Exploit Me 1 (LoTuX CTF)
Author: 堇姬Naup
asm
The program takes two inputs: a fmt string and a one_gadget address. To use the one_gadget we need to leak the libc base, and the fmt input can be used for that leak.
One_gadget
Look at the one_gadget first; it requires several conditions to hold:
rsi == NULL
rdx == NULL
rbp-0x78 writable
Looking at the end of the function, there are two xor instructions, so the first two conditions are already satisfied. The only one left is that rbp-0x78 must be writable, so we just pick any writable region and place it in rbp.
Solution
Leak libc first
After a few tries, %9$p prints a libc address, which can be used to leak libc.
offset = 0x29d90
First send b'a'*10 to pad up to just before the saved rbp.
Since PIE is enabled, it is easier to look for an unused writable region inside libc, because we already have the libc base. The one chosen here is
0x7ffff7e1a2c0-0x7ffff7c00000=0x21a2c0
That value overwrites rbp, and finally the one_gadget offset is filled in -> 0xebc88
Note: anything taken from inside libc must have the libc base added to it.
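Added example, not from the writeup and not the challenge's source (which is not shown): an assumed minimal reconstruction of the printf misuse that lets a directive like %9$p read a stack slot, next to the hardened form, plus two helpers a defender can use to flag format directives in untrusted input and recover the positional index they target.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern (assumed reconstruction of the challenge's "fmt" input):
 * the user-controlled buffer is used as the format string itself, so a
 * directive such as "%9$p" reads the 9th variadic slot, here a leftover
 * stack value, and prints it. That is what leaks the libc address above. */
void echo_vulnerable(const char *fmt) {
    printf(fmt);            /* -Wformat-security warns about exactly this */
    putchar('\n');
}

/* Hardened form: user data is only ever an argument, never the format. */
void echo_fixed(const char *s) {
    printf("%s\n", s);
}

/* Return the offset of the first real conversion directive in s, or -1 if
 * there is none. "%%" is a literal percent sign and is skipped. Useful for
 * logging or rejecting input that should never contain a directive. */
int first_format_directive(const char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++) {
        if (s[i] != '%') continue;
        if (i + 1 < n && s[i + 1] == '%') { i++; continue; }  /* "%%" */
        return (int)i;
    }
    return -1;
}

/* If the directive starting at s[pos] is positional ("%N$..."), return N;
 * otherwise return 0. For "%9$p" this yields 9, the slot being read. */
int positional_index(const char *s, int pos) {
    if (pos < 0 || s[pos] != '%') return 0;
    int i = pos + 1, n = 0;
    while (isdigit((unsigned char)s[i])) { n = n * 10 + (s[i] - '0'); i++; }
    return (s[i] == '$' && i > pos + 1) ? n : 0;
}
```

Compiling with -Werror=format-security turns the echo_vulnerable pattern into a build error, which is the cheapest way to keep it out of a codebase.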
script