1. 程式人生 > >【jarvisoj刷題之旅】pwn題目Tell Me Something的writeup

【jarvisoj刷題之旅】pwn題目Tell Me Something的writeup

題目資訊:

file一下  發現是64位的ELF

checksec檢查下安全性

objdump -t 檔名   可以檢視符號表

[email protected]:~/Desktop/jarvisOJ$ objdump -t guestbook 

guestbook:     file format elf64-x86-64

SYMBOL TABLE:
0000000000400200 l    d  .interp	0000000000000000              .interp
000000000040021c l    d  .note.ABI-tag	0000000000000000              .note.ABI-tag
000000000040023c l    d  .note.gnu.build-id	0000000000000000              .note.gnu.build-id
0000000000400260 l    d  .gnu.hash	0000000000000000              .gnu.hash
0000000000400280 l    d  .dynsym	0000000000000000              .dynsym
0000000000400328 l    d  .dynstr	0000000000000000              .dynstr
0000000000400378 l    d  .gnu.version	0000000000000000              .gnu.version
0000000000400388 l    d  .gnu.version_r	0000000000000000              .gnu.version_r
00000000004003a8 l    d  .rela.dyn	0000000000000000              .rela.dyn
00000000004003c0 l    d  .rela.plt	0000000000000000              .rela.plt
0000000000400450 l    d  .init	0000000000000000              .init
0000000000400470 l    d  .plt	0000000000000000              .plt
00000000004004e0 l    d  .text	0000000000000000              .text
0000000000400704 l    d  .fini	0000000000000000              .fini
0000000000400710 l    d  .rodata	0000000000000000              .rodata
0000000000400768 l    d  .eh_frame_hdr	0000000000000000              .eh_frame_hdr
00000000004007b0 l    d  .eh_frame	0000000000000000              .eh_frame
00000000006008d8 l    d  .init_array	0000000000000000              .init_array
00000000006008e0 l    d  .fini_array	0000000000000000              .fini_array
00000000006008e8 l    d  .jcr	0000000000000000              .jcr
00000000006008f0 l    d  .dynamic	0000000000000000              .dynamic
0000000000600ac0 l    d  .got	0000000000000000              .got
0000000000600ac8 l    d  .got.plt	0000000000000000              .got.plt
0000000000600b10 l    d  .data	0000000000000000              .data
0000000000600b20 l    d  .bss	0000000000000000              .bss
0000000000000000 l    d  .comment	0000000000000000              .comment
0000000000000000 l    df *ABS*	0000000000000000              crtstuff.c
00000000006008e8 l     O .jcr	0000000000000000              __JCR_LIST__
0000000000400550 l     F .text	0000000000000000              deregister_tm_clones
0000000000400590 l     F .text	0000000000000000              register_tm_clones
00000000004005d0 l     F .text	0000000000000000              __do_global_dtors_aux
0000000000600b20 l     O .bss	0000000000000001              completed.6661
00000000006008e0 l     O .fini_array	0000000000000000              __do_global_dtors_aux_fini_array_entry
00000000004005f0 l     F .text	0000000000000000              frame_dummy
00000000006008d8 l     O .init_array	0000000000000000              __frame_dummy_init_array_entry
0000000000000000 l    df *ABS*	0000000000000000              pwn100.c
0000000000000000 l    df *ABS*	0000000000000000              crtstuff.c
00000000004008d0 l     O .eh_frame	0000000000000000              __FRAME_END__
00000000006008e8 l     O .jcr	0000000000000000              __JCR_END__
0000000000000000 l    df *ABS*	0000000000000000              
00000000006008e0 l       .init_array	0000000000000000              __init_array_end
00000000006008f0 l     O .dynamic	0000000000000000              _DYNAMIC
00000000006008d8 l       .init_array	0000000000000000              __init_array_start
0000000000600ac8 l     O .got.plt	0000000000000000              _GLOBAL_OFFSET_TABLE_
0000000000400700 g     F .text	0000000000000002              __libc_csu_fini
0000000000000000  w      *UND*	0000000000000000              _ITM_deregisterTMCloneTable
0000000000600b10  w      .data	0000000000000000              data_start
0000000000000000       F *UND*	0000000000000000              
[email protected]
@GLIBC_2.2.5 0000000000600b20 g .data 0000000000000000 _edata 0000000000400704 g F .fini 0000000000000000 _fini 0000000000000000 F *UND* 0000000000000000 [email protected]@GLIBC_2.2.5 0000000000000000 F *UND* 0000000000000000 [email protected]@GLIBC_2.2.5 0000000000000000 F *UND* 0000000000000000 [email protected]@GLIBC_2.2.5 0000000000600b10 g .data 0000000000000000 __data_start 0000000000000000 w *UND* 0000000000000000 __gmon_start__ 0000000000600b18 g O .data 0000000000000000 .hidden __dso_handle 0000000000400710 g O .rodata 0000000000000004 _IO_stdin_used 0000000000400690 g F .text 0000000000000065 __libc_csu_init 0000000000600b28 g .bss 0000000000000000 _end 0000000000400526 g F .text 0000000000000000 _start 0000000000600b20 g .bss 0000000000000000 __bss_start 00000000004004e0 g F .text 0000000000000046 main 0000000000000000 F *UND* 0000000000000000
[email protected]
@GLIBC_2.2.5 0000000000000000 w *UND* 0000000000000000 _Jv_RegisterClasses 0000000000400670 g F .text 000000000000001e readmessage 0000000000600b20 g O .data 0000000000000000 .hidden __TMC_END__ 0000000000000000 w *UND* 0000000000000000 _ITM_registerTMCloneTable 0000000000400450 g F .init 0000000000000000 _init 0000000000400620 g F .text 000000000000004a good_game

這裡可以看到good_game很可疑

IDA  分析一下也可以看到flag.txt,read,read等

分別雙擊這個Input your message 和flag.txt 的引用    然後F5    

那麼我們就可以判斷出good_game()這個函式的作用就是開啟flag.txt並讀取內容輸出

main()是沒有呼叫它的   也就是說程式正常是無法執行good_game()的

但是可以看到main()中有呼叫read(),那麼我們就可以通過向緩衝區中輸入大於 buf 長度的資料 , 這樣多餘的資料就會溢位 , 並覆蓋棧上的一些資料,那麼我們就將main()函式的返回地址改成good_game()的入口地址,這樣就可以在main()執行完之後輸出flag.txt內容了

雙擊main()中的v4  就可以檢視main函式的棧幀

可以看到 , 用於緩衝使用者輸入的字元陣列距離 main 的返回地址有 0x88 個位元組
那麼我們需要輸入 0x88 (136) 個位元組的資料 , 再輸入 good_game 的地址 , 這樣程式返回的時候就會跳轉到 good_game 去執行

通過 ida 來檢視 good_game 的地址

需要轉換成小端序的形式 , 可以利用zio這個庫

我直接用pwntools

指令碼如下:

 

參考連結:https://www.jianshu.com/p/16901e0e51e4