Virtual

Securinets-Quals-CTF-2023 PWN

题目作者: 未知

一　　血: ‌‌‌‌‌暂无

一血奖励: 0金币

解　　决: 0

提　　示:

描　　述: 题目附件链接: https://pan.baidu.com/s/1DP955E5TzxfU-YYWZdA57A 提取码: hk7r

Notes:

The intended solution was using printf (format string) to leak libc. When overflowing the executeAsAService function (After changing the path), rdi contains the address of the path, the format string should be stored there.
Calling printf requires setting rax register to 0, however there are no gadgets in the binary to do so. In order to make rax null, you'll have to dump the vd.so memory area & extract gadgets from there, there's a xor eax, eax; ret; gadget. That memory area depends on the kernel used and that's the main reason for using this specific setup (qemu).
After the libc leak, you should be able to either pop a shell or open/read/write the flag (Which was I used in the solver).
Writing this with pwntools wouldn't work since some bytes are not written in memory, If someone knows the reason please let me know, I spent a while looking into it. That's why the solver is written in C.
Vdso base is written after the env. variables table.

详情