pwndbg> b exit
Breakpoint 1 at 0x7ffff7c455f0: file ./stdlib/exit.c, line 142.
pwndbg> r
Starting program: /home/r3t2/CTF/pwn_demos/stdout/demo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
printf addr is --> 0x7ffff7c606f0
stdout addr is --> 0x7ffff7e1b780
---- input >>> a
---- leak >>>
Breakpoint 1, __GI_exit (status=0) at ./stdlib/exit.c:142
...
pwndbg> c
Continuing.
a new_data
[Inferior 1 (process 55881) exited normally]
pwndbg> b exit
Breakpoint 1 at 0x7ffff7c455f0: file ./stdlib/exit.c, line 142.
pwndbg> r
Starting program: /home/r3t2/CTF/pwn_demos/stdout/demo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
printf addr is --> 0x7ffff7c606f0
stdout addr is --> 0x7ffff7e1b780
---- input >>> a
---- leak >>> a new_data
Breakpoint 1, __GI_exit (status=0) at ./stdlib/exit.c:142
pwndbg> b exit
Breakpoint 1 at 0x7ffff7c455f0: file ./stdlib/exit.c, line 142.
pwndbg> r
Starting program: /home/r3t2/CTF/pwn_demos/stdout/demo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
printf addr is --> 0x7ffff7c606f0
stdout addr is --> 0x7ffff7e1b780
---- input >>> c
---- leak >>> c new_data
Breakpoint 1, __GI_exit (status=0) at ./stdlib/exit.c:142
pwndbg> b exit
Breakpoint 1 at 0x7ffff7c455f0: file ./stdlib/exit.c, line 142.
pwndbg> r
Starting program: /home/r3t2/CTF/pwn_demos/stdout/demo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
printf addr is --> 0x7ffff7c606f0
stdout addr is --> 0x7ffff7e1b780
---- input >>> a
---- leak >>> a
Breakpoint 1, __GI_exit (status=0) at ./stdlib/exit.c:142
...
pwndbg> c
Continuing.
new_data
[Inferior 1 (process 76592) exited normally]
for (int i = 0; i < 0x81; i++) {
    printf("new_data");   /* 0x81 = 129 iterations, 129 * 8 = 1032 bytes, no newline */
}
pwndbg> b exit
Breakpoint 1 at 0x7ffff7c455f0: file ./stdlib/exit.c, line 142.
pwndbg> r
Starting program: /home/r3t2/CTF/pwn_demos/stdout/demo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
printf addr is --> 0x7ffff7c606f0
stdout addr is --> 0x7ffff7e1b780
---- input >>> a
---- leak >>> a new_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_datanew_data
Breakpoint 1, __GI_exit (status=0) at ./stdlib/exit.c:142
The sandbox is on, so the goal is ORW. The problem is that there is no show function and no I/O function is called anywhere in the program, but PIE is off and the binary is statically linked, which is as good as being handed the libc address. The only thing we can do is a single unsorted bin attack, and that is where the question comes up: where do we write? If you are familiar with the unsorted bin attack, you know that what actually gets written is the address of the top chunk (at a fixed offset inside main_arena). Based on that, we can change the top chunk's position, migrating it onto chunk_list, which gives an arbitrary address write. Then call fflush, attack stdout to leak a stack address (rsp), and finally hijack rsp and write a ROP chain there (at that point this challenge's program will ret by itself, i.e. pop rip).