write(1, buf, strlen(buf));
vuln();
return 0;
}
```
使用下面的语句编译:
```
$ gcc -m32 -fno-stack-protector -s pwn200.c
```
checksec 如下:
```
$ checksec -f a.out
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH No 0 1 a.out
```
在开启 ASLR 的情况下把程序运行起来:
```
$ socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
```
这题提供了二进制文件而没有提供 libc.so而且也默认找不到在章节 4.8 中我们提供了一种解法,这里我们讲解另一种。
## ret2dl-resolve 原理及题目解析
## Exploit
完整的 exp 如下,其他文件放在了[github](../src/writeup/6.2_pwn_xdctf2015_pwn200)相应文件夹中:
## 参考资料
- [Return-to-dl-resolve](http://pwn4.fun/2016/11/09/Return-to-dl-resolve/)